diff options
531 files changed, 5336 insertions, 4324 deletions
diff --git a/CMakeLists.txt b/CMakeLists.txt index 4785409ed..390583543 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -292,12 +292,13 @@ if(BUILD_EXAMPLES) target_compile_definitions(nDPIsrvd-json-dump PRIVATE ${NDPID_DEFS}) target_include_directories(nDPIsrvd-json-dump PRIVATE ${NDPID_DEPS_INC}) + add_executable(nDPIsrvd-analysed examples/c-analysed/c-analysed.c utils.c) + target_compile_definitions(nDPIsrvd-analysed PRIVATE ${NDPID_DEFS}) + target_include_directories(nDPIsrvd-analysed PRIVATE ${NDPID_DEPS_INC}) + add_executable(nDPIsrvd-simple examples/c-simple/c-simple.c) target_compile_definitions(nDPIsrvd-simple PRIVATE ${NDPID_DEFS}) target_include_directories(nDPIsrvd-simple PRIVATE ${NDPID_DEPS_INC}) - target_link_libraries(nDPIsrvd-simple "${pkgcfg_lib_NDPI_ndpi}" - "${pkgcfg_lib_PCRE_pcre}" "${pkgcfg_lib_MAXMINDDB_maxminddb}" - "${GCRYPT_LIBRARY}" "${GCRYPT_ERROR_LIBRARY}" "${PCAP_LIBRARY}") if(ENABLE_COVERAGE) add_dependencies(coverage nDPIsrvd-collectd nDPIsrvd-captured nDPIsrvd-json-dump nDPIsrvd-simple) diff --git a/dependencies/nDPIsrvd.h b/dependencies/nDPIsrvd.h index 29287ae00..a0fd80495 100644 --- a/dependencies/nDPIsrvd.h +++ b/dependencies/nDPIsrvd.h @@ -36,7 +36,7 @@ #define nDPIsrvd_STRLEN_SZ(s) (sizeof(s) / sizeof(s[0]) - sizeof(s[0])) #define TOKEN_GET_SZ(sock, ...) nDPIsrvd_get_token(sock, __VA_ARGS__, NULL) #define TOKEN_GET_VALUE_SZ(sock, value_length, ...) \ - nDPIsrvd_get_token_value(sock, value_length, TOKEN_GET_SZ(sock, __VA_ARGS__, NULL)) + nDPIsrvd_get_token_value(sock, TOKEN_GET_SZ(sock, __VA_ARGS__, NULL)) #define TOKEN_VALUE_EQUALS(sock, token, string_to_check, string_to_check_length) \ nDPIsrvd_token_value_equals(sock, token, string_to_check, string_to_check_length) #define TOKEN_VALUE_EQUALS_SZ(sock, token, string_to_check) \ @@ -44,6 +44,7 @@ #define TOKEN_VALUE_TO_ULL(sock, token, value) nDPIsrvd_token_value_to_ull(sock, token, value) #define TOKEN_GET_KEY(sock, token, key_length) \ (nDPIsrvd_jsmn_token_to_string(sock, &sock->jsmn.tokens[token->token_index - 1], key_length)) +#define TOKEN_GET_VALUE(sock, token, value_length) (nDPIsrvd_get_jsmn_token_value(sock, token, value_length)) #define FIRST_ENUM_VALUE 1 #define LAST_ENUM_VALUE CLEANUP_REASON_LAST_ENUM_VALUE @@ -828,6 +829,30 @@ static inline jsmntok_t const * nDPIsrvd_get_jsmn_token(struct nDPIsrvd_socket c return &sock->jsmn.tokens[token->token_index]; } +static inline char const * nDPIsrvd_get_jsmn_token_value(struct nDPIsrvd_socket const * const sock, + struct nDPIsrvd_json_token const * const token, + size_t * const value_length) +{ + jsmntok_t const * const jt = nDPIsrvd_get_jsmn_token(sock, token); + + if (jt == NULL) + { + return NULL; + } + + if (jt->type != JSMN_STRING && jt->type != JSMN_PRIMITIVE) + { + return NULL; + } + + if (value_length != NULL) + { + *value_length = jt->end - jt->start; + } + + return sock->buffer.json_string + jt->start; +} + static inline char const * nDPIsrvd_jsmn_token_to_string(struct nDPIsrvd_socket const * const sock, jsmntok_t const * const jt, size_t * const string_length) @@ -837,10 +862,16 @@ static inline char const * nDPIsrvd_jsmn_token_to_string(struct nDPIsrvd_socket return NULL; } + if (jt->type != JSMN_STRING && jt->type != JSMN_PRIMITIVE) + { + return NULL; + } + if (string_length != NULL) { *string_length = jt->end - jt->start; } + return sock->buffer.json_string + jt->start; } @@ -888,7 +919,7 @@ static inline struct nDPIsrvd_json_token const * nDPIsrvd_get_next_token(struct for (int i = *next_index + 2; i < sock->jsmn.tokens_found; i += 2) { - if (sock->jsmn.tokens[i].parent != start->token_index + 1) + if (sock->jsmn.tokens[i].type != JSMN_STRING && sock->jsmn.tokens[i].type != JSMN_PRIMITIVE) { continue; } @@ -909,6 +940,31 @@ static inline struct nDPIsrvd_json_token const * nDPIsrvd_get_next_token(struct return result; } +static inline int nDPIsrvd_token_iterate(struct nDPIsrvd_socket const * const sock, + struct nDPIsrvd_json_token const * const start, + struct nDPIsrvd_json_token * const next) +{ + if (start == NULL || next->token_index >= sock->jsmn.tokens_found || + sock->jsmn.tokens[start->token_index].type != JSMN_ARRAY) + { + return 1; + } + + if (next->token_index <= 0) + { + next->token_index = start->token_index; + } + + next->token_index++; + if (sock->jsmn.tokens[next->token_index].parent != start->token_index) + { + return 1; + } + next->token_keys_hash = 0; + + return 0; +} + static inline struct nDPIsrvd_json_token const * nDPIsrvd_get_token(struct nDPIsrvd_socket const * const sock, char const * const json_key, ...) @@ -1077,10 +1133,11 @@ static inline int nDPIsrvd_walk_tokens( } else if (t->type == JSMN_ARRAY) { + nDPIsrvd_add_token(sock, h, b); j = 0; for (i = 0; i < t->size; i++) { - j += nDPIsrvd_walk_tokens(sock, h, b + 1 + j, count - j, 1, depth + 1); + j += nDPIsrvd_walk_tokens(sock, h, b + 1 + j, count - j, 0, depth + 1); } return j + 1; } diff --git a/examples/c-analysed/c-analysed.c b/examples/c-analysed/c-analysed.c index c0af7a8d9..c12ccf621 100644 --- a/examples/c-analysed/c-analysed.c +++ b/examples/c-analysed/c-analysed.c @@ -1,13 +1,25 @@ #include <signal.h> #include <stdio.h> #include <stdlib.h> +#include <syslog.h> #include <unistd.h> #include "nDPIsrvd.h" +#include "utils.h" + +#define MIN(a, b) (a > b ? b : a) +#define BUFFER_REMAINING(siz) (NETWORK_BUFFER_MAX_SIZE - siz) static int main_thread_shutdown = 0; static struct nDPIsrvd_socket * sock = NULL; +static char * pidfile = NULL; +static char * serv_optarg = NULL; +static char * user = NULL; +static char * group = NULL; +static char * csv_outfile = NULL; +static FILE * csv_fp = NULL; + #ifdef ENABLE_MEMORY_PROFILING void nDPIsrvd_memprof_log_alloc(size_t alloc_size) { @@ -129,12 +141,119 @@ static void sighandler(int signum) } } +static void csv_buf_add(char csv_buf[NETWORK_BUFFER_MAX_SIZE + 1], + size_t * const csv_buf_used, + char const * const str, + size_t siz_len) +{ + size_t len; + + if (siz_len > 0 && str != NULL) + { + len = MIN(BUFFER_REMAINING(*csv_buf_used), siz_len); + if (len == 0) + { + return; + } + strncat(csv_buf, str, len); + } + else + { + len = 0; + } + + *csv_buf_used += len; + if (BUFFER_REMAINING(*csv_buf_used) > 0) + { + csv_buf[*csv_buf_used] = ','; + (*csv_buf_used)++; + } + csv_buf[*csv_buf_used] = '\0'; +} + +static int json_value_to_csv(struct nDPIsrvd_socket * const sock, + char csv_buf[NETWORK_BUFFER_MAX_SIZE + 1], + size_t * const csv_buf_used, + char const * const json_key, + ...) +{ + va_list ap; + nDPIsrvd_hashkey key; + struct nDPIsrvd_json_token const * token; + size_t val_length = 0; + char const * val; + int ret = 0; + + va_start(ap, json_key); + key = nDPIsrvd_vbuild_jsmn_key(json_key, ap); + va_end(ap); + + token = nDPIsrvd_find_token(sock, key); + if (token == NULL) + { + ret++; + } + + val = TOKEN_GET_VALUE(sock, token, &val_length); + if (val == NULL) + { + ret++; + } + + csv_buf_add(csv_buf, csv_buf_used, val, val_length); + + return ret; +} + +static int json_array_to_csv(struct nDPIsrvd_socket * const sock, + char csv_buf[NETWORK_BUFFER_MAX_SIZE + 1], + size_t * const csv_buf_used, + char const * const json_key, + ...) +{ + va_list ap; + nDPIsrvd_hashkey key; + struct nDPIsrvd_json_token const * token; + int ret = 0; + + va_start(ap, json_key); + key = nDPIsrvd_vbuild_jsmn_key(json_key, ap); + va_end(ap); + + token = nDPIsrvd_find_token(sock, key); + if (token == NULL) + { + ret++; + csv_buf_add(csv_buf, csv_buf_used, NULL, 0); + } + + { + struct nDPIsrvd_json_token next = {}; + + csv_buf_add(csv_buf, csv_buf_used, "\"", 1); + csv_buf[--(*csv_buf_used)] = '\0'; + while (nDPIsrvd_token_iterate(sock, token, &next) == 0) + { + size_t val_length = 0; + char const * const val = TOKEN_GET_VALUE(sock, &next, &val_length); + + csv_buf_add(csv_buf, csv_buf_used, val, val_length); + } + csv_buf[--(*csv_buf_used)] = '\0'; + csv_buf_add(csv_buf, csv_buf_used, "\"", 1); + } + + return ret; +} + static enum nDPIsrvd_callback_return simple_json_callback(struct nDPIsrvd_socket * const sock, struct nDPIsrvd_instance * const instance, struct nDPIsrvd_thread_data * const thread_data, struct nDPIsrvd_flow * const flow) { - (void)sock; + char csv_buf[NETWORK_BUFFER_MAX_SIZE + 1]; + size_t csv_buf_used = 0; + (void)instance; (void)thread_data; @@ -154,36 +273,226 @@ static enum nDPIsrvd_callback_return simple_json_callback(struct nDPIsrvd_socket return CALLBACK_ERROR; } - struct nDPIsrvd_json_token const * const iat = TOKEN_GET_SZ(sock, "data_analysis", "iat"); - if (iat == NULL) + csv_buf[0] = '\0'; + + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_datalink", NULL); + json_value_to_csv(sock, csv_buf, &csv_buf_used, "l3_proto", NULL); + json_value_to_csv(sock, csv_buf, &csv_buf_used, "src_ip", NULL); + json_value_to_csv(sock, csv_buf, &csv_buf_used, "dst_ip", NULL); + json_value_to_csv(sock, csv_buf, &csv_buf_used, "l4_proto", NULL); + json_value_to_csv(sock, csv_buf, &csv_buf_used, "src_port", NULL); + json_value_to_csv(sock, csv_buf, &csv_buf_used, "dst_port", NULL); + + if (json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_state", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_src_packets_processed", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_dst_packets_processed", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_first_seen", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_src_last_pkt_time", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_dst_last_pkt_time", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_src_min_l4_payload_len", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_dst_min_l4_payload_len", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_src_max_l4_payload_len", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_dst_max_l4_payload_len", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_src_tot_l4_payload_len", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "flow_dst_tot_l4_payload_len", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "midstream", NULL) != 0) + { + return CALLBACK_ERROR; + } + + if (json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "iat", "min", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "iat", "avg", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "iat", "max", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "iat", "stddev", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "iat", "var", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "iat", "ent", NULL) != 0) + { + return CALLBACK_ERROR; + } + + if (json_array_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "iat", "data", NULL) != 0) + { + return CALLBACK_ERROR; + } + + if (json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "pktlen", "min", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "pktlen", "avg", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "pktlen", "max", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "pktlen", "stddev", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "pktlen", "var", NULL) != 0 || + json_value_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "pktlen", "ent", NULL) != 0) + { + return CALLBACK_ERROR; + } + + if (json_array_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "pktlen", "data", NULL) != 0) + { + return CALLBACK_ERROR; + } + + if (json_array_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "bins", "c_to_s", NULL) != 0) + { + return CALLBACK_ERROR; + } + + if (json_array_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "bins", "s_to_c", NULL) != 0) + { + return CALLBACK_ERROR; + } + + if (json_array_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "directions", NULL) != 0) { return CALLBACK_ERROR; } + if (json_array_to_csv(sock, csv_buf, &csv_buf_used, "data_analysis", "entropies", NULL) != 0) { + return CALLBACK_ERROR; + } + + json_value_to_csv(sock, csv_buf, &csv_buf_used, "ndpi", "proto", NULL); + json_value_to_csv(sock, csv_buf, &csv_buf_used, "ndpi", "proto_id", NULL); + json_value_to_csv(sock, csv_buf, &csv_buf_used, "ndpi", "encrypted", NULL); + json_value_to_csv(sock, csv_buf, &csv_buf_used, "ndpi", "breed", NULL); + json_value_to_csv(sock, csv_buf, &csv_buf_used, "ndpi", "category", NULL); + { + struct nDPIsrvd_json_token const * const token = TOKEN_GET_SZ(sock, "ndpi", "confidence"); struct nDPIsrvd_json_token const * current = NULL; int next_child_index = -1; - while ((current = nDPIsrvd_get_next_token(sock, iat, &next_child_index)) != NULL) + if (token == NULL) { - size_t key_length = 0; - char const * const key = TOKEN_GET_KEY(sock, current, &key_length); + csv_buf_add(csv_buf, &csv_buf_used, NULL, 0); + csv_buf_add(csv_buf, &csv_buf_used, NULL, 0); + } + else + { + while ((current = nDPIsrvd_get_next_token(sock, token, &next_child_index)) != NULL) + { + size_t key_length = 0, value_length = 0; + char const * const key = TOKEN_GET_KEY(sock, current, &key_length); + char const * const value = TOKEN_GET_VALUE(sock, current, &value_length); - printf("__%.*s__\n", (int)key_length, key); - next_child_index++; + csv_buf_add(csv_buf, &csv_buf_used, key, key_length); + csv_buf_add(csv_buf, &csv_buf_used, value, value_length); + } } -printf("===\n"); } + if (csv_buf_used > 0 && csv_buf[csv_buf_used - 1] == ',') + { + csv_buf[--csv_buf_used] = '\0'; + } + + fprintf(csv_fp, "%.*s\n", (int)csv_buf_used, csv_buf); + return CALLBACK_OK; } -static void simple_flow_cleanup_callback(struct nDPIsrvd_socket * const sock, - struct nDPIsrvd_instance * const instance, - struct nDPIsrvd_thread_data * const thread_data, - struct nDPIsrvd_flow * const flow, - enum nDPIsrvd_cleanup_reason reason) +static void print_usage(char const * const arg0) { + static char const usage[] = + "Usage: %s " + "[-d] [-p pidfile] [-s host]\n" + "\t \t[-u user] [-g group] [-o csv-outfile]\n\n" + "\t-d\tForking into background after initialization.\n" + "\t-p\tWrite the daemon PID to the given file path.\n" + "\t-s\tDestination where nDPIsrvd is listening on.\n" + "\t \tCan be either a path to UNIX socket or an IPv4/TCP-Port IPv6/TCP-Port tuple.\n" + "\t-u\tChange user.\n" + "\t-g\tChange group.\n" + "\t-o\tSpecify the CSV output file for analysis results\n\n"; + + fprintf(stderr, usage, arg0); +} + +static int parse_options(int argc, char ** argv) +{ + int opt; + + while ((opt = getopt(argc, argv, "hdp:s:u:g:o:")) != -1) + { + switch (opt) + { + case 'd': + daemonize_enable(); + break; + case 'p': + free(pidfile); + pidfile = strdup(optarg); + break; + case 's': + free(serv_optarg); + serv_optarg = strdup(optarg); + break; + case 'u': + free(user); + user = strdup(optarg); + break; + case 'g': + free(group); + group = strdup(optarg); + break; + case 'o': + free(csv_outfile); + csv_outfile = strdup(optarg); + break; + default: + print_usage(argv[0]); + return 1; + } + } + + if (csv_outfile == NULL) + { + fprintf(stderr, "%s: Missing CSV output file (`-o')\n", argv[0]); + return 1; + } + + opt = 0; + if (access(csv_outfile, F_OK) != 0 && errno == ENOENT) + { + opt = 1; + } + + csv_fp = fopen(csv_outfile, "a+"); + if (csv_fp == NULL) + { + fprintf(stderr, "%s: Could not open file `%s' for appending\n", argv[0], csv_outfile); + return 1; + } + + if (opt != 0) + { + fprintf(csv_fp, + "flow_datalink,l3_proto,src_ip,dst_ip,l4_proto,src_port,dst_port,flow_state,flow_src_packets_processed," + "flow_dst_packets_processed,flow_first_seen,flow_src_last_pkt_time,flow_dst_last_pkt_time,flow_src_min_" + "l4_payload_len,flow_dst_min_l4_payload_len,flow_src_max_l4_payload_len,flow_dst_max_l4_payload_len," + "flow_src_tot_l4_payload_len,flow_dst_tot_l4_payload_len,midstream,iat_min,iat_avg,iat_max,iat_stddev," + "iat_var,iat_ent,iat_data,pktlen_min,pktlen_avg,pktlen_max,pktlen_stddev,pktlen_var,pktlen_ent,pktlen_" + "data,bins_c_to_s,bins_s_to_c,directions,entropies,proto,proto_id,encrypted,breed,category," + "confidence_id,confidence\n"); + } + + if (serv_optarg == NULL) + { + serv_optarg = strdup(DISTRIBUTOR_UNIX_SOCKET); + } + + if (nDPIsrvd_setup_address(&sock->address, serv_optarg) != 0) + { + fprintf(stderr, "%s: Could not parse address `%s'\n", argv[0], serv_optarg); + return 1; + } + + if (optind < argc) + { + fprintf(stderr, "Unexpected argument after options\n\n"); + print_usage(argv[0]); + return 1; + } + + return 0; } int main(int argc, char ** argv) @@ -193,23 +502,38 @@ int main(int argc, char ** argv) signal(SIGTERM, sighandler); signal(SIGPIPE, sighandler); - sock = nDPIsrvd_socket_init(0, 0, 0, 0, simple_json_callback, NULL, simple_flow_cleanup_callback); + sock = nDPIsrvd_socket_init(0, 0, 0, 0, simple_json_callback, NULL, NULL); if (sock == NULL) { return 1; } - if (nDPIsrvd_setup_address(&sock->address, (argc > 1 ? argv[1] : "127.0.0.1:7000")) != 0) + if (parse_options(argc, argv) != 0) { return 1; } + printf("Recv buffer size: %u\n", NETWORK_BUFFER_MAX_SIZE); + printf("Connecting to `%s'..\n", serv_optarg); + if (nDPIsrvd_connect(sock) != CONNECT_OK) { + fprintf(stderr, "%s: nDPIsrvd socket connect to %s failed!\n", argv[0], serv_optarg); nDPIsrvd_socket_free(&sock); return 1; } + signal(SIGUSR1, sighandler); + signal(SIGINT, sighandler); + signal(SIGTERM, sighandler); + signal(SIGPIPE, sighandler); + + if (daemonize_with_pidfile(pidfile) != 0) + { + return 1; + } + openlog("nDPIsrvd-analyzed", LOG_CONS, LOG_DAEMON); + if (nDPIsrvd_set_read_timeout(sock, 180, 0) != 0) { return 1; @@ -247,5 +571,9 @@ int main(int argc, char ** argv) printf("Parse read %s\n", nDPIsrvd_enum_to_string(read_ret)); } - return 1; + nDPIsrvd_socket_free(&sock); + daemonize_shutdown(pidfile); + closelog(); + + return read_ret; } diff --git a/examples/py-flow-info/flow-info.py b/examples/py-flow-info/flow-info.py index 3c58858ed..0fba6fcaa 100755 --- a/examples/py-flow-info/flow-info.py +++ b/examples/py-flow-info/flow-info.py @@ -363,18 +363,18 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data): flow_event_name += '{}{:>16}{}'.format(TermColor.WARNING, json_dict['flow_event_name'], TermColor.END) if args.print_analyse_results is True: - next_lines = [' {:>9}|{:>9}|{:>9}|{:>9}|{:>9}|{:>9}'.format( + next_lines = [' {:>9}|{:>9}|{:>9}|{:>9}|{:>15}|{:>8}'.format( 'min', 'max', 'avg', 'stddev', 'variance', 'entropy')] - next_lines += ['[IAT.........: {:>9.3f}|{:>9.3f}|{:>9.3f}|{:>9.3f}|{:>9.3f}|{:>9.3f}]'.format( + next_lines += ['[IAT.........: {:>9.3f}|{:>9.3f}|{:>9.3f}|{:>9.3f}|{:>15.3f}|{:>8.3f}]'.format( nDPIsrvd.toSeconds(json_dict['data_analysis']['iat']['min']), nDPIsrvd.toSeconds(json_dict['data_analysis']['iat']['max']), nDPIsrvd.toSeconds(json_dict['data_analysis']['iat']['avg']), nDPIsrvd.toSeconds(json_dict['data_analysis']['iat']['stddev']), nDPIsrvd.toSeconds(json_dict['data_analysis']['iat']['var']), - nDPIsrvd.toSeconds(json_dict['data_analysis']['iat']['ent']) + json_dict['data_analysis']['iat']['ent'] )] next_lines += [''] - next_lines[-1] += '[PKTLEN......: {:>9.3f}|{:>9.3f}|{:>9.3f}|{:>9.3f}|{:>9.3f}|{:>9.3f}]'.format( + next_lines[-1] += '[PKTLEN......: {:>9.3f}|{:>9.3f}|{:>9.3f}|{:>9.3f}|{:>15.3f}|{:>8.3f}]'.format( json_dict['data_analysis']['pktlen']['min'], json_dict['data_analysis']['pktlen']['max'], json_dict['data_analysis']['pktlen']['avg'], @@ -396,6 +396,12 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data): next_lines[-1] += '[IATS(ms)....: {}]'.format(iats) next_lines += [''] next_lines[-1] += '[PKTLENS.....: {}]'.format(','.join([str(n) for n in json_dict['data_analysis']['pktlen']['data']])) + next_lines += [''] + ents = '' + for n in json_dict['data_analysis']['entropies']: + ents += '{:.1f},'.format(n) + ents = ents[:-1] + next_lines[-1] += '[ENTROPIES...: {}]'.format(ents) else: if json_dict['flow_event_name'] == 'new': line_suffix = '' @@ -416,6 +422,9 @@ def onJsonLineRecvd(json_dict, instance, current_flow, global_user_data): line_suffix += ']' flow_event_name += '{}{:>16}{}'.format(flow_active_color, json_dict['flow_event_name'], TermColor.END) + if args.print_hostname is True and 'ndpi' in json_dict and 'hostname' in json_dict['ndpi']: + line_suffix += '[{}]'.format(json_dict['ndpi']['hostname']) + if json_dict['l3_proto'] == 'ip4': print('{}{}{}{}{}: [{:.>6}] [{}][{:.>5}] [{:.>15}]{} -> [{:.>15}]{} {}{}' \ ''.format(timestamp, first_seen, last_seen, instance_and_source, flow_event_name, @@ -472,6 +481,7 @@ if __name__ == '__main__': argparser.add_argument('--analyse', action='store_true', default=False, help='Print only analyse flow events.') argparser.add_argument('--detection', action='store_true', default=False, help='Print only detected/detection-update flow events.') argparser.add_argument('--ipwhois', action='store_true', default=False, help='Use Python-IPWhois to print additional location information.') + argparser.add_argument('--print-hostname', action='store_true', default=False, help='Print detected hostnames if available.') argparser.add_argument('--print-analyse-results', action='store_true', default=False, help='Print detailed results of analyse events.') args = argparser.parse_args() diff --git a/nDPId-test.c b/nDPId-test.c index 9621c9035..7dba33890 100644 --- a/nDPId-test.c +++ b/nDPId-test.c @@ -675,7 +675,7 @@ static void * distributor_client_mainloop_thread(void * const arg) case READ_PEER_DISCONNECT: del_event(dis_epollfd, mock_testfds[PIPE_TEST_READ]); pipe_read_finished = 1; - continue; + break; } enum nDPIsrvd_parse_return parse_ret = nDPIsrvd_parse_all(mock_sock); @@ -712,7 +712,6 @@ static void * distributor_client_mainloop_thread(void * const arg) { del_event(dis_epollfd, mock_nullfds[PIPE_NULL_READ]); null_read_finished = 1; - continue; } printf("%.*s", (int)bytes_read, buf); @@ -730,7 +729,6 @@ static void * distributor_client_mainloop_thread(void * const arg) { del_event(dis_epollfd, mock_arpafds[PIPE_ARPA_READ]); arpa_read_finished = 1; - continue; } /* @@ -156,6 +156,7 @@ struct nDPId_flow_analysis struct ndpi_analyze_struct pktlen; uint8_t * directions; struct ndpi_bin payload_len_bin[FD_COUNT]; + float * entropies; }; /* @@ -1325,15 +1326,20 @@ static void free_analysis_data(struct nDPId_flow_extended * const flow_ext) ndpi_free(flow_ext->flow_analysis->directions); ndpi_free_bin(&flow_ext->flow_analysis->payload_len_bin[FD_SRC2DST]); ndpi_free_bin(&flow_ext->flow_analysis->payload_len_bin[FD_DST2SRC]); + ndpi_free(flow_ext->flow_analysis->entropies); ndpi_free(flow_ext->flow_analysis); + flow_ext->flow_analysis = NULL; } } static void free_detection_data(struct nDPId_flow * const flow) { - ndpi_free_flow_data(&flow->info.detection_data->flow); - ndpi_free(flow->info.detection_data); - flow->info.detection_data = NULL; + if (flow->info.detection_data != NULL) + { + ndpi_free_flow_data(&flow->info.detection_data->flow); + ndpi_free(flow->info.detection_data); + flow->info.detection_data = NULL; + } } static int alloc_detection_data(struct nDPId_flow * const flow) @@ -1362,6 +1368,8 @@ static int alloc_detection_data(struct nDPId_flow * const flow) nDPId_options.max_packets_per_flow_to_analyse); flow->flow_extended.flow_analysis->directions = (uint8_t *)ndpi_malloc( sizeof(*flow->flow_extended.flow_analysis->directions) * nDPId_options.max_packets_per_flow_to_analyse); + flow->flow_extended.flow_analysis->entropies = (float *)ndpi_malloc( + sizeof(*flow->flow_extended.flow_analysis->entropies) * nDPId_options.max_packets_per_flow_to_analyse); if (ndpi_init_bin(&flow->flow_extended.flow_analysis->payload_len_bin[FD_SRC2DST], ndpi_bin_family8, @@ -1370,7 +1378,9 @@ static int alloc_detection_data(struct nDPId_flow * const flow) ndpi_bin_family8, nDPId_ANALYZE_PLEN_NUM_BINS) != 0 || flow->flow_extended.flow_analysis->iat.values == NULL || - flow->flow_extended.flow_analysis->pktlen.values == NULL) + flow->flow_extended.flow_analysis->pktlen.values == NULL || + flow->flow_extended.flow_analysis->directions == NULL || + flow->flow_extended.flow_analysis->entropies == NULL) { goto error; } @@ -1379,6 +1389,7 @@ static int alloc_detection_data(struct nDPId_flow * const flow) return 0; error: free_detection_data(flow); + flow->info.detection_completed = 1; return 1; } @@ -2479,6 +2490,14 @@ static void jsonize_data_analysis(struct nDPId_reader_thread * const reader_thre ndpi_serialize_string_uint32(&workflow->ndpi_serializer, "", analysis->directions[i]); } ndpi_serialize_end_of_list(&workflow->ndpi_serializer); + + ndpi_serialize_start_of_list(&workflow->ndpi_serializer, "entropies"); + for (unsigned long long int i = 0; i < nDPId_options.max_packets_per_flow_to_analyse; ++i) + { + ndpi_serialize_string_float(&workflow->ndpi_serializer, "", analysis->entropies[i], "%.9f"); + } + ndpi_serialize_end_of_list(&workflow->ndpi_serializer); + ndpi_serialize_end_of_block(&workflow->ndpi_serializer); } } @@ -3957,16 +3976,17 @@ static void ndpi_process_packet(uint8_t * const args, ndpi_data_add_value(&flow_to_process->flow_extended.flow_analysis->iat, tdiff_us); } - ndpi_data_add_value(&flow_to_process->flow_extended.flow_analysis->pktlen, header->caplen); + ndpi_data_add_value(&flow_to_process->flow_extended.flow_analysis->pktlen, ip_size); flow_to_process->flow_extended.flow_analysis ->directions[(total_flow_packets - 1) % nDPId_options.max_packets_per_flow_to_analyse] = direction; ndpi_inc_bin(&flow_to_process->flow_extended.flow_analysis->payload_len_bin[direction], plen2slot(l4_payload_len), 1); + flow_to_process->flow_extended.flow_analysis + ->entropies[(total_flow_packets - 1) % nDPId_options.max_packets_per_flow_to_analyse] = + ndpi_entropy((ip != NULL ? (uint8_t *)ip : (uint8_t *)ip6), ip_size); - if (flow_to_process->flow_extended.packets_processed[FD_SRC2DST] + - flow_to_process->flow_extended.packets_processed[FD_DST2SRC] == - nDPId_options.max_packets_per_flow_to_analyse) + if (total_flow_packets == nDPId_options.max_packets_per_flow_to_analyse) { jsonize_flow_event(reader_thread, &flow_to_process->flow_extended, FLOW_EVENT_ANALYSE); } @@ -3982,7 +4002,7 @@ static void ndpi_process_packet(uint8_t * const args, &flow_to_process->flow_extended, PACKET_EVENT_PAYLOAD_FLOW); - if (flow_to_process->flow_extended.flow_basic.state != FS_INFO) + if (flow_to_process->flow_extended.flow_basic.state != FS_INFO || flow_to_process->info.detection_data == NULL) { /* Only FS_INFO goes through the whole detection process. */ return; diff --git a/schema/flow_event_schema.json b/schema/flow_event_schema.json index 87ba541b9..1395b6260 100644 --- a/schema/flow_event_schema.json +++ b/schema/flow_event_schema.json @@ -433,6 +433,12 @@ "items": { "type": "number" } + }, + "entropies": { + "type": "array", + "items": { + "type": "number" + } } }, "additionalProperties": false diff --git a/scripts/get-and-build-libndpi.sh b/scripts/get-and-build-libndpi.sh index 35a6bd8b1..a3c0c52b6 100755 --- a/scripts/get-and-build-libndpi.sh +++ b/scripts/get-and-build-libndpi.sh @@ -38,12 +38,14 @@ cd "$(dirname "${0}")/.." if [ -d ./.git ]; then git submodule update --init ./libnDPI else - printf '%s' '-----------------------------------' - printf 'WARNING: %s is supposed to be a GIT repository. But it is not.' "$(realpath $(dirname "${0}")/..)" - printf '%s' 'Can not clone libnDPI as GIT submodule.' - printf '%s' 'Falling back to Github direct download.' - printf 'URL: %s' "${GITHUB_FALLBACK_URL}" - printf '%s' '-----------------------------------' + set +x + printf '%s\n' '-----------------------------------' + printf 'WARNING: %s is supposed to be a GIT repository. But it is not.\n' "$(realpath $(dirname "${0}")/..)" + printf '%s\n' 'Can not clone libnDPI as GIT submodule.' + printf '%s\n' 'Falling back to Github direct download.' + printf 'URL: %s\n' "${GITHUB_FALLBACK_URL}" + printf '%s\n' '-----------------------------------' + set -x wget "${GITHUB_FALLBACK_URL}" -O ./libnDPI-github-dev.zip unzip ./libnDPI-github-dev.zip mv ./nDPI-dev ./libnDPI diff --git a/test/results/1kxun.pcap.out b/test/results/1kxun.pcap.out index 7e0151494..836594239 100644 --- a/test/results/1kxun.pcap.out +++ b/test/results/1kxun.pcap.out @@ -147,11 +147,11 @@ 00678{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":197,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1470104379271401,"flow_dst_last_pkt_time":1470104373232452,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104379271401,"pkt":"AQBef\/\/6SNIkYzEACABFAAChOp0AAAERyODAqAUs7\/\/\/+si9B2wAjdLxTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":198,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_src_last_pkt_time":1470104379271484,"flow_dst_last_pkt_time":1470104379169121,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":92,"pkt_l4_len":38,"thread_ts_usec":1470104379271484,"pkt":"MzMAAQAD\/PiuMpcsht1gAAAAACYRAf6AAAAAAAAA6Y+64hn3aw\/\/AgAAAAAAAAAAAAAAAQAD1mgU6wAmi+DsIAAAAAEAAAAAAAAM5bCP5L2b5bCI5qmfAAD\/AAE="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":199,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_src_last_pkt_time":1470104379271492,"flow_dst_last_pkt_time":1470104379169283,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":72,"pkt_l4_len":38,"thread_ts_usec":1470104379271492,"pkt":"AQBeAAD8\/PiuMpcsCABFAAA6KxsAAAER6ZTAqANf4AAA\/NZoFOsAJg3d7CAAAAABAAAAAAAADOWwj+S9m+WwiOapnwAA\/wAB"} -01700{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":211,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379118171,"flow_src_last_pkt_time":1470104379286078,"flow_dst_last_pkt_time":1470104379304068,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":720,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379304068,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49601,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":11413.0,"max":56171,"stddev":20339.8,"var":413706496.0,"ent":3.1,"data": [26,52106,52225,22,5484,34,48207,11555,801,69,59,49,273,37,27,28,464,56171,23,50473,3499,84,64,53877,45,17726,143,82,52,49,50]},"pktlen": {"min":54,"avg":835.9,"max":1314,"stddev":585.3,"var":342554.8,"ent":4.5,"data": [66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01693{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":250,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379118544,"flow_src_last_pkt_time":1470104379309514,"flow_dst_last_pkt_time":1470104379309350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":718,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309514,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49602,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":12315.4,"max":66248,"stddev":24063.6,"var":579054976.0,"ent":2.8,"data": [30,54573,54712,41,4152,56,64506,68,36,30,74,39,719,84,86,86,61743,22,885,65392,59,66248,63,504,2917,559,54,52,83,3871,32]},"pktlen": {"min":54,"avg":757.1,"max":1314,"stddev":600.3,"var":360321.4,"ent":4.4,"data": [66,66,66,54,54,413,413,60,373,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,0,0,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01698{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":252,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379117273,"flow_src_last_pkt_time":1470104379305366,"flow_dst_last_pkt_time":1470104379309692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309692,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49599,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":12274.6,"max":66840,"stddev":23326.2,"var":544113344.0,"ent":2.9,"data": [36,53209,53269,23,4558,53,61521,40,293,57,57277,26,5093,104,312,45,266,88,5943,34,1372,65090,55,53,50,66840,34,3844,90,757,80]},"pktlen": {"min":54,"avg":757.2,"max":1314,"stddev":600.2,"var":360235.6,"ent":4.4,"data": [66,66,66,54,54,415,415,60,373,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379119336,"flow_src_last_pkt_time":1470104379328801,"flow_dst_last_pkt_time":1470104379305020,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":369,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":1458,"flow_dst_tot_l4_payload_len":23877,"midstream":0,"thread_ts_usec":1470104379328801,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49604,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":12746.7,"max":96474,"stddev":26329.7,"var":693255296.0,"ent":2.7,"data": [37,50730,50813,26,5716,35,60276,105,70,53,49,73,718,44,49,52,342,56283,26,72323,56,48,50,164,52,68,54,259,49,96474,55]},"pktlen": {"min":54,"avg":847.0,"max":1314,"stddev":555.0,"var":308021.3,"ent":4.6,"data": [66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1314,932,423,423]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379117772,"flow_src_last_pkt_time":1470104379360886,"flow_dst_last_pkt_time":1470104379361184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":362,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":724,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379361184,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49600,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":15694.4,"max":142000,"stddev":32346.1,"var":1046270720.0,"ent":2.8,"data": [54,51945,52076,32,5225,53,60454,877,31,40,63,40,400,73,48,50,170,85115,142000,23,40785,2483,129,70,65,43573,78,404,66,55,49]},"pktlen": {"min":54,"avg":836.0,"max":1314,"stddev":585.2,"var":342449.5,"ent":4.5,"data": [66,66,66,54,54,416,416,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314]},"bins": {"c_to_s": [8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02099{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":211,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379118171,"flow_src_last_pkt_time":1470104379286078,"flow_dst_last_pkt_time":1470104379304068,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":720,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379304068,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49601,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":11413.0,"max":56171,"stddev":20339.8,"var":413706496.0,"ent":3.1,"data": [26,52106,52225,22,5484,34,48207,11555,801,69,59,49,273,37,27,28,464,56171,23,50473,3499,84,64,53877,45,17726,143,82,52,49,50]},"pktlen": {"min":40,"avg":821.9,"max":1300,"stddev":585.3,"var":342554.8,"ent":4.5,"data": [52,52,52,40,40,400,400,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300]},"bins": {"c_to_s": [8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1],"entropies": [4.540471077,4.540471077,4.955154419,4.784184456,4.784184456,5.816493034,5.816493034,4.216916561,5.618361473,7.450107098,7.815211296,7.836095333,7.822941780,7.836542130,7.816992283,7.822154999,7.824875832,7.819305897,4.734184265,4.734184265,7.817429543,7.824024200,7.815408707,7.842577934,4.684183598,4.684183598,7.822679520,7.834252357,7.831438541,7.831308842,7.851968765,7.839091301]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02092{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":250,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379118544,"flow_src_last_pkt_time":1470104379309514,"flow_dst_last_pkt_time":1470104379309350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":718,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309514,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49602,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":12315.4,"max":66248,"stddev":24063.6,"var":579054976.0,"ent":2.8,"data": [30,54573,54712,41,4152,56,64506,68,36,30,74,39,719,84,86,86,61743,22,885,65392,59,66248,63,504,2917,559,54,52,83,3871,32]},"pktlen": {"min":40,"avg":743.1,"max":1300,"stddev":600.3,"var":360321.4,"ent":4.4,"data": [52,52,52,40,40,399,399,46,359,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300,40,40]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,0,0,1,1,1,1,1,1,0,0],"entropies": [4.502009392,4.502009392,4.993616104,4.730640888,4.730640888,5.803964615,5.803964615,4.390829086,5.642121315,7.460942745,7.814809799,7.800187588,7.823173046,7.782991886,7.796648026,7.817361355,7.794824600,4.784183979,4.784183979,7.794241905,7.811538219,7.814032555,4.784183979,4.784183979,7.809308529,7.796229362,7.803008556,7.811974525,7.809011459,7.814390182,4.834183693,4.834183693]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02097{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":252,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1470104379117273,"flow_src_last_pkt_time":1470104379305366,"flow_dst_last_pkt_time":1470104379309692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":21739,"midstream":0,"thread_ts_usec":1470104379309692,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49599,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":12274.6,"max":66840,"stddev":23326.2,"var":544113344.0,"ent":2.9,"data": [36,53209,53269,23,4558,53,61521,40,293,57,57277,26,5093,104,312,45,266,88,5943,34,1372,65090,55,53,50,66840,34,3844,90,757,80]},"pktlen": {"min":40,"avg":743.2,"max":1300,"stddev":600.2,"var":360235.6,"ent":4.4,"data": [52,52,52,40,40,401,401,46,359,1300,1300,40,40,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1],"entropies": [4.540471077,4.540471077,4.955154419,4.834183693,4.834183693,5.784319878,5.784319878,4.303872585,5.637725830,7.471795559,7.791592598,4.734183788,4.734183788,7.804637909,7.807570934,7.830432415,7.825576305,7.818768978,7.845777035,4.734183788,4.734183788,7.838691235,7.833523750,7.842283726,7.806497097,7.842946529,4.784183979,4.784183979,7.828577518,7.834991455,7.820946693,7.813043594]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02094{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379119336,"flow_src_last_pkt_time":1470104379328801,"flow_dst_last_pkt_time":1470104379305020,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":369,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":1458,"flow_dst_tot_l4_payload_len":23877,"midstream":0,"thread_ts_usec":1470104379328801,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49604,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":12746.7,"max":96474,"stddev":26329.7,"var":693255296.0,"ent":2.7,"data": [37,50730,50813,26,5716,35,60276,105,70,53,49,73,718,44,49,52,342,56283,26,72323,56,48,50,164,52,68,54,259,49,96474,55]},"pktlen": {"min":40,"avg":833.0,"max":1300,"stddev":555.0,"var":308021.3,"ent":4.6,"data": [52,52,52,40,40,400,400,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300,1300,1300,1300,918,409,409]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0],"entropies": [4.502009392,4.502009392,4.955154896,4.884183884,4.884183884,5.823695183,5.823695183,4.434307098,5.651605129,7.494920254,7.816417217,7.819696903,7.824419022,7.827455044,7.838195324,7.842068195,7.840069771,7.839951038,4.834183693,4.834183693,7.833738804,7.824559212,7.804037571,7.837569714,7.815773964,7.860733032,7.833745480,7.858436108,7.849576473,7.725791931,5.812777519,5.812777519]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02100{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1470104379117772,"flow_src_last_pkt_time":1470104379360886,"flow_dst_last_pkt_time":1470104379361184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":362,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":724,"flow_dst_tot_l4_payload_len":24259,"midstream":0,"thread_ts_usec":1470104379361184,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49600,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":15694.4,"max":142000,"stddev":32346.1,"var":1046270720.0,"ent":2.8,"data": [54,51945,52076,32,5225,53,60454,877,31,40,63,40,400,73,48,50,170,85115,142000,23,40785,2483,129,70,65,43573,78,404,66,55,49]},"pktlen": {"min":40,"avg":822.0,"max":1300,"stddev":585.2,"var":342449.5,"ent":4.5,"data": [52,52,52,40,40,402,402,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300]},"bins": {"c_to_s": [8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1],"entropies": [4.540471077,4.540471077,4.993616104,4.784183979,4.784183979,5.806403637,5.806403637,4.330940247,5.620885849,6.705548286,7.731300354,7.779007435,7.737928867,7.737201214,7.704045296,7.681565285,7.569606781,4.071334362,6.314223289,4.784183979,4.784183979,7.705962181,7.781871796,7.735430241,7.740441799,7.698603153,4.834183693,4.834183693,7.712049484,7.719846249,5.648873806,3.023065329]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":389,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104379579523,"flow_src_last_pkt_time":1470104379579523,"flow_dst_last_pkt_time":1470104379579523,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":244,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":244,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":244,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379579523,"l3_proto":"ip4","src_ip":"192.168.5.67","dst_ip":"192.168.255.255","src_port":138,"dst_port":138,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00833{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":389,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_src_last_pkt_time":1470104379579523,"flow_dst_last_pkt_time":1470104379579523,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":286,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":286,"pkt_l4_len":252,"thread_ts_usec":1470104379579523,"pkt":"\/\/\/\/\/\/\/\/jHNut5QdCABFAAEQAABAAEARs0nAqAVDwKj\/\/wCKAIoA\/P+KEQouQ8CoBUMAigDmAAAgRkRFQkVPRUtFSkNORU1FSkVHRUZFQ0VQRVBFTENOQUEAIEZIRVBGQ0VMRUhGQ0VQRkZGQUNBQ0FDQUNBQ0FDQUJPAP9TTUIlAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEQAATAAAAAAAAAAAAAAAAAAAAAAAAABMAFYAAwABAAEAAgBdAFxNQUlMU0xPVFxCUk9XU0UAD1DgkwQAU0FOSkktTElGRUJPT0stTAQJA5qEAA8BVapzYW5qaS1MSUZFQk9PSy1MSDUzMSBzZXJ2ZXIgKFNhbWJhLCBVYnVudHUpAA=="} 01022{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":389,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104379579523,"flow_src_last_pkt_time":1470104379579523,"flow_dst_last_pkt_time":1470104379579523,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":244,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":244,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":244,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379579523,"l3_proto":"ip4","src_ip":"192.168.5.67","dst_ip":"192.168.255.255","src_port":138,"dst_port":138,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv1","proto_id":"10.16","encrypted":0,"breed":"Dangerous","category_id":18,"category":"System","hostname":"sanji-lifebook-"}} @@ -167,7 +167,7 @@ 01009{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":404,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1470104379903616,"flow_src_last_pkt_time":1470104379941700,"flow_dst_last_pkt_time":1470104379940364,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":336,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379941700,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49605,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"jp.kankan.1kxun.mobi","http": {"url":"jp.kankan.1kxun.mobi\/api\/videos\/10410.json","code":0,"content_type":"","user_agent":""}}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":406,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":3,"flow_src_last_pkt_time":1470104379916943,"flow_dst_last_pkt_time":1470104379954670,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104379954670,"pkt":"ABxCjnAxTF4M6gNlCABFAAA0AABAADYGguxquSNuwKhzCABQwcaIrnkOwQ72oYASchC\/lAAAAgQFtAEBBAIBAwMH"} 01031{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":409,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1470104379916887,"flow_src_last_pkt_time":1470104379956802,"flow_dst_last_pkt_time":1470104379954670,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104379956802,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49606,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"jp.kankan.1kxun.mobi","http": {"url":"jp.kankan.1kxun.mobi\/api\/movies\/mp4script\/10410?definition=true","code":0,"content_type":"","user_agent":""}}} -01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":441,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1470104379916887,"flow_src_last_pkt_time":1470104380141237,"flow_dst_last_pkt_time":1470104380142241,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":714,"flow_dst_tot_l4_payload_len":20160,"midstream":0,"thread_ts_usec":1470104380142241,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":14506.6,"max":146838,"stddev":33179.1,"var":1100853504.0,"ent":2.6,"data": [56,37783,37994,70,1795,58,38952,109751,153,146838,45,329,66,113,56,463,29,236,62,115,388,44,244,36267,36544,26,410,130,482,92,113]},"pktlen": {"min":54,"avg":707.6,"max":1314,"stddev":612.0,"var":374554.6,"ent":4.3,"data": [66,66,66,54,54,411,411,60,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,54,54,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02100{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":441,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1470104379916887,"flow_src_last_pkt_time":1470104380141237,"flow_dst_last_pkt_time":1470104380142241,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":714,"flow_dst_tot_l4_payload_len":20160,"midstream":0,"thread_ts_usec":1470104380142241,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.185.35.110","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":14506.6,"max":146838,"stddev":33179.1,"var":1100853504.0,"ent":2.6,"data": [56,37783,37994,70,1795,58,38952,109751,153,146838,45,329,66,113,56,463,29,236,62,115,388,44,244,36267,36544,26,410,130,482,92,113]},"pktlen": {"min":40,"avg":693.6,"max":1300,"stddev":612.0,"var":374554.6,"ent":4.3,"data": [52,52,52,40,40,397,397,46,1300,1300,40,40,1300,1300,1300,1300,40,40,1300,1300,1300,40,40,1300,1300,40,40,1300,1300,1300,1300,1300]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,0,1,1,1,1,1],"entropies": [4.540471077,4.540471077,4.955154896,4.784183979,4.784183979,5.758289814,5.758289814,4.303872585,5.568258762,4.972586632,4.784183979,4.784183979,4.816908836,5.305360317,5.245053291,5.141684532,4.684184074,4.684184074,5.953328609,5.139973164,5.197480202,4.784183979,4.784183979,5.838756561,5.133826733,4.734184265,4.734184265,4.452571869,4.709616661,4.691545486,5.564413548,5.160192013]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":458,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104380188079,"flow_src_last_pkt_time":1470104380188079,"flow_dst_last_pkt_time":1470104380188079,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104380188079,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"218.244.135.170","src_port":49607,"dst_port":9099,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":458,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_src_last_pkt_time":1470104380188079,"flow_dst_last_pkt_time":1470104380188079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104380188079,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UhRAAIAGEmDAqHMI2vSHqsHHI4t8ty1+AAAAAIACIAAqAAAAAgQE7AEDAwgBAQQC"} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":459,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_src_last_pkt_time":1470104380188122,"flow_dst_last_pkt_time":1470104380188079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104380188122,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UhRAAIAGEmDAqHMI2vSHqsHHI4t8ty1+AAAAAIACIAAqAAAAAgQE7AEDAwgBAQQC"} @@ -224,7 +224,7 @@ 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":569,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104382053678,"flow_dst_last_pkt_time":1470104382053678,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104382053678,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":569,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1470104382053678,"flow_dst_last_pkt_time":1470104382053678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104382053678,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UjJAAIAGjM3AqHMIt4MwkMHNAFBSJ8A7AAAAAIACIABfkwAAAgQE7AEDAwgBAQQC"} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":570,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_src_last_pkt_time":1470104382053709,"flow_dst_last_pkt_time":1470104382053678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1470104382053709,"pkt":"TF4M6gNlABxCjnAxCABFAAA0UjJAAIAGjM3AqHMIt4MwkMHNAFBSJ8A7AAAAAIACIABfkwAAAgQE7AEDAwgBAQQC"} -01944{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":571,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1470104380890420,"flow_src_last_pkt_time":1470104382084858,"flow_dst_last_pkt_time":1470104381881083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":445,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":3612,"flow_dst_tot_l4_payload_len":6271,"midstream":0,"thread_ts_usec":1470104382084858,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"42.120.51.152","src_port":49609,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":70487.1,"max":398999,"stddev":104302.2,"var":10878943232.0,"ent":3.6,"data": [50,76520,76599,25,1136,41,62341,85,61755,47,298859,73,398999,66467,177,166123,34,60273,507,89,60822,34,117112,46,178142,469,61984,45,102335,44259,349653]},"pktlen": {"min":54,"avg":364.6,"max":1314,"stddev":410.3,"var":168364.1,"ent":4.2,"data": [66,66,62,54,54,306,306,60,79,499,499,499,499,60,1314,1314,54,54,1314,1314,542,54,54,281,281,60,79,491,491,60,747,54]},"bins": {"c_to_s": [9,0,0,0,0,0,0,4,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02343{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":571,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1470104380890420,"flow_src_last_pkt_time":1470104382084858,"flow_dst_last_pkt_time":1470104381881083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":445,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":3612,"flow_dst_tot_l4_payload_len":6271,"midstream":0,"thread_ts_usec":1470104382084858,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"42.120.51.152","src_port":49609,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":70487.1,"max":398999,"stddev":104302.2,"var":10878943232.0,"ent":3.6,"data": [50,76520,76599,25,1136,41,62341,85,61755,47,298859,73,398999,66467,177,166123,34,60273,507,89,60822,34,117112,46,178142,469,61984,45,102335,44259,349653]},"pktlen": {"min":40,"avg":350.6,"max":1300,"stddev":410.3,"var":168364.1,"ent":4.1,"data": [52,52,48,40,40,292,292,46,65,485,485,485,485,46,1300,1300,40,40,1300,1300,528,40,40,267,267,46,65,477,477,46,733,40]},"bins": {"c_to_s": [9,0,0,0,0,0,0,4,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0],"entropies": [4.633441925,4.633441925,4.967222691,4.981687069,4.981687069,5.768459320,5.768459320,4.652828693,5.358993053,6.064707279,6.064707279,6.054220200,6.054220200,4.609350204,5.268521309,4.718248367,4.931687355,4.931687355,4.699154854,5.227048397,4.912804604,4.931686878,4.931686878,5.830219269,5.830219269,4.609350204,5.397304058,6.051352978,6.051352978,4.696306705,5.685911179,4.912815094]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":573,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":3,"flow_src_last_pkt_time":1470104382053709,"flow_dst_last_pkt_time":1470104382122949,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1470104382122949,"pkt":"ABxCjnAxTF4M6gNlCABFAAAsAABAADEGLgi3gzCQwKhzCABQwc0rYeLSUifAPGASOQhglAAAAgQFtAAA"} 01501{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":577,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104382125031,"flow_dst_last_pkt_time":1470104382122949,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":503,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104382125031,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"183.131.48.144","http": {"url":"183.131.48.144\/vlive.qqvideo.tc.qq.com\/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE65694457E3F53549CD617D5C9F671A26C70DC68F93F1D7BCD017762F&guid=F5EB01CC01A8E08CD83630828DE17C2B02162FD8&locid=a06f98fd-fa26-44e5-acc5-0d83f9df03af&size=9418655&ocid=253564332","code":0,"content_type":"","user_agent":""}}} 01528{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":582,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":3,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104382125065,"flow_dst_last_pkt_time":1470104382192288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":281,"flow_src_tot_l4_payload_len":1006,"flow_dst_tot_l4_payload_len":281,"midstream":0,"thread_ts_usec":1470104382192288,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media","hostname":"183.131.48.144","http": {"url":"183.131.48.144\/vlive.qqvideo.tc.qq.com\/u0020mkrnds.p1203.1.mp4?vkey=7AB139BF6B32F53747E8FF192E6FE557B3A3D644C034E34BF6EAEB4E0774F2A92EF3AC5C007520BB925E5C8A18E6D302C2DAE0A295B26AA8FD1DC8069D47CE1B4A16A56870BD1ACA3E86ABE4C079659DB2182FC71217AB68CCD344CE65694457E3F53549CD617D5C9F671A26C70DC68F93F1D7BCD017762F&guid=F5EB01CC01A8E08CD83630828DE17C2B02162FD8&locid=a06f98fd-fa26-44e5-acc5-0d83f9df03af&size=9418655&ocid=253564332","code":206,"content_type":"video\/mp4","user_agent":""}}} @@ -252,7 +252,7 @@ 00897{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":608,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1470104383810371,"flow_dst_last_pkt_time":1470104383815221,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"thread_ts_usec":1470104383815221,"pkt":"ABxCjnAxTF4M6gNlCABFAAFIAAAAABARrEPAqHcBwKgFEABDAEQBNHbOAgEGABeXwMwAAAAAwKgFEMCoBRDAqHcBAAAAAGDFRwW8jAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEFNgTAqHcBMwQAAAA8AQT\/\/wAAAwTAqHcBBhCoXwEBCAgICKhfwAEICAQE\/wAAAAAAAAAAAAAAAAAA"} 00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":612,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1470104384085549,"flow_dst_last_pkt_time":1470104378045830,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104384085549,"pkt":"AQBef\/\/6\/PiuMpcsCABFAAChLEMAAAER2QfAqANf7\/\/\/+uhMB2wAjbUvTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} 00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":618,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1470104384289461,"flow_dst_last_pkt_time":1470104381217586,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104384289461,"pkt":"AQBef\/\/6CJ4BzeuNCABFAAChFFAAAAER7zTAqAUl7\/\/\/+t\/tB2wAjbvITS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} -01839{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":622,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104384990940,"flow_dst_last_pkt_time":1470104384790982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1006,"flow_dst_tot_l4_payload_len":9497,"midstream":0,"thread_ts_usec":1470104384990940,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":183050.5,"max":862765,"stddev":252834.9,"var":63925489664.0,"ent":3.6,"data": [31,69271,69368,26,1928,34,67940,1399,6083,291,73959,37,665858,862765,47,408647,411020,37,251400,251827,47,336785,335976,58,329935,190,130781,55,599505,799208,58]},"pktlen": {"min":54,"avg":383.3,"max":1078,"stddev":452.5,"var":204736.5,"ent":4.0,"data": [66,66,60,54,54,557,557,60,335,1078,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,1078,54,54,1078,54,54]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +02238{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":622,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1470104382053678,"flow_src_last_pkt_time":1470104384990940,"flow_dst_last_pkt_time":1470104384790982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":503,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1006,"flow_dst_tot_l4_payload_len":9497,"midstream":0,"thread_ts_usec":1470104384990940,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"183.131.48.144","src_port":49613,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":183050.5,"max":862765,"stddev":252834.9,"var":63925489664.0,"ent":3.6,"data": [31,69271,69368,26,1928,34,67940,1399,6083,291,73959,37,665858,862765,47,408647,411020,37,251400,251827,47,336785,335976,58,329935,190,130781,55,599505,799208,58]},"pktlen": {"min":40,"avg":369.3,"max":1064,"stddev":452.5,"var":204736.5,"ent":3.9,"data": [52,52,46,40,40,543,543,46,321,1064,1064,40,40,1064,40,40,1064,40,40,1064,40,40,1064,40,40,1064,1064,40,40,1064,40,40]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0],"entropies": [4.463547707,4.463547707,4.611080170,4.784183979,4.784183979,5.504161358,5.504161358,4.457919598,5.616157532,3.396698952,2.285910130,4.834183693,4.834183693,2.224251509,4.834183693,4.834183693,2.277304173,4.834183693,4.834183693,2.234616041,4.834183693,4.834183693,2.318356037,4.834183693,4.834183693,2.277927399,2.247195482,4.834183693,4.834183693,2.248827934,4.834183693,4.834183693]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} 00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_src_last_pkt_time":1470104385211573,"flow_dst_last_pkt_time":1470104382241911,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104385211573,"pkt":"AQBef\/\/6uKxvwfbSCABFAAChJ0oAAAERfD7AqGUh7\/\/\/+ti9B2wAjWL8TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} 00679{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":626,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_src_last_pkt_time":1470104385211727,"flow_dst_last_pkt_time":1470104382242882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1470104385211727,"pkt":"AQBef\/\/6cPGh+Cr9CABFAAChfwAAAAERhKDAqAUJ7\/\/\/+ti8B2wAjcMVTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} 00684{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":631,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":2,"flow_src_last_pkt_time":1470104385418800,"flow_dst_last_pkt_time":1470104382448863,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":179,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":179,"pkt_l4_len":145,"thread_ts_usec":1470104385418800,"pkt":"AQBef\/\/66LH8q\/uyCABFAAClCewAAAQR9ojAqAUx7\/\/\/+sn4B2wAkYV1TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpkZXZpY2U6SW50ZXJuZXRHYXRld2F5RGV2aWNlOjENCk1hbjogInNzZHA6ZGlzY292ZXIiDQpNWDogMw0KDQo="} @@ -522,7 +522,7 @@ 00903{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1282,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1470104373025824,"flow_src_last_pkt_time":1470104373127416,"flow_dst_last_pkt_time":1470104373025824,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":26,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":52,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104423298822,"l3_proto":"ip4","src_ip":"192.168.5.44","dst_ip":"224.0.0.252","src_port":59571,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"LLMNR","proto_id":"154","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00915{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1282,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1470104377634231,"flow_src_last_pkt_time":1470104378045036,"flow_dst_last_pkt_time":1470104377634231,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104423298822,"l3_proto":"ip6","src_ip":"fe80::edf5:240a:c8c0:8312","dst_ip":"ff02::1:3","src_port":61603,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"LLMNR","proto_id":"154","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00905{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1282,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1470104377720702,"flow_src_last_pkt_time":1470104377820998,"flow_dst_last_pkt_time":1470104377720702,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":88,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104423298822,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"224.0.0.252","src_port":51458,"dst_port":5355,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"LLMNR","proto_id":"154","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1299,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1470104379118972,"flow_src_last_pkt_time":1470104424311883,"flow_dst_last_pkt_time":1470104379310452,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":723,"flow_dst_tot_l4_payload_len":22966,"midstream":0,"thread_ts_usec":1470104424311883,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49603,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":1464012.6,"max":45001141,"stddev":7948794.0,"var":63183326806016.0,"ent":0.1,"data": [34,54477,54551,26,4891,45,65495,70,68,364,89,71,208,46,29,27,25,61484,19,69006,62,56,48,731,52,51,51,454,70696,24,45001141]},"pktlen": {"min":54,"avg":795.6,"max":1314,"stddev":593.2,"var":351838.7,"ent":4.5,"data": [66,66,66,54,54,415,415,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1281,54,54,55]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02108{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1299,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1470104379118972,"flow_src_last_pkt_time":1470104424311883,"flow_dst_last_pkt_time":1470104379310452,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":361,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":723,"flow_dst_tot_l4_payload_len":22966,"midstream":0,"thread_ts_usec":1470104424311883,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"106.187.35.246","src_port":49603,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":1464012.6,"max":45001141,"stddev":7948794.0,"var":63183326806016.0,"ent":0.1,"data": [34,54477,54551,26,4891,45,65495,70,68,364,89,71,208,46,29,27,25,61484,19,69006,62,56,48,731,52,51,51,454,70696,24,45001141]},"pktlen": {"min":40,"avg":781.6,"max":1300,"stddev":593.2,"var":351838.7,"ent":4.4,"data": [52,52,52,40,40,401,401,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300,1300,1300,1267,40,40,41]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,17,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0],"entropies": [4.578932762,4.578932762,5.032077789,4.884183884,4.884183884,5.794129372,5.794129372,4.434307098,5.652597904,7.484868050,7.818575859,7.782110691,7.797027111,7.823266506,7.845933437,7.821538448,7.845500469,7.838393688,4.834183693,4.834183693,7.836544514,7.832671165,7.837013721,7.831301689,7.829290867,7.832065582,7.849477768,7.838781357,7.842006683,4.884183884,4.884183884,4.829466343]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1318,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":118,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104424738880,"flow_src_last_pkt_time":1470104424738880,"flow_dst_last_pkt_time":1470104424738880,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104424738880,"l3_proto":"ip4","src_ip":"192.168.0.104","dst_ip":"192.168.255.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1318,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":118,"flow_packet_id":1,"flow_src_last_pkt_time":1470104424738880,"flow_dst_last_pkt_time":1470104424738880,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1470104424738880,"pkt":"\/\/\/\/\/\/\/\/AAwpjO\/4CABFAABOZ6MAAIARUUPAqABowKj\/\/wCJAIkAOgIy8PkBEAABAAAAAAAAIEZERURDT0VCRkNGQ0VCRU9FREVCRkNDT0VQRkNFSEFBAAAgAAE="} 00895{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1318,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":118,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470104424738880,"flow_src_last_pkt_time":1470104424738880,"flow_dst_last_pkt_time":1470104424738880,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470104424738880,"l3_proto":"ip4","src_ip":"192.168.0.104","dst_ip":"192.168.255.255","src_port":137,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"sc.arrancar.org"}} @@ -808,9 +808,9 @@ 16052{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1490,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":144,"flow_packet_id":3,"flow_src_last_pkt_time":1654385136216297,"flow_dst_last_pkt_time":1654385136563824,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":11586,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":11586,"pkt_l4_len":11552,"thread_ts_usec":1654385136563824,"pkt":"nLbQ0+MztKXvZygQCABFAC00DihAADYGILqsaXlSwKgCfgBQtISflMKw6t\/AxoAQAOsWCQAAAQEICsmhz1fytRrc\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMABAIDAwMCBAMDAwQEBAQFCQYFBQUFCwgIBgkNCw0NDQsMDA4QFBEODxMPDAwSGBITFRYXFxcOERkbGRYaFBYXFv\/bAEMBBAQEBQUFCgYGChYPDA8WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFv\/AABEIASICJgMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APBdf1K+GvXii9uOLh+PNP8AePvX3sYx5VofGybuyCPU74H\/AI\/bj\/v6aJRT2Rm7k8epX4YOt9cAjuJWH9aSST2IblqrnQL4t8Q3MQik1KVRjBKHBP1NevVznGVKfJdLzSSb+f8AkeVSyfB0586Tfk22l8hyahfbc\/bJ8\/8AXQ815Liup6V3awj6le4P+mTc\/wDTQ1m4rsRKT7kYvbvJJuJTk5OXPJosuxnd9xJ9QvGGGupW9MuaaS7FXfcjS9u1O5bmUHvhyKvRju+4Nf3e7f8Aapd3rvOaq3kNXvuRPql6uVW7mAPo5qko9hq\/cZFqF3nAuZQD1Ac1XLHcevcuW+pXqji7mHsHNZuK7EO66k0Wo3I5+0SfUMaOVPoLXuSnUb0qV+1zFfTeanlXYSchh1G9Xpdygf8AXQ1SiuxevcaL++yMXU2Ov+sNXyrsUnLuPF\/fA\/8AH5Pg\/wC2apKPYbb7kqX98W\/4\/J\/+\/hoaVtiHJ9yaLUb3OPtc3\/fZqLLsCnJolTUb4HP2yb8XNJ27Cu72uNOo3p\/5epvpvNPlXYTb7jW1G+xj7XN\/32atJLoOM5EcmoXuP+Pub\/vs0JK+w3KSBb+9zzdzZP8A00NU0mtENSa6iS6nqCQMFu7gqSMgSdTnA6njk1nJxirsuHNOVkN8XeLPDuh303hfxGPGllIeZruy8lXkXpmLfkhDg4IwTXlSxlaS9yMV+Z6dHD04WlJ3OW0e88CpLqdx4X8Zawt5bwNNax+Jm8oz7efLSRCU3nnAbGegIzURrTi1KUfuO2ac9E9Dnpfid4iuNdW5XUWkd8Zi85xHNx93B5Vu1diqNO8UZyw6kmpM9K0vWLm+0u3voby4CTpu2MWDRnOCpz3ByK9SDjKKdjyatOdOTi2Wlvr3Oftc2R\/tmqtHsYtvuSJqF6SP9Lm\/7+GqUV2FzPuWX1S8ZNhuZCQoVW8wjaB6fWlyrqhcz7jF1G9Ax9qm\/wC+zTcI9ik33GtqF5zi7m\/77NHLHsHM+4qajegY+1Tf99mk4R7Am+5Il9et0upv++zScYroHNLuSw3F40yAXcpP++ayqpW2Nad77m7bpeKgMtzMB3+c1zx0exvJe7uUby7uopmQXUuB\/tmupJW2OZN9WZV5qd4krbbuY\/8AAzVWj2C8n1KjanqLHm7mx\/vms7JvYpXsXLS+vcZN1N\/32atRXYlt3LDX92RxdSn\/AIGazcoroaxi2tyE6heE8Xcv\/fZq4qL6EyUlpcVb+9Jx9qm\/77NaKMexnd9y1BdXxAP2qX\/vs0\/d7A3LuWYby9B5upv++zQ1HsS2+5bgvrr\/AJ+Zc\/7xqHGPYTbvuLLf3fa5l\/76oUIvoVGbRE2oXn\/P1L\/32aiyT2NubmW46O9vSf8Aj6l6\/wB41olHsYyuupYS8vNvNzJ\/31T5Y9iby7kiXd2f+XmXH+9TUV2DmfckS5u8D\/SJP++jVcsewc0u5PDcXhPNxL\/31Ryx7BzPuWkurkDP2iTp\/epcsewnJ9yveXt8WBW4kH\/AqiUE+hpTnpuWIr68EY3XEmR1+aqUI22M5N9Gb3hnVJwwJmY\/U1y1oLsQ3LudXLqQNod9wc46ZrjUHfYjn8zldWuZWnJjuH68YNd1NK1mieZ9yGDULmMAGd\/zq+VdgfM+pDf6vcqhCzuSfeqSj2KipPqZc13eFC32mT\/vqlzRvaxvytLcggv7sT7jdSf99U3FPoHM7bl\/7XczJn7RJx0+as3FdjJzlfcW1kuo0bNxJljnO40KMewnNt6sFurtWYedJj13Gm4prYG5PqfNuvpjXr0+tw\/\/AKEa44u8Ujvk9WVNvH+eavUVx8WemaZLNWwOFH0pEW1NNXwnT86TehLRGWB5qGjGSFJOKRKIXOckk4prcaWokRNPVajtYVgSuAafMUiIxZNXcq45IyDS5kQ2TKM8dKTY3qPjOOlVcT7Eqn5eTQGwx2yTVRBMVCevansO5MpGKBvYeHHGKaE2SKwGDmkJIfuwKhsHcN+WweM1SDW5Vu7+zt5khnuYo5ZPuIzgM3uBQ5JPUtU21dLQ3DowXw1Lqs+pW0biLzYbcHc7Jnl2AOQo9a0tFL3nYcYtuzMC51O0MkdrY3VtcySMTtilJQL\/AAyFyOh7DqB1rGVdWOhYW4XtzptnB9o8ToP7PjDF7AzBDezAZi+Yc7ATu468CuTESlOK5XZo3o0eVu5w3xEuNb8beKLnX4rK4uonjiggEbB3VEQIq8ck8E8CuGLUI2k9TtUErJLQ4fVbW5sLSeK8gmt5iMGOeMo4\/A1vBmsE3USMfTbhwwiLkfMCh9D600dlWOnMj6W+Hl9p2s\/BaCW3y2oWl2WuSVO5HIAYE994AOOxT3NexSanBOGi6+p4eJg3NtjkJK7ugPT3rVM89olVgEDZyW4HH507iHPxEsgOc8H2qr6BYYXzUbBYcppsbRPbxNKcKKd7bisXBazouTE231AqbooI3MUgfoVPek1cFKxpHWFMJyTnHTFZ+zVy\/a6GTcTvLKTuxmtUjN6laVC569e9Fhp20FhgUHLYNSopGi13JZchcLUOZap9RIQcHOeahq+ppdINnPrWkLoyqSuKg5B71sZbl22kAHUUrag2Th8nINVcgfHJgioYEpJPQU0FhyR7jjtTaHcmSLbzntQhEqDJxTsIngTPamrgW4oh1NMm5KF29KBX10FbpzSBtkTDL5zmnYEx2C3WkDZZs2khbKMVqZJMT1LyXEz43SEis+VIVrCGQ\/xdalpENdSKeT5TjmhCMy6c7utaI1inYIC0i7Sc1Lir3LcmkRXMRV8jNaRJTvuW9JPIyelROJLRrKqY9sVlYy6kFwi5+U1cSkz5u17H9u3mT\/y8P\/6Ea4Y7I9CW7KbYJxWiELGBuFNgzTscDHNIRb3\/ACYpWJaBWz3qGYzRIThaRCRDKw\/\/AFU0XEYrjNOw2iYfMakVkO209RXdxwxjNDuJthjvimtQQADPWtRu1hx9u9IQgGadwHLwQKECV3qSL97rVF7MUA5xQ2Jqw9GxnIPtSbGkZOq+JbSyuBD99jxw3+fzrmqV1Dpc6qWFlUVyVdWknsILm1NrGkj7Ge8kaMIecE4HQ46jis\/rXNokbrA23Zi3WlD+1I\/Ed3rNhcSQoS0MaiZGA\/gYfeUNkjNRz8zu9TqhTio8kUzm9f8AEus61rNubSya0W2QpAkf7sqhPILd1z3NTVrSeq0sa0qMYLletx6eFNSlu2t9Lmd4j5cpjWQfuiyhgDzyPTsenWsowbdzWUlFXZ02iWF6biWK\/kVLmxXHlXdqWIzxxz8vHPIx6Gt4t7MwlGO8Sfxdf2VzpkcWnx6ei25CLugH+tz2IwV9fWnNxasyYxaeoal4s1PUvh7b+ENWsodc0yG8MrXF0m6dG2AMkcxOQF7GsJUF8VPc0hPkle5454n0p9O117WC3uVAG9FmQhwvXkew7\/jRDmXx7noUqinC7Ou+D3iS903U3tre4dFuwGVf4RIPun29Poa78PWcW4rqcVakkz1P7XHewJcwRmNX5K5zt55H4V1Xb1PHcFGTRNA4CYZWI7c9BWsGYztc0dKs5ruK5WNSRHbtN\/3yR\/jWnMRsVzDIDhlII7EVDaLsKoK0lJXHytGvoBQsA2KmUmC0OnKqLQgAAGsepfKtzm9YVVlOMc10x2MpKxQFVYgXGKClsAHGc0CuOQHNDGpWHhdwArJw1N1VVrF7SdOlvpxHHx6mnpFakNuWxY1jQp7GPzd29e59KcJKWgmnbUyse9XcaBTg\/wD1qdxNXJoye1K6J5W9ixH0yapK4rWLCN05p2E7liI7TihoSJhycc4pWsG5NCBuweaVykrlyCLIBAo5hOBOCEGCKOdE8gyeULGWU0N6CSaZDHLvYc1KZq46EyLurRGNifARQSM5ouA25kAgLDqO1TcpIZp15vk2HipYpx0LrnJz2rNswGOvynJ61N7AZ9yOTWq1Nosn00ChhPckvkXYT3oiyYmYL4xSbQKJs6IQvozVsb3zY8luahPsZ1KVth8s4A65q1oZKPY+bddkLa7fdcfaX\/8AQjXEvhR6Ul7zKu89xTWpNiWJuR6UyWaNiDtBNBHUtE4HWpbJkwjOOlQ2QPMnGMc0lZgV5HJOaYDEJLdTzTSuxliIsOM07CJ1cYwDRa7Cwu7Ham0iGhAwNJ6B0F7YzVJ3DQdnkE07jsLmmTYkUZx3xS2LumO5HWncYm7Bqb3AzPFurJpOlNOdpkf5I1J4JxyT7AVjUnyxub0KXtJ26Hj+qazdXN8WikJ+bexPO8\/4egrlULq7PoYU0oJMbJ4l1Nh5c0iTpnI8wcj6UnTRaoxsWtButT1PW7O1hdA8zkooGGAAJLZHsD+VZqKvaL1H7NRVzudQ+K95L4YudCax01FsxshuBaoJpFZhlC2MkZJatvaPlVkczw95ud9zndM8WLZ6hHJDEscEyBfLQldgHVfoTnj3qYtJsHCTXoP1vxbqWoX0cTXs7xQ8W8jv+8QHjBI646flUzvvcmKS1sWGuo5dIUER3lzGAxHn8n\/ZZSM8Um31Nbdth\/hzW7+DUojfQEgKRDbltgbdx8yjsMnGOvrWlGeur0RjiI6aLU9sk8JeCvHJae\/1KSye6jgs\/tBIIZjJsCgcZyGHTso7V6U4wm+bueSsRXw60W12eIeOPCF74A8X2cGpIIo7iMz2bK2d0QkKgn\/axjjtXG6TpTsezCtGvT54nceB7gXGjN+8z5crDbjAUHkY9Qa76ElKJ5OLTVQ3oQXQDd0O0D1raUuVHPCPM7Hb+DLe3MAwwGVw3r9K4J4lt2PQWF03F8VwWucqFDAckVtGblE55RSZyjqO1CuOSVgjYo+VJBHQg11Rjc5GtTUi1O48oL5mR2zUuCHzFS7mMkhLHNXFEPVjbSMzzrGONxApykkilFvQ6eXQ1W0wEGAvWudVrs0dK25zMqeXMU9DXQZND1XjkUCLtjEpjLHmpbKUbl\/T7wabOJQuQfvYpSjzIpPlLev69bXViYYQctwSazhTlF6lXTOZB9K1QrACD9ampPlVzWnDmkkS22TzXlurUlM9T2MIRLSgivWo8zjqeRWtzWRLCCTgDNa7GJct4z+PvTuSW4oiRSC5Yiix2rJmsWW4dqjmlZsJNDbpd68ZNFmgUkQrCzAgg4qkiL6iRWu2XJ49KaC5chQYqrmexBq0wjj4PI96iTsrlRiVtPkMwIbpUqV9Qk7E0UBjlL56UyeYsxzc7TWckyZMsoheM8Vm2YXsUryIqT79a1g9DSIWbrHy3Aq5I1ab0KmrXyq3yuCaSHCDuZkjmY7s4NaWTRuvdLdlJ5KgZye+alQtsZVJuZIbgsTzTtYxSaPCvEKga7e\/9fD\/APoRrzou0Ud8nqyntzVXFcliXmhEtmjZjCjOKGyWSyHnHFQyADDHXpUvUQN0zkVSVkJEbAE0g0uNUYPHGa0TViiYMQeo4piF3c9aOgChj0pCdh6k+tK4bD19M0bCuhwJzVJhcdGxxTGT25Xcc0O4JaiynJ5PSgl3ItwHHSlZlI8x+L2pPceKFsmkIgsogpUHqzcn+n5Vy1XeVme3gadqN+rONlG0FiOoyai7R6C1djZ+GXhC88X649rAwjhhQyTSMOAOyj3NcmLxMaEFJ6tnZTpOo7I9i8OfCa20fTmvZ5ZHu4o3MBQ4MIx0z34z+deLPMakpXjodccHFK8tWeaa7oFq3iS4ijXahBk2kcjCkgfj\/SvSo15OmmzhqU\/eaRzV5EV+6oOXyT\/P+VdUXdnCprYJc+Z58YK4A4A\/A\/0q7aBF6WCa6EzGC4RVKjCODjbTt1GotLmiylDeXtlcbllbcp\/jOavlTOhxjNXPRPhr8RbqyjjtLvTbO+Fm7T2ayBgBcNhRITnkKM8euK2hVlHQ4MRg4yu72ub3jCQ+MvhjqHn3EN34g0S4\/tMyf8tJYWZllRfVQNjkdtppuSqxd90KjT9lUVtnp93UX4RNHceHzOhXex2mMHOQDx+I5+oIrowrTVzlx8bWOrEu1hxtGcke9dU43Vjzoy5ZXNG01OWH5onKnHauJ4aVz0Vi4co261C5uPvuTXZCCijhqTcmRox6+n6U+VXuLmbQ9WI60+ZXsKUWP3HGKtEMGz1qriJrCXypw\/8Ad6VjUTaNqbSZ0ba239nGEvjIx71yxjaVzqnZxMOVw7lietdaZxz0FH3cCmQSwz+Scdc0rXNE7Ed3dlzjsDzVJENpkSHPemxpj1XJz3pJBccFOfrSlFNWZpCViaLC89h2qI4eKdzWdebViyrbhkV0JWOR6lywizg1Mi0jSjiym4AZFCZMkTwL04+tVozIs7F29MGpaHcQA9DVJWQpMlt+T0qZCWxOI1IzipuJtkUygjOOKZSYiqQhODikEtzn\/EczK2OeeKyqvSxvTimix4d\/1AOeaKSsiKyNQEHr1rTU5+oiqBJmpewMuwvhKycTPl1Kt+wwSeOK0gaRVjLupf3TbTyK1ZrHc43VtQnXUPLIIGeua5ZNqR1wScbmpYzt9nLE5rqj3RjLcguNTkibnGKyq1eU1hRU9iCLVmlY4Oce9c7xdzZ4PlWp5j4glX\/hIL0Z6XMn\/oRrJL3UZyWrIEbPOaZDRLFgnNUiWXYW+QdqkkJHI79aSEEbj1oaJH+ZxikIb5nJpglYA5IzRsMdnjPrVJjHp0ptoTHihMVhy+tQwJUPy\/8A1qZLihcc4oHYFyGo1GSLkVoK44HOc0EtjQNzc0ylueV\/FOwVPEGoXyvlXlRCCP49oLfhjFefUuptI+gwUn7OKZylwfvMTkZA\/DFCO2C6H0z+y54UWw8DwXsifvtRP2l8jnB+6Py\/nXzeOqe0rPy0PbwkOWnfuevNpEc1rJGQFEiFSfTIxXGkkzaT0PmH4jWLaVqj6gqtstLlrW7Q9VU8Bj+ORXq4WTl7p5leNvePN523KY8g7X7elepBdTzJJXuMtZFTcrcqRkVrYzmm1oMu4on3PjbkcUloVTk1oVchYwsgR1zgHIJWnc6bdVudX4DuNCsxdR6u7QwXUB8t1j5LAjgSAHGcdgepohe7dznmpyLi+IoINaZrIpHEI3WJY4gkZh27cMMZOckZJycgmq9o4vmQ+VW0Nz9nl7V31LTpXlUAMFABJQg8OB34BB\/CurB25rnLjotw5juLqNkYEkE5KHHqP8RzXopaHiiQnjGfpSYXsToRnjrTS0Al52cEVLLgNBOalI0bVhySqp5onUsZxg5MvW08LpggVmqrZo6dkNnRUOV6E9K3WqM1poNyT0NZs2THxjoTVRM52ZKWIOauxlYZvJPNOyC4igk5xQIkQc5NFimSpnOaYrkg9vxpWKXkPSMsen5VaVhtdy5bQnPTjNUQX7ZfLHPFRJXGnqW45l2beMmoW45xdixAc4q0rGDvsTg8UwSHIvPNFwZMqhASKi+oWJASVyTSFYgeQBgD0HWm1oNeZ2XhJLC7sfLlWLAGDkDNeZXlUjLQ0VmzlPiJo1pDcGS26dxW1GUpq0h6x2Ocs828eBXZaxLRo2soZMueTSvqS4CySBW60ENCi7CjlqXLcXKVL68DDg1UYlqJSEgYEbsD+dW9DRIyNVsopJd4x1qHG5afKhsa+VBiqitbEGbq1v5wzuIFY16KkrnRQrODKmm6aSWwzdPWvNWHaPQeMTR59r+Rr97n\/n5f\/wBCNbQacUckt2Rp90UGbLEHYCqtpczkXYfuCpZOrQ2c470kJkYLYzQ2LyHCTI9KQrMRTknnpVDsSJwvvQSx4JzmncvoKH7elTZkpXHq+fWhJ3CxIjH0p2FYlQ4xSAkB5oJHA5OapDQvOQe1WvMloXOD6UAkLu75oY0cb8S9KebQpgg3SPOboZ74AGP5Vy1IHqYKu+dX22PN9E0+61fWLfS7OJ5Li7mEUar1568eg5rnqVI04OT2PehBykkj7o8E6ZFpuhWlsoUJDCsYOcDgY\/pXyjd3c9uPuqw\/xP4p8MaPEYr3xBZRT9oUfzJM\/wC6uauNKb2REpxWjZ4B8UtX0q91ye8jSWWz1CMwagmwjcvaVc9wcGuyjTmtOvQ5qjizya\/sTaXbBGWSOQYV16HHcfUV60Kl1qeVUg0Z7IyuQOua6E+qMr9yS1eF5jHc\/KOxxytD0V0HLbUq3UJhcERg4zyf4h9O1Lc2hUUtLmlollLe6otnC0tyGIeIQJu5PHI\/h9x7VMXdXaHJNaoj1xWGuzRJwEwqlGHzAt1wOmcdO1PYmyjG50PwevDb+OHhWWSJzMxRhjPHbmtaLcJxkY143pfI9hmkWWV4fI2yEYVd2OR2+oOce3FevdHg1Iq5XUgDPT60Ix1Hq2eQKu40SK5Ax\/OpC7HoN2B61Wlik7lkWi7c4JPrXJVi29DqpWRHHG6Pt6ClCmwqSLMoxHxzjrXSrI5+pHuyPSm0hczQ5ZD0NFkJybJkO7oDSuJ6oVwMjiqQAAD9KBjxmncRJEpJxjrTQizFFj61VhpluNBxgdqLFXLVv8vFNiZITxQ2rCW5Wd3ST8eK5al09DsppOJqWEm5BnrW0XdHJUiosuqe5qzMmhAYgZwahysJnQWfhxryy3wykPjPPQ1zTxKi7NAjB1OG4sLgxTLyD1reM1JXQ73M+SbOfWrvcOUZDdzQSCSKVkPsetS0nowsPv8AUbi6AEsmRUxhGOxS8ynJkjireohsUjRn5uRStYegPcljnPeqWwmQyTnoec0nZMSRWnkJ6n8qoZCk2G60mNaCTuCuMjNSht3K7gkZ7DtTW5Jk6pd+TOEzgHis6skkaxWh0Hh+GOS3yO4ySaqLVtjOUmmeN6+h\/t+9GMAXEn\/oRrzYv3Udcnqyuoxgcir5iSzbc+1V0Ia1L8ZHl4xUBaxFOeMCi5m3roMXlakl7jcEdRTWpV0KnXOKbESIDnOKOgiTb8vFK4gK8DnmmmNOwq8H3q0Nk0Z4osSSqc8dxSYhQe1P1GKrY6dKVgHqxzxRFiHAgirAUcfSh6gZXixGnhjj5OQVOOdq9f6VnJdjpw7szg\/hrpE9x44W3g1L7DK5lWC6PGHUbsZ7ZGa8fFz5KV2rn0mH\/eyUU7H0loLaxq\/gKbw\/qExe7gi2vNEfvrnhga+f5lzXR7sYtxtLc4mbQ9C8Ob9Q8RXDx28LZkfksT7d63VWpJ2iS6UYq8jePiT4eXcMSxRq0DNsjlntiFdu4VumRScK8XzMVN0p6IbrPw18NeKrAnTYktJHGVeJMAN9BWtPEziZ1MPB6NHlPjb4c634eui91ZtIqcbkHDjsR71308XG1m7HFUwll7p51r9r5N8Qm5SOSD2rvhO8Tli+VuLHaUl7NdxW6w\/aXlcKkYGSxPam5KK5noQqcZytDc9o8E+EILbT5dsl6wAIvZNKaON7cjA4LDLlcngYzz9a855lKL20\/E9allUajSlL3vwPMPFnh+fQPHNzps0kc4t2EkVwows8RUMknPTKkcdjkdq9CEozipRejPMxlOeHnKjPdaGd4Tna28XwTxyhiZgcj1J+7z+VaKWlrA17qR73qXmtcebJIHYhfmz8x+UYP9Pwr1IpHztZe+0QAsSS5JJ7+tbHOlcliyTihsryJxE+OhwOtGhLTJY4ZdoZUbH0qJztoawimrk8M0u4Rgcms1I2Whfj0m6mj8wct1xWikupE02UpzJG5jkUqy9Qab0M46kXbNJMUktx0Skt64rQSsXbfaBUsbGy7d2RVIliIDx6U7AaNnZF1yR1oRSQ9rbyX5HXpVomRKigU7giRTigqw4HAzzTEvMehLf\/AF6TC6RMsQdeahq5SnYabpLaUKTih+6VyOZp206ywqy9\/SmtTBpp2H+cFPHFJoRtaF4rkslEMgDJ6jqK5a2HUtUCRX8Vakt8C8RHzVzKUoaHTSpJkOhQI0eXUHimqkmaThGOhj+N2EMRkQY2jPFaupKMbodGjGcrHP6PrAmYJJ1pUcUpO0jbEYFxV0basGXI\/Ou255jTWjI5uRgUwK5+U460kwuQysO2cUBoQSk49aSYEDPx0qmh2I5WbYSDS2BEMEjFgpasnPUtx0KniSxaYLIv51lWi2rmlJrVHQeFhtsQpPIUVpTl7tjGtFcx5D4hXOv3uP8An4f\/ANCNeetIo6JPVlIrzTTFcmt+PpVIXUtqcriqT0B6CSHPepM00wQYXJpMhsd3BxSvcQ5E55p3C5LEg9KVwJGHbtTQEbnnHSqSHbQjdgGGOtOKYldiq57GrBE0bZ70hkmaLAAP\/wBekJjozz0puIEqjBBppCFYjpjg0JWYyKdBIvP4mna5UXY4\/wAVaHDAlpbQK0j3upLj2DHBX361w4qKhTbPWwNV1KqTPov4FeCpPCWkXMYuZbhnzErSsWIUnOOewwAPpXyOIrOrO6R9lRpKnG1zU8aeA9O8U2yLeRsDbzCVdpwCwzjI7gZ6VMJuOpcrPRkXhn4Yabp2iwafbQQLa2js8UIUnDMck8+p9Kudec3qyIxjHRI6GDTYrMFVjVcDHFZKQPYyvF09o2jzWtzEkocYIYZra9tibM+UfjzpUdlrkU9vxHKuCMdCDXrZfUvFxZ5uNglNSLPwc0xoYv7bmhkBcmG2kC5CccyEenQfnU46td8i+ZeBw+vtGemeB9VvTZa3puqWcMOoxRh5JY1ws3zLhsf7Qx0rzZpJp3Pdw61VzzP453kE3xAkgRSGsLKG1lH+0AWI\/DcB+Fe1gIuOHimfPZ9WVbGycTzaxl8u+VxwVkzn05rstc55Xsmj33TrqW9toLuRcboVEjKcjfjr+IGfzr0sPJygmz57GaVXYtoSe9dZyFqzwZlFSxxWp0OnQpvXeBg9aybdjpjG+5pXsEQQ+WBjHSufnbN+RW0OdnkSO83Jg4PatYvuZSTudVouo2j2IbeA2ORnmqs0RzGF4hdJp94xnPUVqtdDJ7mYOOKtR6kyZPEMYIpshMtQAM4BqJOxoo3LwjiaMqEHNZqbuaOCsVfLw5HpXQtTE19PlRYBu6iqtYpPQS9njcgAikpITuQhuOKfMSOTJOabY4k8cRIxSUimi1HBhaLiaHDg49KolIxfFUchj8yMnIrmxCbWh3YWSvZkvhfUM24ic\/MPWsKde2jKxGH6o13kLDIrqVRNXOHkd7ELSqHAwQR0NY+21sbexfLce9yCvT8c1p7JS1M+dx0JoNSmSHZCQKl0oxFzOTKWqzT3g2TYx3x3pKMbGsZSjqZTaUEcPGPfArGWFV+ZHTHGu3KzZ0uF3QJwK6YK0bHDWak7ol1C1khTcrBh3I7VomZLzMyVvfNJjZAXBOCaVwsQTPjgcVSWgEOd3ehuw7j\/ACflznioUrja0H2tlGW3tmm0HM9ieaBGwh59KLJoV2i9pdp5aEhhjFQojabPGNfH\/E+vP+vh\/wD0I15q2RtL4mVwnA4pq1yLj41HXHSqRSXUnHApjepHnJpMylZMen3uazbJHxnmrUbBYkBxTCw8MMf55ppBYUnIzRYCEknmrtoIbtJ6jrTS7FJaAAQeehp3sIkQ9h1obQMlXmkIeuc8GgBy4HSi+ghwcA804odhQ4564pgGQVoegbDLKx+3+INLjEZkkS\/heNfVg4rlxqUsPNt9GduXzaxMLdWj6RuWn05QkKFiDk47k9a+JiforiaPhS+iujKpTYw4ZXHIpuzMWmjSuvLtY2foD2qSkjlNd1IIWIOKSWo2tDzjxXqctzOVXIXtWyMjzXxz4Zl8Q6pbK8gSGIEyHufYfX1rqo1\/ZJ23OapRVRq52fhLQpLiwW1sbOHyYE2FZNyjphSCBzj0rFz1be530aV1ZGb4\/u7XwD4XaTUZBLqMmFhjZv3k5BygI7IDySeTgCtMPSdaoktup0Vq9PCU3J6yex4Fq15PczS3l1N5txdu000h6sxOSa+kSPi7upUcmZEPUsoGaUUdUux7b4FuHufCmlyBVx5LpuUD5sN0J7kZ7124VWjZHh5hbnXc3UY9+9dyPPs7E9s2181Mn0KijTj1AxoFJye1ZNXN07DZdTuXXYJCF9PWpcEV7ToVFZixPc0WZd42J4mZV+ViPpW0V3OWTvsTCTeOTn61S0Yk0IeuatEyHxE4wOtDIsSqzjkmokuxrBsuwTt5ePXuKiEbO5cpXQoNbpmY8uQpKk9KGhR3H6FCtxdF5ydoOAB3rz5VGpHpqipQNu60pPJ8y3BHrzXXCpdanmzhaTKpgaH7wq07gtCxbkDmmVcndgqhs0DtcpyXAMmKSqK9rhKi7XRHc7Zoip5BFaSV0RB8rujHs7ZoNRXaTtLYrzqlBp3PSjiIuNmd7a2ts2nhdi5K9e9OKkjjlJXOc1JGS4KqRgGtfYpvmBVtLFaVmW3POTXQtEYv3nqV9NvCbgIe5xmsZyu7GkUlqbUyKEBohe4psiJxWyMSa1nSN\/QGhiZLqc6C2PzZyOKLjMCYnFIFYqyuc\/TpU6l6MZ5uTiqj5ksRfvcmmSWEYlMcUWGyxA+3tVNXQkOJLNnGBStoO5e0+VdhBYDjvSYPY8V8Qf8AIevT\/wBPD\/8AoRrx4bK5vL4mV4m+XBp9SGtSeEjArRMtbCykjoaYMj3c4xSM7DgxBFJJXJJFYA5pgkOLk0WDUfGxbr9Kqwh+PyqlYGhwWqWwAU54pXAQp0obEAUg+lTJAOX2NUtEA4H5qAAn0oAQHnnrTGhVbjtmhXBioQCKq4E1pcy2d9DeQOVlgcSRsOoI6VlUgqkHCWzNKNWVKoqkd1qejXNl4y8S3um6lpniX+z4pYll+VAQxIyVdSDnoehFfFVaapVJQa2Z+jUK7q04VO6ueh+DdPv7W7lvNTvoJZGjCIkKkDPckmsWrmk3c2NYnZ4NueCKz2Gjh\/EZ4YA1ohNnGanF85bvVoyZkSkLcMcZrSKTM5aPQhsLvxxYO0Fp4jS303cWjCwK0qA\/wgkUSUHqlqaRq1IR0Z5H8bL6S58VQQSTPcSJDvd5HyxJJ5Jr18BC1Ns8fGTlOd5M4+6IjtWJILOMDvivRTOKnrNW2KcPyscdSMU0dEtT174KXbP4SuLXKlVmEgB\/gOOq+h6g+orowzs5I8fHRd0dYx5I5ruW1zzh6bvWhWBXHhsn60Iq4+M88H61VtNQbHrjrjFPlIbHqce2PfrUt2HFNkqEMwxTi00Nxa3L1tbNMMgDA65qibMdJbNA3OCPUU9xWsKuD2oaGmSRj0osPmFG4nnmkIkGccVfQWxPo1yLe5IkHyMfyriqUrs76dd8p6X4N0catpzTE4jbpnvXPUq8jSMVFydzD8eWK6ddLDXXhpuSuZT3MKJxmupsEhZZMpjtSsGzKMxYP14rjlTakdsaicR0UhK46V2Qelmcc0lLQduXeDxmqdiGXo9UuFhMYIHHWo5Y7k6lRpHZiWOSfWqdguQ3LfwE8VL2GnqQ2duBLuxWbhdmnNY0jKdgBPStIpIzk2RtL2x+NPci4zzBnqaQ7Ebygt97n0pAQyjPfrQCK9whA5o0KbaIAvc0ybj0B9aYE8QOM+tJuw0rkiA+tJSK5GS5wtVdE8rG21zGxYZ6Vm5K4JNHkfiPjXrzn\/l4f\/0I15S+E3e7KkZqk77iaLED4696uwth0xOOe9MGRK2DQLccrcikybDi5qlqOw5WNOwpMngPNBBYUgjrikwHZAPTmqjqCJI\/mxQwZJ5ec1LYhkgFNBcjcfhTQEbcDimtxgDn1qgQqnnGaQ\/MUY3YzTWwkia3i3nms5SS1No0+YfNAyDdg4oUrkyhys6HSPFPiPTdIsLfSYRMULLkoCFIOQCT7GvnMxoxWJb7n3PDzVbDKDV7aHS6B488azTRxXXhaGcM2GltbgLsH+1nj8q8+VOKW57VfD+zWrO\/e\/Z7RWcFTjkHtXI0cuxzmrzCR2weCaqIHL6\/KsaEAjca0Rk2c6JTJchVGcn1qr2IZa1VxFpxweT2pxd2LoeM\/GXT5ItZj1EoxR4gHcDIXHavZwFRWcTzcVB8111OBu5mlYDoqjAFejYinBRQ60xvBJzzQTU2PTvgm2GvI8Z3IGz29vx61rQXvHmYqKcL9Tu0+Yj3rtTPLcS5EuAKq+gJ2RFKpWU+nWqjrqZPRixtiqHcs20YkyW6VSdhpXH3cIWPcnT0rKeuxvCJBCzCTioTaZrNRaOg0aVDAEPBFbxd0YJW0Jb91K7epzVxMpWuVQPegWg+P3pi3JBzQkkDuSomRzTYAYsc9qnlGpNHb+C\/F8OlaesE5I29MVyVsM5u6NITMbxdrTazqZnK7UHCitaUPZxsOxmCUDvWgJiGQ5xTBsZIwYc0CuRb8cdqcU0yJXHx7nb5eaqT0BK7NLTrPzj8\/FcU66izpjQbVy8dLRE3bsitFWuYShZmXqduI3HPB6VqtSGQxMqjApsGxssrFuKiU0txqLaGq24ZJqk0S42I7yby4j9KTloEdWZdvfM9xt75rGE7uzNJw6mkjjgscVqzOO4bvOfYilqyU\/eNpwbWg+WwnRMlfwrXnRkoPqRwRYyGGD700wbJoEwenFN6"} 18078{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1491,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":142,"flow_packet_id":3,"flow_src_last_pkt_time":1654385136207603,"flow_dst_last_pkt_time":1654385136563848,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":13026,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":13026,"pkt_l4_len":12992,"thread_ts_usec":1654385136563848,"pkt":"nLbQ0+MztKXvZygQCABFADLUFpdAADcGEausaXlSwKgCfgBQtFrv1dsDOBd56YAQAOsbqQAAAQEICsmhz1jytRrT\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMABAIDAwMCBAMDAwQEBAQFCQYFBQUFCwgIBgkNCw0NDQsMDA4QFBEODxMPDAwSGBITFRYXFxcOERkbGRYaFBYXFv\/bAEMBBAQEBQUFCgYGChYPDA8WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFv\/AABEIAQQCgAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APFrvW9ct9Tm86+1OLEjbROnmL19eDXiyaex9drt+hZg8S6jtDPf28vH3WZkP68VFimkxLvVLa+iKalocl4uPvQuJP0zWsedbSsROnTkrSjcqQweF\/JBtr\/U9KKnIQtIgXPXg8AVXtK32tRQoUEvd0KMngKLU3FzpHi4ylzvBaXdvP5itFjJR0lExngYz1jIz9T+Hnju2uVuYJPtaoxOVuGUj8Dnj8atY6m1Z6GTwVaOqszj9Y8OePdOumZ9Pv2DHL+XLuDj8DXXTxNCS+I86thcSpX5DM1W71m1n8sJfwoAMPIHBzjn\/CuiPLNbnPKM4vWLG6Zqd1bzhpbm4dSPvCXO39aJR0sioO25evfEeoaXew3Vpq13BdLEhiltrh1ZCOQ\/B4PNZqHMgqSSMpvE\/iO8vjPqfiLUrlywbfc3TyZYDAJ3E54JH4mtXtaxhFtO7LMmp6g0Dpc30oSaPDMzHKt7c8dqytrdG91az6lPwxcXU+qIJrq6kij+Z1E5XcPr26VtVd4mVKClLU9A1LWrm28JW0T6hfeZcRmWCVZcqmXyNzZznH16153I3JtdD1oVFCCv1Oa\/4SjV18QTQR65PFatO0rAsWQgjGSB6jrWypXpptamNWtaq1G1i34k8ZapPZW13LqH2qS1l3GKTI4IAzjPsvPtjtTpYe0mkZzrppMd4Y8YeINS1KPIe4dd0kkvmNlcHKnGcYB\/SipSUIvUdKu5taGjrHxD1nSdSW\/aW6Pnb2RkOFDldpU57Y\/KsYUFLqa1MT7K2hFo3xJubrybd5r0pC\/mlBJwjFQrYJPOcd+30pyw2tyY45SVrC2vjSadpLA3UkD790aNK2D\/ALQGcE7amVBpcxvQxb+DY67QdSn\/ALGEaXbyJy3EpYsc54PrXNKmuZu52KbcU2ibXfFDabLFLFqUkUs8g8qIOd5wnO0Z68d+5qFRlO9jSeJjTSUkRy+P7u90uQ3eoyJ9jmX52kxI27hcAdcetVHDyXU5pV6c9Weg\/Az4hXPiLwV4g8LQzxtDo8P2kygMJC8jqmOeMfKcY7k1jiKE4Wcup00K1Kd4w6GJ4+8W\/YvE1rpU0qCSGNLj5pD5jIU2kBemO\/vU04Sav0Km4J8repL8SPiTf6sv2LTbiXQrjekh2Op+XacgAjGW6\/hWsU9mrowcoXunZmAfE2mQyaZJbeL\/ABRfSzKTetOiKQxU7FRFB6HBycZFaKP92xlKeukrm1c6\/wCFb\/wdFPFrGtL4oO1ZIZAgtmwRnkck9Tx0NRVTOihOz6GG0tx9lvYzcToPNQSIZjk4Xj6A8U4zdkKpCLkzqtJ8a2yeDptJ1H7e04uDMkEYO7HlIm4v7kHiudRkqnMapR5OVkkXjCyW80eWC8ns2tdUFy\/kMzsIwVyQcc9CfrWrTsyIQhdXsXfjJ440fxK+grYa1NOLGEpctKWUl\/MJO7jGSMfSpw6nTurbmuKUKrTViLxR4i0zUdas7ufUZpIrfTTGDH86ofLKhSW75x+dQnKO3UUYwsJo+qaDY\/s6+HtLvbqxOp28sjXllMrLc7NzfPI\/oQRgeh9q3lVlKd0cvsoQVmro4D4beJXi8cfY7tp7eCPTrj7O9wfvuZg\/K+oGAD7VrUi+TmXdG2FrwT9k1Zcr+9s9P8G+IdPk0fWrO91q3hW4aN4yyuxnZCc7MDC8ECuedSV0RGCZY0DxHp8Hjm+1OW6+zqxh8qaRSyygMm9SoBOAAaicm5GsYw9na2pz\/wAe9UbXn8bQaJPO41Fl\/sv5iiuAyliM42YAPWuqnNKUW3scdahzU2o7nk3hu11SLVo764vCv2XmNxOW35GCCOmBnr\/hW0qvuNLqKOG\/eKb6Hd2msXcfhOWL7S6tuk3FnOPvdc\/iK86pBudz0oTjGFjS+G\/jF9Au7w6i109lepsmEMmDlQcDJOCpBOa0lJySOe0U2dus82ofs\/Lf2F5II3huFiZTzgMwxkflUSk+a7CEUo2R5XpnijT7nT5SNTnD3cKK2L8KYyqDIIHB6dOK3\/eJ7EOdK17leTxhoy6MlpLqizRyzh4zJcsQzbAu3APXjqaXJVcthPEUVCzaJbv4iaTBZNF\/acBt0iChIwzqRyfToMnn2NaQw9R77kyxdJaK1ipp3jiXxBcM0WtRzSwNhkUmPCHByo4GM56VnUoulurF0sTGsrRa0MbXNbESMbm8mdMjBBPJzyMdvargrtEydlqUIfGpsvJsLaW+kRCJfs6vld2MKWYdWHrjpXSqLmrnLVrRi+Vlf\/hafiHRdYuporzVbS7u4mguyuE86JuSuD0BIH5VawblHe6MXjYRlqncrW\/jC9i01IrSea1XBcBnALM2c5Oc++CaJU5N2bBVqaWi0K0HxC1ZrqKEXs8O2VmZjHuILAK2eSSCB0\/Kh0JW3BYyne1hL3xNqEMRnt9QvVmUBgzEkNHgjGS2cYJ4pqk3uR7aMXdGpZ+IDeeBNGiXUipt5p4JfnKurFtysT1KlTj2xUzTU3c3hUjOCscj4xvr0ywSpcTJuB+VZmwffmuijLdHDi9ky74G1K5fUrSNp7qdFJDpFPtfn3HOffmnU0iycOk5pG3qp1dtChhsIzdyvdMQ9uzyXGPRlHAX371zxq3lq9LHdUg1TSiru\/zJo\/CHxEv7fy7LStQgW4bpcTCED0zk8+3FNYmindy\/UyeDxEvhjuXLL4UeM7SYDVfEun6ecbjG9yZWP4cc\/Q5onmVL7KbKjldb7TSOx8KfDPTG8RQapP4z1ad7WQGKHTrctHgfwqcniuOpj5Si4cu52UsujGanzXt5F3xbd3elX81jI91GkJwsTtslnzyABn5V7kmuON2eg0krWKSG9Nkb3UJ5DJNjZGrkAD\/ZGeg9TTur2TFyWV2YuoXAV87X5PGbnv6VspO25lKMex6x8LPghqmsaXH4g8ZSyeG9Gdd0SSuTdXi+qp\/Cv+01R7SSV7iUI3tY2vHHxf8AC3gDRE8PeAdMhMlsCvmt84V+mefvt7t+ArJKU5amjkoKx4xrU3jH4iT6deSa7MqXVu0927SkgSeYyZx\/E3yjr+ldt4YdXa1OKPPiJOMdkT3Os6f4L059G0O6uL+\/cg3F08pYeZjqx6ZHZRwKySqVpc8tEdUfZYaPLHVvczdHlv5L2TUL+4uZ5yCfLSVSzZHOEJ5PsMY610Q9w460udFe8ju28ySz1E+UG2xjzHIc88BiBg8dPXvS5bvcFUsrSRz95q1\/bz29wlzPuSTIBc4PHIP8q2p6E1NVZo7CwMOo2MEdvdXUaSwt8rSl\/MXbyGz\/ABJ\/Lmom+pCje6ZyPjTUZxqdtpgu2t\/O2FrlpGLPGPulznBLEbicdMVrTqe62YSjaaRvaLo+kbluLnxA86qCxRX2h+OmOTj2rD21S+iOp0KVm7q5qrqGmafC00Wqy+dPhmZZ5CCu0rnIA6AdB6GtVOfNqjGahy2TLf8AwmvhLStuLW8uP35Z4RFs8zj7\/mFj1PIG38awlTrT0bNY1aMLWiSv8YN4EFlokkcYBOZbtjtAHHCgCpWDaesjV43T3Ymbd\/ETXN729obOExRqZJJsZD7gX+Yn36gHOK09kjn+szfYgfxH451dorfQtS1SWI9UjBjMg5JK4A98g9OPWlyUY6yQ4yrz0i2XLHwV8S762ka4YW7zsGDT3WGbgjBxTliaUdjSOEqt3ZTTRrWOdrXUPFMaXttvE8Mc+AAW+8rNxweNvUdaXtpPVLQXsY3tJ6nU+G5\/BFlHFJJYalq08TZTktGh93fAznnj9ahuvLZ2RpBYePS7+84Ua3rxv5mUNKm9hlJFfAz3BORWlSlRNaeJqWWhZt\/EU8swhutMhduhEkWM\/j0rneHW6karExbs0XVnsmYO2kTwlhgPDnj8qTpy7lqtHsT2clu2AupXUQ3BWDxbwPbnAJwelQ1JOyRakmrmvbadpkjBDqZx2b+y15\/FZM1MpPqiloXzo6wQGew8RCJ0xx9olgBPuCGFJVE3ZoG30FWPxd5eYbqG9UDJAnimJ\/kf0o\/d7A5PsQifVVIXVtGICn5mFoVOPqTijlT2YnO+6LFz4b8Gak++5htGUjlns+Sf+Akn8aSxFSGzf3kOlSe6X3FC5+FHw\/vo\/lazRjx8l40Tqf8AgWPyrZY\/ELqZSwOGlvEwdW+BugyZTT9VnUt90tKGH6A5\/Oto5nVXxIwllVGS91syNX+C13eCKNdeghmgjWOOOT5lkA\/jLDuee3atY5jFO\/KZzyjm0UzGuvgv4vsJBJY3thdOmCPLlK\/hz1rZ5lRkrSVjCWU4iLvGSYnjPwL48ntbO3ttFZ4obfbKkDry5OSeTSoYrDptthiMHinGMYx9bHKp4Q8Xaddqbnw5qMSE7Xb7MZAq9\/u57V1zxNGS0kjiWExEZe9B\/cdRfeBri8eJvtsEFnLs8xZldJwo44BXHTp+tcX12ENLO\/4HestnNJ3VvxMi5j0zw94nudDhuPNgM4WG6fG8DAxnp69q2jOdeCmZVIQw9T2d9CtruseVdy2kcdnM8cxZt1uHVTnkc961pUkveZjOtryrUv8AhXWZ7lPskCWqTO5MkcVsiF0A4PA7VFWCTuVCrzadRsOt66upS2ianG65YXBS3iPbjkrnr6UnGChexdF1JVOW+nU6nwpLFb6QsYaKaVgZeDje57Njp9B6VyVEm20ehSlZWucb8ToJbvxBFJDFjK4wpyA2fWujCSUYu5xY+M6kotIv6XpkMFhBDLFMEQCNx5o3ZYN8y8cL\/ifalN8zdhQpcqSZ6b+x7pT22l+NkJwD9jh35z8u9j\/IVy4+fNyHZl9J0+e5yn7RCsfjQ6LO0aQWUSsUXdkbTxirwtvYvTqZY6\/tlr0OR8T3GoWtn9si1GVbksYbqMx5+UgYO45yfpyM11U1Tfu2OStKajzJkPhTVtYklDf2iVaBQsSpGNxXBycgc8dc06tOC2RNGpUluyprup3dhqKizvo5kwJI5Y0IOMcoScHHPT3rSEIyWxFWrKMvdZ02j6lrUOimT+0bVHkTdIzH5I2wdoPHykAdM44965p04OWx00qtRRu3qdr4o+E3jzQfD2l67D4ksdSGqwW0yQQxP+4MqGQty2OBwT054rF4iim48pusPiHFSU73Oa1Kx1gAw2up2sssKAMkkpAeLknGMFuf4vY+tNOK1a0H7Oq3aL1IGtPFOnBBqH2RBGiuJPPYs2fmQYPB78Y5pqdKWiuU6deHxW+8dpcviPV\/F+naLpGp2wudauRBBNJKSsUpbkMADgcdxx2pqMFFyktjFzqOSjB7nS+LfDHi\/wAGXMsGu6to8i3Fx9ldra6dosY3YYsuQMjkis1OnPSKN3CrBXnY5LSbDxVqmo6r\/ZUtkJNOhMlwzj5JR1Dr1yfTt61rKdKnFKSeplGjXqSbg1dG7pfhzxXqGi217beJLCKCMb98kjPFGGIViwUHgk4xyelRKrRTs4lwpVpR92WpH4H8MeNdd8SSWEPiBZII7grJcRo5UMS20L0I5XI\/WplVoWuogsPiE9Z6G38S\/g98YtLkmlTRfEeo29xbCS\/uEsX2xluuWfGCOhxW9NKW8LM5qslFaVNOtjnPBfhjxXpzSy3k5Fpa2qXM9u8gbbAx2qQBwfmxlQc1lWq03stTpw1OrG15XX6GhJPJ\/ZkyQTljG0qq2zac9RxXI1eWp6MV7rOY8WLIbOOC41C5MDhyHSP7suM8jI9OvpXfQXVI8nFNvRvQ+vv2A\/h\/aeP\/ANluHSNavdQ082l5PABbbMskh3hvmB9eKU6EKtWTv2MVi6uHpQilvff1Pmr4rfDPTPDHxH8Q2\/hmw1mfQNJvHtP7W1C5jZLuRXKs+1VGBuyAOemSa2nVtaCZFGlKSdRrf7jnfDHww1TxxrM8miCG1gijUzNLvl\/eEdBgAnI59qUsSqStLcuODlWk3C1jutE+Cepra29m8tvHJtZVjNhIxnI65BPBJOOP61yyxfVI6Y4OytdHmnhTT3sPipd2Fuz+VpzywTSsoAQjgjp3IwM104icZYdOW7McLFrEtR6XNDxxMqWVxE0uAxJWPdk5BzkVzUl7yOyu1aRj+DrJL\/XnsVuBB9rUsBIpMUixgs2cfxAZxXXNtQ9DznT5qllpf9DtLr4PaxdwxXCagVAQcrp80hZSBtP0\/Gsliox3X4mywU3bX8GZfinwP4ksH+yadpmrajKyBvLTTHiXceM5PWnGrB6tpfMVWhUWkU38jTl+Dl\/Z3OnTy6zPG9xbs84\/sokwPhcR4LDdnJGeMbah46DTVjX+z5XTv+BFZ\/CrUNTa4tJ\/EOlae0CnGWDmU5PBAPy8c4BPJIpPGwTuk2JZfUenMkdF4a+E+iWNgbSfXp7qVirs9pbFk3AfwgjnOfWs6mOlJ3SsdNLL4wjZsuN8KfB4kEk+natqBXLM15eR2qZ9MZBrH67U6WRo8BRl8V2anh\/RfBuhxiWz0bw1Y3Ck7JGlkvZsD02cfrUyrVZL3mzSnhqEH7sUjUPiOyjjNrbX94fl3MdP0qO3x7AuTn61nyye\/wCZspRWiKtxr0iHMWl316xxh73UTwPcKAPwzS5VfV2Bt+pDb6jqY3PBp+iWLEHJhshNID\/vPuNNOK3DUaZNfeVpLrW9SEOB8nmCFP8Ax3GBS5obJB7\/AFYrR6Q9pI9xc2zSlflllYyuGHK9skfj0oi5PQdorVkPhvSdY8R3qWGk6fLqmoXZAjihAwo\/vMTwqis7RT3E5aXPXdH8O+BvgzarqniK5tdd8UrGZFDANa2GO6ofvMP7x\/AVam27JXMntduy\/H\/gHifxe+NXiLx5dXMmnTXMtmW2iUMVJHb02\/zx6V0QwzjK89\/MwlXvG1JaHLaDo9jqFraatfXNxa2UKl7lZvl8189iOijH1JqpycG4pajpwU0pN2Ru+LXuF8MWs2iZsLKWN4p4MCKTaGyu0dTuySQOfWnytxXPqyVNRnJQ0TONiCxEEIcKwzx+f41cbmbVjobNJrVYCYC8Udwv7wlnRifuvs6YIP3vqOtaGTad9SvqSCG3a7i8lELjEYURup+YDK5Py5yRjjios7XC93Y5nWCrQxcEBp1B4B6nGa0pprRhUdo3Ow0KF7eONEgeWGP5QnzDaeck7gpyQT7YGKmSvoS27XsYPjWO2ne5aaJA1vIQhcDMTHoqtnOD124OPUVpTlZWM5q9rlO3tDOEMcMk5dAPLAY4PocevYilzFKm3sjqdI8K61dA\/wBnWMh+yI1xtjQlYh\/HIQx6Dhe\/enOpFLRijTbex0L\/AAm1S58RPaa7dxaQltsWa5ZQVtlkHyjrgjJxn+HPOKzdf3bouOHk5cstDWvvhx8MNBs2afxV\/al1HgrHC5KPg\/MpKDAzjAOeKyVas3dRN\/YUYqzZltrXhC2WBtO0eO6mhu0dmutqgIud0bsjMSzZHTA46VVqr3ZHPTVrIzP+E81mTUn\/ALD0ZYp1lDsLaz2hMBgCzElSSrYOAOgpOjC3vMca03L3EVNQv\/GmrZivtQeEMclPP3BfXcQQq\/rSUqMdkW\/bzXvOxT1KztNNtrW4Fwl+zlgXBIHb0xnp\/wDrrT2sW7JGfsbatlO61qPeGt7Y+YBtBnO9FHsgIFTCH8zKlNR+FGjqbawb+5DWDyZkbDK8Zxz+BquWm+pfv22L1tFYklLyxeZMH5fMK4Prkf55rlk2l7rN4qN7MakMMEz\/AGaOaNG+6N2WXjHU44yDVc2lnuWopPyLljYfarsZ1a4hDrndKmccdCM\/hWN2jWy6Gt\/ZF7ZRhoZxeqOS1uh3LnOCRjA4\/GpclJBZplF5mldkknbg7ShOD\/8ArqlFJaEc2pb09MOQVjYqBls\/55qJGiJo72dr5Yo9bvbSLZh3t5SQDzjA5Hpnp3oiklqrhurF6Sx1KcAQ+J7efByBd2Shj7EgDinGUOxPJLuTRRPbRONb0AyknMdzYqwR1OBngnHTjOOvSpbjf3WNLTVHIeKfF3g\/TkjIl1GzlkbI88F1xg9NmTmumnha0+lzGriaFL4n+ZseDJrnxDLdCwltJJbXZvWQHcA2cHBwQDtPPcg+lc9VeyS5up00KiqX5ehuPp+rxrt+wQttJzskx\/jWHNF9Tosyu66tbsnmWF8rAnmOQMPxyKuLj3Jt5Ekeo3hf53vYzjlWhBz7cUpWGh1zrzrsWeZEHCqXt2yT78URSewNrqV7y50e7XzLqz0q7GM\/vrdcn8xxVJ1I6RbRnKnTnukzE1LR\/BFzN++8K6WXPO+KMKc\/gRW8cRX6TZlLB4V7wRnx+BvBsU6XNtos9rIrfI8U7Ag\/nVvGV9nK5j\/ZuF3UfxG\/8K+0F41WNbyLLdFlByfXkGnHF1C3g47RHr8O7CK1uIYb65i+1hR5wVC8WPQ479801jL6cqM5YBN3UmvuKkfwtOGWPXpJBncGu7Ndx9sqwpLF315fxGsHOKtz39UWz4H1lbEW\/wDaOmzLn5S8bqwHcbgT6Cn9Zg\/hTCWGqaPR\/edF8ONOvPCmga1Zm3tTLqMsLK0Vw2Pk3Z3bh15rGrVU2tTWlTcE7pHCfE\/wj4q174jT+INPFkLeZY1aN7kZIVcEEEfWurDYmjClyPc87FYStUrc0djltd8AeOr+ZwltZeTuyI0vVJ+pJ611wxOGitW7+hy1cDi5XstPUl8MfC7x6tx5Z8NmaMAsHgvIw6nHY579MUp4vDvRS\/AmngcUvsaeqKWp\/C\/4lt+8vPDkm1eFzPHx7da2WKw6+GRM8BjJbw\/I2PDXhbxX\/Y8\/9peHdQRkdQiwsCJM55A3fwnOfqKwqVqV\/ckjoo4er\/y9g0eoeP8A4g+I9e+H1joOl+BtdtbjTxAJJFh3LIIo2RuMcbt2fauGFOLndyVvU7pTcYe5F\/ccNban4t03wpDotv4F1Sa3mlaabzLDLqSNoQSY3Fe4GeM11SjGT1mkcsKlSFv3b+4h1uHxPrU6KfBPiK3UiJNxtidgXgnI9\/0qKcYQ150zWrWlUVvZyXyK\/hXTPFGh\/EnSdWk8H63LbaTfrc7Y7X95KATyDnHOa1lOLptKSu\/M5YxqRqJuLsvI7T4s6hqnjK8uGsfAfibT4k8+7cXFuu6Z22gJlT7cYrCgowd3JfedFecqkVGMX9xh\/CxPFujL4jgvPBetzXmu23kW6m0OBkcE9+v86eK5W4cklZeZphXOCmpRevke7fsWfDTXdcN7J4gtdV8MxaPDHFDIIkDTTs5chVkDAqq9cjqRWkKEKzcr6HJiMRPDJRS1fcZ8e\/h9p\/w\/+I9tB4P0n4geJvEWozxXt5dxWqmwslebJDCOMBmIJO0EAAjNFTDwhZLciljatS7lZI9+\/bhsdQv\/ANmXXrDT9JvtYkuJ7WNrGzVmlkRpQGKgc8dc9sV2V\/g3PNw9vaJPY+T\/AAJ8DPi\/4s8H3mp2HgvULRfD2lR2aWmoS\/Z5NXIOSsQPUhQCQcA4AySa4VRlO7W17nryxVKlyx628jX\/AGLfhJ\/wlfxln0v4k+HYbrRm0q5l+yPeqGSdWQDIjYMCMsOadGNOU7PVjxdetTo3hpf0On\/a++Fnwk8J+PdL8O6Z8NtR8u60r7U9xYeIXtYwfMZcEPFKS2B1yODjFaznGjLY4aPtsQmnJHbfsx+LfCXw4\/Z48Y+INN0C+0q20W6iRLWbUTdPezmILEqN5S4YkgH5T61VGpFxlNXDFU5upCDaenQ8jsF0GL4cXGsT+BfGMmgxztFeXb64ZUWaQlyrE2\/OSx5xjkDvXK+WTc1F\/edkPaRiqXOvuPYPiroGk+B\/2TdMtfAC3GhGW7sp7aeMCa8JmIeUliMuxB57ADoBXRX5fY3aOPCzqPE2v3PF9X0vWtXlhu77xb4qvrmAZVrmOOLyh32knjNeU6i2R9A6d7Psc7N4M0YtcB47iOW4kLzyTarBC0rHkk7eapzfqHs4620uZ8\/hvwQm9Li10iKVfkMtxfSXGQO528EVXtqqtZ\/gR7Gl1X4jrG28G6dOLaJtFTB3CSDSmkYn2JORVuVZq92\/mJU6UXol9xt2+rxiBliu9UwOEW3gijUjHr1FY377mysV2vlMqSTrqkpU9LjUXQf+Of0p3vtYLBdajbzSeXa6JpAnfgSS+ZOw\/F2P8qTjpqyml2Es9L1aGHc1xa24Of8AU2qg\/qO1LnWwuWRnanPGmwanr9\/OHbairdrGv5IeBWqi3sjN2+0yuL7w1DLun3XDDkYkMjZ+uDS5J30ByprcafEui+QfJsp0IOAFRR+GWNVGjN7iVWFtihceMo1lUwQLtDFQs9xnJx6KKpYeS3ZDrq+iH23iLWZfng0kIm7bvjsmbHvubIxTdGHVgq876Ijn1LxHc58y+htkdsbXukjyvqFUkn8qFRp9hKrVfUjisb+WXdJdTzjdn5IJGDL\/ALz7VH507RWyJvK+rOj8E+FbvxFrcWk6XBLJdStkFp49kK+rbN3A9yKm7tdlaSZ6d4l8b+HvhH4ZHhfwn5d5qxh2ajfJjdI\/XBP90egrmnBTbsbXUVqeI2M+ueKfHtnqWozyt5k7eXH1yXUg4B+vet6fJSXKjmqKVROTOXu9I8jTo4YYyuFGQFBORxzXRzvmJ9leCsSaCs9wkdrekzxW7CO3inwip8pPPYnjAJp2V2yHKSXLc6WS5lXTluoGSFfMMcixxvsdFwEJ8v5QRuOcEA5HPWk9dhxOX8aahdmVLpVR2OAxbqVOSuT64x1q4K7szKblGN0P0DVZ3tlWeKUBgRHtk270\/jTd2HcejfWm0Q5rexLeQNLvQQMkysWAllAWVegAbpkAcg+uaTUluNTSV7HOajMk1lJH9lkQ5B3FgRWtNNO9yJyurWPR\/h3bXD+H7Hz3DRsrNGXXO4Y+7745NYVV710bR2tcy5rCxPiqzn1K1N3p2n70ZPNUeeuM7unLocZ45XHpV8r9m7PUz91TV1odBaePNLsx5WmeH4Xab5IZjDI4QdN4PyjIz156Vh7F31kbOtbSMRut+NteMK6a8bRW24NII0CYRUC8FfmzgDgHnPTrWnJGOpm6kmrXMVpdZ1BBGG8xZANvlLv8oE5I3Md3I4IPOTnNWpRW5KU5aJFu38GajeO0+paiqBsfLGTKygdsnCrj+dYzxMVtqbxwsnvoQXWjaDpFtcW+iSiW9APBlM2wd92BsXPvzTp1Ks5LmVkRVjSpwfK7s1NR8T6dpenRh7dJGwCsZfESfULjP0rJUpSbOr2kYxT2OF1zxLdanq8apLsWVwqqBtVeeqqK6KVBW94454m7tE0PEfh9I\/IZ5JUZgy7o5COQc4IqaczSpST1Oc1a0ltLhGgnmw20KhfLEnuOOa6qdpbo4qqcNUz0vUrzxRFNOLrRJSFZwJUgLHr17ivPdOF9GempzS1RnW19JJKfOvYoptuSs8Pl8\/gP6VUlaOgKVzTso726dY7dbK5d2wix3SeYx64APJ+lYt21Zom27LcsqZYcNc6ddINxG5I96qQcHlSe4I\/CiyezL5mnZo2ND1eO23+TLsLYyrDr19azkrGkZJmkdVknXc1rbTc9ZIQQPXpiskpbsttGr4v0LSY3tIbS2W1kvLCKa4KAt8xOeATx09afOToYLeFS3z2uo6eSDj55DGT+YqvapLUv2bOGn8eDT7grd+H9VU7c5dNufbjIP511wwya0kjjljOR+9Fkl18VfDsiLAL+WPzFCNBJDIck9QflxR9QrXul+QnmWGejf4M8g8b6il9rV99nVGjadgmECiNQ3yhQAMcf1PevZoUnGETwsRV55ytrqSaF4j1jSLSa8tdRuIb3y\/L80sSTHnOCe\/OOtTVw9OdouOg6WJq0k5Rlr+h3ngL4j+Kb51VG1BppXKJLBBvhHy7trMx+98rcfSvOr5fRh\/Wp6+GzGrUdrO\/4HYQ+LvFsUZeZ5TkAlpLM8n34riWHo3svzO9Yip1JR8SdcLeVLFaEY+YmFoyT+NKWCgldMaxb7Ev\/AAnsspAm062mBPJWXH4ciksPbqV9ZT6AnjCwe4KTaEQg+6Y3ViPWm8PLdMf1iLeqJ5da8KS8zaPdJk5P7sZ\/Q1l7GtsmV7WnfUadU8FO4JgnhHuGBP6UnTrp66lKpRfUcZvB7keRqToemPPI204qr1Qc1Loy9bwaVIAsGuSqowQDdrj9TSdSV\/h\/AtKL2ZqW1lCIgIfEhUnj78ZqPa6\/CVyLuNeDUoiwt9UikBH3vKjJP9aOaMuhPK0PksNSERZtRtT\/AHt1uB+PWleInFkVzp2pN8zS2BA+7+7OMdulXGUU9BcjGf2PqlwoDJozZIwzIQKJSiuovZyJP7N8SW8ilE0RUA\/5Zz7Mj3ANJVab6sXs5roiK8g1+dgs9ppcwI+4ZycfrWl4dGDjN7oj8jVFG3+zbAH1WYj+tQ3HuHI+xLCviMNiGzVVA4K3jAYrSLj3Bwl0RKE8Z7XK2kgT+ApfHGPfPWofJ1YuWfYdbWHixhuktpGJ+XH20\/0qVOnsHLLsOEPiOAPtsix\/hQ3pH9K0co9QtNdBdPk8WPHmTSpI\/mPTUic+\/AocodGJRl1RraFbeONS1y2sNM05Zrq5YLDG987ZP944xtVRyT7U0ueSjHcyqzVKLnLRI+oYLd\/h98H9SuLHyry+0fS57xnmJ2XFyELFmPXbuGPoBXt06XsaVkfK1q0sRW5pdfwR8maLrfxEuoYdUn8Wlp727S4uXbX5EBLyAsFQNgDnAA47V5TxEnOzbPdhg6ap\/Cj6o\/bQutSsv2d9Wn0vU5NNuReWardJO0JQNMoI3KQQCOOteviJclNs8HCxUqyTPnPRNA+K\/iHQNR1jRfGOp31po6CW9ltb24dYsjkL8\/zEAZIHOBmvMhVqzTcb2PenRw0HFTsm\/I0v2aPFmneAfiDf+NPEviWG90+LRbj93CgMtzM7ptVSerMc9T6k06FWMKjckLHYeU6MYw11PUNE0n4ufGvxTZ+OtU1rV\/hh4NtLXZDp9le\/6TqEYcv5r71Cx5BwXIxgcA9a7oSlV1tZHkS9lQXL8UvwR7V4YvtCv\/Ckdz4a1G31TT445I4byG4FwsjR5Vj5vO9gwIJ9a6FaxxO6bufFPwg0P4tfFzw9q62PxO12a3t2+z3kV7q7rFJ5u75AoUgjA5B9q4I+2rNqL0Pan9VoKLnHV9jl\/i1dS3vxHltPEvjK0vptAiXTEis9Qdbaw8pQhiTIGW+XLMAcknmsK\/tE+V9DrwdOk1zxVr9zAubvwmkOW1W0JA4AkeTPrn5TWKVV\/ZZ3P2XdEZ1DSIvLIEW0\/Mmy1Ylx+OKapVCOemuosvirQkwI9LkZmXO5oEGR7ZJ4prDVO5LxFPsZdt4ttrS6lkW2ciRSUX7QEXb6cD1rSWFk1uR9ZgtbCR+NJJpRHbaPZygruUkzT\/kAQPwxR9US1bI+tXeiLw1PxJeRutv4echk6waMRx6bmHB\/GkqEOsvxG68ui\/AZep45nhKTi6toxgRi4vIrce4IDA\/pVKnSXUTq1n5GdLo+pTuzT3duXOMYmluCPUfKpz+dWnBaIm82Ok8ORwwtLc380G4jAW3SNgB1AMjj+VPnvoiXTdriR6boe5la8uXwQdvnsSTjsIYz\/Ok3NPYSS7lix06zkJEGhuxL7g0tk7Z98yyY7f3afM+rKir7L8DWsLHVNu2K3W3Qc\/u2SIn6iJAf1rKbju2aKnN7IuJpFxLkXZibPHIaY\/8AjxbFZe1UdjVUn1LVr4QmmcLbxzynqAGESj8sUOs2V9WRqeGfA91q2pfY7KwsS4P72eVt\/lL3ycnpWUqrWrH7BG5478ZaZ4NtB4J8IzH7TdIyajqcCr5hO0navovb3qqd6rInJQR5r8J\/Dlzd3UOr+Iik00oWVIDyATggvnqfQdBSxLUE4wDDwcrTn1LemQfZdXmu2ZP9GlMgDEjaQxwTjoOOp4\/CiF+VNiqSWsUZ2spZzyyzri3kGVKBR9\/JJyPcgjPHQHGK6HC+xgpOKMDTHt7bVt06AwyY3gn7pByG\/A9fbNEZNbhOPNsbJt5F1RBa2qRO8kny794iYqPMUKRyu37oORhhjmtUZLVHEeL2mksJpjtX96DtAwBz0x2\/+tTpL3rhiVakO8Lzxy2YbbA7QAGSOTarkDgMrd\/mwCpHcVq9GckFdGvc\/bYXuLlGjLOdrxGYER5+6+ehBHA\/EUpyS1ZrGN9DFurGV7crJ9n2Nt3FXTJGeenNTGavoXOPundaDaEeFJr25WSNTdFFTbkLycADg5AA9KJPUiKskZjxQXmtDy7KZDCwbLuAoI\/jC4+6wLfMCeOtCTirlNXNfSfDWp22lIZNaMFtCjeWkSKg2N\/edsdqwddJ2RvHDtq70RLo1h4XvNQktVuftN2sW9pYmabywOAC\/AXJOOOafPUVm9EJwoxTUdWO1tdXsYYoNGGnykKQ0k0nMZHYKSRj8zV8tObvJgpVoxtGJhHSdZvJWuPEGsG4Un5LaGYhce5AwPwqnKEdIIhwqT\/iS+Qt2l9DCLe0+w21oGyYomIyfy5Puc1MGuZSluE4+44RWhzWq+G7u5uvPOpRMc5Pmktt+nAxXSqkFsjnlQqS3ZAuiSRXIeK7tkO4B2CsSwHtj9aXtlJbE\/V5rZo39WvnnTbJOjAcr8prmjC2x1uTsY2rSYaF7Vvmii2qcY9Qf0J5rppnNWOyvry6huJlgnmjcyHGyQggZ5ri5IuR6fNaJYXxBqKLsklE2O0yLJ\/6EDUyp22GndajY9RsJxi60LTZGJ7RGI\/X5SKlRl\/MHLF9C3YjQlYSwQajYyAEbrS9K4U8EDI6fjTknbWzRUYqLvF2LcNlplxFHHHrWpRhB+7SeHeqj0+Vvb0qHPuhqHmadnp12kWyx16wlDH5Umj2MT6fMvH51HNB9BpPubt0dfjuDZ61bW63Fsi7AGJMgwNvIOOmMVDsti4+ZHFqDpbBpdCuHjb7skallP44Ipeg3MX+2NN8l4rq3cBznDWsbbR6fwmpak2LmXUy9U0fwLqnmNMtnJvXo9s6sD9eRW0KlWOzJlGlL4lc57U\/hp4SuExYNZK0uVZWtkyvbhuDW8MZVT3f3mP1TDv7K+4zT8JYbOWOa0WwmeGQPGfMl4Ye24j9K0lj5yVmyY5fST5kvzLX\/CL6rZ3VxMbACS5l82QwzD5mIALYKjHAHArL20Gkmzb2Ti27aslFhqKJumjvVIPGIA4P5HNJSithpPqMN06fLLHIy5xl45kJ\/KiVmPmXUY1xaurMTCAB91nAP\/j60lz7MNCpI1nNNzaxMqjGEEZOfUlSKpJkOzJIdOt5IZPKicyRjcqGE4b\/AIEH4puUkx8t1oJDZQMx863mgZhy2+TH9e1S5NMOXuaNr4bs5EWdLibLAZ\/ehvoAGXipdaWxtGit7lefRNHF20cmobCMDbLJGB+GRzTjO2thOnG9rl218G6LeqTH4hRSeiPDGw\/RhmpniJR3iWqCa0Y4+AVilFwniC0QRsDiSBgvHrtas\/ri2UQ+ryTvcnuvB+oBCTfWs0Y5BUSAAHp3OahYmN9i5U5lUaHqUJYW11ZOUOBHHcvkD8Rya1VSO5ChNbFZ7DxMJWWO1uyqscbLpsAf1qlOnbX8hWq7IgmtPEnmjzYb9EUkAvMWx9aF7LyF+9vqhoTWLfckMsv3v+ehBx75HFXanJaibkhJTr8waOT7QVJx\/rgM+\/IFCVKIr1HoNt9O10uWWG7ITriWNzjsTmnKVPqyOWp2JTPrtmCZXvIwMgBgnPp0qGoND5qiFh1bxRGkZd5wrc7VCnHvxU+zoth7SqkTWV34nvpDG1ncOAD83nRqB9dzVo4wWzF7Sq3sbXhjwtq+syiXUtf0TwzYL\/rb3U9XhAT1AjQl3PsAPrVwocyv0OWti\/Zu1m32R6PY\/E\/wL8JfDlzZfC3T5fHXii5i23Ov37rb2ueyjJDFAf4EAzjlq7abo0Y2jueZWhicTL31Zdj3PV9V1TU\/2VL\/AFnUGi\/tW78HvdXBjQCMztBuOByNu7tyMV03i43PP5eWry+Z8o+G\/iH8aJoLGZ9YwpaAnFlZ4wWXPSH61wuuk7XPc+pJxbt+J9f\/ALamt694a\/Zw1nV\/DN4bXU47mzSObyFmwGmUMNrKwPHscV21NItni0IqVRJnzP8AC\/xf+0p4x1aXRvBXi3VJbiKI3LRJaRW8Magcl2aBVyTwB1JxXLGc3pE9SpQw8I80\/wBTI8Iana+DdVl8QN8O7\/xl41kvHk3azayRWGn3JYlgltGmZZN2eTtAP3QOtZqrSTvLc1nSrThywdo+R7TpPw4+JPxJ0w+Mv2ofHY0bwgmJo\/C9vP8A2dbsvUfajkbV\/wBklmPtXWnJq8tEeZN04Plp6vue8fCzUPB+ofDzTrjwHBaReGBG0WnR21qbeAxoxU7EIB2Eg4bHzdec5rWLT2Oaaadpbnz34ql0r9lr4M6tpHhy"} 02486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1492,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":143,"flow_packet_id":3,"flow_src_last_pkt_time":1654385136215384,"flow_dst_last_pkt_time":1654385136563855,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385136563855,"pkt":"nLbQ0+MztKXvZygQCABFAAXU7ZhAADYGaKmsaXlSwKgCfgBQtHgmuiQMUbJfToAQAOskjAAAAQEICsmhz1rytRrb\/9j\/4AAQSkZJRgABAQEAeAB4AAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMABAIDAwMCBAMDAwQEBAQFCQYFBQUFCwgIBgkNCw0NDQsMDA4QFBEODxMPDAwSGBITFRYXFxcOERkbGRYaFBYXFv\/bAEMBBAQEBQUFCgYGChYPDA8WFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFhYWFv\/AABEIASICJgMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APvKRyGwMdB1UelMQm9v9n\/vkU7CuSBjjt+QoAXcfb8hQAbj7fkKAFDHHb8qADcfb8qADcfb8qADcfb8qAFBOO35UWC4uT7flRYLhk+35UWC4ZPt+VFguKM+35UWC4Z+n5UALn6flQAZ+n5UAVtWhW50y4gYAiSJlxjrxWNeHPSlHujWlU5KkZdmcx8J72WSwuLGbGYH3KCBkA9RXm5ZUvCVPsevnNJOUKy6o69T9Pyr1E9EeHfUXP0\/Ki4XDP0\/Ki4XDP0\/Ki4XDP0\/Ki4XDP0\/Ki4XDP0\/Ki4XAfh+VAXF\/AUBcPwFAXD8BQFw\/AUBcPwFAXD8BQFw\/AUBcPwFAXD8BQFw\/AUBcD07UBcQHnt+VFwuKenagLiZ+n5UXC4A89vyouFxfyoC4mcelAXGPMiDJKigGzH8ReKtJ0iBpLu6RcD7vVj+FUTzjvCGrLrGmLfou1ZeVDIAQM96Aua4PI6dfSgdx\/4CpHcPwFAXD8BQFzP8R3IttNlkOMbT2FY4iX7oZ4f4nk\/te7NpHLIhDE5XFfKSb7jLBkk0HSQQfMfgYIzWEm+5Ri+KPFcml6Wbt5cueQoArSg33JlI4mz+MAt70C68z96TtJTgVvyzkY+0Ox8H3V3r9294t0fKZflHpWclLuXF8wx9Lmg1G4+2TF4C2Qx9Kz53Hqanmnxtu49KvLe+tLx1ROCobHWuvD3mtzCruP8ACnxEvrqW1WB5JPNIXBXIFazpytqRTlqdh8OtY1q1+NWmW97bFY7xiI328fdNVg7e2SudB9H6PLINTuVJXqD9wcV9KSbIdsfw\/wDfIoC4ySRicfL\/AN8igCGSWUcqF\/74H+FSy48vUjiunMhBC5Xr8g\/woKlHsTPc4jJZkA91FBBxfjr4maLoKzW8UqXV7FHv+zxKpO3OM+lRKVioxueXL8U9bvrj7Vq2qWumWjriKGBVzuyeST\/s1nds2SsfRUv3\/wAB\/KutHKwoAkHSgAoAKAHDpQAUAFABQA4dKACgAoAUdaAFoAKACgAo"} -01730{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1567,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":142,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136207603,"flow_src_last_pkt_time":1654385137102946,"flow_dst_last_pkt_time":1654385137455380,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":208,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":143010,"midstream":1,"thread_ts_usec":1654385137455380,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46170,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":73900.7,"max":895343,"stddev":189691.4,"var":35982831616.0,"ent":2.2,"data": [356191,54,308075,59,2442,3212,112,200163,56,36,29,26,27,25,1594,86,63,42,33,23,24,35,23,895343,371980,1,1344,81,1941]},"pktlen": {"min":274,"avg":4548.2,"max":21666,"stddev":5608.1,"var":31450230.0,"ent":4.2,"data": [278,387,13026,14466,2946,2946,1506,7266,2946,1506,2946,2946,1506,1506,1506,1506,1506,4386,6338,2946,2946,1506,1506,1506,802,274,387,17346,21666,1506,4386,17346]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01758{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1578,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":139,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1654385131029337,"flow_src_last_pkt_time":1654385137110902,"flow_dst_last_pkt_time":1654385137463937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":202,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":156844,"midstream":1,"thread_ts_usec":1654385137463937,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":60148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":481391.0,"max":4660887,"stddev":1215170.1,"var":1476638408704.0,"ent":2.4,"data": [306055,4848,325793,248766,4660887,4604216,364,552,841,1047,367664,134,94,2523,311381,119,1695,102,878348,204467,1564,1050,216537,375544,43,1531]},"pktlen": {"min":268,"avg":4999.8,"max":21666,"stddev":6236.2,"var":38890032.0,"ent":4.1,"data": [268,384,6298,268,384,5682,278,386,1506,1506,7266,2946,5826,2946,10146,2946,1506,5826,2946,1506,8706,1506,5768,277,386,20226,21666,15363,278,387,2946,21666]},"bins": {"c_to_s": [0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,17]},"directions": [0,1,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01742{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1600,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":143,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136215384,"flow_src_last_pkt_time":1654385137106944,"flow_dst_last_pkt_time":1654385137800355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":212,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":424,"flow_dst_tot_l4_payload_len":219741,"midstream":1,"thread_ts_usec":1654385137800355,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":91723.4,"max":891560,"stddev":199830.4,"var":39932170240.0,"ent":2.5,"data": [348410,61,2586,311307,74,1916,87,90,200152,34,703,82,83,49,891560,375934,1624,82,2179,1527,332757,94,46,1896,46,1564,1588]},"pktlen": {"min":278,"avg":6946.2,"max":21666,"stddev":6776.1,"var":45915728.0,"ent":4.3,"data": [278,386,1506,11586,1506,4386,2946,13026,7266,1506,1506,1506,1506,2946,2946,1506,4605,278,388,21666,2946,10146,11586,17346,7266,18786,5826,20226,1506,10146,11586,21666]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,20]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02129{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1567,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":142,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136207603,"flow_src_last_pkt_time":1654385137102946,"flow_dst_last_pkt_time":1654385137455380,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":208,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":143010,"midstream":1,"thread_ts_usec":1654385137455380,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46170,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":73900.7,"max":895343,"stddev":189691.4,"var":35982831616.0,"ent":2.2,"data": [356191,54,308075,59,2442,3212,112,200163,56,36,29,26,27,25,1594,86,63,42,33,23,24,35,23,895343,371980,1,1344,81,1941]},"pktlen": {"min":260,"avg":4534.2,"max":21652,"stddev":5608.1,"var":31450232.0,"ent":4.2,"data": [264,373,13012,14452,2932,2932,1492,7252,2932,1492,2932,2932,1492,1492,1492,1492,1492,4372,6324,2932,2932,1492,1492,1492,788,260,373,17332,21652,1492,4372,17332]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1],"entropies": [5.893450737,5.720896244,7.959624290,7.965476036,7.917325974,7.914794445,7.850610256,7.954618454,7.905844212,7.834187031,7.916584969,7.918063164,7.852417469,7.840590954,7.847774029,7.850798130,7.845216751,7.939498901,7.947888374,7.909615040,7.916443348,7.857475281,7.837258339,7.835073948,7.714247704,5.815073967,5.763088703,7.974996090,7.979550838,7.864511967,7.949629784,7.970819473]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02157{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1578,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":139,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1654385131029337,"flow_src_last_pkt_time":1654385137110902,"flow_dst_last_pkt_time":1654385137463937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":202,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":156844,"midstream":1,"thread_ts_usec":1654385137463937,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":60148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":481391.0,"max":4660887,"stddev":1215170.1,"var":1476638408704.0,"ent":2.4,"data": [306055,4848,325793,248766,4660887,4604216,364,552,841,1047,367664,134,94,2523,311381,119,1695,102,878348,204467,1564,1050,216537,375544,43,1531]},"pktlen": {"min":254,"avg":4985.8,"max":21652,"stddev":6236.2,"var":38890032.0,"ent":4.1,"data": [254,370,6284,254,370,5668,264,372,1492,1492,7252,2932,5812,2932,10132,2932,1492,5812,2932,1492,8692,1492,5754,263,372,20212,21652,15349,264,373,2932,21652]},"bins": {"c_to_s": [0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,17]},"directions": [0,1,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,0,1,1,1],"entropies": [5.855428219,5.722984791,7.936409950,5.839015007,5.749445915,7.913037300,5.895416737,5.774818897,7.526371002,7.860151768,7.955783844,7.904475212,7.946855068,7.922424793,7.958326817,7.918138504,7.851068020,7.947721004,7.924707413,7.854940414,7.955513000,7.859978199,7.947089672,5.929639816,5.726084709,7.965382099,7.968444347,7.959605694,5.904361725,5.721296787,7.762065887,7.963563442]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02141{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1600,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":143,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385136215384,"flow_src_last_pkt_time":1654385137106944,"flow_dst_last_pkt_time":1654385137800355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":212,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":21600,"flow_src_tot_l4_payload_len":424,"flow_dst_tot_l4_payload_len":219741,"midstream":1,"thread_ts_usec":1654385137800355,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":91723.4,"max":891560,"stddev":199830.4,"var":39932170240.0,"ent":2.5,"data": [348410,61,2586,311307,74,1916,87,90,200152,34,703,82,83,49,891560,375934,1624,82,2179,1527,332757,94,46,1896,46,1564,1588]},"pktlen": {"min":264,"avg":6932.2,"max":21652,"stddev":6776.1,"var":45915728.0,"ent":4.3,"data": [264,372,1492,11572,1492,4372,2932,13012,7252,1492,1492,1492,1492,2932,2932,1492,4591,264,374,21652,2932,10132,11572,17332,7252,18772,5812,20212,1492,10132,11572,21652]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,20]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.907779694,5.727939606,7.439003944,7.956123352,7.841159344,7.930701256,7.923262119,7.962357998,7.944649220,7.845450401,7.840456009,7.848997116,7.852864742,7.909528732,7.921172619,7.844360828,7.935763836,5.871500015,5.737739563,7.220952511,7.767323017,7.970802784,7.950772762,7.960227966,7.942826271,7.962452412,7.924762726,7.957526207,7.815425396,7.959965229,7.959893227,7.962502480]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385139579809,"flow_src_last_pkt_time":1654385139579809,"flow_dst_last_pkt_time":1654385139579809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":887,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":887,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":887,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385139579809,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"103.29.71.30","src_port":35200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01715{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":145,"flow_packet_id":1,"flow_src_last_pkt_time":1654385139579809,"flow_dst_last_pkt_time":1654385139579809,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":953,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":953,"pkt_l4_len":919,"thread_ts_usec":1654385139579809,"pkt":"tKXvZygQnLbQ0+MzCABFAAOrd4dAAEAGTmTAqAJ+Zx1HHomAAFCgxdnYmdL2h4AYAfZ0\/wAAAQEICoGE\/JiYFaLeR0VUIC9jLzM1LzEzMjc3PyZfaW5fYXBwPWthbmthbiZfdWRpZD1lNmRiZDMwYi0zYjg0LTQ0YjQtOTc1MS02MzExNDhhM2VkZTkmX3Y9Mi44LjIuMSZfcGFja2FnZT1jb20uc2NlbmV3YXkua2Fua2FuJl9tb2RlbD1zZGtfZ3Bob25lX3g4NiZfb3Y9MTEmX2JyYW5kPUdvb2dsZSZfYW5kcm9pZF9pZD1iOWUyODc3NjM1NGQyNTllJl9nYWlkPTVhYzZhMGZmLThkMTgtNDdiYy1hOTAyLTI4MTJjZjBjMjUxZSZ0PTE2NTQzODUxMzYmXz0xNjU0Mzg1MTM3OTY4Jl9jaGFubmVsPTFreHVuJl9sb2NhbGU9VVNfZW4mX2NhcnJpZXI9MzEwMjYwJl9yZXNvbHV0aW9uPTEwODAlMkMxNzk0Jl9haWQ9NWFjNmEwZmYtOGQxOC00N2JjLWE5MDItMjgxMmNmMGMyNTFlIEhUVFAvMS4xDQpIb3N0OiByZWxlYXNlLmJpZ2RhdGEuMWt4dW4uY29tDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpVcGdyYWRlLUluc2VjdXJlLVJlcXVlc3RzOiAxDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTGludXg7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMTsgd3YpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS84My4wLjQxMDMuMTA2IE1vYmlsZSBTYWZhcmkvNTM3LjM2DQpBY2NlcHQ6IHRleHQvaHRtbCxhcHBsaWNhdGlvbi94aHRtbCt4bWwsYXBwbGljYXRpb24veG1sO3E9MC45LGltYWdlL3dlYnAsaW1hZ2UvYXBuZywqLyo7cT0wLjgsYXBwbGljYXRpb24vc2lnbmVkLWV4Y2hhbmdlO3Y9YjM7cT0wLjkNClgtUmVxdWVzdGVkLVdpdGg6IGNvbS5zY2VuZXdheS5rYW5rYW4NCkFjY2VwdC1FbmNvZGluZzogZ3ppcCwgZGVmbGF0ZQ0KQWNjZXB0LUxhbmd1YWdlOiBlbi1VUyxlbjtxPTAuOQ0KDQo="} 01563{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1625,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385139579809,"flow_src_last_pkt_time":1654385139579809,"flow_dst_last_pkt_time":1654385139579809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":887,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":887,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":887,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385139579809,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"103.29.71.30","src_port":35200,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"release.bigdata.1kxun.com","http": {"url":"release.bigdata.1kxun.com\/c\/35\/13277?&_in_app=kankan&_udid=e6dbd30b-3b84-44b4-9751-631148a3ede9&_v=2.8.2.1&_package=com.sceneway.kankan&_model=sdk_gphone_x86&_ov=11&_brand=Google&_android_id=b9e28776354d259e&_gaid=5ac6a0ff-8d18-47bc-a902-2812cf0c251e&t=1654385136&_=1654385137968&_channel=1kxun&_locale=US_en&_carrier=310260&_resolution=1080%2C1794&_aid=5ac6a0ff-8d18-47bc-a902-2812cf0c251e","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} @@ -853,7 +853,7 @@ 01207{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1658,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":153,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385141046673,"flow_src_last_pkt_time":1654385141046673,"flow_dst_last_pkt_time":1654385141046673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":426,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":426,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":426,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385141046673,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.79.37","src_port":41390,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Google","proto_id":"7.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"google.open-js.com","http": {"url":"google.open-js.com\/doubleclick\/ca0ecde2.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} 01137{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1659,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":153,"flow_packet_id":2,"flow_src_last_pkt_time":1654385141046673,"flow_dst_last_pkt_time":1654385141075345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":520,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":520,"pkt_l4_len":486,"thread_ts_usec":1654385141075345,"pkt":"nLbQ0+MztKXvZygQCABFAAH68DMAAPgGrD4SQE8lwKgCfgBQoa4lNEsiAYFa4YAYAIOtmwAAAQEICtL8K4OmALBISFRUUC8xLjEgMjAwIE9LDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL2phdmFzY3JpcHQNCkNvbnRlbnQtTGVuZ3RoOiAxNDcxDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDA2OjE4OjEzIEdNVA0KTGFzdC1Nb2RpZmllZDogU3VuLCAyNyBTZXAgMjAyMCAwOTo0ODo1MSBHTVQNCkVUYWc6ICJmZGI1MmNiYTkxNGQxMGI3NWI2YTY2ZmQ1NzVhZmFkMCINClNlcnZlcjogQW1hem9uUzMNClgtQ2FjaGU6IEhpdCBmcm9tIGNsb3VkZnJvbnQNClZpYTogMS4xIGI0ZTZhMTMwMWExMTQzOTM3MjMzNGFhMTRmYjdkMzEwLmNsb3VkZnJvbnQubmV0IChDbG91ZEZyb250KQ0KWC1BbXotQ2YtUG9wOiBUWEw1MC1QMg0KWC1BbXotQ2YtSWQ6IGM4c2hiWWJFVnhFWWhjaEN4c1d5LUVhTDNiYzl2V3g5aUl5clpkVFEyYjVfeXZneTlRdTBNUT09DQpBZ2U6IDYxNjQ5DQoNCg=="} 02437{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1660,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":153,"flow_packet_id":3,"flow_src_last_pkt_time":1654385141046673,"flow_dst_last_pkt_time":1654385141075345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1494,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1494,"pkt_l4_len":1460,"thread_ts_usec":1654385141075345,"pkt":"nLbQ0+MztKXvZygQCABFAAXI8DQAAPgGqG8SQE8lwKgCfgBQoa4lNEzoAYFa4YAQAIPvVgAAAQEICtL8K4SmALBIZnVuY3Rpb24gaGF2ZVNjaXJwdCgpe3ZhciBhbGxTY3I9ZG9jdW1lbnQuZ2V0RWxlbWVudHNCeVRhZ05hbWUoInNjcmlwdCIpO2Zvcih2YXIgaT0wO2k8YWxsU2NyLmxlbmd0aDtpKyspe2lmKGFsbFNjcltpXS5zcmMuaW5kZXhPZigiaHR0cHM6Ly93d3cuZ29vZ2xldGFnbWFuYWdlci5jb20vZ3RhZy9qcz9pZD1VQS0xNTQ3NTc5MjktNTciKT4tMSl7cmV0dXJuIHRydWV9fXJldHVybiBmYWxzZX1kb2N1bWVudC53cml0ZWxuKCIgPGRpdiBpZD0nZ29vZ2xlYWQnIG9uQ2xpY2s9XCJndGFnKCdldmVudCcsICdPbkNsaWNrJywgeydldmVudF9jYXRlZ29yeScgOiAnYWRDbGljaycsICdldmVudF9sYWJlbCcgOiAnY2xpY2tzdWNjZXNzJ30pXCIgPiIpO2RvY3VtZW50LndyaXRlbG4oIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0Jz4iKTtkb2N1bWVudC53cml0ZWxuKCJnb29nbGVfYWRfY2xpZW50ID0gJ2NhLXB1Yi00NDAxNTQ3MTc4Mjc5NTA1JzsiKTtkb2N1bWVudC53cml0ZWxuKCIvKiBha2VtYW5nYS5jb21fQUtfMzIweDUwXzIgKi8iKTtkb2N1bWVudC53cml0ZWxuKCJnb29nbGVfYWRfc2xvdCA9ICdha2VtYW5nYS5jb21fQUtfMzIweDUwXzInOyIpO2RvY3VtZW50LndyaXRlbG4oImdvb2dsZV9hZF93aWR0aCA9IDMyMDsiKTtkb2N1bWVudC53cml0ZWxuKCJnb29nbGVfYWRfaGVpZ2h0ID0gNTA7Iik7ZG9jdW1lbnQud3JpdGVsbigiPFwvc2NyaXB0PiIpO2RvY3VtZW50LndyaXRlbG4oIjxzY3JpcHQgdHlwZT0ndGV4dC9qYXZhc2NyaXB0JyBzcmM9Jy8vcGFnZWFkMi5nb29nbGVzeW5kaWNhdGlvbi5jb20vcGFnZWFkL3Nob3dfYWRzLmpzJz4iKTtkb2N1bWVudC53cml0ZWxuKCI8XC9zY3JpcHQ+Iik7ZG9jdW1lbnQud3JpdGVsbigiPC9kaXY+Iik7dmFyIGhhdmVTY2lycHQxPWhhdmVTY2lycHQoKTtjb25zb2xlLmxvZygiZ29vZ2xlQWRzOiAiK2hhdmVTY2lycHQxKTtpZighaGF2ZVNjaXJwdDEpe2RvY3VtZW50LndyaXRlbG4oIjwhLS0gR2xvYmFsIHNpdGUgdGFnIChndGFnLmpzKSAtIEdvb2dsZSBBbmFseXRpY3MgLS0+Iik7ZG9jdW1lbnQud3JpdGVsbigiPHNjcmlwdCBhc3luYyBzcmM9J2h0dHBzOi8vd3d3Lmdvb2dsZXRhZ21hbmFnZXIuY29tL2d0YWcvanM\/aWQ9VUEtMTU0NzU3OTI5LTU3Jz48XC9zY3JpcHQ+Iik7ZG9jdW1lbnQud3JpdGVsbigiPHNjcmlwdD4iKTtkb2N1bWVudC53cml0ZWxuKCIgIHdpbmRvdy5kYXRhTGF5ZXIgPSB3aW5kb3cuZGF0YUxheWVyIHx8IFtdOyIpO2RvY3VtZW50LndyaXRlbG4oIiAgZnVuY3Rpb24gZ3RhZygpe2RhdGFMYXllci5wdXNoKGFyZ3VtZW50cyk7fSIpO2RvY3VtZW50LndyaXRlbG4oIiAgZ3RhZygnanMnLCBuZXcgRGF0ZSgpKTsiKTtkb2N1bWVudC53cml0ZWxuKCIiKTtkb2N1bWVudC53cml0ZWxuKCIgIGd0YWcoJ2NvbmZpZycsICdVQS0xNTQ3NTc5"} -01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1703,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":146,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385140171515,"flow_src_last_pkt_time":1654385140959776,"flow_dst_last_pkt_time":1654385142015753,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":424,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":765,"flow_dst_max_l4_payload_len":8640,"flow_src_tot_l4_payload_len":1625,"flow_dst_tot_l4_payload_len":79973,"midstream":1,"thread_ts_usec":1654385142015753,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":331,"avg":84919.3,"max":408625,"stddev":132393.4,"var":17528006656.0,"ent":3.3,"data": [380392,4573,408625,215737,457,986,1014,178521,331,482,379636,185383,1426,654,331743,5741,174159,6079,334,924,170502,413,6008,1070,341,710,169481,463,585,5307,422]},"pktlen": {"min":490,"avg":2615.9,"max":8706,"stddev":2200.3,"var":4841425.0,"ent":4.6,"data": [831,1506,1267,502,1506,1506,7266,4386,1506,1506,2518,490,2946,8706,1506,2946,8706,2946,1506,1506,7266,1506,1506,2946,1506,1506,2946,1506,1506,2946,1506,1506]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,16,0,12]},"directions": [0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02169{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1703,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":146,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385140171515,"flow_src_last_pkt_time":1654385140959776,"flow_dst_last_pkt_time":1654385142015753,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":424,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":765,"flow_dst_max_l4_payload_len":8640,"flow_src_tot_l4_payload_len":1625,"flow_dst_tot_l4_payload_len":79973,"midstream":1,"thread_ts_usec":1654385142015753,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":331,"avg":84919.3,"max":408625,"stddev":132393.4,"var":17528006656.0,"ent":3.3,"data": [380392,4573,408625,215737,457,986,1014,178521,331,482,379636,185383,1426,654,331743,5741,174159,6079,334,924,170502,413,6008,1070,341,710,169481,463,585,5307,422]},"pktlen": {"min":476,"avg":2601.9,"max":8692,"stddev":2200.3,"var":4841425.0,"ent":4.6,"data": [817,1492,1253,488,1492,1492,7252,4372,1492,1492,2504,476,2932,8692,1492,2932,8692,2932,1492,1492,7252,1492,1492,2932,1492,1492,2932,1492,1492,2932,1492,1492]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,16,0,12]},"directions": [0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.859029770,7.746788025,7.815745831,5.897830009,7.640064240,7.862792492,7.967751980,7.950705051,7.860798836,7.868959904,7.893837929,5.886357784,7.845828056,7.976538658,7.857397079,7.933415890,7.973951340,7.934168339,7.877964020,7.860165596,7.967057228,7.876602173,7.849090099,7.929278374,7.849063396,7.848120213,7.928964138,7.852302074,7.863938808,7.928197861,7.863379478,7.881860733]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1714,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385142293700,"flow_src_last_pkt_time":1654385142293700,"flow_dst_last_pkt_time":1654385142293700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":517,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385142293700,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"119.28.164.143","src_port":51888,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01205{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1714,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":154,"flow_packet_id":1,"flow_src_last_pkt_time":1654385142293700,"flow_dst_last_pkt_time":1654385142293700,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":571,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":571,"pkt_l4_len":537,"thread_ts_usec":1654385142293700,"pkt":"tKXvZygQnLbQ0+MzCABFAAItm2FAAEAGvpfAqAJ+dxykj8qwAFA1Ocr3U6+amlAYAfbg8QAAR0VUIC9xem9uZS9vcGVuYXBpL3FjLTEuMC4xLmpzIEhUVFAvMS4xDQpIb3N0OiBxem9uZXN0eWxlLmd0aW1nLmNuDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTGludXg7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMTsgd3YpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS84My4wLjQxMDMuMTA2IE1vYmlsZSBTYWZhcmkvNTM3LjM2DQpJbnRlcnZlbnRpb246IDxodHRwczovL3d3dy5jaHJvbWVzdGF0dXMuY29tL2ZlYXR1cmUvNTcxODU0Nzk0Njc5OTEwND47IGxldmVsPSJ3YXJuaW5nIg0KQWNjZXB0OiAqLyoNClgtUmVxdWVzdGVkLVdpdGg6IGNvbS5zY2VuZXdheS5rYW5rYW4NClJlZmVyZXI6IGh0dHA6Ly9tYW5nYXdlYi4xa3h1bi5tb2JpLw0KQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlDQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC45DQoNCg=="} 01226{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1714,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385142293700,"flow_src_last_pkt_time":1654385142293700,"flow_dst_last_pkt_time":1654385142293700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":517,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385142293700,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"119.28.164.143","src_port":51888,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Tencent","proto_id":"7.285","encrypted":0,"breed":"Acceptable","category_id":6,"category":"SocialNetwork","hostname":"qzonestyle.gtimg.cn","http": {"url":"qzonestyle.gtimg.cn\/qzone\/openapi\/qc-1.0.1.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} @@ -892,7 +892,7 @@ 01280{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1835,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":162,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385146284849,"flow_src_last_pkt_time":1654385146284849,"flow_dst_last_pkt_time":1654385146284849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":526,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385146284849,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49396,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"hkbn.content.1kxun.com","http": {"url":"hkbn.content.1kxun.com\/manga-hant\/images\/project\/cartoons\/00dd6bfe750c02c8d10d7112d143f322.jpg?format=webp","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} 00909{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1836,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_src_last_pkt_time":1654385146253018,"flow_dst_last_pkt_time":1654385146458654,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":351,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":351,"pkt_l4_len":317,"thread_ts_usec":1654385146458654,"pkt":"nLbQ0+MztKXvZygQCABFAAFR8fdAADYG95QOiIhswKgCfgBQwNwlgdAMRlWmyoAYAHrh2AAAAQEICpoJIgUeulbiSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjkuNy40DQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDIzOjI1OjQ2IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogNDU0MjYNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCkFjY2Vzcy1Db250cm9sLUFsbG93LU9yaWdpbjogKg0KQ2FjaGUtQ29udHJvbDogbWF4LWFnZT0yNTkyMDAwLCBtdXN0LXJldmFsaWRhdGUNCkV0YWc6IDhjZTAyMDA1YjJiYjVmYzc5Nzk1NTc1NmIwM2EzMTk2OTI2ZTc5OTYNCg0K"} 02472{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1837,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":3,"flow_src_last_pkt_time":1654385146253018,"flow_dst_last_pkt_time":1654385146460775,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385146460775,"pkt":"nLbQ0+MztKXvZygQCABFAAXU8fhAADYG8xAOiIhswKgCfgBQwNwlgdEpRlWmyoAQAHoGUwAAAQEICpoJIgUeulbi\/9j\/4AAQSkZJRgABAQAAAQABAAD\/2wBDAAgGBgcGBQgHBwcJCQgKDBQNDAsLDBkSEw8UHRofHh0aHBwgJC4nICIsIxwcKDcpLDAxNDQ0Hyc5PTgyPC4zNDL\/2wBDAQkJCQwLDBgNDRgyIRwhMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjIyMjL\/wgARCAI6AbIDASIAAhEBAxEB\/8QAGwAAAgMBAQEAAAAAAAAAAAAAAAMBAgQFBgf\/xAAaAQADAQEBAQAAAAAAAAAAAAAAAQIDBAUG\/9oADAMBAAIQAxAAAAH20E27BKcXAViJSJBAEhBIEEgQTAAAAASAAAAAAAAAEBIQABEwAAAAyCYGXpdICAoRFNwtkoAAADMSVVpqBeaXSmYkJglIAAAAAAAAiQIAAACQAAAAAAAImAAAgAABsACAAi1YGypYShsBVi2AAJAAJku6gAIJgVglBICAAAAAAAAAAgAAAcgCAAAAAAAAgAZEwAAwCBkTAAAXiRKCQIiasYAkAAq1B1ciQkiUiQCQBAAAAAABHBH348TWtPcnj9iXpIw7lmTAEkASEBIAEEBMEDkiQAGETA4JhhEwNkrvMyAKKMAraoOxAJQSXF5kmJICQBSRIAAAQArL5Z36Hy8UrVkpqnoEMlN24W0\/TdLxXUM\/QCrTncBkkCArYAAK2i4AAilwFgOiJhsYu6VgFIAAAFSQdLxISRIiJAgAYRIAAhDvOu+bnfmvalJnNLC0l73E50VemP06LGdLmaDHTMFRNYhVM0AZFAGXWwkAEABQtI6xcEsut0yVXSsQCkqAANzMSkAAABAAQEDkgDJx9ua+jJze9zsq519KVKk70Bo0q68vDsTtTZsyJvLSitdH1LZdyzXVoJJaiqSJCzU3aYRJESQEgABATS9BzathAAUtIAABS8BJEgAARMBWsVm2Cl5vi51ZuvXsZs6OeujmqhJl8+0EdHLzxdsy0Vb6VRS06eXq3XR3cdyXUbyHzPQSWUMtFiIrcCs1sOYkEEASRQL0IKm6wGi2EgAAAAABEgABEAmjO859smtLOd8Tgex8t2Oin66M1LXQ7fRjVuNtYGKurTNb+DdjWXdk6+tS1kiH00KJvS7yU9Kh7SkTM2rcABorMIraYHUuAuGwOrKWFIDQAERMBYACllywqK0VJ59Zipkq+V9Hy9aw9Hg9zdc\/cnWFc3cuLjdXXLha9EVOLVtTFchtdlbVcqHLWKq52JSM0rpWk1y2ZpjEtM5iQUQKG6c8g8iWgAAAKlqp2AaAEAAVVaYqqyiay9I3lWnm4Y35dF6Y85kG\/V1nZ7D7LaNvJ1IkmIlI9QzKHP6GbU7vlalCmMzFWOe51pbldoty\/PRz8nrZRY1dKm1Nc2rM3MQsvS9LjMCGpAAiRFCwnIQKaTWXF8T875PN9BzFzu6eZuWxOc59mY9nzek7Z5Pf62Xsehg6OO+jdzdTjUp81mi12p05QmtHQvzFHouj571riMHUiJ8L6LozpfMs6ueuO\/RRyZ6KL14WuSvTjpztX0XOhLRXuBkRMBJEgRMIAAirKjOb0M0JDVO4OpiNGYiZglr5mPwnXHtfEev5\/ZHFZW+uXa9X8899ydeyVsmk78yrO3l4TKizC12uvRaRl6VHrOVO5SOrWrSedn043vszp6EMqhvltiTjdHL3bZt\/bqW52up1zUUWiLAABEgAAAhvmonZbkXjLqP4PoODsrMmzeWjuyfhnx7fI9f4\/ezkJ9r5O4zd\/hQV73fxup5fdptTJtz8HteD9h1PoRJVM3YcBHpb5daxVj6VVVGHFaTqwdA6cet2ZnUwQ2Y5ufqomNbsuvTNkRZKbiE9FkXBgAokoFgAXz+qJebyeiwxlye4\/NehpQ96Oz05uW3ksvs\/"} -01742{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1846,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385145219802,"flow_src_last_pkt_time":1654385146051643,"flow_dst_last_pkt_time":1654385146466639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":10080,"flow_src_tot_l4_payload_len":1052,"flow_dst_tot_l4_payload_len":96620,"midstream":1,"thread_ts_usec":1654385146466639,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49354,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":360,"avg":76988.1,"max":831841,"stddev":179465.8,"var":32207955968.0,"ent":2.4,"data": [207030,367,1074,749,203546,401,538,843,360,1168,622,204026,463,1910,808,831841,413644,1524,1634,381,916,201620,415,562,974,897,365]},"pktlen": {"min":351,"avg":3118.2,"max":10146,"stddev":2492.5,"var":6212617.0,"ent":4.6,"data": [592,351,1506,8706,2946,1506,1506,2946,1506,1506,5826,4386,1506,1506,1506,5826,2946,2946,3956,592,351,1506,8706,10146,5826,2946,1506,1506,2946,4386,4386,1506]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02141{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1846,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385145219802,"flow_src_last_pkt_time":1654385146051643,"flow_dst_last_pkt_time":1654385146466639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":10080,"flow_src_tot_l4_payload_len":1052,"flow_dst_tot_l4_payload_len":96620,"midstream":1,"thread_ts_usec":1654385146466639,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49354,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":360,"avg":76988.1,"max":831841,"stddev":179465.8,"var":32207955968.0,"ent":2.4,"data": [207030,367,1074,749,203546,401,538,843,360,1168,622,204026,463,1910,808,831841,413644,1524,1634,381,916,201620,415,562,974,897,365]},"pktlen": {"min":337,"avg":3104.2,"max":10132,"stddev":2492.5,"var":6212617.0,"ent":4.6,"data": [578,337,1492,8692,2932,1492,1492,2932,1492,1492,5812,4372,1492,1492,1492,5812,2932,2932,3942,578,337,1492,8692,10132,5812,2932,1492,1492,2932,4372,4372,1492]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.836778641,5.800940037,7.833999634,7.976774216,7.942587852,7.846837997,7.855956078,7.933282375,7.886686802,7.866371155,7.968765736,7.957736492,7.885743618,7.873675346,7.876061440,7.966520309,7.932492733,7.934986115,7.950095177,5.861396790,5.841276169,7.808639050,7.978169918,7.980235577,7.968087673,7.920913696,7.863669872,7.851905346,7.935641766,7.952698708,7.959656239,7.886331558]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 02483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1850,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":161,"flow_packet_id":2,"flow_src_last_pkt_time":1654385146276790,"flow_dst_last_pkt_time":1654385146470951,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385146470951,"pkt":"nLbQ0+MztKXvZygQCABFAAXUjohAADYGVoEOiIhswKgCfgBQwQSWIbNSmarBiIAQAHrnQQAAAQEICpoJIhIeulb6KGbrQ9NgAoPeIQXK8aNsRvWmWOG2+mJUfVc1tOfBUFm08iHXJpNv2Owf5\/8LnH1ete7iHIgeIQ+NvC5\/VL\/aRL84vFpH3hpuKGie89N\/ltwx+Jf3dMlyw07W7lY\/ANl1EAJvmqFKZxvNP\/7dp2qkMzGNaCj8Doc1sJJRQQ+ao9WYQoMiZ2FUxVUX6mhkQjNYtI4Xmy+wKkhyEHukERva96HY\/dXbvojGVj3HwIwCL7Uu4KCXJCOxCdfzRsyBCPbX85Xo3\/0i+EMzczsTrgKFypwzGJAzBLllK8mrlen1AbXKws\/iFuX9EFW9oTIIiG0ZW4bG5oE4h95E6fNS8I4kaDxPobJq1QBkoPqrtXoiEHjpKULTrft3zYnFpDwQu2eTvwy15CQ2tec5f5m1CtyPkJ8oKSdO\/aLi94jceiOZXraTb6+VbZVTT5v7KqPOtYsl8CgtLKBY9Ot78tCrSByNPAMDNF2pyABksBqbgNk+1a0f6z45tFT7oVWfhgbXl\/on\/kQ2tjjIKII+MrdKpU\/7Pps04g33RP6S4I8ga81Yz5R07ZIyJT6iuback6Gsu\/EUAaiVehLWhou34+zaMkfX4oW8nsmfVHl1TpepxDvzCEYnOi4OxvRscjYz8+bDhvRI9oB6DKa80JOZpGqnO4SIevnAUQte4KcbZKPz6qauxFKMjOPb+Fi92JZNBzuBuVci4AUSISUJZ9pDO344tYqlcxAnz5Lub9aL3azUFNTDSxweDEjd8pW4pwan1wijpkqLHf0vi8uNupO8FH0kib57l4ZodhscgY1lQi\/YP8qhWC\/Ub1YGeDcgEMSVmhxKOxrRmEMxZJH0\/SPVC1Q45KguC3L2a2vUkm\/rWbFirVKvRVj2Z6smUDwqdOzzvBk383pjRzwKiZn+50Qqi6vXyDKsGTAy7P8x6VRpnIzzPW60jAuNOX3Z8JKsQSoQbU7WWYxRsEMq2vDpEdVZDnVZhQNpQTkqwDBMcvnxKwGz371ROj3c1NoOOfCqOGX6dcQUiRIk77k05t4r7lBDoi3JaCOltfNkcyuik3r+d2D8rJRDa0aEaUWI7HzkzGE5xCg05dBJQ+GbxLjA+7YlokrbWDOVI5+7T2BJvj5Z2gSS4bQyr5V6clNZrOF9yEP7TY6KekfQFoBuQkiruOmgQDE3GJilpZpNsJut4YIT7F0OaRSKrHaXWfoS4Pjff1AtIHgB\/bHOLbEtnRDxHNLviswASL0Q8jLLlz3TRCqT8v4o7cRzUn+2eKJxSTko0F7LWInRcpNe9+Y+33MXMVaDAOeHkemly1HrRGPpJskPnYelD9BE\/N2ZrEmqz0vzx+lyA9i46mr4QvLytJqjP9O\/HSqlA1Kx9fxOAXNcAxSgUCEYxWhNuKuqJnLtxuQZR208YZRatEdYzf9DdIBrZeDV9KCfxPH6XHmKZM6Tw3RIrVgIvV1ORu9gNP4ZxWngguwIFKkqm\/QJwvcuq8ge\/\/zWwxnlXlHBvEJwP5OtKAK0XftE6rJHP2e+bJbxwmb93eYXIbhGdyhKZmqch04CLGO8ZQspqifdGuUIlfUuJjFC7hqacsNLSVicuPJzBOyU2NXprEYWc\/OZbxibYqlUXx1QnIHQ5VZlumABcc0\/1T3FfnECTGn8GRjjkVVUZpIueMMQIx3l8RzJtDm1\/VpZNOhOyDZV1UCnbO7S2SykG2XtX4RCuY7OXA8IZ2JnjkHuxMay4A3uSWOFpP5WNNUcHjze\/bYJSsUoGQ\/ieU17tPeq+kN+I0skTj9BNmaip64x8FfSWbU+sFOV0QwBozGD+Lr+4Fx7eGgUibMhfEp33ZyZZa3ve8AZrylaG4wCMpTMxS0GbDni7A5CuyPiGXxt+Ero\/x3NbA0EZstWz0F5lDlbQrK1AfXK7WKby1kb1HGIl\/BAQCaQBP6s"} 14193{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1851,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":161,"flow_packet_id":3,"flow_src_last_pkt_time":1654385146276790,"flow_dst_last_pkt_time":1654385146472685,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":10146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":10146,"pkt_l4_len":10112,"thread_ts_usec":1654385146472685,"pkt":"nLbQ0+MztKXvZygQCABFACeUjolAADYGNMAOiIhswKgCfgBQwQSWIbjymarBiIAQAHqBoQAAAQEICpoJIhIeulb6tgJjnFx8hVIwXR4iVS\/qWz5n+Fxjae7ZlUqBpnRyPdUMUd+QilKzXl7OrNKxG+xfS7TEH288LHzxu8ZitSenHMt52H\/QkEpV69+4AxmflPbcyhYuNqtaP02igUNEXeHnE\/ugkiQLtQdebb8RWtY9VsgDPz9GUtPkZLj16g263T23juO9fsws38GXyF\/QUkl47exxYxCkNwjcpk2rfKmm3nQg7N6W0jqeFp1mCVWfSdnf1Y7Ic0aAspDn0dYX7ERrxAbYuaTLxEKrjn9xjqvkkkgS5vTMQo\/QuHb23Cix7tuT4Z1trzTW8hydtgFvdta227DotNH3yGBi4f+L\/4sXuucsl\/ZYz2EwWxq5jcSLqELfJHxFWvLyS92f\/OP922wdIMEUfGBrUGM\/B3JtuZ3WiM5qe4JQxMfqsdaQSk4KNPI7lDEQlXw1h0iteFlx\/\/sbXUFb7a6zxAGqKLOfVJ8nwgmuJ2JJ7a50wGQcZ5nLknIFyLr5KlKTMbvqLWFs2LMvOv6V3ngFYSqCpTCGvq3EMOwjXIRIIPG0xirKad\/WrPQ8qnK75ee\/4IVUZVYuQzRd7olXfWjNWoMU2XKEWOHVqY0lXpUYEDS21smZjZOKOEbaDcPJR3IR2tSF8v7lmhDnC7A1Q\/ZMUecW1YHLZoxctM+TtOWZT+8NOrxJea3YCm9Yx1kAaAeNlJkXZxTsZx9fiGRUsKJUp87laAJvDIbOMmd8r1aoYTkTFmU\/sSJ8mQf2rPRf1eOXfHgrWYTr5hLNs7M38fDRwMZyvGfVF9JaZJr7oby8iyXNXc7zTY2L\/7mbvHkCPWlgDez3Db3GmjmR1B4zzKCnOT+ig1lwwIJo1WP+cxiw7N2K9r3vspvR5Vcuvuh7tgHpWqmAWhI6fetLr\/c2Vl0iiMIIre8vZpLEHW\/nohVeVVUderzf2dVhF2EtWAMquqz+sXVK0WGqetxa0ic3Oqtaq26N2z5MTbOtJmKxpBzaXCwnIzJfbkvT7NrL2Wy0YeTpBNp\/qObq5eeNpmjp1rcehffZdHdR\/PROFB3yNO91UKg3br6J36EchQjn+HHAfILGeZwZXM7g1tOqRvHe74tZLlvy11rPmfX1clEcNLCqdrXEZs6S1hXdICGrhpqkYawHpcEPmYXJpM3IoQIL6\/UfuOmin8lEdLYY6JkRJggUKNF3GopOMtqlw7cN6WYvnHBpqPv+d126Z4G+wSDqysaWGFBAN5NvcQbJbC6Ll61fYucNIkqNOL0YpI0ckzNHkzp7ppuY8oO9Fo0pVc\/ohgagsAS706RZzqtBM771ss7i6ivGHfRBZEjjDIPKsv2Sde9W91iB5ZG1lvOyoiXq+e07SLSxfFtviLdcctt4TbAeowmTgePDz0y3L9AurZZjU4HIorixz5KJ77M2+G+AlWnTOSYKMX0u9tKolMpL1eyCxnoAOfARlh5LFdSrBlImUb8\/QcBlj5qeZRDZQU0B+EzmE+arAHNjN51kGTW6D7VQMJR7u4gZ3CgkHpJn92AK61mPx3iPbbQMIpDgyBDREkqY+81rw9F+VEBGuxGn2OHvqi\/vOzeKm9iM0LloHBhmNL2zynkkneVPICTPD5SM+wMcfYdktvf7olC7djwltDQ1vQJ\/I6RAWfvx2ILm38PTiTvZIBEmYnoBQhOQ0E9Tb4QLfGTKne4btkpduZDgVkqDxDm78xzn71taOI7rLMzMH0SBU\/TziyBk+2oShCxYgmdU0iKDT8r46zjZTZS6v8mEtsdjmBbH7cPpyTT7gKEtnM8zptXWSIhlVykpGlFGFVQescLnpMRvIoRiJxd6HY25i8Q8badO8aZYOw0ti21cGDZu\/crSHqlLbfNys9iM3fwPZY8F2upWh4BROkh4t+NK7aItRWXKGLcjiH8o43WjkrzjhZ62eQB5Wlcc+8CD6CzKirazoV4LzmmyoNOd79K6CEyxZs7LfkoWUz13vIVl5saV+gwv\/uDP2Ytl2FPCGdgA\/v6tuERAYkXOh8gIh1RlzkPREpEf18veddCRJ8z6MI1K9LoTela\/e9o2mTY2e78QaKnXoqh+gJEKGbQQuqA2rJhJstN3uX\/EaXiA2PLbbBotmQW0YcCmKQgJE\/mvmHOw1Qun\/4swBH6823HVEWmKBvS0oVgAqI74vcVeVMBLwWco9z3HlrXT3tEaneofEZozkE7cn9vQB9DnL+4knS9sv3ucRAaCXIaxI7xyr3FbUUZ5Rzhe0H\/cYTVgieCFjpL\/MHbGwM8eU85\/OtgxMEUVvx+FYdQ\/Xus4ZI3uf5Sccum7RwRDv8sIndEhRGPvW6LqHIsTfNccr79CHKeIR7FkuijEUaO\/OqYmPbzQ9YkqFMB0+Tu2de\/pxeyvudZ\/WVSNhP43OsfPzA72r+zg5t61EFhlrL5bWOOEBWzBkPF1I8X818Sf5\/376K5qlegKQkwXbKRdlJ+dBlPBuUql1J0vaDbHbdtkri1pYwK7wgzini332ipIKeGOeTt5wWKs\/UJc8BSkGmhIG8Xe4f\/NsV5rrZCacV9nG2hTZxgeB0tylrutu\/sCHQNDsVGkcvI3gBB3q\/0vTOgej\/JcQ4b1+hotEGJylJ+eyNmc8vorXCiSHXRHzvzK6jk4pp+0UjXNTxLiHVg4qUFAuiZDIaFzX4O6D8VhmHlbVkYqgJqOX\/uGR2w48wcRx9Vc808nXu61mwFTYRoiQq6\/ejhNCo1BFujUS+hAxzQetpO\/K5aXDdT5Q4tardwiCey5R\/S0MvN5lfkF6zaPhPSYKgg\/PVYZCAciZA3MsJgF49NaKBsik5yEhsb0fgHIH4GeJ4dVGypxdg+2R4daILk6+rl5UnRJPB7824ueIIesQbwA0lA8APOM9i8n2eIOONbuW4Fch\/s9RoyFD0e4YfBpbfMeHceRyVw\/U8NAA5miKE7gJ9GuxC\/pLi8D+krZcFlG5qjZxha\/2jvFLl0bUDdodexooW3iKcNN3NfGh0KXY0d1erClHiGv\/E2Ibb5QUKKhz1HCVfievXCuKd+iXQXwtn5XRQBAaoXdqYslwAQowDTy2gnBMtD6ROBrw\/dyxwRv6sH1TAiCU27nx40639\/Kn+\/kwQflJnb5sjgxAjt821QivnJMxkYJXQSes9hrIx1+nbdW5JwYP22DoX\/Iaf70c5QuYAq3SeuASr+5zuspK2w5qYnsSROZDDRK1QTlHH6uPedRlv9zXiHIQFrgkR2ksd74RBk+t2ovUESSY2bLpgp8wt6Rc7avWpejX4lK\/vTU+HrSv009gZNULrkFU9\/s6bchhE7dkLoaS9\/GzcGhWo3CsP2t0nCGb\/Td2B4xrEPMjPUmL4ec+Izyi00UCIQHdfHsIo6Yd9+hdY7bTkFVVpPGwAIAMYFlXoP+4dIvcw0SwDKskFVWrE53M6bGPKkMA9fESSRf2TnVsJt15VCvXBWWkgs1da5ZsxB8Hxz\/dYLjutOpGakDlN+mjMre8L7PKV4IjOXfFHcklueZlHFfMiKOoAxAnQsxhugdCoiNxI4bCX\/geE0qtc5uywOU\/zahO8RvxDDLxVByl6CpsYll7DpRqay8ia0LpurHZOx2CQoD15zpPDCwpCtrdWUoyRdrGsxmrJ2BOXmiQvThstJVPjn7OD60GBa9VTfhetSOE5A33Rrn5fog05TTsAblGiM3m9yb24drHjEj4HLA0FzYwHEpoPH2DAxRl\/HcA1RuOiYRnNIrcG7werbjY1M3Sa327qYs+3pKFYs\/a35vcUkW6dvfmHWdKRgkl\/lQ8+agNAxx7ytNkTHTtIqy7B8vZAL8KUlPxSj0gt6f0aahHlR4x8+DpVQ03HO6DciE1DtOwpSAVp71Kx1IN67DvbZE5puszzpjMOBMXrHN6EAiyiDkBLRIljHommON+R\/R7kjaffp+gcXAJOOcCJgwyYulXqPEcVjm1lVMWAs1unY+V\/F+uNEJlU+n7ycALtMx8JoapYqpZ\/YERl98enXpnS4JSwG+uXe5eti6wMKtUHR0CpD0ZTaMF8UeGRH7e42Bzv0p2Tu8+lmtnPsKgFOqy4qM8flcxd6FbT51bQmVGBKOz9hsmN+xzNeSS+G06P+gRajneelM9Ml6rshA5Ze9XZNevJ5URGA3+\/4zmL4ZChYcdSj\/dpBrk7KKsyykmGEDSTp0wnUcOoEbwOwdwy0yJSEcPdp5r4I630fJq1ThajSOsveqsNFTGmChRopw616UtUsJ34ZHIEkewDajBG9ciLWIlp9JmiNQA5sdS6h9RnDTz4gD0aZFiDLoQvN9kPOuOrWZL1brHSxQcSnrfMBFNQDS\/T2UGyKc\/3NhjlcLneltmMwChouJwrB1wWnIC01Oz5ybtO8pgf3mNoiFgyjsWkdAUm\/Ilybd1rbLiMUzw1mCAstjt4EOmL7ov3wAjxxXQps5EmW554KBvP1pDfN2rrVJj8KZ39yz2IbgzFEgyGCjwvymAdcelaUJTipIuCs9RDJdcgmqgxPTZvY0sCT6yaegqEtX8mPz0dFB1wQRMIMB3iywLf+BD8w2hn9fbF88bQRFOTjbN9RJAZwgsHlzOUW0OITmS8gMTFjKFJXyDwGQs4V5LS7fkoeavVxpcEnLxnIotXgNPlS6kU3L2b+eqbGq3yEqaqKVaaCBZKDHd4RSvx6acZ5pMN5tixoPl4VRZTUbncjR7CqssSBkstKemgBJcL5ptv5lHRt8KC8r\/D8drxpQU6SzlMe8Tdv4CsPsMIr9ShohN+dGdO\/Q+YZ4MlJdXIWpPVis9KcBa3BMSAQLL+wlyCrC1DxOauyiJX0pZwmBAP3uFWYpTYr755AsZF7IZSWbLH99OcdO6P4QCsINoDJupHWX0kT9\/ILwvpJZdiJQ78usj3ggE6ufPm5r97uptNSwYWvSBqmpmh7Os4JXPxuC\/oYA9qP+88oU+8sIO935wIdjeKeCSU612zzY7tJRMPJqwyaKqX3F2Ml4mDMtJUpcDHDxd5wHlvcRljGERWhx34qQJ0JL1LapC2Yuq4xWUrbCUWIVjCtmYEfa\/GCOhoSh\/4je8dI1vcbamF7eNP7KRXq8\/j7\/0nPmbGsfJ87rF4KGJE3MFdoClkAlUUrRLaHhiG4eZ9J4RLozN7GBOCkVWWHN5ZAcZUx66oyu0r3mEpWpEYuxlZEtQ0a+RcselQYXz6IuCnJGCHSF5B1YQT8dtCh9Y2xHMplEk9aMjzAZ5TsQ0q0NkXMybToCx5ubpzAZVkBaOnBDwCW5JzH3qkO4m1Y8AzssNxnQddR29gzWPYQyg0Dcxm1OWwVAXNJ6\/SX+S4aDPDV8ymCuPPXQzFDKaJwJOJBrmrARsHZLfI8bbIQ48Fh4G63fa81NkkjBQxfp9npgdy\/bdQCu13ZEFuauYxibrh62hDGVsCl\/5SGVGkTy9NgczZgb\/uar58fVvbN7SIf7HV8afG1gmewssOzVfLq0EfY3Ny8+KiXGGbDHWzNN+mc76\/nymmxBGf58LS4248blw+sucBQGQVLLDUzJUq6oCJofVMo41GsNYXtH6fOPynAzsThq0D8e+jjNCAqLVtm8ZFeahT2ZPmol+LspHBXCkp\/yVPnNsRXEIy1hHfAlZS0eNlJe3RBx3FXhymlEy7K44Tcf5Ni76LhiEOGvYVTVMa27PUfsI40MkT70x7ieJ6FYRIKzUIbAeMHnpEkcHFPy4DbfR3wCD0UChKwSlx6Kady5x470xmBx8VRGz7irKrOxiLKUIWgrzkoggeZwA+lAGQDrqHT4AOKTC4DlKf9XMt2yEfQN1DUxCliAnWe1v3AxbxHAnyrrdBz6rSSe\/EJcFEJPHQDm+UYHvApVKxi\/gRer4sQcA9Qcm4hgZstp4uGyIRjL3SbYY5uAltDI2U+EomQE+SZc99KHDAr0k8k8hb9Gg70cpj29qmGLTPb5l\/3DHw3hH2ywNNERWgs\/V2+UZND4pdNNwRg\/WA+n9o67rtYl6LGQao0ud4GmQNsHYt2eZIgivRYvM3TBPzIaE0iufnYlLjU5EqGxmZxYs40fwTKrnZoQgbAPIbIFFZg6BoCWJhCmgJD78iD4XdzxPvjyshu5A2Z2bNVwSD1OLUxDVRqMgDlcZKJfm2T44YKUT52rhectH4b2OTCH8c1O1WuFpSgRsi9xHBFQHaShA1XiZk+5tiBMMFCLFcC4MqRhIryL1Xt9kVjVw+bLo7UNTs4gMlwM8op3FwFU9JdV1TUw4911Ic+da4z2g0M4eomEnD16ypzV9YvE7PbfX4mG6DIOC7sus4qkeLeUGh+og8npF10LZ6uMQ7NO1jiICa74N4qYd3biZ2PKKCUPsRwiQ8GC4+aFT2\/CElHV9Tus86MeNo1mbxN0MelU9Tv3Re3vPhxieigjbNNg7c8NH1lbKWgphzZEQvqW\/1D\/3eHKWu+1spZcYRk1Cz9Xq47QMTDt1ObhcMRa5MC4OOHU9i+rgy4fH6BSRbTrht3nvfqMzfW\/xgs33D0hwh1eVnBf0PGbhUThT1lBj1exyTJfY0HWfjSfQMcp7I77rxN3+YWgUHV7XikoArasQLBJv4w7LEHyPYY\/+Vj6MwrFWHNchEMNzwTrvd5gF2snhY5eOtRIPg+818Q42DU6OcV4f8vlnYUQXHJ8SkRn+4youn3U7Flx6hzGqd2Kq6kiCNHucaRMmTmTslKYPmix\/DLodndpVGjrAX1amNgwhKlXOsAMB0\/QNROKmcB4zyic9xrBg56IIaTIyKlzKqtQmPzvNxhGKlRMnOEmeJz484gugsUkGQRSGZsTn752c5fp\/IEqJ8uO06Q2Vk9ObzNlHD2qPgNr3K3prb\/xFlwsiNhd3rnU5zIz258tFai7AkGw02iNoM0TXj+mXQMzdOfh3mJ0aCjK6QIj06WOb49ENoiSpchtn\/rXre0PqCm0oC0LPzaEBWDuGyE4WXyH4B7RRFmEYW5slZ9NTVAoOblrF12bwGWUWZDXYeyloF6n2uG\/o9NeOXOAgOMUn6Qv7n9BuhyeC2CiXSHy9y1DZpR8fSv4tPvT6pSWBaQzn5OybvIa4qPoDDAr\/aevKfSF2fAXnhgGWBUOOTRt+hLhFaJNdtqvRBdx51pBwyIqerZQgU5FRr8SgKQNR2Y2UhyDv23ipzi5YxCcOTZ2jTSqzkEdi3KYA\/wG2cHQGq45NoCTDSnVcPFIudxM\/3a5ry93rXYJZAqX2xeRag6MeTog5DxqXTWxNXleuzrGrp18MJKeuCGoRELstSBk\/OXSRnOOFYAISrRtIKiI1BDl2DG1FmmhToIftE+V7CVluP2754NMSG9uzEeQs3I3J20AiKP212JKOjSwfMFHbTzB6c\/OS\/Dm0j1XZljzAYlUs\/kR1qNINEaMAzMk2pimuLm1hyN5pCk7gZCbYyWGF19\/AwcjkwRD7ghvW+nZXFjdan8PU2wH+591yQMbZ4MbTPbDRHzTL7S+MBYJ2\/sXwg2MY2ZLdztxWVvTvwKnb4PuBIochmxGSp1IXlXQtqTgOX5IOA87fk9yU8i9gc\/SBU9pLrPV3l7cVmIltaUP1TvVwUXppaij\/K5aaC2mJHbFTV4B7kJBIBm8TkDKSz4XSAvvMjAepqD1w\/bbYOlro\/h5d5JOSsR9PyLluINE\/74JuqI68WT6pjkeMox1U3aIghcOOrBvzNoBWC2zU3s0wAhOhXJ5utKtCv\/KPcWNPLlyQqVLFYwGgRuUQqNX0zUfdr0E2gdcPE6qpwGANOs9GCCLDTiiLS7bWx0EfgcReMav5+JEGXSdNByKxrvNDELfM2q+bwY61CR38rzDlmu+d7kCAJE0MfDfOLlvE8jPIcfNslyerg2Niox3zzOOsva9xFQ+7GfKZNfnjZtuNFyHUvIFbrlEpcW2H3B5GCMp18jQh8pWrdZczJcc4Aac0gIh\/f+5s4pgV0LPnYCY8HlcVR4B4j4rf4MStSEHzAfZpX\/kYYtsvurzT9EVgYdMvT8FS4jH1W2j\/U2PegzKYNnP3wpYj9CFYKs2jYvLJ6jvD1XhhfR3HRnE4jc6VMq+DDRHlKhG+mti4SyS7RbgLoH\/gHbyMTarFmt2bNHYKgQjqXC0LQQBv31rntuVVHOOazc1DgG+ROX4T5TvwQs6eGOsWbdrcKWpAUmYroutV5glxQd3vGWZ4LdHNLGKqFDSFYJ1I0CTO38x\/0iw1\/MjeLEzEax+jzi2\/wKhjbPMsNk8t68JhGz+VuwI+Z5Ej3HZjM1rMIfExPRP63c49wg47vGSDiML3Kmr\/StRE1KB\/dkvjdDFkp81ryiM0pXrciOaFy7FbL0Dp3fZxLadEpfIvFfiC+mJ2Ig0nQBpqbcfxtk+uFym\/A3yclkZJ8EsWa66dmsk7IUIuXnp3apKNGJQGgbKfLFoWVWK9YsgIPRVOO75R7xDUz9q+\/wdhL6Bvp4iVjP\/YAR07vo9gAmjCQqesZTMhTVAMuXwlERPWl4wtpF0b5ylA4weK63l5VHHeTekepPlmM2ZPgEhPena+eVgrgDpDeBxLVpfjhJdh2pAkFl\/Itj9E+vplhUX79GInBhWr\/Rf6Tjy0aYfZr0bWyYSBA4lA\/R3m1Twy1xWEASJIZt7RakdMzwqSqsG9lO3ibhG4+RjlC4e4GdCGiyDQQToec08qlMrsb6jxurIYsIGEk0i7kTLCjGpt\/7opsmGBM18NONK6EMJiKHTtJSfE6GUrWpQuY5SLFCm6gA8oYUuWrxKHfQRd\/xxiqUOBihtPkSKSDaltV17NwQz36J\/hq7FSp7FqFWILEjYV11Cz4Q8VPxjhoJHSi13GdXpUqGm0GBbQeg63FDVhJQnw1kGtMib2Yf9xU\/2NEYFFK7LIAJAM2C\/v7UelbF21DXicOd67I3RYOxT1R0rQngFVKN0WCK5NYlT7XyG7Vg7YSWOnN7\/AUvIifx6LyicWi1MO\/4j\/tgTPePrYWavU05+b\/X0YGJw0tiFpwX9M80SUeMxuOtQytXsEqklHKltggwksPL2krZgWHjICBOqob2ykobwQ0UULykY9YgOW56Wme\/aLiUQFq0Q7CcJZ89xJ\/42FYJa5lXYH0P\/TM4DppbEtyPFNh\/67NoELB1LkZzEi9PSKyDlIw46NiRT+b8O5ewhbmvpaPcyjC4QGwhHZzbE41F12Gy\/a+cthlvd2qqfwaADTIaDQaJdI025YNkamWe4oPvNi3l6\/btVtWfpldldFiHyFKr1pGyZMk9EyWmCwq3P2mU8qw0zx4eaidYcuaF11F2nyih\/1jIDMAv6DecOtXXxaC9t22nVGRSN2I8zQDT9Yv+g6EKkg5IoICNkMCVyz92eHyfhPo7u23FiB\/HYWhItSJu930LbuZ16E7PJVHYerZwOmqZ\/vHjb4AV0+CE1EBQsVH\/i2r5kHBpovfS7O+8V08ldfPT9A3jWuRmId2jZeFrX0Y1jW9PPFq3kN\/8Ayx7DJya0qzksVuotjIrX0kEdictLzsbhV5\/0DRM7eZLpfc2JKjGndPrkLjiwchhqshbFfpzbxelwMx6zZvb7VmHdVgFsZB2ze7oFfvO81oB5QZJiUVbpxPx2JNOIx\/pUhvvI87IOIge9wOl382BYu3R4q7BkQ7nVP831IaIBxMgFCR7ue0QA5EdpeatlCYAih6CSKLm\/EIRwc3WEUYMdgE7QnPHHL087HqX\/nntbgbSfLUOAnAXQkrDsSI\/TSAxhBaBv4lWfhqaBNKqEQBg5aP\/h0Ai59KLBeMmkDbSqMKamByL5gQBIpRS9y4DrX\/1ERo9Ya59pxvDSpoLKXesALpxgN9RW16xMT7IlPWcBlscjLpFdFLypa5KLH+JTwfsacKE+sa45b49P3tnkUng6KPAvvPrEfY5j4Ds9+GkLoSbIbH5pITuii2U++Fgyh5URgBWDAKBXhsyZpFCAu8Ej+EFhSgesLmUb51pN1UQjHpHOpNKENl9i0RNhG6FXM1qXkmMu2OfRbi2cGhS3Uag2V3K3TnWZOyuwPzDfHVNY2hiKBItohKS2Toqg3LdwIX4ALpN6jwmMY1vJ5pN8xpvy8BhSbpE+drY\/Um26d\/568MLTQYvxke7bs6JitpSjGt4aTSaLzEFOAlJHpgrPvyGdkbKOopCOalf5VBHqUYEqNlCcQJZGcKuibaA+CKhOcASVH\/dVK\/LKcHrVhSKTaRPzOYsOR8cAZDnbAUwFggdNoyi5AiVdH7pYEQi563d4YRRkaDPChr2MwLzQE5Z2eygLLEUTjZauDGSZY2STnngf\/IFlcIvrZPeVh\/jylOHbUswONx8QlhfQYnnpy\/R85Na3DWMvwXLNBAqERWkZZKomQMIbQIRE0qyaS8pD\/S1iK2i0+KCh9nzrezGe2syhY9R0fJ\/XdWKevEaiI7kaqf1UefkR+nEV5Ton0W3N+LiNBqHq9gt0TY4ck8lB4MOrVIWh06NYI4dqR2XxG3d8UkPSyGsXZLY2DwVVGbGGG3rwPTBOXnxm94DBLqQATM9q5DPAAAx2DozZw5dByVWvjGoJA8EL9VQXQu1lEGLqJYNQyIVCkF6QW+5MjxYTioE4qtS8rNVnHqY4P21Cf03AxWuudr20+kG92517E9SQKKnas+QXUuGUrnpUjVl4By\/KUFnJ2+xdKCPpA+KrtUxlUnhmAvK7qpU\/U5QYVZWIgUVItSRUkOwG5PSUEUhbpCYjr6yl6lY88iNEysyPHFRS9YSqySI0eVc4rm8ImRTMH+ksOCPGH2De5Qn59KEuuVAecGPg2\/Mcddhn3Py+S8ulYnzyXMfE3XFNwHBvEiriFlv0XIjjwyA0r9hXwjK+aNKve2FnBMWar\/l13ISuiDDW9Wbg2B0b\/vKVaotaIqupOH3j6LXyhskiKT3XLI7kub+w00Rn3C\/2vUOopzgJn\/xBSioIUg8DQ8T8MFORO644OuC8Zg2RMpkd0tJgqM3LWCw3sxuSh6Vb4bnbfBDuAymXSjn9qOspEuBCeA1Hnqk6Z7EQbzo0cy649zYnv2ti9ahEUhoAM6L1YzTESZlB15lVjy0qDCdjPm+\/hz\/W0kOxYPfdhaIMKTSj9xaVgzMeNpmM0S5rGQwr3gvyFZt1867yMXPHyrpdt1UNsFQKFZyfbkG32GuCiNPP1\/QS9MzblcB5bksx08NY02uG5jalIPOsl3bAejoidRCqbCltzBCzag4e7AV8mQbO9hTv9z3eezvEGVMUsgiRjtDYdjvfVGBECkbf0ru9ReTmeGO+XvPbgeh2Ytdam\/apmAzbSJi1xS8AmGJUoNBA\/uhYrOfNjLMBec+NJqM9y9hzTfVeV7g8deX08XKP6Wz1myxKm8StLXGSkGfZS4O8ue1F0t+84XKj+3ZDouQUimMXjbIfKPaQhrIbUMK0vNtEpl+VtmSV4maqKwSVJ7EKWx8mI97X35iYPD1tvVSsC+LuPG1sPdvVCWQAiSx5sPOhx+nY9D0WgWtXvsyxMmXXwsz5yDIIG9aKaobKMQUTL8bZhrsfxI8oD2agVb2nqUAjSKOh9zA\/9wytMaN25ANVHe3gBEJur2EU0X3hOY5ITCD6HlgNXujbF0w1pIHw20BLpqBwQEEkLcHAg4VHX4BErQ1dBihCwT\/2cz8UPavHA1vbsDMAzxL7HBUf8cyofB6qUwvEP4\/O8z3KDrPpiGvBX3vGX2DmaYPwalg\/6jfs0hNG48mzt8+KrQoPXg1DYsRhwUShkGdH18juAZnuezGG9WMvdB3335J6xvq5xPaNlLrnyvPE00KysWdfWJefGmFNb2PjVNQ4jPs4ADPpqCp5NS55LkgFbcWZeLdV54Km98\/nNOiq72XXX0hVCnoHf7x8MuDyH5Z99myGbQTEr28pbGOfPXI3Jc\/u6q48VW7Gf2nEAWjg3fhYvhsAxhuosw\/1EaG6p\/ZbJTxd6CN4JLT5seUTCi3M9JEJm0rqpM4PDjdjWIAgDQqDPY76K1vB2PLk1lvfOfzwYGVj3zOxWP0mFhNK94nD7N3RdWWhuPITS4+5DaaxXzX1CQvIHK3CFA7j\/mjof5K5e\/1VV5szNtlTZHK4KZbzNnrMdm\/VWJGF0BrOVYUt0Sbox8qJLr6\/GwQJMk6Qenqonnn0f\/MPHWKYj1T5qszcd6n99XKbhzvW6nsb5wfGdaVhsp0WI+f7oMOfujihusQHk42NzfeiHuuZye5bILBKJs43YVrDT4cJSW6dKJkyg2t0rrscPlPNCdX2lPQIvq7EnSH3ACRL20hMeltlKW6O5c7ChXj+Pz\/Eb+vmo0e3DNCUI9apyyp2e3PgufsUcIkO13EGoqcXkimky1tZgX\/9bmhoxlxxUD7MhwUa3BuDottTACLzOvV\/prJ82LaEy\/UQo153zPT+JiyiUiAubV5ORlTSfUKA0OMLpIIUp7cc4fTDsEA80uypKBtae4x0LEbe+n7ERSTiUt2rWa5b0en217CsosrDNp0yJJlyM50Y6SPOGqvMInpBnZCX4ar7m7Zn4pvvNMmY4zwvG2KltKcdpuRZoVaWabSaRpQFcZCpDOa0fDb76nxwiIzH9mK2mlJ2VXZ35a2mmQVjdIfHxQAD20lwC9v9NtkfHuvd5D1Zomk4+i3C4WCanyKbxgGWu9ey2RAtqmKIAodDCCQCPfDkDQXsrdCM\/GdiC8RaY\/PlhKudY7Hsg9Dkvri1jMKoPWaTG0EQTLgPENU4tW5db8rawHN6ag0I37KiQuV7bX4Us+KYD\/G0wjqbsc0MNgE5TopN83GfdbMHM47m8xslieKIeWwh2yhJ0oDDe+ycS5D3yGepy2vgQj7gcZPpNZzHI8dW1I9\/d2z12KhcP1EFKOVbJ3C+agb7xgmovXLvnNR5ve1uu\/2B3sHt1h20WuMptiUGSKyUWmXjED5ECXcUOtBUk52E67\/Fcp\/1WVIMkNx8FYoRMsHmOR67K+ptMDhks2raXq6u0EVRyUNZ31hfwA9d2f5gfWL7BCev\/xhVW7Vc7Row0PSNajmpiuzsVqnaCAIZY9M70CrsgZ3vtmFqVaU89UJD7q4n6Pu9YGh4K9SDiG1gY0EG4QWHI6lp9FpFfXNvA8Db2MG7aAkeQ1nZaljfPy4SPh6KU\/ocbwtWf0JnzPYS+CU1qKrnG1G4Qo+UzoAWIIORIsCHCthQaxukg3CAu5XzfhZtc3nRZS9IUtvQORxhZ+HSpozkqS5VLdbWAOlsWGIGpkEmQOT4VSvcv8Scw3nEnf5f57Mckwfcv\/48CL9BxG2tl9S5im9NV0esQBS4x4GlPGhzmBLibFPumvGL0AoFt844Lbo7iayKSyKSGH4rNVBladJTlmIwV5N5wMjROgBK\/85+vHqE3VUGS6njvdkSBSy987XyMa161au6wYLeBOKQeGotUtQS0Ln52T9ESjQDQU89uoKDcxpbDZx3cEZSkiDymkaUkQAKRrkFrvO7l21XPFy1VRYVBGst0rDU\/XllzzY\/0y6OEd7cx9YYlrYJfcA\/HalWy2e+\/NJQZ0jg2hXvDZSj"} 01296{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1851,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":161,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1654385146276790,"flow_src_last_pkt_time":1654385146276790,"flow_dst_last_pkt_time":1654385146472685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":526,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":10080,"flow_src_tot_l4_payload_len":526,"flow_dst_tot_l4_payload_len":11520,"midstream":1,"thread_ts_usec":1654385146472685,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49412,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"hkbn.content.1kxun.com","http": {"url":"hkbn.content.1kxun.com\/manga-hant\/images\/project\/cartoons\/13aeb81a47e7632ccdf1aefee19ea65e.jpg?format=webp","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} @@ -903,9 +903,9 @@ 04438{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1860,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_packet_id":2,"flow_src_last_pkt_time":1654385146276743,"flow_dst_last_pkt_time":1654385146500483,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":2946,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":2946,"pkt_l4_len":2912,"thread_ts_usec":1654385146500483,"pkt":"nLbQ0+MztKXvZygQCABFAAt0gVJAADYGXhcOiIhswKgCfgBQwORvtMvRImpQ7oAQAHplgQAAAQEICpoJIiweulb6+ZKcD+KnwfgPmxIli1SDP0WB+TC+gZ2zUZ1MJYnOEnfgrEfocekJHaOM+Eztu22jDjbrklrlhsLXwktGW5jFzoZr3Ytu7HRoxyemV6NLVS1v4GRaLHUchrowoMimCyOxZHfNMnA0GNdZ10WtBsw4gEq8H4X8y8f3\/RYH5Mn6eEzqjI8sPaA+ORFtFcdQ+TmjpdZPUsTpyl+nLhU\/9GpHgFqC51W1e7CLdEBDq\/FQ2WwcSw4ZRTbi\/WGpayOUjE4QZtyN0YXULC8rCWHS4N1MsqhVl2K8H4X8y8f3wgnA\/Jk\/Twlux8TrGuEW5nLXTDPqGMQAlYiMJpFjD2haZrB7TzXXPMjVOcqB6d6igpIOmaJ7Y0Mrz2\/yEfvD5pWGi27w9bKORzLvk9ue8s4aiSRSmdLv8x2K8H4X8y8R8w82CiFh+T6YwGSptZ8TjC0FXdnJzdcE9uEyZwnCOep1wtTzpxjxgEqVLJABXHJLpS3bD6ip0PC8K7M\/yCNVfrglIVQ4OuF2gykfOcPmMbjrz6bh1RnUy5\/MdivB+F\/MvEfOMae6F\/kz9fTSf9smb1on3k+Iw7BNmS0w7MRktM8Ff0Xj9teNF8yzhLN9Jw6SBbhxxSs+M6O4bTT17SVdMQjaF+od5bknXbynCwEsZiOD2GyrhdKmNjvU4f8AG3\/MdivB+KdZllzOEugJUa2YWL\/J9aj6bQ3CMt2YfYZsFk7yyBnI7ZuzfktnJM8b72B45z44I7RsxuiJlZCW6LUdmRB1qCOgwTgI1k8kxEblTVuyjGQPDs14YOevoKw+ODo3i1ks4XE2bddW9CQgJt\/y3Yrwfjg64GjfvwiDex7cLF\/kwZyfP0quvVEcRYOMIYp5ETODXaWekEYIkDknM53nDjYsO5h8fopHtsi3VbhwS0xs7wlfY7RrfW4ggHRM4TVKy\/xlLF9ZudYs668Jlec31c3Uc4T6djHl6evUbLRtfynYrLT6x1eC2dIZO6R+eFivyZGSOkc21mpHBAjzTIn\/AMSAFqMsjPuzkhyEJLBGBy8WixGRGPj9CZ0fSPWNduT2zXAXBq4nWNVvTCfY2zMzKo93KeUCRF6QE5wqyJvtTuTQGRGx\/JdivB+EzowvA\/kwsD5ctdc9OWzlwbY\/hrOD0Tni7E1kzleJbw9c6TkztjQ2kFPTJ85GkJslvP6P0PmszQmBvhmsCpmV\/h5i\/wAKrtF9NiRwGbcho55wUuZm1QZNpkDtIp4QJBZux9ivGin\/AJ3YrwfhExDC8D+TCwO8xwl0xEbplWQ+OiXecqXG0mM\/yC0Q1JW27xCupVnhwyNdqtGTB6hU1mIgYa3XkU6RaOBRM7p+gp7ZXnVVY96yCCx1XTFmQz6loZ6wCyJiCZwo+r6JMZNRGntVDWuYW4s1nNM4YzptecOUlfSFv5XYrwfiqxYSXgfnnDK29jq6xf15wB2wMYa4OCHbMRrmnJUYKd0pn3uDcKWa8mN5mWssYXS+kp75S0NFRuwhKCjGq0wy2w+2tc6xMcQnczdpgsyJ1yC7ORsHTkidr6jFgpD+vB\/kdivG2SwV7JLwHzQgnsSsQF+zT0zOQjjEMVjw1haSkSCIifKvKC3mj5Y0dhyZTzYXaZ7OnSY+nXWc6hLZVtLsn02hItxp6DxJvpBmdcW05ScHryidMCdwrPYVhHQPlWZqvh\/wL5OxXhXaTPVs5T4eTzWpdZai96\/dJXUiQ+eG1NuMULl2+GOXFVBmq1wm1t\/e7SKgbUIjtjB3B5nYWMiVDAyzGQARrrMR25zOkcj8wWkqvOVKuOPHP92npNYb2SGVWylvqJyWCWEusWTUQWLpMWbUEJpj1Nflwp2yKgEK58uzhHT6ziEWLnUyjSKtpinmyDXPhX5PSLmemNZ4TvLZtjYws1JcAW4uOUNJUomsWOsxoMaFkbJg5iIk8I9Qh4CFtmqo7zGeZ07Yc9uR8tMiJ+iY7hvIdWRnXLIsDkMHOvOm4d1lQ6yBacLn\/orawufLsV4Pwr5HPbhlxHpzGGCPYCVM5Dw0dMy7hb4EQKWREd\/lAFhbTj\/UlXsoXgqgc4iw4YZo6D7\/AH9QZYAKLGGAZan3j45a8jnvynzGRGn1V3dPItxhFUZnpBLJE0yLhzcOf\/QMCqI2VfjnHYvwfhXkvC\/moyXHqNcWyJH25Z4YBlXpwghd3It+SbIacSD9e5DuGB1I\/DDh1lrQkmTqSUkyJMYzTc0y6jfonJ7ly\/Y\/VPhfyyMGJmatA2IvCpBymdETpKz96fyI\/FjcV4OOyvkfhfyEdy5jIORz1i8EoITTMYZ++bEgYTuztmvYygA7dR4nKdPs\/wDw0zq\/aH2p3aQOLIQwz3nymfojI7R9AnHTPwgdx6HpPmI1WJQYXYkr1QJ6s93qGc3elCtP\/NjcX4Key\/kfiJ2zWsxhaGBeJ8o1WRRM5K9W+m7jArmsyWkPuY37mAexVQ5kXU0Ol\/C2LyFCUzUZEJPolcISMZ2\/RM6RPx5TkZHn6TnvSASnpryIVGEDnZWtFSC8xDZDqFgVsUvbDHCziMaQj9Nxfg\/CvJ+P1lewWpC+M\/6sCZkNcauJgI3w0ZNgAKljG0gDaLZnelnTaUaZvIcuELkDXrEtlHTJncf0T3k\/lzjyHnlrymdCnzSWEJ3AMzYkcVaIbDRK45dYBywMMGsuRy5a9HTpTo1ha148OjF+D8K8lm2cIcjAcwV+pXyCd2XLPUJYmwhjbBnuKA05Wo0dldu4Sx0blik+naLpoHxzmdIpJ61iOCVdZ4HTyeBVMZwOsIWKAKWPj6DwI1OnG2rOwsuJEcMIlkyzWETOFTgxYxYBbtHcsVZ++f8AFjw7F+D8K8zyPyCuqyFFt9OvAg2TduQkFnrFRwADHEUV5jbjLYDJbmFI8hZ1YLvFVu5HHJ2iPjmU6zSWYwsrW2WWBiD\/AOcmnOWY0r\/r6D8VQ3sSDZj08TLkwL+ipeK+PjCfGziF0rbMrfyi\/h\/puL8Hge2dYnJnTBEjKtW6C9YmNcmRAGx1Y4ZIQ+Ggc9HrT7Vi5kwvhzpZYCcnTQp751N8rOVzxV\/WfHjkU4sd7K49tceW9lgtFriIXfLRX0lnDo7qn2MdshEdzZ1D64xjC2q4wwt3IZ2n4p\/pneRHtsyhUh728KWWTws4KukVDqGu\/dGxWWHQfL08wKvuCRAldq02w2xcfI8OLS1BZJ8ojWW+zHDGOLc2PGT2jKi9Wp7Ruxc7n2D1jdnEJ1bz1KM38qJQK\/Ue0AyXaxr2V5ayN9p02bX65ILqcI\/UD35cOTKU5BwZ69QfZt6mdSJwrBzgsMyozo9GisNg6WrPunvNSdLUc4nbDmdosbUeZzxhFukYyqW3BONN2JL3sLVu7Lk\/d+jTNBjE7SlOgw2S0ie8BM5vFS5sEXKPHLgvv4XaSVZ27AGTJFFiyFUbGq3Z04CqqN4luHFjERq\/HDsxXmr\/ACFj1JSXVziFY6tzFTtbHMtcIZx\/bI8zGmFODGuTi+2AzbkPjIPaxs+6Hxlufd9Jea8iA6smBV3iBGN+6bVnrEU8gnJzTP8AHi1pcQr9cDHTKc6Wx75u7mP2gPtBGhktMo27Z3nlqPuBMRnDq0mdpm4xP71yuq+PEKK44Vg+IjWYXkhGPyz2xLNkkWRGvIO5QO6NkjkRnfNxRkmUYepQE9uU+I8TGuI7ZGDIjBM1yy37X0jn+P8AaG5Zfpa4XT3ZOT853LwyA57ZBhnnNCy3\/KR+WrlL89j4Zp\/y4v8AGvIwsPLXkfOD4LwHwH48ixnn+5+I+fIsHxi8H4fu15sfn\/Q5+585HngHyblr+Wv8c5\/acmI3bRzwx\/YYmdP\/xAAqEQACAgEE"} 02485{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1882,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_packet_id":3,"flow_src_last_pkt_time":1654385146276743,"flow_dst_last_pkt_time":1654385146710077,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385146710077,"pkt":"nLbQ0+MztKXvZygQCABFAAXUgVlAADYGY7AOiIhswKgCfgBQwORvtNcRImpQ7oAQAHoCWgAAAQEICpoJIwAeulfZAgICAQUBAQAAAAAAAQIREAMSITEgQRMiBDJRIzBCYXFigf\/aAAgBAwEBPwHwT4w8bm3USMYxX27PjlLlkYJD1Ir2KafTHpqx2v26HH3EU7EPHsmL+zZdjdCUtT\/h\/wCYGlBdk9ZRG5T\/AGdDWmlwPa+iMpR7N6l0ONfqTpkZl4smLFZlwJ4RYo0N2fI62kNaCW0nq+oEYe2LTjRLbfBpxi0ShGOLeEqLojK8TEIcrzqO3Ylm6Q5WXh4it\/Bzp8mhX\/0nJRnwSL\/jx6LJiwvBZk8vKtPgk3XJPreicVGA2JWdFi5KxEmIXeGX5NCid8FFcDQp0uUKM5Kie6L+w\/5EuCUaFGzZQuTo2ut6JOxZZXik3yNC4VjUeyjckLklSIytWa7W2vYkmuySo9YuyL5H2afdeiqIrF5Xgl\/TY2N4TEvtRONS2lx0o17Kjsv2OLi7JKL5RJJxtF5SpFlXEu+xf2dSdQoVpk408I0dNzdnxJ6m01dNQR+5OcktjPjTIxsktuIw9smx\/wAkJR28k6vgXkot9ZVOZqcITTJaf8FGjqqCpm9p77F95W2JqH1kS1N8ro+0SLUGSlZGKXI3Q3YkuhRvhdmpGmIWJK8qbXWfx+Z0a8eLGqE+CUZVbO4kokG0+DfIUmjfLKkX6KwnTs1J7neL8oxbIxSVGjppcjjaJx2umM+W4bTTltZrxqmiiiisR021Z1i\/DabfGOjYoqIuRKsfkwtWIsuiWpujtEhtIaKKN\/1rzssrPRZKddn4rc3eWrRqR2yaFiKoRLUjdCeGhupULKyi8PvD1odHy30PcnyaGvt\/4KSasnrbejT1dySNWMlLk6xFNsrkdCdEluO0NclYRtLihixY2Wh8TGjsiq4NLX+N89EoqfJopxZrxuGLNL9icK5HhD46yxriy8PwfeNRdPwmaWq48Gm7ZPofYjS\/ZH5MtsaFTjQtMdLosReKoQ1fg8Ujbu4I\/iR9s\/J0VCKccT7I9o3VTJMl2McmhycuxG\/Ho3F4trsv+CzvwWdOfHJrx3QeJ94+T60zQ1r+jNT9i\/Kv5wmJknYv9DZ6OUX4ItpkJzlKia2yaJYYnTsb9mnpSkT09vh0PoeIsbTRvOH7JZXglFnEI2Tm27Y3Ymd8iVmlpQ9iiakOGihtCd8Ej14XheC8FI1NVylRZSNpVY0Hx\/zE198r9jVRNkY8DWGsIZWI5eGuSvBmh7QpfU1JrsfIhGq7Q+RSGhrCXhVi\/t6LakamrtG5SEuBCJdeHY8VwesLEJblfihFihJkdJezo1OZFliOmSXAvBlG2O2\/FKvFo\/0RnXSPkmW\/bHqpdF+8oqz0dYjKuzchsZtf7ZoXlFWa0Psj5GNtlCVj4wxcFikNZoaw39PBE+jaxyFO1WNPs1K8ExliOxPCbXI5buiKHed7khl0hdY9nAo2bafB8basTou8cnwzZKO10N4WGy0WaenvQ9GSKaHxhP61iSuNEVUaFbXJRSE+ax2Vj4qSbNLRdHxcck5W2xiy2Xj8OdTocV\/A9GLNT8Z+iUUl1ybvullFexssQo2KVMkLs+NY\/I1NumxK3QxZeIqzQ\/dFn5WrKKVGnxBH5CjdlXK8rovLEx9FkjT1px6I\/k8Wz8rWUo8Dd4jl5\/GX9RFmq0+JLgjq7VtRrS5P8h5cjdZbGUV7OyhH+JrO8IhC1ZsPj+o8RNOPs03T7Jz3G+sN\/dDxaaxGBTLsXAvsS44Gzo0tRPgm7wl6NpRN1F4oSIcxxLhFtyw\/2RJ0OTZFcclIRSJOiLuPJdZkuCH16GhcGirdlY1l9co0lwdGoyixolyQXsTxeGf6EiRBWa6pcEHyW3wM0VwRijUjRNWhixodGoy7wj\/Ej+7Xl\/\/EACoRAAICAQQBBAICAwEBAAAAAAABAhEDEBIhMSIEEzJBUWEgQhQzQwWB"} 01282{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1882,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1654385146276743,"flow_src_last_pkt_time":1654385146276743,"flow_dst_last_pkt_time":1654385146710077,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":514,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":514,"flow_dst_tot_l4_payload_len":4320,"midstream":1,"thread_ts_usec":1654385146710077,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49380,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"hkbn.content.1kxun.com","http": {"url":"hkbn.content.1kxun.com\/manga-hant\/images\/project\/cartoons\/f05074256b39572ad852c1c95eb5f8a7.jpg","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} -01738{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1985,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":159,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146263001,"flow_src_last_pkt_time":1654385147139518,"flow_dst_last_pkt_time":1654385147568107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":85228,"midstream":1,"thread_ts_usec":1654385147568107,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49370,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83908.6,"max":876517,"stddev":182026.6,"var":33133680640.0,"ent":2.6,"data": [216812,1301,1174,217584,379,838,730,814,206371,3184,729,1431,202135,477,2906,412,436,624,742,876517,236517,1,2089,899,206105,416]},"pktlen": {"min":351,"avg":2761.9,"max":15906,"stddev":3042.0,"var":9253906.0,"ent":4.4,"data": [580,351,1506,4386,1506,5826,1506,1506,1506,1506,1506,2946,1506,4386,2946,2946,8706,1506,1506,1506,1506,1506,1506,1506,1204,592,351,7266,15906,4386,1506,1506]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,17,0,10]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2000,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146276743,"flow_src_last_pkt_time":1654385147163604,"flow_dst_last_pkt_time":1654385147585918,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":97896,"midstream":1,"thread_ts_usec":1654385147585918,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":354,"avg":81334.7,"max":886861,"stddev":181110.5,"var":32801005568.0,"ent":2.6,"data": [223740,209594,1687,207155,354,1309,724,462,462,1177,203967,420,1398,676,628,3543,886861,237591,464,978,2452,823,206716,876,409,919,651]},"pktlen": {"min":351,"avg":3157.8,"max":18786,"stddev":3724.0,"var":13867893.0,"ent":4.3,"data": [580,2946,1506,1506,11586,1506,1506,2946,1506,1506,1506,7266,1506,1506,1506,1506,4386,1506,2946,4253,592,351,1506,8706,18786,1506,2946,1506,1506,5826,1506,1330]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,17,0,11]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} -01741{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2008,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385146253018,"flow_src_last_pkt_time":1654385147560064,"flow_dst_last_pkt_time":1654385147928387,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1554,"flow_dst_tot_l4_payload_len":113644,"midstream":1,"thread_ts_usec":1654385147928387,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49372,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":119296.6,"max":899707,"stddev":203504.9,"var":41414242304.0,"ent":3.0,"data": [205636,2121,1,224803,394,328,1444,193718,403,372,1728,1281,1888,225980,899707,237971,1,2439,199154,468,952,1305,407339,371504,1478]},"pktlen": {"min":351,"avg":3665.9,"max":18786,"stddev":4182.9,"var":17496908.0,"ent":4.3,"data": [580,351,1506,4386,2946,4386,1506,1506,1506,1506,5826,1506,1506,1506,2946,4386,5826,3732,592,351,7266,15906,1506,1506,7266,1506,5826,654,580,351,7801,18786]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,14]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02137{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1985,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":159,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146263001,"flow_src_last_pkt_time":1654385147139518,"flow_dst_last_pkt_time":1654385147568107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":85228,"midstream":1,"thread_ts_usec":1654385147568107,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49370,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83908.6,"max":876517,"stddev":182026.6,"var":33133680640.0,"ent":2.6,"data": [216812,1301,1174,217584,379,838,730,814,206371,3184,729,1431,202135,477,2906,412,436,624,742,876517,236517,1,2089,899,206105,416]},"pktlen": {"min":337,"avg":2747.9,"max":15892,"stddev":3042.0,"var":9253907.0,"ent":4.4,"data": [566,337,1492,4372,1492,5812,1492,1492,1492,1492,1492,2932,1492,4372,2932,2932,8692,1492,1492,1492,1492,1492,1492,1492,1190,578,337,7252,15892,4372,1492,1492]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,17,0,10]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1],"entropies": [5.857450962,5.836749077,7.826755047,7.934190273,7.674187660,7.939618587,7.839453220,7.840780735,7.846045494,7.830045223,7.801501751,7.909759045,7.855455875,7.935122013,7.917196274,7.838707447,7.965010166,7.842932224,7.847500801,7.848862648,7.845387459,7.829781055,7.842148304,7.830836773,7.812441826,5.880833626,5.847996712,7.975015640,7.987394810,7.957153320,7.871502399,7.839539528]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02148{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2000,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":160,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385146276743,"flow_src_last_pkt_time":1654385147163604,"flow_dst_last_pkt_time":1654385147585918,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1040,"flow_dst_tot_l4_payload_len":97896,"midstream":1,"thread_ts_usec":1654385147585918,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49380,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":354,"avg":81334.7,"max":886861,"stddev":181110.5,"var":32801005568.0,"ent":2.6,"data": [223740,209594,1687,207155,354,1309,724,462,462,1177,203967,420,1398,676,628,3543,886861,237591,464,978,2452,823,206716,876,409,919,651]},"pktlen": {"min":337,"avg":3143.8,"max":18772,"stddev":3724.0,"var":13867894.0,"ent":4.3,"data": [566,2932,1492,1492,11572,1492,1492,2932,1492,1492,1492,7252,1492,1492,1492,1492,4372,1492,2932,4239,578,337,1492,8692,18772,1492,2932,1492,1492,5812,1492,1316]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,17,0,11]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.862786770,7.902865887,7.781876564,7.771229267,7.963672161,7.848064899,7.850860119,7.915616512,7.853264332,7.865233421,7.839958668,7.951301098,7.843721867,7.832941532,7.839491367,7.869894028,7.948531628,7.838067055,7.923059940,7.938112259,5.870801449,5.836921215,7.830684185,7.978819847,7.990375519,7.851813316,7.925859928,7.854060650,7.888266563,7.969222546,7.854313850,7.852722645]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02140{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2008,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1654385146253018,"flow_src_last_pkt_time":1654385147560064,"flow_dst_last_pkt_time":1654385147928387,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":514,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":18720,"flow_src_tot_l4_payload_len":1554,"flow_dst_tot_l4_payload_len":113644,"midstream":1,"thread_ts_usec":1654385147928387,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"14.136.136.108","src_port":49372,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":119296.6,"max":899707,"stddev":203504.9,"var":41414242304.0,"ent":3.0,"data": [205636,2121,1,224803,394,328,1444,193718,403,372,1728,1281,1888,225980,899707,237971,1,2439,199154,468,952,1305,407339,371504,1478]},"pktlen": {"min":337,"avg":3651.9,"max":18772,"stddev":4182.9,"var":17496908.0,"ent":4.3,"data": [566,337,1492,4372,2932,4372,1492,1492,1492,1492,5812,1492,1492,1492,2932,4372,5812,3718,578,337,7252,15892,1492,1492,7252,1492,5812,640,566,337,7787,18772]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,14]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,1,1],"entropies": [5.863167286,5.867280483,7.343351841,7.933300972,7.883011341,7.923881531,7.831630230,7.793837070,7.811074257,7.877987385,7.956270695,7.807632446,7.787700176,7.808306217,7.895200729,7.941674709,7.934331417,7.911615372,5.884228706,5.838101864,7.975082397,7.990115643,7.874265194,7.866392612,7.972415924,7.851024628,7.967773914,7.664193153,5.866144657,5.879995346,7.941644669,7.977370262]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2035,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":163,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385156800184,"flow_src_last_pkt_time":1654385156800184,"flow_dst_last_pkt_time":1654385156800184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":423,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":423,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":423,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385156800184,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.217.18.98","src_port":44368,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01094{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2035,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":163,"flow_packet_id":1,"flow_src_last_pkt_time":1654385156800184,"flow_dst_last_pkt_time":1654385156800184,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":489,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":489,"pkt_l4_len":455,"thread_ts_usec":1654385156800184,"pkt":"tKXvZygQnLbQ0+MzCABFAAHb3B5AAEAG2pzAqAJ+rNkSYq1QAFBdWbpPyM9cBIAYAfaELwAAAQEICmU8LGE7CqI\/R0VUIC90YWcvanMvZ3B0LmpzIEhUVFAvMS4xDQpIb3N0OiB3d3cuZ29vZ2xldGFnc2VydmljZXMuY29tDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpVc2VyLUFnZW50OiBNb3ppbGxhLzUuMCAoTGludXg7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMTsgd3YpIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS84My4wLjQxMDMuMTA2IE1vYmlsZSBTYWZhcmkvNTM3LjM2DQpBY2NlcHQ6ICovKg0KWC1SZXF1ZXN0ZWQtV2l0aDogY29tLnNjZW5ld2F5Lmthbmthbg0KUmVmZXJlcjogaHR0cDovL21hbmdhd2ViLjFreHVuLm1vYmkvDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkNCg0K"} 01222{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2035,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":163,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385156800184,"flow_src_last_pkt_time":1654385156800184,"flow_dst_last_pkt_time":1654385156800184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":423,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":423,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":423,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385156800184,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.217.18.98","src_port":44368,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.GoogleServices","proto_id":"7.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","http": {"url":"www.googletagservices.com\/tag\/js\/gpt.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} @@ -927,7 +927,7 @@ 02024{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2060,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":168,"flow_packet_id":1,"flow_src_last_pkt_time":1654385157001678,"flow_dst_last_pkt_time":1654385157001678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1185,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1185,"pkt_l4_len":1151,"thread_ts_usec":1654385157001678,"pkt":"tKXvZygQnLbQ0+MzCABFAASTjHtAAEAGODHAqAJ+oXUNHcQAAFCrgt7ji0XD5YAYAfZ2PgAAAQEICrrGVbOXEVcWR0VUIC9pbWFnZXMvbGlzdF9kZWZhdWx0LnBuZyBIVFRQLzEuMQ0KSG9zdDogbWFuZ2F3ZWIuMWt4dW4ubW9iaQ0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDExOyBzZGtfZ3Bob25lX3g4NiBCdWlsZC9SU1IxLjIwMTAxMy4wMDE7IHd2KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBWZXJzaW9uLzQuMCBDaHJvbWUvODMuMC40MTAzLjEwNiBNb2JpbGUgU2FmYXJpLzUzNy4zNg0KQWNjZXB0OiBpbWFnZS93ZWJwLGltYWdlL2FwbmcsaW1hZ2UvKiwqLyo7cT0wLjgNClgtUmVxdWVzdGVkLVdpdGg6IGNvbS5zY2VuZXdheS5rYW5rYW4NClJlZmVyZXI6IGh0dHA6Ly9tYW5nYXdlYi4xa3h1bi5tb2JpL2Nzcy9hcHAuY3NzPzE0OTA1DQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXAsIGRlZmxhdGUNCkFjY2VwdC1MYW5ndWFnZTogZW4tVVMsZW47cT0wLjkNCkNvb2tpZTogX19xY193SWQ9NDcyOyBwZ3ZfcHZpZD0xNTc5MTk5MjgwOyBhY2Nlc3NfdG9rZW49bnVsbDsgX19nYWRzPUlEPWZjMGYyMmY3OGQ4MmZiNDQtMjJjNDllMTdhOGNkMDBjMTpUPTE2NTQzODUxNDM6UlQ9MTY1NDM4NTE0MzpTPUFMTklfTVlxQy1PUjQwVGFRTFBJdTd2aGtaLS1VMXRtLVE7IF9nYT1HQTEuMi42OTQ1MjQ1MjguMTY1NDM4NTE0MjsgX2dpZD1HQTEuMi4yMDQ5ODYxNjI3LjE2NTQzODUxNDM7IF9nYXQ9MTsgX2dhdF9ndGFnX1VBXzE1NDc1NzkyOV81Nz0xOyBfdHRfZW5hYmxlX2Nvb2tpZT0xOyBfdHRwPWU4NDYzOWI3LTk0MDAtNDA2Yy05N2UxLTAzZjhkYTQ4MTVmODsgaXNfc2F2ZV9jb29raWU9dXNJTXZIa3hQNEpEWGhjOyBfY3JlYXRlX2RhdGU9MjAyMi82LzQ7IG5vbl9uYXRpdmVfZG9tYWluPWh0dHBzOi8vYWtlbWFuZ2Eub3ItZnJuZC5jb207IF92ZXJzaW9uPXYyMDIwMDUwNTsgX2dlbmVyYWxfc3Vic2NyaWJlPTI7IGNsb3Vkb3dsc191dWlkPTM1YmYzNmRmLTBiYWUtZTA5Mi1mMmIxLWI3MzlmNTZjM2VjZDsgY2xvdWRvd2xzX2lzX3N1YnNjcmliZT0xOyBzdWJzY3JpYmVfZ2VuZXJhbF90b2tlbj0zNWJmMzZkZi0wYmFlLWUwOTItZjJiMS1iNzM5ZjU2YzNlY2Q7IGxhc3RfdXJsPW51bGwNCg0K"} 01213{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2060,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":168,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385157001678,"flow_src_last_pkt_time":1654385157001678,"flow_dst_last_pkt_time":1654385157001678,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1119,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1119,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1119,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385157001678,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":50176,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"mangaweb.1kxun.mobi","http": {"url":"mangaweb.1kxun.mobi\/images\/list_default.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36","detected_os":"Android 11"}}} 01550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2061,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":164,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156962711,"flow_dst_last_pkt_time":1654385157145999,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":748,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":748,"pkt_l4_len":714,"thread_ts_usec":1654385157145999,"pkt":"nLbQ0+MztKXvZygQCABFAALe44NAADQG7t2hdQ0dwKgCfgBQw9yTFLQsi9xmdIAYAPSXNAAAAQEICpcRV7G6xlWMSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogMzY2DQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLTE2ZSINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjU6NTcgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNColQTkcNChoKAAAADUlIRFIAAABaAAAAWggDAAAAD3axMAAAAFFQTFRFAAAA\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/CDfnXgAAABp0Uk5TAOEQHt3X0s4WI+fFBvPkMNPJq0tAC7VRUC7\/IHCDAAAAsklEQVRYw+3W6wqDMAwF4Fi13nX3y3n\/Bx1dmT\/mYBZSsHK+BziEkiYRIiIiIiLaC3M6Sxx9B1wkBlMBGO6iz3Rwil60XSs441O01T65aESbOcJpIySXvuZctOUHOKV+cm3hZBGSCziVEW2Nf2cboeYSb63N\/rASZhqxmoS5YbVhO1WHvPWGOuS7r1P5jYsZksjkW87rNLbMvBvbSbw0NvrnDnnILInryd98REREREQ\/vAAzzxwTVWsbZwAAAABJRU5ErkJggg=="} -01786{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":150,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1654385140835391,"flow_src_last_pkt_time":1654385156967826,"flow_dst_last_pkt_time":1654385157149701,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":434,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":14400,"flow_src_tot_l4_payload_len":6674,"flow_dst_tot_l4_payload_len":81693,"midstream":1,"thread_ts_usec":1654385157149701,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45416,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1118853.2,"max":6045020,"stddev":2029038.4,"var":4116996947968.0,"ent":3.0,"data": [188503,1,1404,179436,1430,692,418,2433,676,270050,61,644,3892849,3428911,186128,186289,192621,208977,367165,352334,5253796,5339015,3643,6045020,5959115,408,493,194856,189377]},"pktlen": {"min":500,"avg":2827.5,"max":14466,"stddev":2993.9,"var":8963654.0,"ent":4.4,"data": [500,2946,2946,8706,2946,7266,1506,1506,14466,1506,2946,2946,7266,7266,4092,817,709,819,1525,821,1415,817,1530,1079,2946,1144,1169,1506,1506,1589,1180,1097]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,7,0,13]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02185{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":150,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1654385140835391,"flow_src_last_pkt_time":1654385156967826,"flow_dst_last_pkt_time":1654385157149701,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":434,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":14400,"flow_src_tot_l4_payload_len":6674,"flow_dst_tot_l4_payload_len":81693,"midstream":1,"thread_ts_usec":1654385157149701,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"161.117.13.29","src_port":45416,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1118853.2,"max":6045020,"stddev":2029038.4,"var":4116996947968.0,"ent":3.0,"data": [188503,1,1404,179436,1430,692,418,2433,676,270050,61,644,3892849,3428911,186128,186289,192621,208977,367165,352334,5253796,5339015,3643,6045020,5959115,408,493,194856,189377]},"pktlen": {"min":486,"avg":2813.5,"max":14452,"stddev":2993.9,"var":8963654.0,"ent":4.4,"data": [486,2932,2932,8692,2932,7252,1492,1492,14452,1492,2932,2932,7252,7252,4078,803,695,805,1511,807,1401,803,1516,1065,2932,1130,1155,1492,1492,1575,1166,1083]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,7,0,13]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,1],"entropies": [5.943944454,7.829628944,7.931543350,7.979783535,7.931476593,7.968062401,7.861111164,7.864268780,7.984925747,7.877884388,7.929042339,7.930032253,7.967924595,7.974642754,7.952368736,5.943904400,6.386446476,5.942170143,7.482911110,5.931495190,6.238120556,5.934639931,6.488353729,5.849187374,6.477306366,6.757167339,5.825885773,6.421376705,7.814886093,7.859082222,5.823412418,6.869374752]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 01703{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2063,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":165,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156971856,"flow_dst_last_pkt_time":1654385157153682,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":832,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":832,"pkt_l4_len":798,"thread_ts_usec":1654385157153682,"pkt":"nLbQ0+MztKXvZygQCABFAAMy+MlAADQG2UOhdQ0dwKgCfgBQw+Q76a9lejKjSIAYAPQgmwAAAQEICpcRV7e6xlWVSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogNDUwDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLTFjMiINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjU6NTcgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNColQTkcNChoKAAAADUlIRFIAAABaAAAAWggDAAAAD3axMAAAAG9QTFRFAAAA\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/L9MC0QAAACR0Uk5TAJSpvW0XB\/bWdRD8t6aZi3E3AvPs3s20r6B8d2dTI0U7LisEPmah4wAAAN5JREFUWMPt1MkOglAMheGi3AsOgDhP4NT3f0YhYiQGMcg9iYvzr7rpt2lSYYwxxhhj7C172I4F0nykCrFLuSiei\/sOWhYa9\/JIKxol69S5PNMqDyYHR8eyr89WKUrWtQXIiCv6kxqduJSPdXl5diinC60VDAevon2\/h5JoS+u8szd85BdjrG3tOtO1Ra+VDn6lva+0ksbT+DNucHQGo0MDo\/0bil7kgqITi6InqaDo6RhGZ4KiVwZGzwRFL68w2rN96f0n+iR9aRM2y5HtRUflfNk0ybERxhhjjLG\/7A7dOIR9fLd0dQAAAABJRU5ErkJggg=="} 01228{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2064,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":166,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156978849,"flow_dst_last_pkt_time":1654385157162185,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":574,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":574,"pkt_l4_len":540,"thread_ts_usec":1654385157162185,"pkt":"nLbQ0+MztKXvZygQCABFAAIwUYBAADQGgY+hdQ0dwKgCfgBQw\/TiBgbELqLpRYAYAPSjggAAAQEICpcRV8K6xlWcSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogMTkzDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLWMxIg0KRXhwaXJlczogRnJpLCAwMiBTZXAgMjAyMiAyMzoyNTo1NyBHTVQNCkNhY2hlLUNvbnRyb2w6IG1heC1hZ2U9Nzc3NjAwMA0KQWNjZXB0LVJhbmdlczogYnl0ZXMNCg0KiVBORw0KGgoAAAANSUhEUgAAAFoAAABaBAMAAADKhlwxAAAAD1BMVEUAAAD\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/+PQt5oAAAABHRSTlMA8a0mzjE4JAAAAF1JREFUWMPt0LsNgDAMRVEgC\/DJACAYANgg6O0\/E0qKpLIipYt0T2PryYXtAQAA9OpdzlTdsd45sDivkKYeaSuBYZK0x+aSvhIYRklzbLwUctA+Xd+k\/cr6BwEAwA+l3hHvzEdfEgAAAABJRU5ErkJggg=="} 01547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2065,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":167,"flow_packet_id":2,"flow_src_last_pkt_time":1654385156997634,"flow_dst_last_pkt_time":1654385157178524,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":746,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":746,"pkt_l4_len":712,"thread_ts_usec":1654385157178524,"pkt":"nLbQ0+MztKXvZygQCABFAALcrA1AADQGJlahdQ0dwKgCfgBQw\/a\/BfvNoaiIL4AYAPQ5GAAAAQEICpcRV9K6xlWuSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNTo1NyBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvcG5nDQpDb250ZW50LUxlbmd0aDogMzY0DQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQpMYXN0LU1vZGlmaWVkOiBGcmksIDE2IE9jdCAyMDIwIDA3OjExOjEwIEdNVA0KRVRhZzogIjVmODk0NzhlLTE2YyINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjU6NTcgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNColQTkcNChoKAAAADUlIRFIAAABaAAAAWggDAAAAD3axMAAAAFFQTFRFAAAA\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/CDfnXgAAABp0Uk5TAOEQHt3X0s4WI+fFBvPkMNPJq0tAC7VRUC7\/IHCDAAAAsElEQVRYw+3WWQ7DIAwEUCckUMjWfZn7H7RC\/DTqR4OE1SDNO8DIssC2EBERERHRv13Orei4AsMoGh4TAKdR99ghGjSyXzMid5PyfJeyD1KeD4hOGj0xqe5eJbtHdDRSnmkQWY1+tw5Rp5FtbOq3l1y2+cEGpOzsurHZvEieCZvd91N1Vq9380Jy3nUtv\/FzhtQy+dbzuo4ts4TVbqxkoz+\/75AKrqd08xERERERKXoDf5McEz6WWVMAAAAASUVORK5CYII="} @@ -942,14 +942,14 @@ 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2085,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385176795709,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385176795709,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":207,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385176795709,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38316,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00806{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2085,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_packet_id":1,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385176795709,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":273,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":273,"pkt_l4_len":239,"thread_ts_usec":1654385176795709,"pkt":"tKXvZygQnLbQ0+MzCABFAAEDkpJAAEAGvoDAqAJ+rGl5UpWsAFD4\/KHAFVJVKoAYAfbp1wAAAQEICvK1uWDJom0fR0VUIC92aWRlb19rYW5rYW4vaW1hZ2VzL3ZpZGVvcy80MDcwMS04ZmE3ZDkxNmM1NWUzMWY5MGZhNTVmNDUwYjcxNjUwNS5qcGcgSFRUUC8xLjENCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpIb3N0OiBwaWMuMWt4dW4uY29tDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXANClVzZXItQWdlbnQ6IG9raHR0cC8zLjEwLjANCg0K"} 01062{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2085,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385176795709,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385176795709,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":207,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385176795709,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38316,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"pic.1kxun.com","http": {"url":"pic.1kxun.com\/video_kankan\/images\/videos\/40701-8fa7d916c55e31f90fa55f450b716505.jpg","code":0,"content_type":"","user_agent":"okhttp\/3.10.0"}}} -01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2087,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":141,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":28,"flow_first_seen":1654385136206220,"flow_src_last_pkt_time":1654385176599830,"flow_dst_last_pkt_time":1654385177114485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":23040,"flow_src_tot_l4_payload_len":838,"flow_dst_tot_l4_payload_len":163493,"midstream":1,"thread_ts_usec":1654385177114485,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3011180.5,"max":39119714,"stddev":10152453.0,"var":103072311279616.0,"ent":1.3,"data": [353699,3771,104,303718,4300,92,205833,106,880957,368900,1,5053,392939,352227,1591,70,2344,55,1451,285655,2146,39119714,38675191,1,2923,335353,3681]},"pktlen": {"min":273,"avg":5201.3,"max":23106,"stddev":6479.7,"var":41986288.0,"ent":4.1,"data": [278,386,1506,1506,10146,2946,2946,23106,1506,1506,1172,273,386,18786,7757,278,387,1506,21666,4386,17346,4386,10146,5826,1506,5159,273,388,1506,11586,2946,2946]},"bins": {"c_to_s": [0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,7,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02167{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2087,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":141,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":28,"flow_first_seen":1654385136206220,"flow_src_last_pkt_time":1654385176599830,"flow_dst_last_pkt_time":1654385177114485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":23040,"flow_src_tot_l4_payload_len":838,"flow_dst_tot_l4_payload_len":163493,"midstream":1,"thread_ts_usec":1654385177114485,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":46184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3011180.5,"max":39119714,"stddev":10152453.0,"var":103072311279616.0,"ent":1.3,"data": [353699,3771,104,303718,4300,92,205833,106,880957,368900,1,5053,392939,352227,1591,70,2344,55,1451,285655,2146,39119714,38675191,1,2923,335353,3681]},"pktlen": {"min":259,"avg":5187.3,"max":23092,"stddev":6479.7,"var":41986280.0,"ent":4.1,"data": [264,372,1492,1492,10132,2932,2932,23092,1492,1492,1158,259,372,18772,7743,264,373,1492,21652,4372,17332,4372,10132,5812,1492,5145,259,374,1492,11572,2932,2932]},"bins": {"c_to_s": [0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,7,0,16]},"directions": [0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1],"entropies": [5.840793610,5.758453846,7.221220016,7.581106663,7.944396973,7.912007809,7.918235779,7.968857765,7.829185963,7.833258629,7.814552307,5.918824673,5.722350121,7.963245392,7.958693981,5.886214256,5.716395378,7.016712666,7.971186638,7.917016029,7.966053009,7.937659740,7.962855339,7.935114861,7.850684166,7.933465481,5.848567009,5.760809898,7.509957790,7.938345909,7.890325069,7.878456116]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00958{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2093,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":169,"flow_packet_id":2,"flow_src_last_pkt_time":1654385176794071,"flow_dst_last_pkt_time":1654385177118137,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":387,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":387,"pkt_l4_len":353,"thread_ts_usec":1654385177118137,"pkt":"nLbQ0+MztKXvZygQCABFAAF1WjBAADYGAHGsaXlSwKgCfgBQlbaIVDfjwISJoIAYAOs4SwAAAQEICsmibd\/ytbleSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNjoxNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDg3MzAzDQpMYXN0LU1vZGlmaWVkOiBTdW4sIDI5IE1heSAyMDIyIDAzOjI3OjU1IEdNVA0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KRVRhZzogIjYyOTJlODNiLTE1NTA3Ig0KRXhwaXJlczogRnJpLCAwMiBTZXAgMjAyMiAyMzoyNjoxNiBHTVQNCkNhY2hlLUNvbnRyb2w6IG1heC1hZ2U9Nzc3NjAwMA0KQWNjZXB0LVJhbmdlczogYnl0ZXMNCg0K"} 02534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2094,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":169,"flow_packet_id":3,"flow_src_last_pkt_time":1654385176794071,"flow_dst_last_pkt_time":1654385177118137,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385177118137,"pkt":"nLbQ0+MztKXvZygQCABFAAXUWjFAADYG\/BCsaXlSwKgCfgBQlbaIVDkkwISJoIAQAOsFsgAAAQEICsmibd\/ytble\/9j\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMAAgEBAQEBAgEBAQICAgICBAMCAgICBQQEAwQGBQYGBgUGBgYHCQgGBwkHBgYICwgJCgoKCgoGCAsMCwoMCQoKCv\/bAEMBAgICAgICBQMDBQoHBgcKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCv\/AABEIAeABkAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APgjVdV+IGpeNdTTTtd1OT\/iYShQt3If4z715latCnfmZ4ajObaSOi0zwV+0DrcSLpOm67cMW4EbSsen1ryK+aYKk\/enY7KeExc0rRubK\/Ab9smSMS2nw88XzK33THaTNn8jXGs\/ytys6y+86P7OzBL4GMPwE\/bXkJVfhP44LDsbGcVX9u5Zf+NH7w\/s\/MP+fbIJvgF+24fkf4R+NPqbWerWd5V\/z+X3g8uzD\/n2xY\/2Z\/24rhd0fwk8X\/iJB\/M0\/wC38q\/5+on+zcw\/kf3kkX7K\/wC3VOdsfwk8Xk9vmcfzapef5Sl\/GX4gssx\/8j+9Fgfsj\/t9Bdw+DnjFuP4Nzfyas3n2Uv8A5er8S1luYL7D\/D\/MY\/7Kv7e8QP8AxZTx6cf3LKdv5U\/7cyt\/8vl94\/7OzDrTZm3v7PH7cFqStz8GfiCCOv8AxK7v+grSOcZY9qy+8h4HHL\/l2\/uMq8+C\/wC2LaqWuvhV49QDqW0y7\/wrVZrlvSsvvM3gsb1hL7iinw2\/aqlk8qP4feOGbOCF066OP0qv7UwCX8aP3oSwmLf\/AC7l9zNTT\/gP+2Hf\/wCp+H3i9Af+e6yR\/wDoRFc887yuG9ZfI1jgMa1pTZrWv7Nf7Ygw8nhfX4x3Mt2ygfiWrlnn+WW0maLLsd1gXrb4P\/tRaU+24stVJHUJflz\/AOOk1xTznLpbTf3MpZfjVo4\/idL4f+HH7SdyQh0LWyfe7Kj\/AMeIry6+cZf0q\/mb08vxr3j+KOx0n4QfH3CreaPrKE9N2oqB+r1xf2vQl8E2\/lL\/ACOlYKUfjVvmv8zft\/gv8cXj\/d22ok44X+2IM\/8Ao2iOOnLbm\/8AAZf5DdKnHeUV\/wBvR\/zKOq\/Aj9qa4UjR\/C\/iCcnp5N3E3\/tWuunjacfjbXyl\/kYTo8\/wST\/7ej\/mcN4r\/Z4\/bdTcYfhb44kHP\/HvbNJ\/6Cxr06GZ5fH4qn33OWeDxTeiv81\/med+IPhH+2JprN9t+FfxCjx1zpNx\/SvUpZplb\/5fx\/8AAjllgsd\/I\/uOR1fSf2hdLYrq3h\/x"} 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2099,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_packet_id":2,"flow_src_last_pkt_time":1654385176794172,"flow_dst_last_pkt_time":1654385177120274,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":388,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":388,"pkt_l4_len":354,"thread_ts_usec":1654385177120274,"pkt":"nLbQ0+MztKXvZygQCABFAAF2wDBAADYGmm+saXlSwKgCfgBQlar6OK3h5ubbqoAYAOuKlwAAAQEICsmibeLytbleSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNjoxNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDEwMzg1NA0KTGFzdC1Nb2RpZmllZDogU2F0LCAwNCBKdW4gMjAyMiAwMzo1OTo1MiBHTVQNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCkVUYWc6ICI2MjlhZDhiOC0xOTVhZSINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjY6MTYgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNCg=="} 02495{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2100,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_packet_id":3,"flow_src_last_pkt_time":1654385176794172,"flow_dst_last_pkt_time":1654385177120274,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385177120274,"pkt":"nLbQ0+MztKXvZygQCABFAAXUwDFAADYGlhCsaXlSwKgCfgBQlar6OK8j5ubbqoAQAOs8UgAAAQEICsmibeLytble\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMAAgEBAQEBAgEBAQICAgICBAMCAgICBQQEAwQGBQYGBgUGBgYHCQgGBwkHBgYICwgJCgoKCgoGCAsMCwoMCQoKCv\/bAEMBAgICAgICBQMDBQoHBgcKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCv\/AABEIAeABkAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/APxm8Z+KPFA8aauF8RX5zqlxgfa34HmMPWva0SR823uUD4p8UeWNviO+GOn+mPz+tLqTd3BfFXipSR\/wkl\/06fa3\/wAabsK7uTR+K\/FH3P8AhI73noftb\/41DsldibZctvF3iaPKSeIb\/pwftb\/41zVUnaxzO7LcXirxJIgP\/CSX3TnN2\/H61jsYzukWIvFfiZo+PEN8M4GBdP8A41EtGZ3d9x8vizxTH848SX3A6G7fA\/Wkkrm8dI6CL4u8Sn5h4jvlzgEfanyf1pNPYtPTRmlZeK\/ErbR\/wkl\/nop+1P1HXvXLO97vQjmfNY6Xw\/4p8TPEWOu3j4bORdPn68mvPrNc9jKpJy0O68NeKPEWVjbxDeYQggi4bJPX1rzar3aMndPc7jSfGniSCBJjrV0V6BTOcrng\/XNedUTlawc0rXuXLXxnrZxI2vXPyqRlZW2j8M1nOMkXGavqdV4N8Z6+t5GravdOAAxzOcZPTvxXHXU+VibZ634Q8ZavqN8LY6jcCIJl5ROc9O\/0rxsQpKO4Jytub8PxJu7nWrdI9SuOCY2UznBHY+3SuKanGDuxqUl1Pdfhb4r12LS4rl9SeQXUiR4LdBnkGvn8ZKTd0\/xYnJoufGzxJrcdpLNbajKI44huEa\/Nwfu5\/KuGlzd2\/mEHd6s8ni8fa1bJ9pm1abMnDDfg7v6cVpNVHLe3zZ0atrUhPxD1GS3aa31W4eXac7nwWHehc\/Nq3+Jeq0uaXhH4i67Ff2oTVJZGJ3bSxyPcn29PaionOD95\/eVd9z6h8E\/Fe\/n8GRG3uTvdcbUQbgSOSSeg614FeNVS3f3stylyo5nXviX4pgmaZtUUCMHG3A2+xHauCvKd7OT+9kx5m\/I6Pwj8X4odCtr3xTdxutwTsdSDg\/3fbiuVxqybs397HCN3ZnoPg3x7jT0utNuo\/LaTa+1QBjt1715OL9onrJ\/ezohLl2PqH4J+JTrXhiNjKrlMKxVQOa5cBXqwxNuZ\/efX5LUU6Lj2Nb4k67Ho+hPdTSIc"} 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2103,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_packet_id":2,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385177120274,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":388,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":388,"pkt_l4_len":354,"thread_ts_usec":1654385177120274,"pkt":"nLbQ0+MztKXvZygQCABFAAF2OPRAADcGIKysaXlSwKgCfgBQlawVUlUq+Pyij4AYAOskNgAAAQEICsmibePytblgSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IG9wZW5yZXN0eS8xLjEzLjYuMQ0KRGF0ZTogU2F0LCAwNCBKdW4gMjAyMiAyMzoyNjoxNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDExNjQ1NA0KTGFzdC1Nb2RpZmllZDogVHVlLCAyNCBNYXkgMjAyMiAwMzoyODozNyBHTVQNCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNCkVUYWc6ICI2MjhjNTBlNS0xYzZlNiINCkV4cGlyZXM6IEZyaSwgMDIgU2VwIDIwMjIgMjM6MjY6MTYgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTc3NzYwMDANCkFjY2VwdC1SYW5nZXM6IGJ5dGVzDQoNCg=="} 02498{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2104,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":171,"flow_packet_id":3,"flow_src_last_pkt_time":1654385176795709,"flow_dst_last_pkt_time":1654385177120454,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1506,"pkt_l4_len":1472,"thread_ts_usec":1654385177120454,"pkt":"nLbQ0+MztKXvZygQCABFAAXUOPVAADcGHE2saXlSwKgCfgBQlawVUlZs+Pyij4AQAOvAhQAAAQEICsmibePytblg\/9j\/4AAQSkZJRgABAQAAAQABAAD\/4QAwRXhpZgAATU0AKgAAAAgAAQExAAIAAAAOAAAAGgAAAAB3d3cubWVpdHUuY29tAP\/bAEMAAgEBAQEBAgEBAQICAgICBAMCAgICBQQEAwQGBQYGBgUGBgYHCQgGBwkHBgYICwgJCgoKCgoGCAsMCwoMCQoKCv\/bAEMBAgICAgICBQMDBQoHBgcKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCgoKCv\/AABEIAeABkAMBEQACEQEDEQH\/xAAfAAABBQEBAQEBAQAAAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EAACAQMDAgQDBQUEBAAAAX0BAgMABBEFEiExQQYTUWEHInEUMoGRoQgjQrHBFVLR8CQzYnKCCQoWFxgZGiUmJygpKjQ1Njc4OTpDREVGR0hJSlNUVVZXWFlaY2RlZmdoaWpzdHV2d3h5eoOEhYaHiImKkpOUlZaXmJmaoqOkpaanqKmqsrO0tba3uLm6wsPExcbHyMnK0tPU1dbX2Nna4eLj5OXm5+jp6vHy8\/T19vf4+fr\/xAAfAQADAQEBAQEBAQEBAAAAAAAAAQIDBAUGBwgJCgv\/xAC1EQACAQIEBAMEBwUEBAABAncAAQIDEQQFITEGEkFRB2FxEyIygQgUQpGhscEJIzNS8BVictEKFiQ04SXxFxgZGiYnKCkqNTY3ODk6Q0RFRkdISUpTVFVWV1hZWmNkZWZnaGlqc3R1dnd4eXqCg4SFhoeIiYqSk5SVlpeYmZqio6Slpqeoqaqys7S1tre4ubrCw8TFxsfIycrS09TV1tfY2dri4+Tl5ufo6ery8\/T19vf4+fr\/2gAMAwEAAhEDEQA\/AM3xD4j8QR63dH+1L3ck7AhpTgjPBPp9a\/VPccFof5r162IeInzSlfmfV935klt4p8UWcKZ1e5k3sD5byHgdiM9Ki0XpY3p4nF04JqUtfN\/5kWoeK\/FN8+06lKMqeFmI9\/XkU1GNtjSWKxMre9L73\/mVZ\/FfiJIVhGrTjBypM5IH5UcsexMq2Itbmd\/8T\/zHjxZrAsGh\/tq4Eh6l5zkH+tCjFO9ivb1fZNObv3u\/8xfDesa7dXksk+szZhQBczHkk9+4470q0o2VkVgJ16lV3nLTzf8AmdDFe+IrjJfVroKgIGJSFJ9Ov6elcz5bbHt0nXvrKX3v\/MxvH2reIn8O3E66xdI1tiSOQzkHk8qPY56VVGSjOyW5GL9q8O5OUtPN\/wCZ523jPxLMm0+ILsqByDM3ynOeK6ZKDd0jx1VxCfxy+9\/5lC48T+JplCrr13ye07c+3Xilyx7HRDE1oy1nL72UbvXPEka7pPEV4WzgkXDf40nCL6HbDG4iX2397\/zMy\/8AFHii1yo8S3hJ4P8ApLcdfek4xS2O+jiK1RfE\/vf+Zz2oeLfFKsVHiC8JP3Nty3Hr0NZ8sb7HqUq1a1uZ\/ezNuPF3ifcT\/wAJBfjjki6b\/GjljfY7KdWra3O\/vZTbxZ4tdhu8R3oPQK10x4\/OhxS6HWqtRbSf3sp3HizxZsGfEN7gc83b\/wCNRKMexvGtUT+J\/eyrc+LfFrMWXxHfZwMf6U3T86nlj2OilWqcvxP72VX8V+LSPKl8RXxXA4+0vyc9eDRyx7HTGtUvpJ\/eyC68YeKVk\/d+JdQjAXDbLx8n8CaOWL6GsKtXl1k382UZPF3jEyYPjLUeucNdMQP1qOWK3R1Rrzt1+9kT+KfF8YP\/ABU92TnJH2t846etLkS6Gyrzl9p\/eyGTxV4uljUQa\/enqWzev19Ov+eKlxT6IpVpqWsn97M6bxP4uZR\/xUWolif+f5+ffrWbp0+qOyFeo38T+8py+KPFyqsv\/CUamoYEjdeP\/Q0nSp9jup4yq7q\/"} -01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385176794172,"flow_src_last_pkt_time":1654385178155648,"flow_dst_last_pkt_time":1654385178652815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":414,"flow_dst_tot_l4_payload_len":190898,"midstream":1,"thread_ts_usec":1654385178652815,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38314,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":128804.8,"max":1361476,"stddev":284817.3,"var":81120911360.0,"ent":2.5,"data": [326102,180,328843,179,2720,177591,469,1313,2855,118,155,777,2306,401346,1361476,293524,1,1093,2137,2758,88,201,2770,309632,1485]},"pktlen": {"min":273,"avg":6044.5,"max":15906,"stddev":5319.9,"var":28301384.0,"ent":4.4,"data": [273,388,1506,1506,2946,7266,1506,8706,2946,15906,1506,1506,4386,13026,8706,2946,1506,15906,13200,273,388,1506,5826,15906,11586,10146,4386,14466,2946,2946,13026,4386]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,21]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02146{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":170,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1654385176794172,"flow_src_last_pkt_time":1654385178155648,"flow_dst_last_pkt_time":1654385178652815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":207,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":207,"flow_dst_max_l4_payload_len":15840,"flow_src_tot_l4_payload_len":414,"flow_dst_tot_l4_payload_len":190898,"midstream":1,"thread_ts_usec":1654385178652815,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"172.105.121.82","src_port":38314,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":128804.8,"max":1361476,"stddev":284817.3,"var":81120911360.0,"ent":2.5,"data": [326102,180,328843,179,2720,177591,469,1313,2855,118,155,777,2306,401346,1361476,293524,1,1093,2137,2758,88,201,2770,309632,1485]},"pktlen": {"min":259,"avg":6030.5,"max":15892,"stddev":5319.9,"var":28301380.0,"ent":4.4,"data": [259,374,1492,1492,2932,7252,1492,8692,2932,15892,1492,1492,4372,13012,8692,2932,1492,15892,13186,259,374,1492,5812,15892,11572,10132,4372,14452,2932,2932,13012,4372]},"bins": {"c_to_s": [0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,21]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.862609386,5.739748001,7.483025551,7.871859074,7.907062054,7.948117256,7.824954033,7.955245495,7.912051678,7.957016468,7.844995975,7.818977833,7.915155411,7.942556381,7.931100368,7.889071465,7.843290806,7.954283714,7.957226276,5.824898720,5.733853340,7.490488529,7.941090584,7.961003304,7.942962170,7.945000648,7.908642769,7.925697327,7.901566505,7.900532722,7.942762852,7.917910576]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.1kxun","proto_id":"7.295","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2269,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":172,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385181857708,"flow_src_last_pkt_time":1654385181857708,"flow_dst_last_pkt_time":1654385181857708,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":409,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":409,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":409,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385181857708,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.117.221.10","src_port":59324,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01077{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2269,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":172,"flow_packet_id":1,"flow_src_last_pkt_time":1654385181857708,"flow_dst_last_pkt_time":1654385181857708,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":475,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":475,"pkt_l4_len":441,"thread_ts_usec":1654385181857708,"pkt":"tKXvZygQnLbQ0+MzCABFAAHNXapAAEAG0trAqAJ+aHXdCue8AFBxmTfMTd+OWYAYAfYKZgAAAQEIColJBIxVzQaLR0VUIC9zZGsvdnBhZG4tc2RrLWNvcmUtdjEuanMgSFRUUC8xLjENCkhvc3Q6IG0udnBvbi5jb20NCkNvbm5lY3Rpb246IGtlZXAtYWxpdmUNClVzZXItQWdlbnQ6IE1vemlsbGEvNS4wIChMaW51eDsgQW5kcm9pZCAxMTsgc2RrX2dwaG9uZV94ODYgQnVpbGQvUlNSMS4yMDEwMTMuMDAxOyB3dikgQXBwbGVXZWJLaXQvNTM3LjM2IChLSFRNTCwgbGlrZSBHZWNrbykgVmVyc2lvbi80LjAgQ2hyb21lLzgzLjAuNDEwMy4xMDYgTW9iaWxlIFNhZmFyaS81MzcuMzYoTW9iaWxlOyB2cGFkbi1zZGstYS12NC42LjQpDQpBY2NlcHQ6ICovKg0KWC1SZXF1ZXN0ZWQtV2l0aDogY29tLnNjZW5ld2F5Lmthbmthbg0KQWNjZXB0LUVuY29kaW5nOiBnemlwLCBkZWZsYXRlDQpBY2NlcHQtTGFuZ3VhZ2U6IGVuLVVTLGVuO3E9MC45DQoNCg=="} 01212{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2269,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":172,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385181857708,"flow_src_last_pkt_time":1654385181857708,"flow_dst_last_pkt_time":1654385181857708,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":409,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":409,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":409,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385181857708,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.117.221.10","src_port":59324,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"m.vpon.com","http": {"url":"m.vpon.com\/sdk\/vpadn-sdk-core-v1.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/83.0.4103.106 Mobile Safari\/537.36(Mobile; vpadn-sdk-a-v4.6.4)","detected_os":"Android 11"}}} @@ -1017,11 +1017,11 @@ 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2344,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385184982489,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385184982489,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":262,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385184982489,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36660,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00881{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2344,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":1,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385184982489,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":328,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":328,"pkt_l4_len":294,"thread_ts_usec":1654385184982489,"pkt":"tKXvZygQnLbQ0+MzCABFAAE6JG9AAEAG2MrAqAJ+EkBnHo80AFAYADoNP4BZp4AYAfY9sQAAAQEICpxRp3YAJw3ER0VUIC9ydi9lbmR2NC5odG1sP21vZj0xJmVjX2lkPTQmbW9mX3VpZD05MTE5OSZuX2ltcD0xJnVuaXRfaWQ9ODg4MSZzZGtfdmVyc2lvbj1tYWxfOC43LjQgSFRUUC8xLjENClVzZXItQWdlbnQ6IERhbHZpay8yLjEuMCAoTGludXg7IFU7IEFuZHJvaWQgMTE7IHNka19ncGhvbmVfeDg2IEJ1aWxkL1JTUjEuMjAxMDEzLjAwMSkNCkhvc3Q6IGh5YmlyZC5yYXlqdW1wLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KQWNjZXB0LUVuY29kaW5nOiBnemlwDQoNCg=="} 01151{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2344,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385184982489,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385184982489,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":262,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385184982489,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36660,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"hybird.rayjump.com","http": {"url":"hybird.rayjump.com\/rv\/endv4.html?mof=1&ec_id=4&mof_uid=91199&n_imp=1&unit_id=8881&sdk_version=mal_8.7.4","code":0,"content_type":"","user_agent":"Dalvik\/2.1.0 (Linux; U; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001)"}}} -01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2368,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":182,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184927393,"flow_src_last_pkt_time":1654385184927393,"flow_dst_last_pkt_time":1654385184996498,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":183,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":7140,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":129251,"midstream":1,"thread_ts_usec":1654385184996498,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.66.2.90","src_port":35664,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2559.4,"max":14880,"stddev":3288.5,"var":10814189.0,"ent":3.8,"data": [14880,612,571,2499,3579,106,930,2545,9210,1,87,6481,115,1571,2984,1607,79,1540,90,67,2792,6531,3088,2380,1844,2843,73]},"pktlen": {"min":249,"avg":4110.8,"max":7206,"stddev":1776.8,"var":3156934.0,"ent":4.8,"data": [249,797,1494,2922,4350,4350,4350,4350,2922,1494,4350,4350,2922,4350,4350,2922,4350,5778,5778,5778,5778,4350,5778,1494,5778,4350,2922,7206,4350,7206,7206,2922]},"bins": {"c_to_s": [0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,27]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02120{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2368,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":182,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184927393,"flow_src_last_pkt_time":1654385184927393,"flow_dst_last_pkt_time":1654385184996498,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":183,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":7140,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":129251,"midstream":1,"thread_ts_usec":1654385184996498,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.66.2.90","src_port":35664,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2559.4,"max":14880,"stddev":3288.5,"var":10814189.0,"ent":3.8,"data": [14880,612,571,2499,3579,106,930,2545,9210,1,87,6481,115,1571,2984,1607,79,1540,90,67,2792,6531,3088,2380,1844,2843,73]},"pktlen": {"min":235,"avg":4096.8,"max":7192,"stddev":1776.8,"var":3156934.0,"ent":4.8,"data": [235,783,1480,2908,4336,4336,4336,4336,2908,1480,4336,4336,2908,4336,4336,2908,4336,5764,5764,5764,5764,4336,5764,1480,5764,4336,2908,7192,4336,7192,7192,2908]},"bins": {"c_to_s": [0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,27]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.996097565,5.777042866,7.226827621,7.290063858,7.169473648,7.549562454,7.741216660,7.886993408,7.805087090,7.871054173,7.816677570,7.889826775,7.874413013,7.855673790,7.883734226,7.880590916,7.907371998,7.911734104,7.904975414,7.920679092,7.923110485,7.898054600,7.889371872,7.836673737,7.848505497,7.876494408,7.870183945,7.916009903,7.791001797,7.856836319,7.815247536,7.823584557]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 02473{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2407,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":2,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385185015621,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1494,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1494,"pkt_l4_len":1460,"thread_ts_usec":1654385185015621,"pkt":"nLbQ0+MztKXvZygQCABFAAXIXwoAAPgGIaESQGcewKgCfgBQjzQ\/gHc7GAA7E4AYAINkpwAAAQEICgAnDeicUad2RWsIZamOljqm7gSNKAkXQCu+hVDQvHNR9FYzcLa6bcMwfHz8+6Ohpq2yX4VCM8MnePOCbl7QzQu6eUE3L+jmBd28oJsXdPPvCN38HeCm8Yfm\/kvPR3Dz+vd\/+5\/+qz\/+F\/\/73\/yP\/8vf\/ov\/+v\/+3\/7l3\/xn\/\/nP6n\/VjBMyedbYcXZ\/o\/OF7mdeh9Hhr\/RfIfMv43vvKuRdCur\/FFM9E59fEn2SOA2NKnl1bdNivqb2mOXNXHq1\/YMX1\/Ovvr+Ls8avbLeJu\/n+XUe8voOwYRiE416SRHkHbuH3JI7AK5hcYzixRhEYhd8jOEmi6zWCkdiKXBEYCfi+gog\/Et\/23iV5mL96vr5z8qbJ03dVHEbNXOMfCP\/4uyrDZ\/hnarl7h38mQu9N1tzbJ+HHYOnfwgd4YKemZxmEk6Yfkz3lh\/aJu5CbeloHFbHt+TJXIpxmxZgsZHiRMOZFvKzyDdgT70P7AneujlPtVyx1Ci8u7Wd7MtsuMwhfTyvOMfV9uKfpBVoFiWcijlTzRwo97G1lTY77npOvQt2eMaaQrdoht73lsx1+nZwlg+BlIhnXXbgLsHWy5C\/CTrdrpvOys4hB5bmgib5vMJLqdEuhL1RVueIWhr1W24corWULSQqDfGNsr1HdHI4FJV+WwuEwhjFLFwqL5Xy27akNzx1XpbTfbywRws5chR\/VzSRUHZ82JFfLUbM21UlmqXQlB5CS01wcLs0xrplUXKuatlxW\/JnKqnFYcvIJ+HnXlDQp0jzZWW7b+IreDkRwtvod2OSadqez+8PJQr11ODo3W9Sq9lB21UYv1nbZnPkKxY3GO2VJgKi3y86OY2lDWQkA3y1giPPL0I8WU8XJRBa7HXzc3Kr4uITR5JDT0WTaYXbC9v5VWfTptvCOnVLv18ciGZlm2dHCfrfBJ8PAq77hGFHEh2RHh+SoYiYL45XZJMJ1SZZMbDASfdSvphUfow01aDWyqsWVpJirq1bhq16jM844FVx6sRj6QlADNWTuRMUGtyRUymqEmNkJt0Yb1N1graqbbda1j4vrOEyE7tb2An3aY8uYGHAX8\/rsNN6gbsLJaXGuswDrrwixB2A37Y+RJEMuQhm9tVPq3bKPTkuFNlJk4shWDhxGJ4gRxe1aHQH+OdOeb5ZAybp4QOtbdJVZhbI7fRHTpmi3Db68nJpjZBHlst+pE6dd\/auVOTRGjFYfMxlXYZeV5CtjfADQStuORhXR14nj+JExkEESLQhVIgsxAsrbUusYDOsmiIS0OxhmECNGsnePTqNm9Ybk0jiCIUUMk0Q6bo9XikfzcXHRxBU2KhFA7wFnV9mu0s+4T+Cmvs31pVGdu01zTdMqOQbatST8XeSiGb9xLLVobbjVxgASHcVY6Z0cEk1Zw70WhNMSziSBuvEt6nPBEkkYPUs89VCHjedyHoevTwhpwRtTvVC9cjscTpkEl70Q5ZcEM0iBVlOrZshoxaxTCyVqkcFaQaTJND7qiruC9vSgHxhROJty2frJRGcUkW\/T8bzArQu62Aj8pZfq5WnpurUmhYNXBBstPB0HdLEt67HP9CUNcHaVL\/py5Tv+IiqnHSGMtLAtT2aEyysT7VlU2B1c0UynpCL4dONoCBQZiWBCCob59IQIU9r6hD5FW92974pfH398cuCh13wO5v+Bzpq+x4zOk7NmVkyoZTPht8XqNPclVgd+dr30ls5urO+xrXKEf+KEQVxrl2X5Oea+B7dP8f2vfeAhlpy7jKenuJahub4U2SPWInq+hVn3Kp7Xjnw5Mt72ttIa3qJmWSX5OaelWMO1q4cTtae5TXSrzL1EZlCA5nHYN3tCgikSvSDqTjQq48xf4eq4x89aD51T5RZZJ\/zYX3eIruVriHTZcy9vlhIyXU6UT8Gkvj5OMbHU"} 04501{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2408,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":3,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385185015621,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":2922,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":2922,"pkt_l4_len":2888,"thread_ts_usec":1654385185015621,"pkt":"nLbQ0+MztKXvZygQCABFAAtcXwsAAPgGHAwSQGcewKgCfgBQjzQ\/gHzPGAA7E4AYAINH0wAAAQEICgAnDeicUad24XFtV7Rg10duU4UTlxkMf+4hbiOeKWSTGwnHrK\/bcVHDmrmHVT1QbFoe9jUro5dI5TdYvpHS0y1rjoh+0U3zcCtX9rblxRoi5FhuCbqzSJTCJ\/SCO4zZZSPYNE6w5HSVgAaV0y2oWClZOTWZhlvMk\/XLRpM2IbCWurCzT+9+nnf\/OWUMYJ35yVcMM8b6\/R\/\/1f\/5x\/\/+v\/rM8TWeCOPgXR\/Wn9HNbJqvANEK619BcRX6k+IzZvpCAIbt5MNPYdScnyfOCY1\/TyD1rf7duf9o+anpe+Lk86r6HoqW4GHx6Znn1+7nR8VPBz8nS9L5cAeE+tP9z7LkZg6+ssfPLHPhW3ltM+PZT5K8\/\/msfZakyRs7mbt7Xv7\/5l\/\/85\/obM72VPyqzrNvqjRrU2d+wff86N\/86\/\/y1dOAvpLFbex7cuAdHr+ancs7IF7TArMobu\/azMv7LMnv2ZI\/Gupcy2kBmgQdfr79Efcrp\/mm7gDzHc7PmZXzYaydhcl9sn\/Bdl7f8evdzu42\/KM6\/2CPyGFz2XrOAlzQ68abCb\/NI1L4Z494f\/7\/wYeXvY12b\/v45AFpVjEKiukvMgW7N34KJ1mHT5uII8wicQAf7cIJq5oahpZLfYWtbiLN8Nh5vTFcczsoLYRSQOpr5+wJefBB0Bcjqs8OVij5zI4Q8US3kT6+pov1ZlWX1ZbBLAo\/CWVvJs7o7OLKwNZicOUC1akI83ha4yIZMssUw8P1miwuy6UgRf4eU5Z4nB6XmLKp3MOmhnDsUnscvDaHlhO5ju5pELGc1S1KGIjCWSnZkCldR8tC3DNDZhx2FKPl6Ci6COlwEwia\/ctaSG\/KNTGIWOI6zxgGatnGGthaTk1Dl52EoUGrXjVsYFdBMq6zs3e4rH0Kz4xNdXR5SSjlJSGkp+XAetsK67orj5IjKZ9wGSH8hV8441VbQeRVqYj9GmcyBGz12el6BMEvIWJjscDyTLrh3gbg\/hA7bG\/IFWoEHieVcL0Fga3fQZtUIvBGrA4DAHWEdWYmHNmovkcclhbSpgp39QFulyfMoKwtehAkztJTKuJ6VmqPjURtjSFB1eFWH1Yc7LQ6dAu7tRLspVXE29p+fTlt3DU5BIU4qVWEQhjVxOQJJno\/tO47JaUb5kHb4cxZFH\/xjOAXlxRYQ3maguAXxIPDq5+U3s2e6xvHBz+qA9znj+qA0r3OzF78\/m\/\/m3\/x5GWK3\/9f\/8f\/9On2j\/\/DZ+rf\/K\/\/8y+4ISevvLvD+vmDL13\/qNtPXbbJM1cS1\/MvdrRzDv0vjv8pQXvOIP9JD\/cE7a+oLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwnaLwna3zq1eknQnu9fUpheUpheUpheUpheUpheUpheUpj+Q0th+u1o6CVB+wXdvKCbF3Tzgm5e0M0LunlBN\/8+oJu\/A9z8u0vQrpCfFX85I7tCnPBbGSm\/lk30zbTs9WqNEysUXZM4hpMYDijwEhBJBF+uEHC\/esnKvn9esrJfsrJfsrJfsrJfsrK\/dtYvWdkvWdn\/qKzsr2DFb8iy\/jbI+v87\/boZGvre\/q+mYD9X+y2Z2M+J2D+hfcm9nhP5\/pG515+TmJ\/6\/\/ct9fpHOdZMY39Dhb8G6D\/nW\/8jnNtLgvVLgvV\/PAnWP1o8\/7C\/j\/GrCdn3b9X++rjgVxOy5zr\/lhOyP3X5907ILoBTEbN4znv+kQ+d\/VichUew\/T3fvn\/\/\/udb4HMLzxvoT2hNXDD+vDu9qpsx8R\/BjlUk9vhhnsjPvM9fbh60mXtP2067WZA3b3\/43ScSuJ+\/Jh1o\/589f\/f5q7983TbBO\/IvX383f1X7D26e5NWHfwLD8Hfzt4KHVQ4c8Yd\/EgTBd\/P3kwdgm3k3fgA95Uny3bved25AP7N3flfHk\/\/O9q5t3XxAYPiffvcurb\/95OP9S+H\/7Ie8bRKwU3yAf7mheXxfntrFuygOo2R+sfDuSdIqdOw38MP939t7ww\/zd6D\/EIBt6F1gp3ECpLWz+l3tV3HwcX72AGbrwUsevObB8x7a5CFPHpL4IUIeIvQhWj5E2EOEP0Srh6LyH9zc8x+CvEofgthPPDBjD4kfAgt5iLOibR5mie3Ktx+KByfJ3VvZ5o3\/0EQPjfcQVQ9Pm9mDXTWxm\/gPdh2D5jwf7JBJDVoMXbuY9TLfttXcEahdPcxoZb7Ms188AHtsHzK7e6j9uxJ\/SO0qjDMwbYXtzab0Af74JEztJ4Dls0xPkzBP59O0NzPI+eFpHczTl9hF7X\/4dPPd8wNgk+5To59HDLbN52qAajtO9WADA8jG9DP1u3tXwLZiO5u1VqV28tHzkx\/uGvXAsqruh4EfZoW\/ayIwsDD6CMSv\/Lp++DQLbtw8z7gXZA9+Os8jaPN5HLPhPzf91F3vz4bwAYfhj0CFbfLDvEY\/82X+x0\/tNtGTHDawHCCCHzQfv9L2zybrqx7KD44P7MB\/KD\/YAVDSD89\/3+DDn\/7px7p1Huq2+FETBP5Pv7sPNXpqAegqr+P7DFR+Ys8I8zuwnIBV2MmzWDMImat8nFtq8uLDu\/e4n85t\/\/D0Qg0Q0Jlif4jmpfjV1IKF6lf3FuKsfrC\/en6fktcP8aOXuy0wqua9C4yk8dnEn0tvXt9n7vXb7+LgzWeW0G+en9f0eLRD2U79N3c4\/frtX8B\/9d4uCrAYmChOvDfx24f4\/b0RPfL95u2PC++fMbb313\/95id0t67nt6yPzdvv\/KT2XzXV+EP8\/v4HGua3lI8N0GLjRm\/8t5\/IT+wfP755+\/DZr8UP4Plnxzf7vNnP+Y\/VPAB69mHApJlkPuHSwBJ58\/Z9H3tN9B2Owd\/7UP0nf\/LGfwT3f1a\/\/e7JQfoQAn9XPQn6ftarDtT62CxeF8Prh\/R95aeP8f3\/5uNcASxxUP40aw\/Vo\/258Dx9Dzmgla1fjfp9lebVmz9NgSP4iwzM6OPrLvb7+57zV3\/69iH5VdYg8YcYTOWdtX6EHzzwkz4CMZ8fgCn+Unj84eNdo\/nTlLiP+TwlVNNUMXBOQJfPdvz67fv0PtFQDDaN2E7+8l0NjNN\/fPMXf+n95fu\/WryF3n7ngomatziwc3BgH2veuH+B\/NUsxJ0kAiNCIO\/t2493TYJOk6dOo8fklzqdRYueuIrH6CsRvKL6sQAPwRee1B7itE2\/4vmuAEI+S\/QkZHEX8idyAznrt++bnIsH33uDvn0Lmv55teC3VPv4EQzgd8CAfuc9jaJ9BPYNvHUc2kBx8\/owQWgFrPKT3HbmVXnsQeF9ufwaZ3z\/Qy4z49sHZzYvv4tdXwF9J9q8pL\/zHhEIyNz++fL7RweI\/7v6r\/8a3NZv\/3z5Af1CQu8k9APyAXk7iwvM+ifKuAdqYBZfP9RvH36XvwUsb2Zr\/Zl7mE3w9du3P6s82+Trhy\/2+\/Yh\/xnHJ10\/vH5W67NhvV54i9cPr571+DMiYP2K2Nbz9gQosyN5zHLQV\/U+iKv60xq7u6G336D9xE3lT57mrq3w62ECdADMMvxZlQf7fV+B7elN+MU3gcl8D7YwtgP1JLD1+ID+BqDJeQd4\/cU3vf0BbP12dYxTHyCeN9nbh+wRzNCncvOwhAF0efgdMtvD1+3NgLKO8v5HLQJf578vZmMBTB7Q8m\/o4LkHoI20SPzGf\/34CMYOhu6N+hxf\/7n9fgZHP\/d4CPpn9d3pfbC\/IdvmsJ\/fwcw0gGp97yej\/jsafJIHuGLgTuclHN\/\/r+\/ONQCTGGmz"} 01165{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2408,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":187,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1654385184982489,"flow_src_last_pkt_time":1654385184982489,"flow_dst_last_pkt_time":1654385185015621,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":262,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":262,"flow_dst_max_l4_payload_len":2856,"flow_src_tot_l4_payload_len":262,"flow_dst_tot_l4_payload_len":4284,"midstream":1,"thread_ts_usec":1654385185015621,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36660,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"hybird.rayjump.com","http": {"url":"hybird.rayjump.com\/rv\/endv4.html?mof=1&ec_id=4&mof_uid=91199&n_imp=1&unit_id=8881&sdk_version=mal_8.7.4","code":0,"content_type":"","user_agent":"Dalvik\/2.1.0 (Linux; U; Android 11; sdk_gphone_x86 Build\/RSR1.201013.001)"}}} -01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2427,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":185,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184944474,"flow_src_last_pkt_time":1654385184944474,"flow_dst_last_pkt_time":1654385185026289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":497,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":497,"flow_dst_max_l4_payload_len":5712,"flow_src_tot_l4_payload_len":497,"flow_dst_tot_l4_payload_len":108528,"midstream":1,"thread_ts_usec":1654385185026289,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36640,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":55,"avg":3272.6,"max":21003,"stddev":4960.2,"var":24603724.0,"ent":3.6,"data": [21003,154,129,3134,1686,3067,15801,2210,2030,2737,73,1485,603,2873,1573,1531,81,114,3525,1587,2816,10499,1437,55,1612]},"pktlen": {"min":563,"avg":3473.0,"max":5778,"stddev":1697.9,"var":2882863.0,"ent":4.8,"data": [563,1494,1494,2922,1494,2922,1494,4350,4350,4350,2922,1494,4350,1494,4350,4350,4350,5778,5778,4350,1494,1494,1494,4350,5778,5778,3214,4202,5590,1538,5778,5778]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,1,21]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02124{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2427,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":185,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1654385184944474,"flow_src_last_pkt_time":1654385184944474,"flow_dst_last_pkt_time":1654385185026289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":497,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":497,"flow_dst_max_l4_payload_len":5712,"flow_src_tot_l4_payload_len":497,"flow_dst_tot_l4_payload_len":108528,"midstream":1,"thread_ts_usec":1654385185026289,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"18.64.103.30","src_port":36640,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":55,"avg":3272.6,"max":21003,"stddev":4960.2,"var":24603724.0,"ent":3.6,"data": [21003,154,129,3134,1686,3067,15801,2210,2030,2737,73,1485,603,2873,1573,1531,81,114,3525,1587,2816,10499,1437,55,1612]},"pktlen": {"min":549,"avg":3459.0,"max":5764,"stddev":1697.9,"var":2882863.0,"ent":4.8,"data": [549,1480,1480,2908,1480,2908,1480,4336,4336,4336,2908,1480,4336,1480,4336,4336,4336,5764,5764,4336,1480,1480,1480,4336,5764,5764,3200,4188,5576,1524,5764,5764]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,1,21]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.799116135,7.840260029,7.837001801,7.939268112,7.819420338,7.933657646,7.851344109,7.947911739,7.957500458,7.951948166,7.927341938,7.869306087,7.937100410,7.834094048,7.880655766,7.952060223,7.945407391,7.962455273,7.963794708,7.945417404,7.845272064,7.833052158,7.834871292,7.945909023,7.953672886,7.962710381,7.899997234,7.937138081,7.962800980,7.869377136,7.964761734,7.964723110]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAWS","proto_id":"7.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00757{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2503,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":180,"flow_packet_id":2,"flow_src_last_pkt_time":1654385184845262,"flow_dst_last_pkt_time":1654385185166661,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":236,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":236,"pkt_l4_len":202,"thread_ts_usec":1654385185166661,"pkt":"nLbQ0+MztKXvZygQCABFAADe9z5AACoGBubKmcQ1wKgCfgBQ5Ybmg6trug1byIAYAPOTtwAAAQEICkyTXI+9cmjoSFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IEFwYWNoZS1Db3lvdGUvMS4xDQpWcGFkbi1TdGF0dXMtQ29kZTogLTI2DQpWcGFkbi1TdGF0dXM6IE5PX0ZJTEwNClZwYWRuLVN0YXR1cy1EZXNjOiANCkNvbnRlbnQtTGVuZ3RoOiAwDQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDIzOjI2OjI0IEdNVA0KDQo="} 00758{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2504,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":181,"flow_packet_id":2,"flow_src_last_pkt_time":1654385184857770,"flow_dst_last_pkt_time":1654385185942149,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":236,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":236,"pkt_l4_len":202,"thread_ts_usec":1654385185942149,"pkt":"nLbQ0+MztKXvZygQCABFAADeE\/tAACoG6inKmcQ1wKgCfgBQ5Yg8Z0+pmkmYKYAYAPN5zQAAAQEICkyTX6y9cmj1SFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IEFwYWNoZS1Db3lvdGUvMS4xDQpWcGFkbi1TdGF0dXMtQ29kZTogLTI2DQpWcGFkbi1TdGF0dXM6IE5PX0ZJTEwNClZwYWRuLVN0YXR1cy1EZXNjOiANCkNvbnRlbnQtTGVuZ3RoOiAwDQpEYXRlOiBTYXQsIDA0IEp1biAyMDIyIDIzOjI2OjI0IEdNVA0KDQo="} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2505,"source":"1kxun.pcap","alias":"nDPId-test","flow_id":188,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654385229374771,"flow_src_last_pkt_time":1654385229374771,"flow_dst_last_pkt_time":1654385229374771,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1440,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1440,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1654385229374771,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"52.29.177.177","src_port":37100,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -1147,9 +1147,9 @@ ~~ total active/idle flows...: 197/197 ~~ total timeout flows.......: 20 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6506595 bytes -~~ total memory freed........: 6506595 bytes -~~ total allocations/frees...: 126674/126674 +~~ total memory allocated....: 6533387 bytes +~~ total memory freed........: 6533387 bytes +~~ total allocations/frees...: 126871/126871 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 18083 chars diff --git a/test/results/443-chrome.pcap.out b/test/results/443-chrome.pcap.out index 43bcb9e63..f0e666f1a 100644 --- a/test/results/443-chrome.pcap.out +++ b/test/results/443-chrome.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037718 bytes -~~ total memory freed........: 6037718 bytes -~~ total allocations/frees...: 121489/121489 +~~ total memory allocated....: 6037854 bytes +~~ total memory freed........: 6037854 bytes +~~ total allocations/frees...: 121490/121490 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 2488 chars diff --git a/test/results/443-curl.pcap.out b/test/results/443-curl.pcap.out index 5fb03a6fe..aecbf67d1 100644 --- a/test/results/443-curl.pcap.out +++ b/test/results/443-curl.pcap.out @@ -7,7 +7,7 @@ 01046{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113120522725,"flow_dst_last_pkt_time":1581113120512991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581113120522725,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01106{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113120522725,"flow_dst_last_pkt_time":1581113120563403,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1581113120563403,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01308{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113120522725,"flow_dst_last_pkt_time":1581113120564527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2880,"midstream":0,"thread_ts_usec":1581113120564527,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","server_names":"www.ntop.org","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,http\/1.1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}} -01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113121447770,"flow_dst_last_pkt_time":1581113121447985,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":899,"flow_dst_tot_l4_payload_len":10128,"midstream":0,"thread_ts_usec":1581113121447985,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":62811.5,"max":784064,"stddev":190271.5,"var":36203257856.0,"ent":2.2,"data": [38692,38799,9627,47643,2769,1124,2,41874,4,11797,50900,31,39132,3,742,11,18,78,76,38549,8926,46564,784064,784044,367,123,462,127,121,240,248]},"pktlen": {"min":66,"avg":411.2,"max":1506,"stddev":558.7,"var":312115.0,"ent":3.9,"data": [78,74,66,583,66,1506,1506,197,66,66,192,117,123,66,66,119,122,108,133,104,66,104,66,281,66,1506,1506,66,1506,1062,66,1506]},"bins": {"c_to_s": [10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} +02098{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113121447770,"flow_dst_last_pkt_time":1581113121447985,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":899,"flow_dst_tot_l4_payload_len":10128,"midstream":0,"thread_ts_usec":1581113121447985,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":62811.5,"max":784064,"stddev":190271.5,"var":36203257856.0,"ent":2.2,"data": [38692,38799,9627,47643,2769,1124,2,41874,4,11797,50900,31,39132,3,742,11,18,78,76,38549,8926,46564,784064,784044,367,123,462,127,121,240,248]},"pktlen": {"min":52,"avg":397.2,"max":1492,"stddev":558.7,"var":312115.0,"ent":3.8,"data": [64,60,52,569,52,1492,1492,183,52,52,178,103,109,52,52,105,108,94,119,90,52,90,52,267,52,1492,1492,52,1492,1048,52,1492]},"bins": {"c_to_s": [10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,1,0,1],"entropies": [4.367087364,5.300120831,4.945419312,4.294172764,5.100070000,7.382002354,7.456428051,6.751153946,4.945419312,4.945419312,6.263377666,5.952023029,6.200525761,4.983880997,4.930902004,5.836982250,5.780514240,5.536261082,5.983234406,5.510023117,5.215455055,5.937692642,5.060803890,7.153983116,5.060803890,7.879748821,7.892062664,5.060803890,7.868061543,7.808748245,5.060803890,7.868031502]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00914{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":109,"source":"443-curl.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":51,"flow_dst_packets_processed":58,"flow_first_seen":1581113120474299,"flow_src_last_pkt_time":1581113121570392,"flow_dst_last_pkt_time":1581113121570364,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":930,"flow_dst_tot_l4_payload_len":65886,"midstream":0,"thread_ts_usec":1581113121570392,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":55523,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00564{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":109,"source":"443-curl.pcap","alias":"nDPId-test","packets-captured":109,"packets-processed":109,"total-skipped-flows":0,"total-l4-payload-len":66816,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581113121570392} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -18,10 +18,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6045766 bytes -~~ total memory freed........: 6045766 bytes -~~ total allocations/frees...: 121603/121603 +~~ total memory allocated....: 6045902 bytes +~~ total memory freed........: 6045902 bytes +~~ total allocations/frees...: 121604/121604 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars -~~ json string max len.......: 1707 chars -~~ json string avg len.......: 1065 chars +~~ json string max len.......: 2103 chars +~~ json string avg len.......: 1238 chars diff --git a/test/results/443-firefox.pcap.out b/test/results/443-firefox.pcap.out index f1eea1139..4acc77f79 100644 --- a/test/results/443-firefox.pcap.out +++ b/test/results/443-firefox.pcap.out @@ -7,7 +7,7 @@ 01106{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109488081517,"flow_dst_last_pkt_time":1581109488079587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581109488081517,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01172{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109488081517,"flow_dst_last_pkt_time":1581109488123692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1581109488123692,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"3653a20186a5b490426131a611e01992","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01374{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109488081517,"flow_dst_last_pkt_time":1581109488123785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2880,"midstream":0,"thread_ts_usec":1581109488123785,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","server_names":"www.ntop.org","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"3653a20186a5b490426131a611e01992","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}} -01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109490061876,"flow_dst_last_pkt_time":1581109490062194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1047,"flow_dst_tot_l4_payload_len":13867,"midstream":0,"thread_ts_usec":1581109490062194,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":130384.0,"max":1655693,"stddev":403949.6,"var":163175268352.0,"ent":2.0,"data": [38504,38612,1822,40006,4099,93,2,42327,4,2052,40671,32,38677,3,193774,83,215,231092,9994,47033,1655690,50,1655693,186,15,177,176,149,321,109,243]},"pktlen": {"min":66,"avg":532.7,"max":1506,"stddev":610.4,"var":372566.0,"ent":4.1,"data": [78,74,66,583,66,1506,1506,140,66,66,151,332,115,66,66,235,312,96,66,96,66,1506,1506,66,1506,1030,66,1506,1506,66,1506,1030]},"bins": {"c_to_s": [11,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} +02113{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109490061876,"flow_dst_last_pkt_time":1581109490062194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1047,"flow_dst_tot_l4_payload_len":13867,"midstream":0,"thread_ts_usec":1581109490062194,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":130384.0,"max":1655693,"stddev":403949.6,"var":163175268352.0,"ent":2.0,"data": [38504,38612,1822,40006,4099,93,2,42327,4,2052,40671,32,38677,3,193774,83,215,231092,9994,47033,1655690,50,1655693,186,15,177,176,149,321,109,243]},"pktlen": {"min":52,"avg":518.7,"max":1492,"stddev":610.4,"var":372566.0,"ent":4.0,"data": [64,60,52,569,52,1492,1492,126,52,52,137,318,101,52,52,221,298,82,52,82,52,1492,1492,52,1492,1016,52,1492,1492,52,1492,1016]},"bins": {"c_to_s": [11,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1],"entropies": [4.367087364,5.366787434,4.894361019,5.219459057,5.100070000,7.372200966,7.462010860,6.339152336,5.022342205,5.022342205,6.101534367,7.216136456,6.184206486,5.060803890,5.060803890,6.919060707,7.232208252,5.746105194,5.176993370,5.774940014,4.930902004,7.873261929,7.864090443,5.022342205,7.874901772,7.771182060,4.983880520,7.883468628,7.853567600,4.945418835,7.868775368,7.782253265]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00921{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":667,"source":"443-firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":316,"flow_dst_packets_processed":351,"flow_first_seen":1581109488041083,"flow_src_last_pkt_time":1581109496480905,"flow_dst_last_pkt_time":1581109496480819,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":7675,"flow_dst_tot_l4_payload_len":406398,"midstream":0,"thread_ts_usec":1581109496480905,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53096,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00568{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":667,"source":"443-firefox.pcap","alias":"nDPId-test","packets-captured":667,"packets-processed":667,"total-skipped-flows":0,"total-l4-payload-len":414073,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581109496480905} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -18,10 +18,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6062002 bytes -~~ total memory freed........: 6062002 bytes -~~ total allocations/frees...: 122162/122162 +~~ total memory allocated....: 6062138 bytes +~~ total memory freed........: 6062138 bytes +~~ total allocations/frees...: 122163/122163 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 496 chars -~~ json string max len.......: 1719 chars -~~ json string avg len.......: 1075 chars +~~ json string max len.......: 2118 chars +~~ json string avg len.......: 1250 chars diff --git a/test/results/443-git.pcap.out b/test/results/443-git.pcap.out index d228ad538..1048a7ea4 100644 --- a/test/results/443-git.pcap.out +++ b/test/results/443-git.pcap.out @@ -7,7 +7,7 @@ 01053{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113657751016,"flow_dst_last_pkt_time":1581113657744320,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581113657751016,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"github.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01113{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113657751016,"flow_dst_last_pkt_time":1581113657863699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1424,"midstream":0,"thread_ts_usec":1581113657863699,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"github.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}} 01417{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113657751016,"flow_dst_last_pkt_time":1581113657863749,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3550,"midstream":0,"thread_ts_usec":1581113657863749,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"github.com","tls": {"version":"TLSv1.2","server_names":"github.com,www.github.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 Extended Validation Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com","alpn":"http\/1.1","fingerprint":"CA:06:F5:6B:25:8B:7A:0D:4F:2B:05:47:09:39:47:86:51:15:19:84"}}} -01697{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113658139408,"flow_dst_last_pkt_time":1581113658139371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":850,"flow_dst_tot_l4_payload_len":8277,"midstream":0,"thread_ts_usec":1581113658139408,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":32615.3,"max":143502,"stddev":53225.8,"var":2832981760.0,"ent":3.2,"data": [110467,110568,6595,119379,41,9,112809,2,11075,123994,112907,571,143502,5,142911,2,6496,2,14,6523,7,6,115,82,1242,13,1267,3,237,2,227]},"pktlen": {"min":66,"avg":351.8,"max":1490,"stddev":464.4,"var":215710.4,"ent":4.0,"data": [78,74,66,583,1490,1490,768,66,66,192,117,66,273,437,140,66,66,100,358,99,66,66,66,164,66,1465,622,66,66,1465,486,66]},"bins": {"c_to_s": [14,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,3,1,1,0,0,0,0,0,1,0,1,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}} +02095{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113658139408,"flow_dst_last_pkt_time":1581113658139371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":850,"flow_dst_tot_l4_payload_len":8277,"midstream":0,"thread_ts_usec":1581113658139408,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":32615.3,"max":143502,"stddev":53225.8,"var":2832981760.0,"ent":3.2,"data": [110467,110568,6595,119379,41,9,112809,2,11075,123994,112907,571,143502,5,142911,2,6496,2,14,6523,7,6,115,82,1242,13,1267,3,237,2,227]},"pktlen": {"min":52,"avg":337.8,"max":1476,"stddev":464.4,"var":215710.4,"ent":4.0,"data": [64,60,52,569,1476,1476,754,52,52,178,103,52,259,423,126,52,52,86,344,85,52,52,52,150,52,1451,608,52,52,1451,472,52]},"bins": {"c_to_s": [14,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,3,1,1,0,0,0,0,0,1,0,1,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,0,0,1,1,0],"entropies": [4.341937065,5.174957275,4.831954479,4.223120689,6.954095364,7.397567272,7.645401001,5.014835358,4.976373672,6.355282307,5.929066658,4.937911987,6.952417850,7.419026852,6.223026752,4.937911987,4.976373672,5.637029648,7.370140076,5.726850986,4.937911987,4.937911987,4.899450302,6.443542957,4.976373672,7.866954327,7.624365330,5.014835358,5.014835358,7.857865334,7.532955170,5.014835358]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}} 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":70,"source":"443-git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":35,"flow_dst_packets_processed":35,"flow_first_seen":1581113657633853,"flow_src_last_pkt_time":1581113658456571,"flow_dst_last_pkt_time":1581113658456501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1424,"flow_src_tot_l4_payload_len":881,"flow_dst_tot_l4_payload_len":31704,"midstream":0,"thread_ts_usec":1581113658456571,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"140.82.114.4","src_port":55744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Github","proto_id":"91.203","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":70,"source":"443-git.pcap","alias":"nDPId-test","packets-captured":70,"packets-processed":70,"total-skipped-flows":0,"total-l4-payload-len":32585,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581113658456571} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -18,10 +18,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6048145 bytes -~~ total memory freed........: 6048145 bytes -~~ total allocations/frees...: 121566/121566 +~~ total memory allocated....: 6048281 bytes +~~ total memory freed........: 6048281 bytes +~~ total allocations/frees...: 121567/121567 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1702 chars -~~ json string avg len.......: 1066 chars +~~ json string max len.......: 2100 chars +~~ json string avg len.......: 1240 chars diff --git a/test/results/443-opvn.pcap.out b/test/results/443-opvn.pcap.out index 1b31110f7..468a2b9f5 100644 --- a/test/results/443-opvn.pcap.out +++ b/test/results/443-opvn.pcap.out @@ -5,7 +5,7 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1581153175528454,"flow_dst_last_pkt_time":1581153175550065,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1581153175550065,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADYGAkzADMBnwKgBVASqzu1gWZU1YGtar6AScSBwigAAAgQFrAQCCAocQO0VFg2AOQEDAwY="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1581153175550155,"flow_dst_last_pkt_time":1581153175550065,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1581153175550155,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+FPAqAFUwAzAZ87tBKpga1qvYFmVNoAQECwALgAAAQEIChYNgE0cQO0V"} 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153176603974,"flow_dst_last_pkt_time":1581153176626109,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1581153176626109,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01733{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153177970762,"flow_dst_last_pkt_time":1581153177992252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3449,"flow_dst_tot_l4_payload_len":3196,"midstream":0,"thread_ts_usec":1581153177992252,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":158261.5,"max":1160659,"stddev":364282.7,"var":132701855744.0,"ent":2.7,"data": [21611,21701,1053819,1075076,968,22235,339,57386,57093,21241,11768,32975,174,239,20560,20491,9065,4,19997,11251,22162,19953,19952,207,21422,21230,137,58577,1160659,1122501,1313]},"pktlen": {"min":66,"avg":274.3,"max":1506,"stddev":407.4,"var":166005.6,"ent":4.0,"data": [78,74,66,110,66,122,66,118,66,387,66,1236,66,1506,118,69,118,1506,863,66,118,66,173,66,619,382,66,118,66,152,66,118]},"bins": {"c_to_s": [7,5,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [8,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02131{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153177970762,"flow_dst_last_pkt_time":1581153177992252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3449,"flow_dst_tot_l4_payload_len":3196,"midstream":0,"thread_ts_usec":1581153177992252,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":158261.5,"max":1160659,"stddev":364282.7,"var":132701855744.0,"ent":2.7,"data": [21611,21701,1053819,1075076,968,22235,339,57386,57093,21241,11768,32975,174,239,20560,20491,9065,4,19997,11251,22162,19953,19952,207,21422,21230,137,58577,1160659,1122501,1313]},"pktlen": {"min":52,"avg":260.3,"max":1492,"stddev":407.4,"var":166005.6,"ent":3.8,"data": [64,60,52,96,52,108,52,104,52,373,52,1222,52,1492,104,55,104,1492,849,52,104,52,159,52,605,368,52,104,52,138,52,104]},"bins": {"c_to_s": [7,5,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [8,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,1,1],"entropies": [4.398337364,5.141623974,4.810735226,5.491009712,5.116507530,5.561252594,4.971283913,5.772772789,5.078045845,6.141608238,5.116507530,6.862905025,4.887658596,7.272125721,5.704599857,5.040360451,5.785276413,6.812845707,7.438625336,5.154969215,5.830996513,4.908878326,6.252464294,5.009745598,7.575043678,7.235865593,4.971283913,5.734311104,5.063528538,6.235281944,5.217375278,5.826463223]},"ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00913{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":46,"source":"443-opvn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":21,"flow_first_seen":1581153175528454,"flow_src_last_pkt_time":1581153184491293,"flow_dst_last_pkt_time":1581153184491180,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3974,"flow_dst_tot_l4_payload_len":4543,"midstream":0,"thread_ts_usec":1581153184491293,"l3_proto":"ip4","src_ip":"192.168.1.84","dst_ip":"192.12.192.103","src_port":52973,"dst_port":1194,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":46,"source":"443-opvn.pcap","alias":"nDPId-test","packets-captured":46,"packets-processed":46,"total-skipped-flows":0,"total-l4-payload-len":8517,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1581153184491293} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6039023 bytes -~~ total memory freed........: 6039023 bytes -~~ total allocations/frees...: 121534/121534 +~~ total memory allocated....: 6039159 bytes +~~ total memory freed........: 6039159 bytes +~~ total allocations/frees...: 121535/121535 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars -~~ json string max len.......: 1738 chars -~~ json string avg len.......: 1056 chars +~~ json string max len.......: 2136 chars +~~ json string avg len.......: 1230 chars diff --git a/test/results/443-safari.pcap.out b/test/results/443-safari.pcap.out index c2508ab65..9b2bdf4aa 100644 --- a/test/results/443-safari.pcap.out +++ b/test/results/443-safari.pcap.out @@ -7,7 +7,7 @@ 01084{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109359641072,"flow_dst_last_pkt_time":1581109359639845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":233,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":233,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1581109359641072,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01150{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109359641072,"flow_dst_last_pkt_time":1581109359683686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":233,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":233,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1581109359683686,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"f9fcb52580329fb6a9b61d7542087b90","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01352{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109359641072,"flow_dst_last_pkt_time":1581109359683783,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":233,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":233,"flow_dst_tot_l4_payload_len":2880,"midstream":0,"thread_ts_usec":1581109359683783,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"www.ntop.org","tls": {"version":"TLSv1.2","server_names":"www.ntop.org","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"f9fcb52580329fb6a9b61d7542087b90","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3","subjectDN":"CN=www.ntop.org","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"DB:A7:E4:3E:6D:BB:21:AB:68:47:35:E8:0B:8F:15:DF:DB:C7:C9:6F"}}} -01700{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109360694080,"flow_dst_last_pkt_time":1581109360694172,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":797,"flow_dst_tot_l4_payload_len":9828,"midstream":0,"thread_ts_usec":1581109360694172,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":70482.6,"max":695650,"stddev":174729.3,"var":30530334720.0,"ent":2.6,"data": [38199,38303,1123,39767,4074,97,2,42774,4,225660,264285,31,38670,4,1586,32,19,43,88,40010,28,9938,48247,695603,124,695650,120,128,123,103,125]},"pktlen": {"min":66,"avg":398.7,"max":1506,"stddev":559.6,"var":313139.8,"ent":3.9,"data": [78,74,66,299,66,1506,1506,168,66,66,151,109,115,66,66,111,108,100,394,96,66,66,96,66,1506,1506,66,1506,66,1030,66,1506]},"bins": {"c_to_s": [11,3,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} +02095{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109360694080,"flow_dst_last_pkt_time":1581109360694172,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":797,"flow_dst_tot_l4_payload_len":9828,"midstream":0,"thread_ts_usec":1581109360694172,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":70482.6,"max":695650,"stddev":174729.3,"var":30530334720.0,"ent":2.6,"data": [38199,38303,1123,39767,4074,97,2,42774,4,225660,264285,31,38670,4,1586,32,19,43,88,40010,28,9938,48247,695603,124,695650,120,128,123,103,125]},"pktlen": {"min":52,"avg":384.7,"max":1492,"stddev":559.6,"var":313139.8,"ent":3.8,"data": [64,60,52,285,52,1492,1492,154,52,52,137,95,101,52,52,97,94,86,380,82,52,52,82,52,1492,1492,52,1492,52,1016,52,1492]},"bins": {"c_to_s": [11,3,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1],"entropies": [4.335837364,5.333454132,4.945418835,5.728343010,5.176993370,7.389316082,7.427206516,6.413387775,4.945418835,4.906957150,6.036595821,5.811348915,6.124800682,4.945419312,4.983880520,5.883585453,5.842953205,5.796744347,7.425425053,5.590555668,5.047091484,5.085553169,5.773722649,4.983880520,7.878831863,7.880546093,4.945418835,7.877892971,4.808815002,7.814340115,4.945418835,7.877443314]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00916{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":41,"source":"443-safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":20,"flow_first_seen":1581109359601646,"flow_src_last_pkt_time":1581109360696066,"flow_dst_last_pkt_time":1581109360695416,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":328,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":797,"flow_dst_tot_l4_payload_len":16406,"midstream":0,"thread_ts_usec":1581109360696066,"l3_proto":"ip4","src_ip":"192.168.1.13","dst_ip":"178.62.197.130","src_port":53031,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":41,"source":"443-safari.pcap","alias":"nDPId-test","packets-captured":41,"packets-processed":41,"total-skipped-flows":0,"total-l4-payload-len":17203,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1581109360696066} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -18,10 +18,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6043824 bytes -~~ total memory freed........: 6043824 bytes -~~ total allocations/frees...: 121535/121535 +~~ total memory allocated....: 6043960 bytes +~~ total memory freed........: 6043960 bytes +~~ total allocations/frees...: 121536/121536 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars -~~ json string max len.......: 1705 chars -~~ json string avg len.......: 1068 chars +~~ json string max len.......: 2100 chars +~~ json string avg len.......: 1240 chars diff --git a/test/results/4in6tunnel.pcap.out b/test/results/4in6tunnel.pcap.out index 76012c966..afbfbc7f6 100644 --- a/test/results/4in6tunnel.pcap.out +++ b/test/results/4in6tunnel.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035757 bytes -~~ total memory freed........: 6035757 bytes -~~ total allocations/frees...: 121491/121491 +~~ total memory allocated....: 6035893 bytes +~~ total memory freed........: 6035893 bytes +~~ total allocations/frees...: 121492/121492 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 938 chars diff --git a/test/results/6in4tunnel.pcap.out b/test/results/6in4tunnel.pcap.out index 67bff0c25..97ef1b782 100644 --- a/test/results/6in4tunnel.pcap.out +++ b/test/results/6in4tunnel.pcap.out @@ -4,7 +4,7 @@ 00628{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1444236893450580,"flow_dst_last_pkt_time":1444236893450580,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1444236893450580,"pkt":"ACKQ3jvZAAAkzoE0CABFAAB8tYFAAP8pFzeuA0kYuGn\/GmAAAAAAQDo\/IAEEcB8XAT8+lw7\/\/nNN7CYEqIAAAQAgAAAAAAIksAGAAOC9XY8BWl1OFVYAAAAAqN0GAAAAAAAQERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"} 00627{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1444236893450580,"flow_dst_last_pkt_time":1444236893555356,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1444236893555356,"pkt":"AAAkzoE0ACKQ3jvZCABFAAB8xlZAAPgpDWK4af8argNJGGAAAAAAQDo3JgSogAABACAAAAAAAiSwASABBHAfFwE\/PpcO\/\/5zTeyBAN+9XY8BWl1OFVYAAAAAqN0GAAAAAAAQERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"} 00711{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1444236894230722,"flow_dst_last_pkt_time":1444236893555356,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":200,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":200,"pkt_l4_len":166,"thread_ts_usec":1444236894230722,"pkt":"ACKQ3jvZAAAkzoE0CABFAAC6tdFAAP8pFqmuA0kYuGn\/GmAAAAAAfjpAIAEEcB8WAT8AAAAAAAAAAiYEqIAAAQAgAAAAAAIksAEBA9KAAAAAAGAAAAAATgY2JgSogAABACAAAAAAAiSwASABBHAfFwE\/JaMykhb5LOAD4exLUvt9fRlwFpiAGABJEPkAAAEBCAq0MT0ACHX6xhcDAwApoxPniAjxmmXGKxqxVV6nOvla9FPS7Dtl2rRDlmVhpOKK9OFyB\/XihP8="} -01600{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236901127917,"flow_dst_last_pkt_time":1444236901118187,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":276,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":2127,"flow_dst_tot_l4_payload_len":4797,"midstream":0,"thread_ts_usec":1444236901127917,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":494998.2,"max":1005120,"stddev":454962.0,"var":206990442496.0,"ent":4.2,"data": [104776,780142,221063,1000457,1001744,1001146,1001712,1005120,1001052,1000771,1001064,1001072,1001370,999940,1001888,1003131,365420,1118,348987,4072,96728,99146,95730,758,97863,1021,105,98080,140,8789,539]},"pktlen": {"min":106,"avg":250.4,"max":1911,"stddev":383.0,"var":146712.7,"ent":4.2,"data": [138,138,200,138,138,138,138,138,138,138,138,138,138,138,138,138,138,133,133,273,261,114,114,106,310,106,1504,1911,106,106,268,159]},"bins": {"c_to_s": [0,0,4,11,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,2,8,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1]},"directions": [0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,1,0,0,0,0]}} +01994{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236901127917,"flow_dst_last_pkt_time":1444236901118187,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":276,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":2127,"flow_dst_tot_l4_payload_len":4797,"midstream":0,"thread_ts_usec":1444236901127917,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":494998.2,"max":1005120,"stddev":454962.0,"var":206990442496.0,"ent":4.2,"data": [104776,780142,221063,1000457,1001744,1001146,1001712,1005120,1001052,1000771,1001064,1001072,1001370,999940,1001888,1003131,365420,1118,348987,4072,96728,99146,95730,758,97863,1021,105,98080,140,8789,539]},"pktlen": {"min":92,"avg":236.4,"max":1897,"stddev":383.0,"var":146712.7,"ent":4.1,"data": [124,124,186,124,124,124,124,124,124,124,124,124,124,124,124,124,124,119,119,259,247,100,100,92,296,92,1490,1897,92,92,254,145]},"bins": {"c_to_s": [0,0,4,11,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,2,8,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1]},"directions": [0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,1,0,0,0,0],"entropies": [5.680680275,5.741242886,5.591180325,5.686768055,5.741242886,5.686768055,5.741242886,5.664551258,5.741242886,5.729067326,5.773500919,5.648445129,5.741242886,5.664551258,5.725113869,5.680680275,5.735155106,4.719979763,4.710355759,4.773607731,4.870984077,5.180728912,5.772128105,5.515571117,5.818006039,5.609004974,6.932967663,6.965810776,5.515571117,5.514929771,6.708754063,6.001224995]}} 00779{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":32,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236901127917,"flow_dst_last_pkt_time":1444236901118187,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":276,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":2127,"flow_dst_tot_l4_payload_len":4797,"midstream":0,"thread_ts_usec":1444236901127917,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00818{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"6in4tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":66,"flow_dst_packets_processed":61,"flow_first_seen":1444236893450580,"flow_src_last_pkt_time":1444236915478638,"flow_dst_last_pkt_time":1444236915586195,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":72,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1470,"flow_dst_max_l4_payload_len":1877,"flow_src_tot_l4_payload_len":11600,"flow_dst_tot_l4_payload_len":24375,"midstream":0,"thread_ts_usec":1444236915586195,"l3_proto":"ip4","src_ip":"174.3.73.24","dst_ip":"184.105.255.26","l4_proto":41,"flow_datalink":1,"flow_max_packets":3,"ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00566{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":127,"source":"6in4tunnel.pcap","alias":"nDPId-test","packets-captured":127,"packets-processed":127,"total-skipped-flows":0,"total-l4-payload-len":35975,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1444236915586195} @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6039324 bytes -~~ total memory freed........: 6039324 bytes -~~ total allocations/frees...: 121614/121614 +~~ total memory allocated....: 6039460 bytes +~~ total memory freed........: 6039460 bytes +~~ total allocations/frees...: 121615/121615 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars -~~ json string max len.......: 1605 chars -~~ json string avg len.......: 1021 chars +~~ json string max len.......: 1999 chars +~~ json string avg len.......: 1206 chars diff --git a/test/results/6in6tunnel.pcap.out b/test/results/6in6tunnel.pcap.out index a8c1c0eac..b02318e76 100644 --- a/test/results/6in6tunnel.pcap.out +++ b/test/results/6in6tunnel.pcap.out @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037323 bytes -~~ total memory freed........: 6037323 bytes -~~ total allocations/frees...: 121499/121499 +~~ total memory allocated....: 6037595 bytes +~~ total memory freed........: 6037595 bytes +~~ total allocations/frees...: 121501/121501 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 809 chars diff --git a/test/results/BGP_Cisco_hdlc_slarp.pcap.out b/test/results/BGP_Cisco_hdlc_slarp.pcap.out index a5cee2461..37c1ac23c 100644 --- a/test/results/BGP_Cisco_hdlc_slarp.pcap.out +++ b/test/results/BGP_Cisco_hdlc_slarp.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036047 bytes -~~ total memory freed........: 6036047 bytes -~~ total allocations/frees...: 121501/121501 +~~ total memory allocated....: 6036183 bytes +~~ total memory freed........: 6036183 bytes +~~ total allocations/frees...: 121502/121502 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 505 chars ~~ json string max len.......: 916 chars diff --git a/test/results/BGP_redist.pcap.out b/test/results/BGP_redist.pcap.out index 890703fa3..471194e71 100644 --- a/test/results/BGP_redist.pcap.out +++ b/test/results/BGP_redist.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035670 bytes -~~ total memory freed........: 6035670 bytes -~~ total allocations/frees...: 121488/121488 +~~ total memory allocated....: 6035806 bytes +~~ total memory freed........: 6035806 bytes +~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 195 chars ~~ json string max len.......: 901 chars diff --git a/test/results/EAQ.pcap.out b/test/results/EAQ.pcap.out index 946ee8165..0be3b6d9a 100644 --- a/test/results/EAQ.pcap.out +++ b/test/results/EAQ.pcap.out @@ -224,9 +224,9 @@ ~~ total active/idle flows...: 31/31 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6090271 bytes -~~ total memory freed........: 6090271 bytes -~~ total allocations/frees...: 121995/121995 +~~ total memory allocated....: 6094487 bytes +~~ total memory freed........: 6094487 bytes +~~ total allocations/frees...: 122026/122026 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars ~~ json string max len.......: 1147 chars diff --git a/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out b/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out index 76fc0fe75..9d6f70a0e 100644 --- a/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out +++ b/test/results/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out @@ -20,15 +20,15 @@ 00912{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1228468958657176,"flow_dst_last_pkt_time":1228468958718407,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":339,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":339,"pkt_l4_len":305,"thread_ts_usec":1228468958718407,"pkt":"AAglAXLkABZGR+C\/CABFuAFFHeUAAD0RBJ7AqGTbioSpZRPEE8QBMRfZU0lQLzIuMCAxMDAgVHJ5aW5nDQpDYWxsLUlEOiBTRDQ5MDk3MDEtOWZmMTFiZjcyZWI0YTM0N2M5Mjk3NGQ4ZmJiYzI2NjgtYW84bzNpMQ0KQ29udGVudC1MZW5ndGg6IDANCkNTZXE6IDEgSU5WSVRFDQpGcm9tOiA8c2lwOnVuYXZhaWxhYmxlQGhvc3Rwb3J0aW9uPjt0YWc9U0Q0OTA5NzAxLTAwZTlkNDc4DQpUbzogPHNpcDowNjE5NjMxNzdAaXRhbHRlbC5pdDt1c2VyPXBob25lPg0KVmlhOiBTSVAvMi4wL1VEUCAxMzguMTMyLjE2OS4xMDE6NTA2MDticmFuY2g9ejloRzRiS2Z2MmY0MDEwNzg3aDNhOHExMjgwLjENCg0K"} 01088{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1228468958657176,"flow_dst_last_pkt_time":1228468958819466,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":469,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":469,"pkt_l4_len":435,"thread_ts_usec":1228468958819466,"pkt":"AAglAXLkABZGR+C\/CABFuAHHHeYAAD0RBBvAqGTbioSpZRPEE8QBs3VMU0lQLzIuMCAxODAgUmluZ2luZw0KQ2FsbC1JRDogU0Q0OTA5NzAxLTlmZjExYmY3MmViNGEzNDdjOTI5NzRkOGZiYmMyNjY4LWFvOG8zaTENCkNvbnRhY3Q6IDxzaXA6MDYxOTYzMTc3QDE5Mi4xNjguMTAwLjIxOTo1MDYwPg0KQ29udGVudC1MZW5ndGg6IDANCkNTZXE6IDEgSU5WSVRFDQpGcm9tOiA8c2lwOnVuYXZhaWxhYmxlQGhvc3Rwb3J0aW9uPjt0YWc9U0Q0OTA5NzAxLTAwZTlkNDc4DQpTZXJ2ZXI6IEFyY29yL0FyY29yLTEuMDIuMDA1dDINClRvOiA8c2lwOjA2MTk2MzE3N0BpdGFsdGVsLml0O3VzZXI9cGhvbmU+O3RhZz02MTcyNjM2MTY0Nzk2MTZFLTMzMTcxNTUyMC01MzM2Zjc4NS0xODc0MTAyMDUNClZpYTogU0lQLzIuMC9VRFAgMTM4LjEzMi4xNjkuMTAxOjUwNjA7YnJhbmNoPXo5aEc0YktmdjJmNDAxMDc4N2gzYThxMTI4MC4xDQoNCg=="} 01111{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1228468958651179,"flow_dst_last_pkt_time":1228468958820487,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":488,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":488,"pkt_l4_len":454,"thread_ts_usec":1228468958820487,"pkt":"ABEKVkXQAAglAXLqCABFAAHaAABAAIARbCEKIzxkCiM8SBPEE8QBxvK8U0lQLzIuMCAxODAgUmluZ2luZw0KVmlhOiBTSVAvMi4wL1VEUCAxMC4zNS42MC43Mjo1MDYwO2JyYW5jaD16OWhHNGJLLmlJaUlpSS4wYTIzMjgxOS5lOWQ0YmQNClRvOiA8c2lwOjA2MTk2MzE3N0BpdGFsdGVsLml0O3VzZXI9cGhvbmU+O3RhZz1TRDQ5MDk3OTktNjE3MjYzNjE2NDc5NjE2RS0zMzE3MTU1MjAtNTMzNmY3ODUtMTg3NDEwMjA1DQpGcm9tOiA8c2lwOnVuYXZhaWxhYmxlQGhvc3Rwb3J0aW9uPjt0YWc9MDBlOWQ0NzgNCkNhbGwtSUQ6IDAwZTlkNGE1MDBlOWQ0OC0wMDE1LTAwMDEtMDAwMC0wMDAwQDEwLjM1LjQwLjI1DQpDU2VxOiAxIElOVklURQ0KQ29udGFjdDogPHNpcDowNjE5NjMxNzctaWtodXVlcDViaTEyM0AxMC4zNS42MC4xMDA6NTA2MDt0cmFuc3BvcnQ9dWRwPg0KQ29udGVudC1MZW5ndGg6IDANClNlcnZlcjogQXJjb3IvQXJjb3ItMS4wMi4wMDV0Mg0KDQo="} -01748{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468937630923,"flow_src_last_pkt_time":1228468963851351,"flow_dst_last_pkt_time":1228468963854227,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":372,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":3039,"midstream":0,"thread_ts_usec":1228468963854227,"l3_proto":"ip4","src_ip":"10.35.40.22","dst_ip":"10.23.1.42","src_port":2944,"dst_port":2944,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":1691733.2,"max":4370196,"stddev":2031243.2,"var":4125948903424.0,"ent":3.7,"data": [147,2580,146,4369720,177,4369379,142,4370170,85,4370186,150,4369866,79,4370149,291,4370036,88,4369436,150,3508424,3524296,204367,192966,657514,15,652477,151,4369658,82,4370196,609]},"pktlen": {"min":87,"avg":168.8,"max":414,"stddev":98.9,"var":9786.3,"ent":4.8,"data": [87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,376,414,94,101,88,88,293,165,88,88,293,165]},"bins": {"c_to_s": [0,15,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,7,0,0,0,7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Megaco","proto_id":"181","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02146{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468937630923,"flow_src_last_pkt_time":1228468963851351,"flow_dst_last_pkt_time":1228468963854227,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":372,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":3039,"midstream":0,"thread_ts_usec":1228468963854227,"l3_proto":"ip4","src_ip":"10.35.40.22","dst_ip":"10.23.1.42","src_port":2944,"dst_port":2944,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":1691733.2,"max":4370196,"stddev":2031243.2,"var":4125948903424.0,"ent":3.7,"data": [147,2580,146,4369720,177,4369379,142,4370170,85,4370186,150,4369866,79,4370149,291,4370036,88,4369436,150,3508424,3524296,204367,192966,657514,15,652477,151,4369658,82,4370196,609]},"pktlen": {"min":73,"avg":154.8,"max":400,"stddev":98.9,"var":9786.3,"ent":4.7,"data": [73,73,278,150,73,73,278,150,73,73,278,150,73,73,278,150,73,73,278,150,362,400,80,87,74,74,279,151,74,74,279,151]},"bins": {"c_to_s": [0,15,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,7,0,0,0,7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1],"entropies": [5.184563637,5.058271885,5.379110336,5.406789303,5.184563637,5.179216385,5.374631405,5.446616650,5.168875217,5.151818752,5.378158569,5.424983501,5.206613541,5.151818752,5.376394272,5.444680214,5.168875217,5.134762764,5.362365723,5.408768177,5.778869152,5.247618675,5.299749374,5.105933189,5.158446312,5.175271988,5.367991447,5.455423832,5.202299118,5.175271988,5.384085178,5.429594994]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Megaco","proto_id":"181","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00778{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":45,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468965434208,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468965434208,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00748{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1228468965434208,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1228468965434208,"pkt":"ABgYesP\/AAglAXLqCABFuADIHecAAD0RDLUKIzxkChcBNDzcQXQAtEC7gAgAAGfPFaAOrw6v1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1Q=="} 00880{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468965434208,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468965434208,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} 00748{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1228468965455031,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1228468965455031,"pkt":"ABgYesP\/AAglAXLqCABFuADIHegAAD0RDLQKIzxkChcBNDzcQXQAtEAagAgAAWfPFkAOrw6v1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1Q=="} 00748{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":47,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1228468965474173,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1228468965474173,"pkt":"ABgYesP\/AAglAXLqCABFuADIHekAAD0RDLMKIzxkChcBNDzcQXQAtD95gAgAAmfPFuAOrw6v1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1dXV1Q=="} -01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":90,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468966054624,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468966054624,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1438,"avg":20013.4,"max":39530,"stddev":4863.7,"var":23655656.0,"ent":4.9,"data": [20823,19142,39530,1438,19970,20000,19294,20526,19616,19873,20995,20283,18519,20415,19722,19948,20367,20228,19700,20355,19296,20527,20111,20020,19630,19979,19869,20276,20190,19810,19964]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +02148{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":90,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1228468965434208,"flow_src_last_pkt_time":1228468966054624,"flow_dst_last_pkt_time":1228468965434208,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1228468966054624,"l3_proto":"ip4","src_ip":"10.35.60.100","dst_ip":"10.23.1.52","src_port":15580,"dst_port":16756,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1438,"avg":20013.4,"max":39530,"stddev":4863.7,"var":23655656.0,"ent":4.9,"data": [20823,19142,39530,1438,19970,20000,19294,20526,19616,19873,20995,20283,18519,20415,19722,19948,20367,20228,19700,20355,19296,20527,20111,20020,19630,19979,19869,20276,20190,19810,19964]},"pktlen": {"min":200,"avg":200.0,"max":200,"stddev":0.0,"var":0.0,"ent":5.0,"data": [200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [1.668765187,1.658265829,1.688265920,1.668265820,1.688265920,1.664491415,1.674491525,1.654990792,1.678265929,1.688265920,1.674491405,2.400679350,2.428031683,2.447857141,2.461457968,2.439298868,2.470501661,2.457857370,2.473841906,2.452007294,2.451812983,2.430955410,2.434056997,2.410386086,2.416019678,2.457857370,2.467857122,2.455026150,2.458799601,2.438038588,2.441251755,2.457820177]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} 00931{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2026,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":29,"flow_dst_packets_processed":29,"flow_first_seen":1228468937630923,"flow_src_last_pkt_time":1228468981331384,"flow_dst_last_pkt_time":1228468981333255,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":541,"flow_dst_max_l4_payload_len":515,"flow_src_tot_l4_payload_len":2694,"flow_dst_tot_l4_payload_len":5839,"midstream":0,"thread_ts_usec":1228468983833618,"l3_proto":"ip4","src_ip":"10.35.40.22","dst_ip":"10.23.1.42","src_port":2944,"dst_port":2944,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Megaco","proto_id":"181","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3128,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468958651923,"flow_src_last_pkt_time":1228469002203721,"flow_dst_last_pkt_time":1228469002181512,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":383,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":881,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":9868,"flow_dst_tot_l4_payload_len":8158,"midstream":0,"thread_ts_usec":1228469002203721,"l3_proto":"ip4","src_ip":"10.35.40.25","dst_ip":"10.35.40.200","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":263,"avg":2809077.0,"max":27628387,"stddev":6895590.0,"var":47549159309312.0,"ent":2.5,"data": [1429,5975,263,162733,421,6673080,696,6843298,378,2041486,761,2040704,344,12449,653,131771,424,27628387,388,27585469,481,6913792,703,6841323,326,83992,388,88136,409,19767,961]},"pktlen": {"min":304,"avg":605.3,"max":923,"stddev":211.9,"var":44888.2,"ent":4.9,"data": [919,919,304,304,488,488,825,825,452,452,894,894,425,425,793,793,493,493,460,460,572,572,846,846,364,364,475,475,452,452,923,923]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,2,4,2,0,0,0,0,0,0,0,0,0,2,0,2,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,2,0,0,4,2,0,2,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,0,0,1,1,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02163{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3128,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1228468958651923,"flow_src_last_pkt_time":1228469002203721,"flow_dst_last_pkt_time":1228469002181512,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":383,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":881,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":9868,"flow_dst_tot_l4_payload_len":8158,"midstream":0,"thread_ts_usec":1228469002203721,"l3_proto":"ip4","src_ip":"10.35.40.25","dst_ip":"10.35.40.200","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":263,"avg":2809077.0,"max":27628387,"stddev":6895590.0,"var":47549159309312.0,"ent":2.5,"data": [1429,5975,263,162733,421,6673080,696,6843298,378,2041486,761,2040704,344,12449,653,131771,424,27628387,388,27585469,481,6913792,703,6841323,326,83992,388,88136,409,19767,961]},"pktlen": {"min":290,"avg":591.3,"max":909,"stddev":211.9,"var":44888.2,"ent":4.9,"data": [905,905,290,290,474,474,811,811,438,438,880,880,411,411,779,779,479,479,446,446,558,558,832,832,350,350,461,461,438,438,909,909]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,2,4,2,0,0,0,0,0,0,0,0,0,2,0,2,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,2,0,2,0,0,4,2,0,2,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,0,0,1,1,1,1,0,0,0,0],"entropies": [5.687162399,5.687162399,5.626669884,5.626669884,5.571601391,5.571601391,5.667925358,5.667925358,5.573338985,5.573338985,5.690092564,5.690092564,5.617296219,5.617296219,5.771171570,5.771171570,5.591165543,5.591165543,5.621240139,5.621240139,5.739367962,5.739367962,5.722489834,5.722489834,5.587724209,5.587724209,5.563357353,5.563357353,5.591295242,5.591295242,5.709114552,5.709114552]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00937{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3304,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1228468958657176,"flow_src_last_pkt_time":1228469002345812,"flow_dst_last_pkt_time":1228469002339397,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":338,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":884,"flow_dst_max_l4_payload_len":833,"flow_src_tot_l4_payload_len":5213,"flow_dst_tot_l4_payload_len":5205,"midstream":0,"thread_ts_usec":1228469003871960,"l3_proto":"ip4","src_ip":"138.132.169.101","dst_ip":"192.168.100.219","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00930{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3304,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1228468958651179,"flow_src_last_pkt_time":1228469002344280,"flow_dst_last_pkt_time":1228469002341564,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":383,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":881,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":5330,"flow_dst_tot_l4_payload_len":5170,"midstream":0,"thread_ts_usec":1228469003871960,"l3_proto":"ip4","src_ip":"10.35.60.72","dst_ip":"10.35.60.100","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00933{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3304,"source":"FAX-Call-t38-CA-TDM-SIP-FB-1.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":20,"flow_first_seen":1228468958651923,"flow_src_last_pkt_time":1228469002344653,"flow_dst_last_pkt_time":1228469002342941,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":383,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":881,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":10660,"flow_dst_tot_l4_payload_len":10340,"midstream":0,"thread_ts_usec":1228469003871960,"l3_proto":"ip4","src_ip":"10.35.40.25","dst_ip":"10.35.40.200","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} @@ -48,10 +48,10 @@ ~~ total active/idle flows...: 5/5 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6251430 bytes -~~ total memory freed........: 6251430 bytes -~~ total allocations/frees...: 128744/128744 +~~ total memory allocated....: 6252110 bytes +~~ total memory freed........: 6252110 bytes +~~ total allocations/frees...: 128749/128749 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 513 chars -~~ json string max len.......: 1769 chars -~~ json string avg len.......: 1140 chars +~~ json string max len.......: 2168 chars +~~ json string avg len.......: 1339 chars diff --git a/test/results/IEC104.pcap.out b/test/results/IEC104.pcap.out index bf2a83cdd..7caa53bd2 100644 --- a/test/results/IEC104.pcap.out +++ b/test/results/IEC104.pcap.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037700 bytes -~~ total memory freed........: 6037700 bytes -~~ total allocations/frees...: 121512/121512 +~~ total memory allocated....: 6037972 bytes +~~ total memory freed........: 6037972 bytes +~~ total allocations/frees...: 121514/121514 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 914 chars diff --git a/test/results/KakaoTalk_chat.pcap.out b/test/results/KakaoTalk_chat.pcap.out index 6bd3faf34..bc4127c72 100644 --- a/test/results/KakaoTalk_chat.pcap.out +++ b/test/results/KakaoTalk_chat.pcap.out @@ -151,7 +151,7 @@ 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069031611243,"flow_src_last_pkt_time":1430069031611243,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069031611243,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58927,"dst_port":5223,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1430069031611243,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":113,"pkt_l4_len":77,"thread_ts_usec":1430069031611243,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAGHTnUAAQAbVXgoYUrw2\/\/3H5i8UZ+uf0VkGiXPCgBgCYxkQAAABAQgKAAKTKDTnT0kXAwEAKNOo\/lFrrxEtj1oyrBEybZXAvF7754xqLjvuYfV0gCpDpumAA3\/lW60="} 01016{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":186,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069031611243,"flow_src_last_pkt_time":1430069031611243,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069031611243,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58927,"dst_port":5223,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01873{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069031042945,"flow_src_last_pkt_time":1430069031534339,"flow_dst_last_pkt_time":1430069031721991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":997,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":2489,"flow_dst_tot_l4_payload_len":4397,"midstream":0,"thread_ts_usec":1430069031721991,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":92,"avg":37756.1,"max":174316,"stddev":43491.6,"var":1891518208.0,"ent":4.0,"data": [36956,40344,305,47699,3998,72083,702,123993,153,15869,671,16632,152,12207,67230,35950,15778,732,105866,38147,60424,4517,92,3936,174316,67658,16785,16968,108490,672,81115]},"pktlen": {"min":56,"avg":272.1,"max":1336,"stddev":386.9,"var":149674.2,"ent":3.9,"data": [76,60,56,621,60,56,1336,174,56,56,1336,949,56,56,1053,56,314,113,101,56,56,109,846,103,93,101,56,477,56,56,56,56]},"bins": {"c_to_s": [10,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,3,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02267{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069031042945,"flow_src_last_pkt_time":1430069031534339,"flow_dst_last_pkt_time":1430069031721991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":997,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":2489,"flow_dst_tot_l4_payload_len":4397,"midstream":0,"thread_ts_usec":1430069031721991,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.70","src_port":43581,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":92,"avg":37756.1,"max":174316,"stddev":43491.6,"var":1891518208.0,"ent":4.0,"data": [36956,40344,305,47699,3998,72083,702,123993,153,15869,671,16632,152,12207,67230,35950,15778,732,105866,38147,60424,4517,92,3936,174316,67658,16785,16968,108490,672,81115]},"pktlen": {"min":40,"avg":256.1,"max":1320,"stddev":386.9,"var":149674.2,"ent":3.8,"data": [60,44,40,605,44,40,1320,158,40,40,1320,933,40,40,1037,40,298,97,85,40,40,93,830,87,77,85,40,461,40,40,40,40]},"bins": {"c_to_s": [10,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,3,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1],"entropies": [4.650922298,5.150120735,4.884183884,6.666303635,4.612587929,4.981687069,6.409718037,5.859195709,4.780641556,4.730641365,7.017275810,6.970731735,4.680641651,4.730641365,7.788617134,4.881686687,7.033622742,6.130742073,5.968101501,4.830641270,4.830641270,5.971898556,7.719824314,5.908120155,5.773283005,5.968101501,4.780641556,7.527770996,4.830641270,5.031687260,4.931687355,5.031687260]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":210,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069035398200,"flow_src_last_pkt_time":1430069035398200,"flow_dst_last_pkt_time":1430069035398200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069035398200,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"210.103.240.15","src_port":42332,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":210,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1430069035398200,"flow_dst_last_pkt_time":1430069035398200,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069035398200,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAChV8UAAQAbFkwoYUrzSZ\/APpVwBu+YrTKNirTiWUBFpAB9mAAA="} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":211,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1430069035398200,"flow_dst_last_pkt_time":1430069035537940,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069035537940,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACgkaUAAjgapG9Jn8A8KGFK8AbulXGKtOJbmK0ykUBCkj3bOAAA="} @@ -165,7 +165,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":220,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_src_last_pkt_time":1430069035967627,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1430069036008002,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACxGQkAA+AZ8VB8NRFQKGFK8AbuwnWIYU8F1uP30YBIRHOshAAACBAV4"} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":221,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1430069036010596,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069036010596,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAACjw1kAAPwaKxAoYUrwfDURUsJ0Bu3W4\/fRiGFPCUBA5CNq2AAA="} 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":222,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1430069035967627,"flow_src_last_pkt_time":1430069036012946,"flow_dst_last_pkt_time":1430069036008002,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":184,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069036012946,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"31.13.68.84","src_port":45213,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","tls": {"version":"TLSv1","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} -01624{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3723,"avg":501416.6,"max":3802978,"stddev":831986.8,"var":692202045440.0,"ent":3.7,"data": [995911,1037903,49316,6684,695526,683563,56000,2329864,2320373,251618,299011,4547,4395,4089,3723,105469,239411,242157,376495,82611,125763,244537,287323,18128,164581,238983,428131,146027,274079,3802978,24719]},"pktlen": {"min":56,"avg":225.0,"max":1336,"stddev":352.3,"var":124085.1,"ent":3.9,"data": [76,76,60,56,240,60,56,60,240,56,1336,56,1336,56,1043,56,178,56,103,56,710,56,85,56,358,56,99,56,196,56,83,132]},"bins": {"c_to_s": [11,0,1,1,1,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,0]}} +02022{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3723,"avg":501416.6,"max":3802978,"stddev":831986.8,"var":692202045440.0,"ent":3.7,"data": [995911,1037903,49316,6684,695526,683563,56000,2329864,2320373,251618,299011,4547,4395,4089,3723,105469,239411,242157,376495,82611,125763,244537,287323,18128,164581,238983,428131,146027,274079,3802978,24719]},"pktlen": {"min":40,"avg":209.0,"max":1320,"stddev":352.3,"var":124085.1,"ent":3.7,"data": [60,60,44,40,224,44,40,44,224,40,1320,40,1320,40,1027,40,162,40,87,40,694,40,69,40,342,40,83,40,180,40,67,116]},"bins": {"c_to_s": [11,0,1,1,1,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,0],"entropies": [4.685176849,4.685176849,4.968303204,4.931687355,5.173561573,5.104666710,4.981687546,4.658042908,5.164632797,4.931687355,6.476998329,4.734184265,7.115762234,4.784183979,6.729174137,4.884183884,6.557168484,4.881687164,5.730113029,4.834184170,7.744181156,4.881687164,5.543020725,4.884183884,7.357668877,4.981687546,5.880825043,4.834184170,6.839711666,4.981687546,5.593678474,6.365212917]}} 02004{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":223,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069026370215,"flow_src_last_pkt_time":1430069036014563,"flow_dst_last_pkt_time":1430069032269782,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":654,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1689,"flow_dst_tot_l4_payload_len":3666,"midstream":0,"thread_ts_usec":1430069036014563,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35503,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","tls": {"version":"TLSv1","server_names":"*.facebook.com,facebook.com,*.fbsbx.com,*.fbcdn.net,*.xx.fbcdn.net,*.xy.fbcdn.net,fb.com,*.fb.com,*.facebookcorewwwi.onion,facebookcorewwwi.onion,*.fbcdn23dssr3jqnq.onion,fbcdn23dssr3jqnq.onion,*.fbsbx2q4mvcl63pw.onion,fbsbx2q4mvcl63pw.onion,*.m.facebook.com,*.messenger.com,messenger.com,*.m.facebookcorewwwi.onion,*.xx.fbcdn23dssr3jqnq.onion,xx.fbcdn23dssr3jqnq.onion,*.xy.fbcdn23dssr3jqnq.onion,xy.fbcdn23dssr3jqnq.onion,*.xz.fbcdn.net,xz.fbcdn.net,*.xz.fbcdn23dssr3jqnq.onion,xz.fbcdn23dssr3jqnq.onion,m.facebookcorewwwi.onion","ja3":"dff8a0aa1c904aaea76c5bf624e88333","ja3s":"6c13ac74a6f75099ef2480748e5d94d2","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_RC4_128_SHA","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance CA-3","subjectDN":"C=US, ST=CA, L=Menlo Park, O=Facebook, Inc., CN=*.facebook.com","fingerprint":"A4:FB:65:F8:A1:57:FE:0D:C0:17:C1:B5:51:62:63:3A:18:73:A0:B4"}}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":228,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069036068122,"flow_src_last_pkt_time":1430069036068122,"flow_dst_last_pkt_time":1430069036068122,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069036068122,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":228,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1430069036068122,"flow_dst_last_pkt_time":1430069036068122,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1430069036068122,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADwqSkAAPwalnwoYUryt\/GECircBu1PEJ3oAAAAAoAI5CI51AAACBAV4BAIICgALDTAAAAAAAQMDBw=="} @@ -187,7 +187,7 @@ 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":325,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069060011328,"flow_src_last_pkt_time":1430069060011328,"flow_dst_last_pkt_time":1430069060011328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069060011328,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":325,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1430069060011328,"flow_dst_last_pkt_time":1430069060011328,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":83,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":83,"pkt_l4_len":47,"thread_ts_usec":1430069060011328,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAENCkUAAQAbmZgoYUrzYOtyuwEEBuxTXAEVlWZivUBiMAAFrAAAVAwEAFnnuS9reX0mqADPiihp3NglZFsDnKQA="} 00877{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":325,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069060011328,"flow_src_last_pkt_time":1430069060011328,"flow_dst_last_pkt_time":1430069060011328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069060011328,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01899{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069036068122,"flow_src_last_pkt_time":1430069064769263,"flow_dst_last_pkt_time":1430069064804816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":522,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1362,"flow_dst_tot_l4_payload_len":3690,"midstream":0,"thread_ts_usec":1430069064804816,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":1852833.4,"max":27030701,"stddev":6601250.5,"var":43576507498496.0,"ent":1.5,"data": [41748,45806,2228,39459,11261,448395,183,2868,498749,183,122,36927,124176,229920,321990,23011,161804,229858,405273,183,57404,108246,75989,156006,245086,67993,69489,26937805,56885,27030701,8087]},"pktlen": {"min":56,"avg":214.8,"max":1336,"stddev":348.1,"var":121165.0,"ent":3.9,"data": [76,60,56,240,60,56,1336,1336,1043,56,56,56,178,56,103,56,578,56,85,56,215,328,56,56,94,56,85,56,83,132,56,56]},"bins": {"c_to_s": [10,0,1,1,1,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02297{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1430069036068122,"flow_src_last_pkt_time":1430069064769263,"flow_dst_last_pkt_time":1430069064804816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":522,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":1362,"flow_dst_tot_l4_payload_len":3690,"midstream":0,"thread_ts_usec":1430069064804816,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"173.252.97.2","src_port":35511,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":1852833.4,"max":27030701,"stddev":6601250.5,"var":43576507498496.0,"ent":1.5,"data": [41748,45806,2228,39459,11261,448395,183,2868,498749,183,122,36927,124176,229920,321990,23011,161804,229858,405273,183,57404,108246,75989,156006,245086,67993,69489,26937805,56885,27030701,8087]},"pktlen": {"min":40,"avg":198.8,"max":1320,"stddev":348.1,"var":121165.0,"ent":3.7,"data": [60,44,40,224,44,40,1320,1320,1027,40,40,40,162,40,87,40,562,40,69,40,199,312,40,40,78,40,69,40,67,116,40,40]},"bins": {"c_to_s": [10,0,1,1,1,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,0,1,1],"entropies": [4.718510151,5.042055130,4.931687355,5.220941067,4.748951435,4.981687069,6.464412689,7.117209911,6.734959602,4.834183693,4.884183884,4.884183884,6.501401424,4.931686878,5.853732109,4.834183693,7.664524555,4.981687069,5.600991726,4.784183979,6.880613327,7.129980087,5.031687260,4.981687069,5.767374516,4.884183884,5.543020248,4.884183884,5.563827038,6.334234238,5.031687260,5.031687260]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00884{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":334,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069030119696,"flow_src_last_pkt_time":1430069030119696,"flow_dst_last_pkt_time":1430069030119696,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":111,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":111,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":111,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069065046729,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"10.188.191.1","l4_proto":"icmp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":341,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1430069072945990,"flow_dst_last_pkt_time":1430069031611243,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1430069072945990,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADTTnkAAQAbVigoYUrw2\/\/3H5i8UZ+uf0YYGiXPCgBQCY5HBAAABAQgKAAKjTTTnT0k="} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":342,"source":"KakaoTalk_chat.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069072986762,"flow_src_last_pkt_time":1430069072986762,"flow_dst_last_pkt_time":1430069072986762,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1430069072986762,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"54.255.253.199","src_port":58964,"dst_port":5223,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} @@ -247,10 +247,10 @@ ~~ total active/idle flows...: 38/38 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6234015 bytes -~~ total memory freed........: 6234015 bytes -~~ total allocations/frees...: 122431/122431 +~~ total memory allocated....: 6239183 bytes +~~ total memory freed........: 6239183 bytes +~~ total allocations/frees...: 122469/122469 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars -~~ json string max len.......: 2042 chars -~~ json string avg len.......: 1270 chars +~~ json string max len.......: 2302 chars +~~ json string avg len.......: 1400 chars diff --git a/test/results/KakaoTalk_talk.pcap.out b/test/results/KakaoTalk_talk.pcap.out index cb7ac4d5e..0d294aad5 100644 --- a/test/results/KakaoTalk_talk.pcap.out +++ b/test/results/KakaoTalk_talk.pcap.out @@ -59,8 +59,8 @@ 00642{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":130,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1430069171998328,"flow_dst_last_pkt_time":1430069171127448,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1430069171998328,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAH4AAEAAPxHbJAoYUrwByQGuLDlaBQBqX6qByAAMC4ZVGUMDyNdZMqzZvFL5masXDZVA6JQCTSwYzII6r0J+H6ebHDpiG6\/AGpupgF2zzgl2ppSiLVPnYiD98U8UjOQ2fRfyw\/ugiovyQFT+lfaAAAACkQQ8eHVaWMSL\/A=="} 00640{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1430069172038153,"flow_dst_last_pkt_time":1430069170975714,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1430069172038153,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAH4AAEAAQBHaJAoYUrwByQGuKB1aBwBqXmKByAAMVJql2trT+4JMtrXIu\/DNYLUyrcCH4nJIkwVlTlKbwLjRHdwKTf1t+cEG2dNtu5tj5fpNWxpJ1GyPSnYq1Tkhei6L7QH9KpD9dMR2BEbVSkSAAAACiCDm5WucO1eQLg=="} 00644{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":141,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1430069172038153,"flow_dst_last_pkt_time":1430069172127570,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1430069172127570,"pkt":"AAACEgAAAAAAAAAAAAAIAEUoAH4AAEAAGhH\/\/AHJAa4KGFK8WgcoHQBqY8SByAAMC4ZVGUMDyNdZMqzZvFL5masXDZVA6JQCTSwYzII6r0J+H6ebHDpiG6\/AGpupgF2zzgl2ppSiLVPnYiD98U8UjOQ2fRfyw\/ugiovyQFT+lfaAAAACkQQ8eHVaWMSL\/A=="} -01708{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":145,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1430069171118750,"flow_src_last_pkt_time":1430069172108954,"flow_dst_last_pkt_time":1430069172193000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":56,"flow_dst_max_l4_payload_len":148,"flow_src_tot_l4_payload_len":1101,"flow_dst_tot_l4_payload_len":793,"midstream":0,"thread_ts_usec":1430069172193000,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":11320,"dst_port":23044,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":66595.3,"max":389008,"stddev":72818.7,"var":5302568960.0,"ent":4.2,"data": [2106,92,91278,244,98327,122,103547,389008,99365,152,41687,34149,94086,1190,99945,98542,31952,72327,100128,1037,27862,87799,99732,30,76142,16052,99243,84228,99884,1099,113099]},"pktlen": {"min":99,"avg":103.2,"max":192,"stddev":16.7,"var":278.8,"ent":5.0,"data": [100,99,99,99,99,99,99,99,123,99,99,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99]},"bins": {"c_to_s": [0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,9,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01725{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069171389136,"flow_src_last_pkt_time":1430069172366187,"flow_dst_last_pkt_time":1430069172379615,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":55,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":770,"midstream":0,"thread_ts_usec":1430069172379615,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":10268,"dst_port":23046,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":4181,"avg":63468.7,"max":143921,"stddev":37951.6,"var":1440325376.0,"ent":4.7,"data": [36072,39245,140350,102021,35217,98114,7904,55847,41962,93445,6775,89905,91767,48217,40192,100067,12024,81512,89386,6988,84107,40741,87677,54901,38818,107880,4181,87555,68482,32257,143921]},"pktlen": {"min":99,"avg":106.6,"max":192,"stddev":20.8,"var":434.5,"ent":5.0,"data": [123,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,166,141,99]},"bins": {"c_to_s": [0,13,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,1,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +02104{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":145,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1430069171118750,"flow_src_last_pkt_time":1430069172108954,"flow_dst_last_pkt_time":1430069172193000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":56,"flow_dst_max_l4_payload_len":148,"flow_src_tot_l4_payload_len":1101,"flow_dst_tot_l4_payload_len":793,"midstream":0,"thread_ts_usec":1430069172193000,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":11320,"dst_port":23044,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":66595.3,"max":389008,"stddev":72818.7,"var":5302568960.0,"ent":4.2,"data": [2106,92,91278,244,98327,122,103547,389008,99365,152,41687,34149,94086,1190,99945,98542,31952,72327,100128,1037,27862,87799,99732,30,76142,16052,99243,84228,99884,1099,113099]},"pktlen": {"min":83,"avg":87.2,"max":176,"stddev":16.7,"var":278.8,"ent":5.0,"data": [84,83,83,83,83,83,83,83,107,83,83,176,99,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83]},"bins": {"c_to_s": [0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,9,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1],"entropies": [5.993387222,5.923110008,5.808535576,5.840019703,5.914015293,5.832631588,5.914015770,5.855021000,6.200585842,6.019496441,5.775343418,6.698559761,6.165978909,5.899013996,5.936404705,5.904920578,5.802630901,6.042388916,5.947206974,5.889919281,5.864114761,5.946004391,5.961005211,5.938111305,5.775344849,6.018292904,5.994196892,5.880824089,6.018293381,5.947206020,5.880824566,6.019496441]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +02122{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069171389136,"flow_src_last_pkt_time":1430069172366187,"flow_dst_last_pkt_time":1430069172379615,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":55,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":770,"midstream":0,"thread_ts_usec":1430069172379615,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"1.201.1.174","src_port":10268,"dst_port":23046,"l4_proto":"udp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":4181,"avg":63468.7,"max":143921,"stddev":37951.6,"var":1440325376.0,"ent":4.7,"data": [36072,39245,140350,102021,35217,98114,7904,55847,41962,93445,6775,89905,91767,48217,40192,100067,12024,81512,89386,6988,84107,40741,87677,54901,38818,107880,4181,87555,68482,32257,143921]},"pktlen": {"min":83,"avg":90.6,"max":176,"stddev":20.8,"var":434.5,"ent":5.0,"data": [107,176,99,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,150,125,83]},"bins": {"c_to_s": [0,13,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,1,0,0,0,1],"entropies": [6.182826996,6.676399708,6.166987896,5.773637295,5.758635521,5.947207451,6.042389393,5.855524540,5.888211727,5.874918938,5.873714447,5.962208271,5.880824566,5.816429138,5.874918461,5.914016247,5.961004734,5.962207794,5.986305714,5.970099449,5.789143085,5.936405182,5.874918938,5.927813530,5.971302986,6.010401249,5.946002960,5.985101223,5.817630768,6.659305096,6.296253204,6.043592453]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":691,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069180329901,"flow_src_last_pkt_time":1430069180329901,"flow_dst_last_pkt_time":1430069180329901,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069180329901,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":691,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_src_last_pkt_time":1430069180329901,"flow_dst_last_pkt_time":1430069180329901,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":83,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":83,"pkt_l4_len":47,"thread_ts_usec":1430069180329901,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAENCkkAAQAbmZQoYUrzYOtyuwEEBuxTXAEVlWZivUBiMAAFrAAAVAwEAFnnuS9reX0mqADPiihp3NglZFsDnKQA="} 00877{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":691,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069180329901,"flow_src_last_pkt_time":1430069180329901,"flow_dst_last_pkt_time":1430069180329901,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":27,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069180329901,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"216.58.220.174","src_port":49217,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} @@ -68,9 +68,9 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1470,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1430069193291327,"flow_dst_last_pkt_time":1430069193291327,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069193291327,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACg66EAAjgYtFq38egEKGFK8AbvLm\/Ii35zxwsMTUBSkcjKfAAA="} 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2099,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069201833106,"flow_src_last_pkt_time":1430069201833106,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069201833106,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"203.205.151.233","src_port":53974,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2099,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1430069201833106,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":70,"pkt_l4_len":34,"thread_ts_usec":1430069201833106,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADZOw0AAQAYrdAoYUrzLzZfp0tYfkMl8NsazTa2QgBgBtk1IAAABAQgKAALVpswmIb5QFA=="} -02243{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2117,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069163715308,"flow_src_last_pkt_time":1430069202114386,"flow_dst_last_pkt_time":1430069181143378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":746,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2452,"flow_dst_tot_l4_payload_len":3072,"midstream":0,"thread_ts_usec":1430069202114386,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2289,"avg":1800875.8,"max":20336762,"stddev":4155046.5,"var":17264411672576.0,"ent":2.9,"data": [141571,151855,11750,244934,5676,231720,5279,268921,267944,260468,295685,6066894,6069489,2289,183686,177368,76049,36560,148072,8359650,8675995,4516,469818,147369,147094,2564,694885,724152,479767,20336762,1138366]},"pktlen": {"min":68,"avg":241.5,"max":920,"stddev":230.0,"var":52885.8,"ent":4.5,"data": [76,76,68,210,68,920,68,394,302,814,574,68,782,68,238,366,68,68,238,68,254,68,238,68,366,68,238,238,68,80,254,254]},"bins": {"c_to_s": [8,0,0,0,1,7,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,1,0,1,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,0,0,1,1,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02642{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2117,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069163715308,"flow_src_last_pkt_time":1430069202114386,"flow_dst_last_pkt_time":1430069181143378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":746,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2452,"flow_dst_tot_l4_payload_len":3072,"midstream":0,"thread_ts_usec":1430069202114386,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":32968,"dst_port":8080,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2289,"avg":1800875.8,"max":20336762,"stddev":4155046.5,"var":17264411672576.0,"ent":2.9,"data": [141571,151855,11750,244934,5676,231720,5279,268921,267944,260468,295685,6066894,6069489,2289,183686,177368,76049,36560,148072,8359650,8675995,4516,469818,147369,147094,2564,694885,724152,479767,20336762,1138366]},"pktlen": {"min":52,"avg":225.5,"max":904,"stddev":230.0,"var":52885.8,"ent":4.4,"data": [60,60,52,194,52,904,52,378,286,798,558,52,766,52,222,350,52,52,222,52,238,52,222,52,350,52,222,222,52,64,238,238]},"bins": {"c_to_s": [8,0,0,0,1,7,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,1,0,1,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,0,0,1,1,0,0],"entropies": [4.739262104,5.194311619,5.168681622,5.344344139,5.053296566,7.386932850,5.077241421,7.234003544,7.051656723,7.730213165,7.626702785,5.130219936,7.729208469,5.130219936,7.004224300,7.276331425,5.168681622,5.053296566,6.966996193,5.168681622,7.017478943,5.091758251,6.947218895,5.130219936,7.270596504,5.168681622,6.928867817,6.919858456,5.130219936,5.071470261,7.064198494,7.072602749]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2182,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1430069202570380,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":70,"pkt_l4_len":34,"thread_ts_usec":1430069202570380,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADZOxEAAQAYrcwoYUrzLzZfp0tYfkMl8NsazTa2QgBgBtkz+AAABAQgKAALV8MwmIb5QFA=="} -02245{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2227,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069164966834,"flow_src_last_pkt_time":1430069202329230,"flow_dst_last_pkt_time":1430069203383368,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":794,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2842,"flow_dst_tot_l4_payload_len":3488,"midstream":0,"thread_ts_usec":1430069203383368,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":58857,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":183,"avg":2444481.5,"max":21237091,"stddev":5342425.0,"var":28541506813952.0,"ent":2.9,"data": [148041,148315,14374,196289,3692,185608,22217,228394,215698,291656,316833,4536377,4872620,301514,147949,147858,122284,336243,8596588,8810699,73731,557586,700867,602508,20472016,917846,21237091,519257,336,183,1054260]},"pktlen": {"min":68,"avg":267.1,"max":920,"stddev":266.4,"var":70953.5,"ent":4.4,"data": [76,76,68,210,68,920,68,394,302,766,734,68,862,846,68,366,68,238,68,366,68,238,238,68,80,254,254,430,68,68,68,80]},"bins": {"c_to_s": [9,0,0,0,1,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02644{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2227,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1430069164966834,"flow_src_last_pkt_time":1430069202329230,"flow_dst_last_pkt_time":1430069203383368,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":794,"flow_dst_max_l4_payload_len":852,"flow_src_tot_l4_payload_len":2842,"flow_dst_tot_l4_payload_len":3488,"midstream":0,"thread_ts_usec":1430069203383368,"l3_proto":"ip4","src_ip":"10.24.82.188","dst_ip":"110.76.143.50","src_port":58857,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":183,"avg":2444481.5,"max":21237091,"stddev":5342425.0,"var":28541506813952.0,"ent":2.9,"data": [148041,148315,14374,196289,3692,185608,22217,228394,215698,291656,316833,4536377,4872620,301514,147949,147858,122284,336243,8596588,8810699,73731,557586,700867,602508,20472016,917846,21237091,519257,336,183,1054260]},"pktlen": {"min":52,"avg":251.1,"max":904,"stddev":266.4,"var":70953.5,"ent":4.3,"data": [60,60,52,194,52,904,52,378,286,750,718,52,846,830,52,350,52,222,52,350,52,222,222,52,64,238,238,414,52,52,52,64]},"bins": {"c_to_s": [9,0,0,0,1,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,1],"entropies": [4.685176373,5.185489655,5.156889915,5.339006424,5.207143307,7.375075340,5.233812809,7.382006645,6.995015144,7.704098225,7.705970764,5.248330116,7.776240349,7.756853104,5.171406746,7.334384441,5.130220413,7.042468071,5.207143307,7.231501102,5.171406746,6.845736027,6.836727142,5.130220413,5.138105392,7.055267334,7.030057430,7.403200150,5.248330116,5.168681622,5.248330116,5.220060349]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.KakaoTalk","proto_id":"91.193","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2278,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1430069204049811,"flow_dst_last_pkt_time":1430069201833106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":70,"pkt_l4_len":34,"thread_ts_usec":1430069204049811,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAADZOxUAAQAYrcgoYUrzLzZfp0tYfkMl8NsazTa2QgBgBtkxqAAABAQgKAALWhMwmIb5QFA=="} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2798,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1430069210863623,"flow_src_last_pkt_time":1430069210863623,"flow_dst_last_pkt_time":1430069210863623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1430069210863623,"l3_proto":"ip4","src_ip":"173.194.117.229","dst_ip":"10.24.82.188","src_port":443,"dst_port":38380,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2798,"source":"KakaoTalk_talk.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1430069210863623,"flow_dst_last_pkt_time":1430069210863623,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":56,"pkt_l4_len":20,"thread_ts_usec":1430069210863623,"pkt":"AAACEgAAAAAAAAAAAAAIAEUAACih+UAAjgbKWq3CdeUKGFK8AbuV7IoFQj5TpMuVUBSklweYAAA="} @@ -126,10 +126,10 @@ ~~ total active/idle flows...: 20/20 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6192800 bytes -~~ total memory freed........: 6192800 bytes -~~ total allocations/frees...: 124914/124914 +~~ total memory allocated....: 6195520 bytes +~~ total memory freed........: 6195520 bytes +~~ total allocations/frees...: 124934/124934 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars -~~ json string max len.......: 2250 chars -~~ json string avg len.......: 1373 chars +~~ json string max len.......: 2649 chars +~~ json string avg len.......: 1573 chars diff --git a/test/results/NTPv2.pcap.out b/test/results/NTPv2.pcap.out index 8fb287fa7..95b428e1e 100644 --- a/test/results/NTPv2.pcap.out +++ b/test/results/NTPv2.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035670 bytes -~~ total memory freed........: 6035670 bytes -~~ total allocations/frees...: 121488/121488 +~~ total memory allocated....: 6035806 bytes +~~ total memory freed........: 6035806 bytes +~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 988 chars diff --git a/test/results/NTPv3.pcap.out b/test/results/NTPv3.pcap.out index 0d6e78fa2..778910345 100644 --- a/test/results/NTPv3.pcap.out +++ b/test/results/NTPv3.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035670 bytes -~~ total memory freed........: 6035670 bytes -~~ total allocations/frees...: 121488/121488 +~~ total memory allocated....: 6035806 bytes +~~ total memory freed........: 6035806 bytes +~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 895 chars diff --git a/test/results/NTPv4.pcap.out b/test/results/NTPv4.pcap.out index 043553bf3..f80e6fff7 100644 --- a/test/results/NTPv4.pcap.out +++ b/test/results/NTPv4.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035670 bytes -~~ total memory freed........: 6035670 bytes -~~ total allocations/frees...: 121488/121488 +~~ total memory allocated....: 6035806 bytes +~~ total memory freed........: 6035806 bytes +~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 895 chars diff --git a/test/results/Oscar.pcap.out b/test/results/Oscar.pcap.out index 17be1bd21..397b3eff7 100644 --- a/test/results/Oscar.pcap.out +++ b/test/results/Oscar.pcap.out @@ -4,7 +4,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1434606464176482,"flow_dst_last_pkt_time":1434606464176482,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1434606464176482,"pkt":"AAxCW5ILDE3pmjdICABFAABAZ9pAAEAGAAAKHh0Dsu0Y+fd9Abu9oGylAAAAALAC\/\/\/zOQAAAgQFtAEDAwUBAQgKFdAS4wAAAAAEAgAA"} 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1434606464176482,"flow_dst_last_pkt_time":1434606464205135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1434606464205135,"pkt":"DE3pmjdIAAxCW5ILCABFAAAsd\/VAAG8GoM+y7Rj5Ch4dAwG7933\/L+hsvaBspmASQABaVgAAAgQFUAAA"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1434606464205258,"flow_dst_last_pkt_time":1434606464205135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1434606464205258,"pkt":"AAxCW5ILDE3pmjdICABFAAAo27ZAAEAGAAAKHh0Dsu0Y+fd9Abu9oGym\/y\/obVAQ\/\/\/zIQAA"} -01580{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":3883141.0,"max":58215154,"stddev":14267685.0,"var":203566836875264.0,"ent":1.3,"data": [28653,28776,8916,42424,33521,518,478,147,33511,33418,288,33636,843,34123,226,44565,44326,32783,32790,157,115,322,31348,31096,58175544,58215154,3,39626,1457397,1490083,502580]},"pktlen": {"min":54,"avg":186.5,"max":1414,"stddev":263.3,"var":69345.6,"ent":4.2,"data": [78,60,54,369,64,54,619,54,106,144,54,70,1414,351,54,80,60,166,511,54,284,54,266,60,349,90,60,92,54,92,60,90]},"bins": {"c_to_s": [11,4,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,1,0,0,0,0,1,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0]}} +01978{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":3883141.0,"max":58215154,"stddev":14267685.0,"var":203566836875264.0,"ent":1.3,"data": [28653,28776,8916,42424,33521,518,478,147,33511,33418,288,33636,843,34123,226,44565,44326,32783,32790,157,115,322,31348,31096,58175544,58215154,3,39626,1457397,1490083,502580]},"pktlen": {"min":40,"avg":172.5,"max":1400,"stddev":263.3,"var":69345.6,"ent":4.0,"data": [64,46,40,355,50,40,605,40,92,130,40,56,1400,337,40,66,46,152,497,40,270,40,252,46,335,76,46,78,40,78,46,76]},"bins": {"c_to_s": [11,4,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,1,0,0,0,0,1,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0],"entropies": [4.441382408,4.871388912,4.661769390,7.090702057,4.724371910,4.661769390,5.245636463,4.661769390,4.009517670,4.346171379,4.611769676,4.280395031,3.817430019,3.863874197,4.611769676,4.309496880,4.501398563,3.542632341,4.154665947,4.611769676,3.726292849,4.611769199,5.504406452,4.457919598,3.418277502,4.801239491,4.544876099,5.035846710,4.611769676,4.478143215,4.501398087,4.761171341]}} 00866{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00867{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":32,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606524600171,"flow_dst_last_pkt_time":1434606524130160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1138,"flow_dst_tot_l4_payload_len":3047,"midstream":0,"thread_ts_usec":1434606524600171,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00906{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":71,"source":"Oscar.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":38,"flow_dst_packets_processed":33,"flow_first_seen":1434606464176482,"flow_src_last_pkt_time":1434606536630487,"flow_dst_last_pkt_time":1434606536630387,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":315,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":1504,"flow_dst_tot_l4_payload_len":3946,"midstream":0,"thread_ts_usec":1434606536630487,"l3_proto":"ip4","src_ip":"10.30.29.3","dst_ip":"178.237.24.249","src_port":63357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -17,10 +17,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6039748 bytes -~~ total memory freed........: 6039748 bytes -~~ total allocations/frees...: 121559/121559 +~~ total memory allocated....: 6039884 bytes +~~ total memory freed........: 6039884 bytes +~~ total allocations/frees...: 121560/121560 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars -~~ json string max len.......: 1585 chars -~~ json string avg len.......: 1023 chars +~~ json string max len.......: 1983 chars +~~ json string avg len.......: 1216 chars diff --git a/test/results/TivoDVR.pcap.out b/test/results/TivoDVR.pcap.out index 8a731c6fa..330cc4e9f 100644 --- a/test/results/TivoDVR.pcap.out +++ b/test/results/TivoDVR.pcap.out @@ -14,9 +14,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035671 bytes -~~ total memory freed........: 6035671 bytes -~~ total allocations/frees...: 121488/121488 +~~ total memory allocated....: 6035807 bytes +~~ total memory freed........: 6035807 bytes +~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 912 chars diff --git a/test/results/WebattackRCE.pcap.out b/test/results/WebattackRCE.pcap.out index cc17c95ab..25c2dc788 100644 --- a/test/results/WebattackRCE.pcap.out +++ b/test/results/WebattackRCE.pcap.out @@ -3197,9 +3197,9 @@ ~~ total active/idle flows...: 797/797 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 7500763 bytes -~~ total memory freed........: 7500763 bytes -~~ total allocations/frees...: 134771/134771 +~~ total memory allocated....: 7609155 bytes +~~ total memory freed........: 7609155 bytes +~~ total allocations/frees...: 135568/135568 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars ~~ json string max len.......: 1704 chars diff --git a/test/results/WebattackSQLinj.pcap.out b/test/results/WebattackSQLinj.pcap.out index 75203712a..1a44410a7 100644 --- a/test/results/WebattackSQLinj.pcap.out +++ b/test/results/WebattackSQLinj.pcap.out @@ -63,9 +63,9 @@ ~~ total active/idle flows...: 9/9 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6054262 bytes -~~ total memory freed........: 6054262 bytes -~~ total allocations/frees...: 121726/121726 +~~ total memory allocated....: 6055486 bytes +~~ total memory freed........: 6055486 bytes +~~ total allocations/frees...: 121735/121735 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars ~~ json string max len.......: 1324 chars diff --git a/test/results/WebattackXSS.pcap.out b/test/results/WebattackXSS.pcap.out index 8be038ee6..4490bccd8 100644 --- a/test/results/WebattackXSS.pcap.out +++ b/test/results/WebattackXSS.pcap.out @@ -34,7 +34,7 @@ 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1499346957283356,"flow_dst_last_pkt_time":1499346957283502,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346957283502,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQy\/7+F1DJk3pVMKAScSDJ8AAAAgQFtAQCCAoD4q86ATjdwwEDAwc="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":80,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1499346957284023,"flow_dst_last_pkt_time":1499346957283476,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346957284023,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0F6xAAD4GriysEAABwKgKMsv8AFD6Ecppc0a7\/oAQAOWsxgAAAQEICgE43cMD4q86"} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1499346957284024,"flow_dst_last_pkt_time":1499346957283502,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346957284024,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0iO1AAD4GPOusEAABwKgKMsv+AFCTelUw\/hdQyoAQAOVo+AAAAQEICgE43cMD4q86"} -01849{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346956870305,"flow_src_last_pkt_time":1499346960890984,"flow_dst_last_pkt_time":1499346960891254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":7926,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":13653,"midstream":0,"thread_ts_usec":1499346960891254,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":259407.4,"max":2805230,"stddev":698816.2,"var":488344092672.0,"ent":2.4,"data": [124,911,4,880,1546,2266,23623,26506,34185,32207,1143,1040,156,926,221,412,39847,69861,111250,1094,61600,62698,1083,842694,846614,3833,131682,132698,1100,2804194,2805230]},"pktlen": {"min":66,"avg":586.0,"max":7992,"stddev":1374.1,"var":1888110.1,"ent":3.5,"data": [74,74,66,375,66,578,66,408,1198,431,807,454,1514,7992,66,66,66,66,377,571,66,407,571,66,625,429,66,423,587,66,66,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02248{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346956870305,"flow_src_last_pkt_time":1499346960890984,"flow_dst_last_pkt_time":1499346960891254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":7926,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":13653,"midstream":0,"thread_ts_usec":1499346960891254,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52200,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":259407.4,"max":2805230,"stddev":698816.2,"var":488344092672.0,"ent":2.4,"data": [124,911,4,880,1546,2266,23623,26506,34185,32207,1143,1040,156,926,221,412,39847,69861,111250,1094,61600,62698,1083,842694,846614,3833,131682,132698,1100,2804194,2805230]},"pktlen": {"min":52,"avg":572.0,"max":7978,"stddev":1374.1,"var":1888110.0,"ent":3.4,"data": [60,60,52,361,52,564,52,394,1184,417,793,440,1500,7978,52,52,52,52,363,557,52,393,557,52,611,415,52,409,573,52,52,52]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1],"entropies": [4.638340950,5.106241703,4.916693211,5.861679077,4.916693211,5.770593166,4.916693211,5.961223125,7.451019764,5.951989651,7.265627861,5.935786247,7.624871254,7.963999748,4.906957626,4.908878326,4.945419312,4.868495941,5.956186771,5.832140923,4.983880997,5.975498676,5.839316845,4.945419312,5.879628181,5.695242882,4.945419312,5.977171898,5.846479416,4.976374149,5.053297043,4.945418835]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":100,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499346976603214,"flow_src_last_pkt_time":1499346976603214,"flow_dst_last_pkt_time":1499346976603214,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346976603214,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52298,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1499346976603214,"flow_dst_last_pkt_time":1499346976603214,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346976603214,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8Un9AAD4Gc1GsEAABwKgKMsxKAFAevqLeAAAAAKACchDe8gAAAgQFtAQCCAoBOPChAAAAAAEDAwc="} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":101,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1499346976603214,"flow_dst_last_pkt_time":1499346976603366,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346976603366,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzEoKnmxhHr6i36AScSCi1wAAAgQFtAQCCAoD4sIYATjwoQEDAwc="} @@ -52,7 +52,7 @@ 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1499346976999789,"flow_dst_last_pkt_time":1499346976999944,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499346976999944,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzGAmGFC+ciJO0aAScSCizgAAAgQFtAQCCAoD4sJ7ATjxBAEDAwc="} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1499346977000540,"flow_dst_last_pkt_time":1499346976999925,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346977000540,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0Z5JAAD4GXkasEAABwKgKMsxeAFDFSpaWtwyVpoAQAOXRDgAAAQEICgE48QQD4sJ7"} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1499346977000543,"flow_dst_last_pkt_time":1499346976999944,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499346977000543,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0v9VAAD4GBgOsEAABwKgKMsxgAFByIk7RJhhQv4AQAOVB1gAAAQEICgE48QQD4sJ7"} -01840{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346976603214,"flow_src_last_pkt_time":1499346977842457,"flow_dst_last_pkt_time":1499346977841725,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":4344,"flow_src_tot_l4_payload_len":2998,"flow_dst_tot_l4_payload_len":14938,"midstream":0,"thread_ts_usec":1499346977842457,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52298,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":79927.5,"max":856251,"stddev":206521.8,"var":42651250688.0,"ent":2.7,"data": [152,921,4,863,1492,2144,20680,25919,42487,6012,44423,1321,232,1259,67,51,1208,273,437,68644,70522,37847,60433,98253,1091,851698,856251,4579,109710,139259,29522]},"pktlen": {"min":66,"avg":627.0,"max":4410,"stddev":1050.3,"var":1103191.5,"ent":3.8,"data": [74,74,66,375,66,578,66,408,1200,66,431,807,66,454,4410,4410,752,66,66,66,377,571,66,407,571,66,625,429,66,449,1870,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,1,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02239{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1499346976603214,"flow_src_last_pkt_time":1499346977842457,"flow_dst_last_pkt_time":1499346977841725,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":559,"flow_dst_max_l4_payload_len":4344,"flow_src_tot_l4_payload_len":2998,"flow_dst_tot_l4_payload_len":14938,"midstream":0,"thread_ts_usec":1499346977842457,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52298,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":79927.5,"max":856251,"stddev":206521.8,"var":42651250688.0,"ent":2.7,"data": [152,921,4,863,1492,2144,20680,25919,42487,6012,44423,1321,232,1259,67,51,1208,273,437,68644,70522,37847,60433,98253,1091,851698,856251,4579,109710,139259,29522]},"pktlen": {"min":52,"avg":613.0,"max":4396,"stddev":1050.3,"var":1103191.5,"ent":3.7,"data": [60,60,52,361,52,564,52,394,1186,52,417,793,52,440,4396,4396,738,52,52,52,363,557,52,393,557,52,611,415,52,435,1856,52]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,1,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0],"entropies": [4.605007648,5.060326576,4.878231525,5.859004021,4.825252533,5.712884426,4.916693211,5.889322281,7.407968998,4.930902481,5.868651867,7.247689247,4.853979111,5.863908291,7.905287266,7.943071842,7.650606155,4.892440796,4.930902481,4.839461803,5.855611324,5.816545963,4.830034733,5.891600132,5.824794292,4.815517426,5.864365101,5.691962719,4.894361496,5.912110329,7.768774033,4.961857319]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01218{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":142,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1499346976677111,"flow_src_last_pkt_time":1499346977863501,"flow_dst_last_pkt_time":1499346976677196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":364,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":364,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346977863501,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52300,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"205.174.165.68","http": {"url":"205.174.165.68\/dv\/dvwa\/js\/dvwaPage.js","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:45.0) Gecko\/20100101 Firefox\/45.0","detected_os":"Linux x86_64"}}} 01208{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":144,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1499346976999785,"flow_src_last_pkt_time":1499346977870159,"flow_dst_last_pkt_time":1499346976999925,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346977870159,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52318,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"205.174.165.68","http": {"url":"205.174.165.68\/dv\/favicon.ico","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:45.0) Gecko\/20100101 Firefox\/45.0","detected_os":"Linux x86_64"}}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":188,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499346983175773,"flow_src_last_pkt_time":1499346983175773,"flow_dst_last_pkt_time":1499346983175773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499346983175773,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52386,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -192,7 +192,7 @@ 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":659,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_src_last_pkt_time":1499347042150116,"flow_dst_last_pkt_time":1499347042150116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347042150116,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8q1JAAD4GGn6sEAABwKgKMs8MAFB23Zv2AAAAAKACchBK9gAAAgQFtAQCCAoBOTCkAAAAAAEDAwc="} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":660,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1499347042150116,"flow_dst_last_pkt_time":1499347042150244,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347042150244,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzwwb3aSHdt2b96AScSCFcgAAAgQFtAQCCAoD4wIbATkwpAEDAwc="} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":661,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1499347042150994,"flow_dst_last_pkt_time":1499347042150244,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347042150994,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0q1NAAD4GGoWsEAABwKgKMs8MAFB23Zv3G92kiIAQAOUkegAAAQEICgE5MKQD4wIb"} -01986{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":665,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347033203906,"flow_src_last_pkt_time":1499347043160870,"flow_dst_last_pkt_time":1499347042153970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347043160870,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52910,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":609904.1,"max":3808906,"stddev":940979.2,"var":885441822720.0,"ent":3.7,"data": [97,845,3808060,3808906,3088,3867,1010444,1014181,3805,246952,250608,3613,1037920,1041646,3765,265406,269174,3736,1020088,1024520,4409,240929,244611,3693,1033112,1036761,3674,252788,256472,3667,1006191]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.7,"var":571022.8,"ent":4.2,"data": [74,74,66,651,66,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02385{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":665,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347033203906,"flow_src_last_pkt_time":1499347043160870,"flow_dst_last_pkt_time":1499347042153970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347043160870,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52910,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":609904.1,"max":3808906,"stddev":940979.2,"var":885441822720.0,"ent":3.7,"data": [97,845,3808060,3808906,3088,3867,1010444,1014181,3805,246952,250608,3613,1037920,1041646,3765,265406,269174,3736,1020088,1024520,4409,240929,244611,3693,1033112,1036761,3674,252788,256472,3667,1006191]},"pktlen": {"min":52,"avg":716.8,"max":1921,"stddev":755.7,"var":571022.9,"ent":4.2,"data": [60,60,52,637,52,1919,52,435,1822,52,637,1920,52,435,1822,52,637,1921,52,435,1822,52,637,1920,52,435,1822,52,637,1918,52,435]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.481729507,5.039574623,4.844108105,6.027367115,4.861793995,7.775769711,4.938717365,5.904430389,7.740994930,4.900255680,6.023871899,7.767442703,4.900255680,5.872165680,7.741530418,4.938717365,6.025243759,7.782982349,4.938717365,5.858062744,7.742496490,4.736229897,5.995160103,7.771011829,4.683251381,5.862007141,7.737675190,4.786791325,6.021321297,7.770700932,4.861794472,5.879370689]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":668,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347043416905,"flow_src_last_pkt_time":1499347043416905,"flow_dst_last_pkt_time":1499347043416905,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347043416905,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":53018,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":668,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1499347043416905,"flow_dst_last_pkt_time":1499347043416905,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347043416905,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8okxAAD4GI4SsEAABwKgKMs8aAFDJVZOtAAAAAKACchD\/ewAAAgQFtAQCCAoBOTHhAAAAAAEDAwc="} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":669,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1499347043416905,"flow_dst_last_pkt_time":1499347043417034,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347043417034,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQzxosqk4zyVWTrqAScSB+QwAAAgQFtAQCCAoD4wNXATkx4QEDAwc="} @@ -360,7 +360,7 @@ 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1195,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":84,"flow_packet_id":1,"flow_src_last_pkt_time":1499347107719375,"flow_dst_last_pkt_time":1499347107719375,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347107719375,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8GMdAAD4GrQmsEAABwKgKMtG8AFANSWhrAAAAAKACchClXQAAAgQFtAQCCAoBOXCsAAAAAAEDAwc="} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1196,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":84,"flow_packet_id":2,"flow_src_last_pkt_time":1499347107719375,"flow_dst_last_pkt_time":1499347107719520,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347107719520,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ0byrN2AMDUlobKAScSBU8gAAAgQFtAQCCAoD40IjATlwrAEDAwc="} 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1197,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":84,"flow_packet_id":3,"flow_src_last_pkt_time":1499347107720082,"flow_dst_last_pkt_time":1499347107719520,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347107720082,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0GMhAAD4GrRCsEAABwKgKMtG8AFANSWhsqzdgDYAQAOXz+AAAAQEICgE5cK0D40Ij"} -01894{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1198,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347097460010,"flow_src_last_pkt_time":1499347107720768,"flow_dst_last_pkt_time":1499347107453968,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347107720768,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":53584,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":127,"avg":653377.9,"max":4898512,"stddev":1185987.6,"var":1406566662144.0,"ent":3.5,"data": [127,684,4897818,4898512,8582,9379,243178,246717,3562,1041173,1044833,3840,241167,245261,3969,1005489,1009493,3958,240995,244588,3615,1008862,1012541,3693,268328,273700,5337,1005565,1009604,4099,266047]},"pktlen": {"min":66,"avg":727.7,"max":1934,"stddev":750.9,"var":563862.6,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02293{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1198,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347097460010,"flow_src_last_pkt_time":1499347107720768,"flow_dst_last_pkt_time":1499347107453968,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347107720768,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":53584,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":127,"avg":653377.9,"max":4898512,"stddev":1185987.6,"var":1406566662144.0,"ent":3.5,"data": [127,684,4897818,4898512,8582,9379,243178,246717,3562,1041173,1044833,3840,241167,245261,3969,1005489,1009493,3958,240995,244588,3615,1008862,1012541,3693,268328,273700,5337,1005565,1009604,4099,266047]},"pktlen": {"min":52,"avg":713.7,"max":1920,"stddev":750.9,"var":563862.5,"ent":4.2,"data": [60,60,52,435,52,1823,52,637,1919,52,435,1822,52,637,1920,52,435,1822,52,637,1918,52,435,1822,52,637,1919,52,435,1822,52,637]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.605007172,5.106241703,4.892748356,5.892271042,4.892748356,7.736833572,4.861793995,6.022665024,7.761230469,4.983880997,5.891326904,7.737265587,4.868495941,6.024899483,7.792784691,4.945419312,5.879211426,7.737951756,4.945419312,6.019626617,7.772718906,4.906957626,5.895821571,7.739050388,4.853979111,6.015067101,7.782599449,4.906957626,5.886952400,7.740243912,4.870416641,6.043610573]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01032{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1207,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":6,"flow_first_seen":1499346976677111,"flow_src_last_pkt_time":1499346982914483,"flow_dst_last_pkt_time":1499346982914560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":5330,"flow_src_tot_l4_payload_len":759,"flow_dst_tot_l4_payload_len":6093,"midstream":0,"thread_ts_usec":1499347109003737,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52300,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01032{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1207,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1499346976999785,"flow_src_last_pkt_time":1499346982906448,"flow_dst_last_pkt_time":1499346982906527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1707,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":1707,"midstream":0,"thread_ts_usec":1499347109003737,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52318,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00892{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1207,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499346976999789,"flow_src_last_pkt_time":1499346982607912,"flow_dst_last_pkt_time":1499346982607149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347109003737,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":52320,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} @@ -577,7 +577,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1708,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":119,"flow_packet_id":1,"flow_src_last_pkt_time":1499347172098409,"flow_dst_last_pkt_time":1499347172098409,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347172098409,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8dk5AAD4GT4KsEAABwKgKMtRaAFDNItnFAAAAAKACchAyrAAAAgQFtAQCCAoBOa+LAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1709,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":119,"flow_packet_id":2,"flow_src_last_pkt_time":1499347172098409,"flow_dst_last_pkt_time":1499347172098530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347172098530,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1FoQ75vBzSLZxqAScSAB9QAAAgQFtAQCCAoD44ECATmviwEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1710,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":119,"flow_packet_id":3,"flow_src_last_pkt_time":1499347172099279,"flow_dst_last_pkt_time":1499347172098530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347172099279,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0dk9AAD4GT4msEAABwKgKMtRaAFDNItnGEO+bwoAQAOWg\/AAAAQEICgE5r4sD44EC"} -01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1714,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":114,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347163177633,"flow_src_last_pkt_time":1499347173124164,"flow_dst_last_pkt_time":1499347172102919,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347173124164,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54268,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":107,"avg":608768.2,"max":3827235,"stddev":943347.2,"var":889903972352.0,"ent":3.7,"data": [107,901,3826349,3827235,3096,3895,1023011,1026934,3928,268230,273681,5427,1005208,1009216,4030,256246,259862,3614,1006897,1010591,3696,250084,253817,3763,1011263,1016096,4808,241019,244651,3645,1020517]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.6,"var":570947.8,"ent":4.2,"data": [74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1931,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02389{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1714,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":114,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347163177633,"flow_src_last_pkt_time":1499347173124164,"flow_dst_last_pkt_time":1499347172102919,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347173124164,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54268,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":107,"avg":608768.2,"max":3827235,"stddev":943347.2,"var":889903972352.0,"ent":3.7,"data": [107,901,3826349,3827235,3096,3895,1023011,1026934,3928,268230,273681,5427,1005208,1009216,4030,256246,259862,3614,1006897,1010591,3696,250084,253817,3763,1011263,1016096,4808,241019,244651,3645,1020517]},"pktlen": {"min":52,"avg":716.8,"max":1921,"stddev":755.6,"var":570947.8,"ent":4.2,"data": [60,60,52,637,52,1921,52,435,1822,52,637,1920,52,435,1822,52,637,1920,52,435,1822,52,637,1919,52,435,1822,52,637,1917,52,435]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.638340950,5.039574623,4.854287148,6.029434681,4.892748833,7.778367043,4.983880997,5.926498413,7.738680363,4.930902481,6.053852081,7.756084442,4.945419312,5.899237633,7.743415833,4.908878326,6.045033455,7.770442009,4.930902481,5.892504692,7.745852947,5.022342682,6.052529335,7.776908875,4.983880997,5.921900749,7.741519928,4.906957626,6.052155972,7.775801659,4.945419312,5.897080421]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1717,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":120,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347173373791,"flow_src_last_pkt_time":1499347173373791,"flow_dst_last_pkt_time":1499347173373791,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347173373791,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54376,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1717,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":120,"flow_packet_id":1,"flow_src_last_pkt_time":1499347173373791,"flow_dst_last_pkt_time":1499347173373791,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347173373791,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8XK1AAD4GaSOsEAABwKgKMtRoAFDpcOxnAAAAAKACchACbwAAAgQFtAQCCAoBObDKAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1718,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":120,"flow_packet_id":2,"flow_src_last_pkt_time":1499347173373791,"flow_dst_last_pkt_time":1499347173373905,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347173373905,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1GhwCsiK6XDsaKAScSBElAAAAgQFtAQCCAoD44JBATmwygEDAwc="} @@ -800,7 +800,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2235,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":1,"flow_src_last_pkt_time":1499347235716450,"flow_dst_last_pkt_time":1499347235716450,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347235716450,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8wLxAAD4GBRSsEAABwKgKMtb+AFAtaC0QAAAAAKACchA+VwAAAgQFtAQCCAoBOe2sAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2236,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":2,"flow_src_last_pkt_time":1499347235716450,"flow_dst_last_pkt_time":1499347235716582,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347235716582,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1v760xqZLWgtEaAScSBmwwAAAgQFtAQCCAoD478iATntrAEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2237,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":3,"flow_src_last_pkt_time":1499347235717314,"flow_dst_last_pkt_time":1499347235716582,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347235717314,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0wL1AAD4GBRusEAABwKgKMtb+AFAtaC0R+tMamoAQAOUFywAAAQEICgE57awD478i"} -01891{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2247,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":152,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347228091325,"flow_src_last_pkt_time":1499347237016547,"flow_dst_last_pkt_time":1499347236759533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16317,"midstream":0,"thread_ts_usec":1499347237016547,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54956,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":567530.0,"max":3642588,"stddev":903579.0,"var":816455024640.0,"ent":3.6,"data": [95,698,3641887,3642588,3124,4095,234104,238457,4183,1006077,1010963,4878,233120,236850,3778,1005601,1010652,5027,236201,239833,3605,1006827,1010500,3683,232616,236267,3614,1034871,1038879,4091,256266]},"pktlen": {"min":66,"avg":727.7,"max":1935,"stddev":750.8,"var":563712.5,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1929,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02290{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2247,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":152,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347228091325,"flow_src_last_pkt_time":1499347237016547,"flow_dst_last_pkt_time":1499347236759533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16317,"midstream":0,"thread_ts_usec":1499347237016547,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":54956,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":567530.0,"max":3642588,"stddev":903579.0,"var":816455024640.0,"ent":3.6,"data": [95,698,3641887,3642588,3124,4095,234104,238457,4183,1006077,1010963,4878,233120,236850,3778,1005601,1010652,5027,236201,239833,3605,1006827,1010500,3683,232616,236267,3614,1034871,1038879,4091,256266]},"pktlen": {"min":52,"avg":713.7,"max":1921,"stddev":750.8,"var":563712.5,"ent":4.2,"data": [60,60,52,435,52,1823,52,637,1919,52,435,1822,52,637,1915,52,435,1822,52,637,1921,52,435,1822,52,637,1919,52,435,1822,52,637]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.571673870,5.060326576,4.892748356,5.911661148,4.892748833,7.739586830,4.755836964,6.006965160,7.753130913,4.870416641,5.890732765,7.738875389,4.906957626,6.010314941,7.782026768,4.906957626,5.890962601,7.741142273,4.945419312,6.027306080,7.776299953,4.945419312,5.905275345,7.742319107,4.983880997,6.020912647,7.756708145,4.906957626,5.913722038,7.742949486,4.945419312,6.050437927]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2253,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347238260432,"flow_src_last_pkt_time":1499347238260432,"flow_dst_last_pkt_time":1499347238260432,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347238260432,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55064,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2253,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":1,"flow_src_last_pkt_time":1499347238260432,"flow_dst_last_pkt_time":1499347238260432,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347238260432,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8N5lAAD4GjjesEAABwKgKMtcYAFCMG8exAAAAAKACchBCbAAAAgQFtAQCCAoBOfAoAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2254,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_src_last_pkt_time":1499347238260432,"flow_dst_last_pkt_time":1499347238260538,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347238260538,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ1xiQuLeAjBvHsqAScSA1kAAAAgQFtAQCCAoD48GeATnwKAEDAwc="} @@ -1019,7 +1019,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2770,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":195,"flow_packet_id":1,"flow_src_last_pkt_time":1499347300263398,"flow_dst_last_pkt_time":1499347300263398,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347300263398,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8bohAAD4GV0isEAABwKgKMtmuAFBvk0I9AAAAAKACchClRQAAAgQFtAQCCAoBOiy1AAAAAAEDAwc="} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2771,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":195,"flow_packet_id":2,"flow_src_last_pkt_time":1499347300263398,"flow_dst_last_pkt_time":1499347300263526,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347300263526,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ2a7Gy0E5b5NCPqAScSCcEAAAAgQFtAQCCAoD4\/4rATostQEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2772,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":195,"flow_packet_id":3,"flow_src_last_pkt_time":1499347300264292,"flow_dst_last_pkt_time":1499347300263526,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347300264292,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0bolAAD4GV0+sEAABwKgKMtmuAFBvk0I+xstBOoAQAOU7GAAAAQEICgE6LLUD4\/4r"} -01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2779,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":190,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347291442976,"flow_src_last_pkt_time":1499347301278351,"flow_dst_last_pkt_time":1499347300267830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16422,"midstream":0,"thread_ts_usec":1499347301278351,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55632,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":601942.8,"max":3784925,"stddev":935922.8,"var":875951489024.0,"ent":3.7,"data": [124,875,3784070,3784925,3065,3805,1003969,1007602,3694,223699,227380,3680,1007795,1011581,3778,255776,259460,3650,1007868,1011955,4221,230369,234793,4295,1037481,1041928,4473,238345,242041,3668,1009864]},"pktlen": {"min":66,"avg":730.9,"max":1935,"stddev":755.9,"var":571323.5,"ent":4.2,"data": [74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02389{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2779,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":190,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347291442976,"flow_src_last_pkt_time":1499347301278351,"flow_dst_last_pkt_time":1499347300267830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16422,"midstream":0,"thread_ts_usec":1499347301278351,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55632,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":601942.8,"max":3784925,"stddev":935922.8,"var":875951489024.0,"ent":3.7,"data": [124,875,3784070,3784925,3065,3805,1003969,1007602,3694,223699,227380,3680,1007795,1011581,3778,255776,259460,3650,1007868,1011955,4221,230369,234793,4295,1037481,1041928,4473,238345,242041,3668,1009864]},"pktlen": {"min":52,"avg":716.9,"max":1921,"stddev":755.9,"var":571323.5,"ent":4.2,"data": [60,60,52,637,52,1921,52,435,1822,52,637,1920,52,435,1822,52,637,1921,52,435,1822,52,637,1920,52,435,1822,52,637,1920,52,435]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.550921917,5.018822670,4.892748833,6.038469315,4.878231525,7.804656506,4.945419312,5.886735916,7.737145901,4.945419312,6.004831314,7.766214371,4.861793995,5.894402504,7.741394520,4.983880997,6.054348946,7.774952888,4.983880997,5.889629364,7.739490032,4.830034733,6.038223267,7.778916836,4.868495941,5.871979713,7.739353657,4.892440319,6.027006149,7.758635521,4.945419312,5.859021187]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2782,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":196,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347301520809,"flow_src_last_pkt_time":1499347301520809,"flow_dst_last_pkt_time":1499347301520809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347301520809,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55740,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2782,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":196,"flow_packet_id":1,"flow_src_last_pkt_time":1499347301520809,"flow_dst_last_pkt_time":1499347301520809,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347301520809,"pkt":"ABm5CmnxAMGxFOsxCABFAAA80Q9AAD4G9MCsEAABwKgKMtm8AFCdpvzgAAAAAKACchC7RgAAAgQFtAQCCAoBOi3vAAAAAAEDAwc="} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2783,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":196,"flow_packet_id":2,"flow_src_last_pkt_time":1499347301520809,"flow_dst_last_pkt_time":1499347301520933,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347301520933,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ2bw9W3Mnnab84aAScSAIWgAAAgQFtAQCCAoD4\/9lATot7wEDAwc="} @@ -1252,7 +1252,7 @@ 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3304,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347235716450,"flow_src_last_pkt_time":1499347241682595,"flow_dst_last_pkt_time":1499347241682043,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347364061294,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55038,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":3304,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347238260432,"flow_src_last_pkt_time":1499347243683907,"flow_dst_last_pkt_time":1499347243683316,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347364061294,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55064,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3304,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347238260432,"flow_src_last_pkt_time":1499347243683907,"flow_dst_last_pkt_time":1499347243683316,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347364061294,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":55064,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} -01889{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3305,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1499347355229572,"flow_src_last_pkt_time":1499347365069246,"flow_dst_last_pkt_time":1499347365072209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347365072209,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56306,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":634913.3,"max":4805402,"stddev":1169757.4,"var":1368332173312.0,"ent":3.4,"data": [124,694,4804702,4805402,3052,3844,248597,252202,3707,1022416,1026219,3805,225184,229157,49,3959,1026815,1030902,4151,232536,236200,80,3611,1006031,1010739,4812,233237,236850,3621,1007952,1011661]},"pktlen": {"min":66,"avg":709.6,"max":1934,"stddev":708.0,"var":501313.9,"ent":4.3,"data": [74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1514,486,66,449,1836,66,651,1514,486,66,449,1836,66,651,1934,66,449,1836]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,7]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02288{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3305,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1499347355229572,"flow_src_last_pkt_time":1499347365069246,"flow_dst_last_pkt_time":1499347365072209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347365072209,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56306,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":634913.3,"max":4805402,"stddev":1169757.4,"var":1368332173312.0,"ent":3.4,"data": [124,694,4804702,4805402,3052,3844,248597,252202,3707,1022416,1026219,3805,225184,229157,49,3959,1026815,1030902,4151,232536,236200,80,3611,1006031,1010739,4812,233237,236850,3621,1007952,1011661]},"pktlen": {"min":52,"avg":695.6,"max":1920,"stddev":708.0,"var":501313.9,"ent":4.2,"data": [60,60,52,435,52,1823,52,637,1920,52,435,1822,52,637,1500,472,52,435,1822,52,637,1500,472,52,435,1822,52,637,1920,52,435,1822]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,7]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,0,1],"entropies": [4.605007172,5.106241703,4.969672203,5.887770653,4.931210041,7.737622738,4.900255680,6.023592472,7.759787560,4.945419312,5.879158020,7.735323429,4.945419312,6.020521164,7.675088406,7.536506176,4.770353794,5.889800072,7.738374233,5.022342682,6.041303158,7.670452118,7.573883533,4.983880997,5.897212029,7.740057945,4.983880997,6.042107105,7.747768879,4.945419312,5.886207581,7.738952160]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3307,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":233,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347365320773,"flow_src_last_pkt_time":1499347365320773,"flow_dst_last_pkt_time":1499347365320773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347365320773,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56414,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3307,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":233,"flow_packet_id":1,"flow_src_last_pkt_time":1499347365320773,"flow_dst_last_pkt_time":1499347365320773,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347365320773,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8CZFAAD4GvD+sEAABwKgKMtxeAFCYJmWsAAAAAKACchAXCwAAAgQFtAQCCAoBOmw9AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3308,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":233,"flow_packet_id":2,"flow_src_last_pkt_time":1499347365320773,"flow_dst_last_pkt_time":1499347365320933,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347365320933,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ3F6n4QiemCZlraAScSAl0wAAAgQFtAQCCAoD5D2zATpsPQEDAwc="} @@ -1481,7 +1481,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3844,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_packet_id":1,"flow_src_last_pkt_time":1499347428671151,"flow_dst_last_pkt_time":1499347428671151,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347428671151,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8vFFAAD4GCX+sEAABwKgKMt8CAFCqwBZKAAAAAKACchATUQAAAgQFtAQCCAoBOqobAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3845,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_packet_id":2,"flow_src_last_pkt_time":1499347428671151,"flow_dst_last_pkt_time":1499347428671287,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347428671287,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ3wITPWXXqsAWS6AScSAbpgAAAgQFtAQCCAoD5HuRATqqGwEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3846,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_packet_id":3,"flow_src_last_pkt_time":1499347428672036,"flow_dst_last_pkt_time":1499347428671287,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347428672036,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0vFJAAD4GCYasEAABwKgKMt8CAFCqwBZLEz1l2IAQAOW6rQAAAQEICgE6qhsD5HuR"} -01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3853,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":265,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347419786749,"flow_src_last_pkt_time":1499347429693747,"flow_dst_last_pkt_time":1499347428675378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499347429693747,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56994,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":606310.6,"max":3818967,"stddev":944243.6,"var":891595915264.0,"ent":3.7,"data": [126,889,3818133,3818967,2889,3638,1026811,1031184,4412,231903,235642,3751,1006981,1010745,3756,236240,239931,3646,1008869,1012823,4179,228551,232759,4019,1040911,1048342,7412,251595,255221,3632,1017670]},"pktlen": {"min":66,"avg":730.7,"max":1934,"stddev":755.5,"var":570797.2,"ent":4.2,"data": [74,74,66,651,66,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02389{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3853,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":265,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347419786749,"flow_src_last_pkt_time":1499347429693747,"flow_dst_last_pkt_time":1499347428675378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499347429693747,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":56994,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":606310.6,"max":3818967,"stddev":944243.6,"var":891595915264.0,"ent":3.7,"data": [126,889,3818133,3818967,2889,3638,1026811,1031184,4412,231903,235642,3751,1006981,1010745,3756,236240,239931,3646,1008869,1012823,4179,228551,232759,4019,1040911,1048342,7412,251595,255221,3632,1017670]},"pktlen": {"min":52,"avg":716.7,"max":1920,"stddev":755.5,"var":570797.2,"ent":4.2,"data": [60,60,52,637,52,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1920,52,435,1822,52,637,1918,52,435]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.638340950,5.039574623,4.854287148,6.026527405,4.931210518,7.777307510,4.983880997,5.879386902,7.740555286,4.906958103,6.039316654,7.777638435,4.983880997,5.853911400,7.740018845,4.930902481,6.019202709,7.769432068,4.983880997,5.861763954,7.746566296,4.906957626,6.037178040,7.786467552,4.906957626,5.895909309,7.742385864,4.983880997,6.017253876,7.766935825,4.945419312,5.907352448]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3862,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347431192783,"flow_src_last_pkt_time":1499347431192783,"flow_dst_last_pkt_time":1499347431192783,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347431192783,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57116,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3862,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_packet_id":1,"flow_src_last_pkt_time":1499347431192783,"flow_dst_last_pkt_time":1499347431192783,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347431192783,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8+sNAAD4GywysEAABwKgKMt8cAFA\/1VZRAAAAAKACchA7pAAAAgQFtAQCCAoBOqySAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3863,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_packet_id":2,"flow_src_last_pkt_time":1499347431192783,"flow_dst_last_pkt_time":1499347431192884,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347431192884,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ3xwMzQFkP9VWUqAScSCsZgAAAgQFtAQCCAoD5H4HATqskgEDAwc="} @@ -1706,7 +1706,7 @@ 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4384,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":309,"flow_packet_id":1,"flow_src_last_pkt_time":1499347493167254,"flow_dst_last_pkt_time":1499347493167254,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347493167254,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8VdJAAD4Gb\/6sEAABwKgKMuGyAFCUXbzFAAAAAKACchBBjAAAAgQFtAQCCAoBOukXAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4385,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":309,"flow_packet_id":2,"flow_src_last_pkt_time":1499347493167254,"flow_dst_last_pkt_time":1499347493167378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347493167378,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ4bJdzKzTlF28xqAScSB5WQAAAgQFtAQCCAoD5LqNATrpFwEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4386,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":309,"flow_packet_id":3,"flow_src_last_pkt_time":1499347493168132,"flow_dst_last_pkt_time":1499347493167378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347493168132,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0VdNAAD4GcAWsEAABwKgKMuGyAFCUXbzGXcys1IAQAOUYYAAAAQEICgE66RgD5LqN"} -01893{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4387,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":304,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347484263170,"flow_src_last_pkt_time":1499347493168704,"flow_dst_last_pkt_time":1499347492935868,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347493168704,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57684,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":567039.8,"max":3536204,"stddev":877375.9,"var":769788411904.0,"ent":3.7,"data": [126,910,3535287,3536204,3041,3865,353475,357566,4142,1009473,1013529,4051,235924,239646,3697,1007485,1011210,3722,236124,239766,3661,1007627,1011378,3776,240922,244715,3743,1011730,1015517,3791,232129]},"pktlen": {"min":66,"avg":727.7,"max":1934,"stddev":750.9,"var":563862.6,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02292{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4387,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":304,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347484263170,"flow_src_last_pkt_time":1499347493168704,"flow_dst_last_pkt_time":1499347492935868,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347493168704,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57684,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":567039.8,"max":3536204,"stddev":877375.9,"var":769788411904.0,"ent":3.7,"data": [126,910,3535287,3536204,3041,3865,353475,357566,4142,1009473,1013529,4051,235924,239646,3697,1007485,1011210,3722,236124,239766,3661,1007627,1011378,3776,240922,244715,3743,1011730,1015517,3791,232129]},"pktlen": {"min":52,"avg":713.7,"max":1920,"stddev":750.9,"var":563862.5,"ent":4.2,"data": [60,60,52,435,52,1823,52,637,1918,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1920,52,435,1822,52,637]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.550921917,5.006241322,4.808815002,5.875412941,4.774691582,7.740199566,4.646709919,6.001397610,7.775830746,4.755031586,5.850878716,7.738961697,4.793493271,5.989969254,7.789359570,4.870416641,5.872076035,7.741474628,4.817437649,5.998672962,7.788164616,4.831954956,5.868983269,7.740512848,4.831954956,6.002839088,7.786237717,4.831954956,5.862294197,7.736440182,4.793493271,5.982177258]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4393,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":310,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347494446547,"flow_src_last_pkt_time":1499347494446547,"flow_dst_last_pkt_time":1499347494446547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347494446547,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57792,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4393,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":310,"flow_packet_id":1,"flow_src_last_pkt_time":1499347494446547,"flow_dst_last_pkt_time":1499347494446547,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347494446547,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8G1FAAD4Gqn+sEAABwKgKMuHAAFAmKfEGAAAAAKACchB6MQAAAgQFtAQCCAoBOupXAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4394,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":310,"flow_packet_id":2,"flow_src_last_pkt_time":1499347494446547,"flow_dst_last_pkt_time":1499347494446686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347494446686,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ4cATAV39JinxB6AScSBKYAAAAgQFtAQCCAoD5LvNATrqVwEDAwc="} @@ -1944,7 +1944,7 @@ 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":271,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347428671151,"flow_src_last_pkt_time":1499347433734524,"flow_dst_last_pkt_time":1499347433733752,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347556766549,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57090,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347431192783,"flow_src_last_pkt_time":1499347436733809,"flow_dst_last_pkt_time":1499347436733067,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347556766549,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57116,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":272,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347431192783,"flow_src_last_pkt_time":1499347436733809,"flow_dst_last_pkt_time":1499347436733067,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347556766549,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":57116,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} -01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":342,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347547687536,"flow_src_last_pkt_time":1499347557536513,"flow_dst_last_pkt_time":1499347556527820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16419,"midstream":0,"thread_ts_usec":1499347557536513,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":58360,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":602879.4,"max":3809547,"stddev":940726.8,"var":884966883328.0,"ent":3.7,"data": [124,686,3808906,3809547,3416,4144,1007073,1011285,4302,225901,229521,3769,1021770,1025776,4116,233969,238478,4482,1006263,1010669,4325,238452,243200,4543,1006668,1011166,4498,253524,257102,3581,1008005]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.7,"var":571097.9,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02389{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4921,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":342,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347547687536,"flow_src_last_pkt_time":1499347557536513,"flow_dst_last_pkt_time":1499347556527820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16419,"midstream":0,"thread_ts_usec":1499347557536513,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":58360,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":602879.4,"max":3809547,"stddev":940726.8,"var":884966883328.0,"ent":3.7,"data": [124,686,3808906,3809547,3416,4144,1007073,1011285,4302,225901,229521,3769,1021770,1025776,4116,233969,238478,4482,1006263,1010669,4325,238452,243200,4543,1006668,1011166,4498,253524,257102,3581,1008005]},"pktlen": {"min":52,"avg":716.8,"max":1921,"stddev":755.7,"var":571097.9,"ent":4.2,"data": [60,60,52,637,52,1920,52,435,1822,52,637,1920,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1921,52,435]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.638340950,5.106241703,4.969671726,6.036019325,4.969671726,7.763245583,5.022342682,5.918416023,7.743572712,4.906957626,6.001263142,7.780893326,4.906957626,5.904815674,7.746741772,4.983880997,6.035089493,7.783490658,4.983880997,5.917668343,7.744116783,4.945419312,6.018520355,7.767279625,4.868495941,5.905341148,7.745261192,4.861793995,6.048130512,7.761913776,4.815517426,5.915553093]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4927,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":348,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347557789292,"flow_src_last_pkt_time":1499347557789292,"flow_dst_last_pkt_time":1499347557789292,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347557789292,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":58468,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4927,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":348,"flow_packet_id":1,"flow_src_last_pkt_time":1499347557789292,"flow_dst_last_pkt_time":1499347557789292,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347557789292,"pkt":"ABm5CmnxAMGxFOsxCABFAAA82zBAAD4G6p+sEAABwKgKMuRkAFBn0PMDAAAAAKACchD2DAAAAgQFtAQCCAoBOygzAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4928,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":348,"flow_packet_id":2,"flow_src_last_pkt_time":1499347557789292,"flow_dst_last_pkt_time":1499347557789349,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347557789349,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ5GT+u1l1Z9DzBKAScSChLQAAAgQFtAQCCAoD5PmoATsoMwEDAwc="} @@ -2169,7 +2169,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5444,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":385,"flow_packet_id":1,"flow_src_last_pkt_time":1499347618757865,"flow_dst_last_pkt_time":1499347618757865,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347618757865,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8UcRAAD4GdAysEAABwKgKMub0AFCevDJ5AAAAAKACchBBkQAAAgQFtAQCCAoBO2O9AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5445,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":385,"flow_packet_id":2,"flow_src_last_pkt_time":1499347618757865,"flow_dst_last_pkt_time":1499347618757988,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347618757988,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ5vRXo2m0nrwyeqAScSBIAQAAAgQFtAQCCAoD5TUyATtjvQEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5446,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":385,"flow_packet_id":3,"flow_src_last_pkt_time":1499347618758844,"flow_dst_last_pkt_time":1499347618757988,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347618758844,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0UcVAAD4GdBOsEAABwKgKMub0AFCevDJ6V6NptYAQAOXnBwAAAQEICgE7Y74D5TUy"} -01893{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5461,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":380,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347611162032,"flow_src_last_pkt_time":1499347621032822,"flow_dst_last_pkt_time":1499347621031071,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347621032822,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59042,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":143,"avg":636768.6,"max":4822860,"stddev":1172576.8,"var":1374936236032.0,"ent":3.4,"data": [143,1062,4821803,4822860,2874,5990,221999,227886,4985,1013,1004953,1011219,4071,265484,269299,3619,1019861,1023488,4016,238184,242252,4785,1005968,1010668,4015,237942,242400,5048,1010956,1015950,5036]},"pktlen": {"min":66,"avg":709.6,"max":1935,"stddev":759.8,"var":577334.1,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1935,66,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02292{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5461,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":380,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347611162032,"flow_src_last_pkt_time":1499347621032822,"flow_dst_last_pkt_time":1499347621031071,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4255,"flow_dst_tot_l4_payload_len":16323,"midstream":0,"thread_ts_usec":1499347621032822,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59042,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":143,"avg":636768.6,"max":4822860,"stddev":1172576.8,"var":1374936236032.0,"ent":3.4,"data": [143,1062,4821803,4822860,2874,5990,221999,227886,4985,1013,1004953,1011219,4071,265484,269299,3619,1019861,1023488,4016,238184,242252,4785,1005968,1010668,4015,237942,242400,5048,1010956,1015950,5036]},"pktlen": {"min":52,"avg":695.6,"max":1921,"stddev":759.8,"var":577334.1,"ent":4.1,"data": [60,60,52,435,52,1823,52,637,1921,52,52,435,1822,52,637,1919,52,435,1822,52,637,1921,52,435,1822,52,637,1919,52,435,1822,52]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0],"entropies": [4.638340950,5.106241703,4.931210041,5.869386673,4.815825462,7.741599560,4.861793995,5.992467880,7.779530048,4.892440796,4.892440796,5.846882820,7.743978024,4.906957626,6.006172180,7.770215034,4.945419312,5.875662804,7.742156029,4.830034256,6.027259350,7.759240150,4.906957626,5.861507416,7.742101192,4.868495941,5.986130238,7.747363091,4.983880997,5.861079216,7.737266064,4.983880997]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5462,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":386,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347621256083,"flow_src_last_pkt_time":1499347621256083,"flow_dst_last_pkt_time":1499347621256083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347621256083,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59150,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5462,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":386,"flow_packet_id":1,"flow_src_last_pkt_time":1499347621256083,"flow_dst_last_pkt_time":1499347621256083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347621256083,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8Hc9AAD4GqAGsEAABwKgKMucOAFD+NnvhAAAAAKACchCWIwAAAgQFtAQCCAoBO2YuAAAAAAEDAwc="} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5463,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":386,"flow_packet_id":2,"flow_src_last_pkt_time":1499347621256083,"flow_dst_last_pkt_time":1499347621256213,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347621256213,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ5w6DP0I9\/jZ74qAScSCV\/QAAAgQFtAQCCAoD5TejATtmLgEDAwc="} @@ -2400,7 +2400,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6001,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":424,"flow_packet_id":1,"flow_src_last_pkt_time":1499347684563427,"flow_dst_last_pkt_time":1499347684563427,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347684563427,"pkt":"ABm5CmnxAMGxFOsxCABFAAA82yNAAD4G6qysEAABwKgKMumyAFDf7X8iAAAAAKACchBwtAAAAgQFtAQCCAoBO6QBAAAAAAEDAwc="} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6002,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":424,"flow_packet_id":2,"flow_src_last_pkt_time":1499347684563427,"flow_dst_last_pkt_time":1499347684563554,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347684563554,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ6bLDIQ3O3+1\/I6AScSAnSAAAAgQFtAQCCAoD5XV2ATukAQEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6003,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":424,"flow_packet_id":3,"flow_src_last_pkt_time":1499347684564308,"flow_dst_last_pkt_time":1499347684563554,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347684564308,"pkt":"ABm5CmnxAMGxFOsxCABFAAA02yRAAD4G6rOsEAABwKgKMumyAFDf7X8jwyENz4AQAOXGTwAAAQEICgE7pAED5XV2"} -01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6010,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":419,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347675703973,"flow_src_last_pkt_time":1499347685575239,"flow_dst_last_pkt_time":1499347684567341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347685575239,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59732,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":604343.1,"max":3767000,"stddev":933372.4,"var":871184138240.0,"ent":3.7,"data": [122,677,3766369,3767000,3476,4237,1039907,1045427,5545,227268,230918,3646,1037098,1040865,3812,252859,256647,3763,1024020,1027777,3716,237350,240983,3608,1007832,1011497,3720,234952,238656,3696,1007191]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.7,"var":571022.8,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02389{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6010,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":419,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347675703973,"flow_src_last_pkt_time":1499347685575239,"flow_dst_last_pkt_time":1499347684567341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16418,"midstream":0,"thread_ts_usec":1499347685575239,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59732,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":604343.1,"max":3767000,"stddev":933372.4,"var":871184138240.0,"ent":3.7,"data": [122,677,3766369,3767000,3476,4237,1039907,1045427,5545,227268,230918,3646,1037098,1040865,3812,252859,256647,3763,1024020,1027777,3716,237350,240983,3608,1007832,1011497,3720,234952,238656,3696,1007191]},"pktlen": {"min":52,"avg":716.8,"max":1921,"stddev":755.7,"var":571022.9,"ent":4.2,"data": [60,60,52,637,52,1920,52,435,1822,52,637,1918,52,435,1822,52,637,1921,52,435,1822,52,637,1919,52,435,1822,52,637,1920,52,435]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.571673870,5.106241703,4.892748833,6.023725510,4.854287148,7.786217690,4.945419312,5.883897781,7.741504192,4.983880997,6.049694538,7.769575596,4.830034256,5.875819206,7.739855289,4.945419312,5.995629787,7.765204906,4.831954956,5.869315147,7.744027615,4.945419312,6.017279625,7.784244537,4.753110886,5.875353813,7.744633198,4.945419312,6.029817104,7.765758514,4.945419312,5.879001617]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6022,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":425,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347687089585,"flow_src_last_pkt_time":1499347687089585,"flow_dst_last_pkt_time":1499347687089585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347687089585,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":59852,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6022,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":425,"flow_packet_id":1,"flow_src_last_pkt_time":1499347687089585,"flow_dst_last_pkt_time":1499347687089585,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347687089585,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8UahAAD4GdCisEAABwKgKMunMAFBn2\/fQAAAAAKACchBthwAAAgQFtAQCCAoBO6Z4AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6023,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":425,"flow_packet_id":2,"flow_src_last_pkt_time":1499347687089585,"flow_dst_last_pkt_time":1499347687089686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347687089686,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ6cx2j8kIZ9v30aAScSCy+wAAAgQFtAQCCAoD5XftATumeAEDAwc="} @@ -2645,7 +2645,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6545,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":463,"flow_packet_id":1,"flow_src_last_pkt_time":1499347752308453,"flow_dst_last_pkt_time":1499347752308453,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347752308453,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8qStAAD4GHKWsEAABwKgKMuyOAFBMoE8CAAAAAKACchDvHQAAAgQFtAQCCAoBO+YpAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6546,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":463,"flow_packet_id":2,"flow_src_last_pkt_time":1499347752308453,"flow_dst_last_pkt_time":1499347752308578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347752308578,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ7I5f6lZGTKBPA6AScSB+SAAAAgQFtAQCCAoD5beeATvmKQEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6547,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":463,"flow_packet_id":3,"flow_src_last_pkt_time":1499347752309233,"flow_dst_last_pkt_time":1499347752308578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347752309233,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0qSxAAD4GHKysEAABwKgKMuyOAFBMoE8DX+pWR4AQAOUdTwAAAQEICgE75ioD5bee"} -01893{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6548,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":458,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347743331813,"flow_src_last_pkt_time":1499347752309607,"flow_dst_last_pkt_time":1499347752053014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347752309607,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":60464,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":130,"avg":570935.4,"max":3582115,"stddev":886830.3,"var":786468044800.0,"ent":3.7,"data": [130,887,3581223,3582115,3304,4122,271038,275625,4605,1007486,1011252,3777,268863,273004,4125,1007482,1011640,4170,263574,267468,3888,1019754,1023735,4007,253226,261155,7923,1002871,1011773,8903,255870]},"pktlen": {"min":66,"avg":727.7,"max":1934,"stddev":750.9,"var":563862.7,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1931,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02292{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6548,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":458,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347743331813,"flow_src_last_pkt_time":1499347752309607,"flow_dst_last_pkt_time":1499347752053014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16319,"midstream":0,"thread_ts_usec":1499347752309607,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":60464,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":130,"avg":570935.4,"max":3582115,"stddev":886830.3,"var":786468044800.0,"ent":3.7,"data": [130,887,3581223,3582115,3304,4122,271038,275625,4605,1007486,1011252,3777,268863,273004,4125,1007482,1011640,4170,263574,267468,3888,1019754,1023735,4007,253226,261155,7923,1002871,1011773,8903,255870]},"pktlen": {"min":52,"avg":713.7,"max":1920,"stddev":750.9,"var":563862.6,"ent":4.2,"data": [60,60,52,435,52,1823,52,637,1919,52,435,1822,52,637,1920,52,435,1822,52,637,1917,52,435,1822,52,637,1920,52,435,1822,52,637]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.605007172,5.139575005,4.892748833,5.855112076,4.854287148,7.740097046,4.861793995,5.995685577,7.768898010,4.945419312,5.890089989,7.741286755,4.945419312,6.012487888,7.771459579,4.983880997,5.883958817,7.743787289,4.945419312,5.988662720,7.773043156,4.983880997,5.862193108,7.740000248,4.906957626,5.998622894,7.761761665,4.983880997,5.841221809,7.740222454,4.906957626,6.034659863]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6557,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":464,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347753649698,"flow_src_last_pkt_time":1499347753649698,"flow_dst_last_pkt_time":1499347753649698,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347753649698,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":60572,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6557,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":464,"flow_packet_id":1,"flow_src_last_pkt_time":1499347753649698,"flow_dst_last_pkt_time":1499347753649698,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347753649698,"pkt":"ABm5CmnxAMGxFOsxCABFAAA825ZAAD4G6jmsEAABwKgKMuycAFCJVjzvAAAAAKACchDDHAAAAgQFtAQCCAoBO+d5AAAAAAEDAwc="} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6558,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":464,"flow_packet_id":2,"flow_src_last_pkt_time":1499347753649698,"flow_dst_last_pkt_time":1499347753649826,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347753649826,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQ7Jyb\/4pAiVY88KAScSDg6AAAAgQFtAQCCAoD5bjtATvneQEDAwc="} @@ -2868,7 +2868,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7073,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":501,"flow_packet_id":1,"flow_src_last_pkt_time":1499347816657942,"flow_dst_last_pkt_time":1499347816657942,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347816657942,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8lQ1AAD4GMMOsEAABwKgKMoDqAFAyzLAMAAAAAKACchDUswAAAgQFtAQCCAoBPCUBAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7074,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":501,"flow_packet_id":2,"flow_src_last_pkt_time":1499347816657942,"flow_dst_last_pkt_time":1499347816658067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347816658067,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQgOp6zxHVMsywDaAScSBOkwAAAgQFtAQCCAoD5fZ1ATwlAQEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7075,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":501,"flow_packet_id":3,"flow_src_last_pkt_time":1499347816658755,"flow_dst_last_pkt_time":1499347816658067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347816658755,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0lQ5AAD4GMMqsEAABwKgKMoDqAFAyzLANes8R1oAQAOXtmgAAAQEICgE8JQED5fZ1"} -01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7082,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":495,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347807664615,"flow_src_last_pkt_time":1499347817702402,"flow_dst_last_pkt_time":1499347816662711,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347817702402,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32906,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":158,"avg":614060.8,"max":3861987,"stddev":952957.6,"var":908128223232.0,"ent":3.7,"data": [158,871,3861200,3861987,3248,3959,1007386,1010966,3670,256861,260494,3559,1018334,1021980,3614,243418,246972,3620,1033482,1037187,3726,244230,248333,4100,1037495,1041661,4162,261455,265110,3630,1039015]},"pktlen": {"min":66,"avg":730.8,"max":1935,"stddev":755.6,"var":570948.0,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1930,66,449,1836,66,651,1935,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02389{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7082,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":495,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347807664615,"flow_src_last_pkt_time":1499347817702402,"flow_dst_last_pkt_time":1499347816662711,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16417,"midstream":0,"thread_ts_usec":1499347817702402,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32906,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":158,"avg":614060.8,"max":3861987,"stddev":952957.6,"var":908128223232.0,"ent":3.7,"data": [158,871,3861200,3861987,3248,3959,1007386,1010966,3670,256861,260494,3559,1018334,1021980,3614,243418,246972,3620,1033482,1037187,3726,244230,248333,4100,1037495,1041661,4162,261455,265110,3630,1039015]},"pktlen": {"min":52,"avg":716.8,"max":1921,"stddev":755.6,"var":570948.0,"ent":4.2,"data": [60,60,52,637,52,1920,52,435,1822,52,637,1920,52,435,1822,52,637,1920,52,435,1822,52,637,1916,52,435,1822,52,637,1921,52,435]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.525758743,5.072907925,4.892748356,6.020434380,4.892748833,7.791048527,4.945419312,5.893647194,7.740782261,4.830034733,6.007053375,7.809398174,4.945419312,5.892089844,7.742994785,4.777055264,6.018450260,7.794157982,4.906957626,5.894688606,7.744627476,4.906957626,6.065685749,7.761301517,4.868495941,5.905168533,7.745905876,4.868495941,6.015729427,7.773281574,4.853978634,5.898605347]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7094,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":502,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347819250899,"flow_src_last_pkt_time":1499347819250899,"flow_dst_last_pkt_time":1499347819250899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347819250899,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33028,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7094,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":502,"flow_packet_id":1,"flow_src_last_pkt_time":1499347819250899,"flow_dst_last_pkt_time":1499347819250899,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347819250899,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8LORAAD4GmOysEAABwKgKMoEEAFDtQwttAAAAAKACchC8OQAAAgQFtAQCCAoBPCeJAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7095,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":502,"flow_packet_id":2,"flow_src_last_pkt_time":1499347819250899,"flow_dst_last_pkt_time":1499347819251024,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347819251024,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQgQQkyBmr7UMLbqAScSCBwQAAAgQFtAQCCAoD5fj+ATwniQEDAwc="} @@ -3089,7 +3089,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7597,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":537,"flow_packet_id":1,"flow_src_last_pkt_time":1499347881141710,"flow_dst_last_pkt_time":1499347881141710,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347881141710,"pkt":"ABm5CmnxAMGxFOsxCABFAAA80HhAAD4G9VesEAABwKgKMoOKAFDzHbOCAAAAAKACchDPUgAAAgQFtAQCCAoBPGP6AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7598,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":537,"flow_packet_id":2,"flow_src_last_pkt_time":1499347881141710,"flow_dst_last_pkt_time":1499347881141852,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347881141852,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQg4pPHZMl8x2zg6AScSC0mgAAAgQFtAQCCAoD5jVuATxj+gEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7599,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":537,"flow_packet_id":3,"flow_src_last_pkt_time":1499347881142632,"flow_dst_last_pkt_time":1499347881141852,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347881142632,"pkt":"ABm5CmnxAMGxFOsxCABFAAA00HlAAD4G9V6sEAABwKgKMoOKAFDzHbODTx2TJoAQAOVTogAAAQEICgE8Y\/oD5jVu"} -01895{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7606,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":532,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347872187685,"flow_src_last_pkt_time":1499347882404199,"flow_dst_last_pkt_time":1499347882158637,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499347882404199,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33580,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":651208.6,"max":4840595,"stddev":1171443.9,"var":1372280717312.0,"ent":3.5,"data": [126,862,4839753,4840595,3674,4464,263225,266840,3672,1005298,1009118,3796,260614,264369,3758,1024972,1028663,3708,266053,269708,3666,1007636,1011884,4257,260865,265134,4231,1006690,1010841,4181,244813]},"pktlen": {"min":66,"avg":727.8,"max":1935,"stddev":751.0,"var":564013.3,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1932,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02294{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7606,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":532,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347872187685,"flow_src_last_pkt_time":1499347882404199,"flow_dst_last_pkt_time":1499347882158637,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1869,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499347882404199,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33580,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":126,"avg":651208.6,"max":4840595,"stddev":1171443.9,"var":1372280717312.0,"ent":3.5,"data": [126,862,4839753,4840595,3674,4464,263225,266840,3672,1005298,1009118,3796,260614,264369,3758,1024972,1028663,3708,266053,269708,3666,1007636,1011884,4257,260865,265134,4231,1006690,1010841,4181,244813]},"pktlen": {"min":52,"avg":713.8,"max":1921,"stddev":751.0,"var":564013.3,"ent":4.2,"data": [60,60,52,435,52,1823,52,637,1919,52,435,1822,52,637,1921,52,435,1822,52,637,1918,52,435,1822,52,637,1920,52,435,1822,52,637]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.559092522,5.072907925,4.931210518,5.917668343,4.892748833,7.738794327,4.863714695,6.007505894,7.798718929,5.022342682,5.905847549,7.739555359,4.906957626,6.033310413,7.766191959,4.983880997,5.910769463,7.742557526,4.945419312,6.030111790,7.769622803,4.906957626,5.902417183,7.741934776,4.945419312,6.047390461,7.800710201,4.908878326,5.889702797,7.740861416,5.022342682,6.020066261]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7607,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":538,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499347882404247,"flow_src_last_pkt_time":1499347882404247,"flow_dst_last_pkt_time":1499347882404247,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347882404247,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":33688,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7607,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":538,"flow_packet_id":1,"flow_src_last_pkt_time":1499347882404247,"flow_dst_last_pkt_time":1499347882404247,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347882404247,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8eWdAAD4GTGmsEAABwKgKMoOYAFA4phxRAAAAAKACchAfsgAAAgQFtAQCCAoBPGU2AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7608,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":538,"flow_packet_id":2,"flow_src_last_pkt_time":1499347882404247,"flow_dst_last_pkt_time":1499347882404320,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347882404320,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQg5hCgWTIOKYcUqAScSA+twAAAgQFtAQCCAoD5jaqATxlNgEDAwc="} @@ -3304,7 +3304,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8117,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":573,"flow_packet_id":1,"flow_src_last_pkt_time":1499347945720318,"flow_dst_last_pkt_time":1499347945720318,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347945720318,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8sjdAAD4GE5msEAABwKgKMoYqAFDdpBE8AAAAAKACchBFYQAAAgQFtAQCCAoBPKMLAAAAAAEDAwc="} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8118,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":573,"flow_packet_id":2,"flow_src_last_pkt_time":1499347945720318,"flow_dst_last_pkt_time":1499347945720417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499347945720417,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQhiqh1kGM3aQRPaAScSDqdwAAAgQFtAQCCAoD5nR\/ATyjCwEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8119,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":573,"flow_packet_id":3,"flow_src_last_pkt_time":1499347945721181,"flow_dst_last_pkt_time":1499347945720417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499347945721181,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0sjhAAD4GE6CsEAABwKgKMoYqAFDdpBE9odZBjYAQAOWJfwAAAQEICgE8owsD5nR\/"} -01985{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8132,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":569,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347939286105,"flow_src_last_pkt_time":1499347947010010,"flow_dst_last_pkt_time":1499347947009327,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4457,"flow_dst_tot_l4_payload_len":16413,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34278,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":171,"avg":498294.4,"max":2588369,"stddev":688746.1,"var":474371129344.0,"ent":3.7,"data": [171,739,2587661,2588369,3663,4498,1020517,1024859,4382,244684,248374,3703,1042345,1046980,4607,242309,245980,3660,1031191,1034926,3726,241353,245065,3596,495,1025211,1029311,3750,251257,255524,4221]},"pktlen": {"min":66,"avg":718.7,"max":1934,"stddev":762.8,"var":581830.0,"ent":4.2,"data": [74,74,66,651,66,1932,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,66,449,1836,66,651,1932,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02384{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8132,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":569,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499347939286105,"flow_src_last_pkt_time":1499347947010010,"flow_dst_last_pkt_time":1499347947009327,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4457,"flow_dst_tot_l4_payload_len":16413,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34278,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":171,"avg":498294.4,"max":2588369,"stddev":688746.1,"var":474371129344.0,"ent":3.7,"data": [171,739,2587661,2588369,3663,4498,1020517,1024859,4382,244684,248374,3703,1042345,1046980,4607,242309,245980,3660,1031191,1034926,3726,241353,245065,3596,495,1025211,1029311,3750,251257,255524,4221]},"pktlen": {"min":52,"avg":704.7,"max":1920,"stddev":762.8,"var":581830.0,"ent":4.1,"data": [60,60,52,637,52,1918,52,435,1822,52,637,1918,52,435,1822,52,637,1919,52,435,1822,52,637,1920,52,52,435,1822,52,637,1918,52]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,1,0],"entropies": [4.605007172,5.039574623,4.969671726,6.030518532,4.931210041,7.775516510,4.945419312,5.902482986,7.745615482,4.945419312,6.037442207,7.774715900,4.983880997,5.896422386,7.742757320,4.945419312,6.040554523,7.771491051,4.868495941,5.892494202,7.744132996,4.853979111,6.017662048,7.776625156,4.868495941,4.861793995,5.911713600,7.744248867,4.817438126,6.033777237,7.744309425,4.906957626]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":8133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":498,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347812797349,"flow_src_last_pkt_time":1499347817844555,"flow_dst_last_pkt_time":1499347817843831,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32960,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00759{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":498,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347812797349,"flow_src_last_pkt_time":1499347817844555,"flow_dst_last_pkt_time":1499347817843831,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32960,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00893{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":8133,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":499,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1499347814066618,"flow_src_last_pkt_time":1499347819845842,"flow_dst_last_pkt_time":1499347819845138,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499347947010010,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":32974,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} @@ -3545,7 +3545,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8666,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":612,"flow_packet_id":1,"flow_src_last_pkt_time":1499348012728762,"flow_dst_last_pkt_time":1499348012728762,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348012728762,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8MbdAAD4GlBmsEAABwKgKMojoAFBoxNXMAAAAAKACchCxggAAAgQFtAQCCAoBPOR7AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8667,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":612,"flow_packet_id":2,"flow_src_last_pkt_time":1499348012728762,"flow_dst_last_pkt_time":1499348012728872,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348012728872,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQiOhwV55UaMTVzaAScSDp3wAAAgQFtAQCCAoD5rXvATzkewEDAwc="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8668,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":612,"flow_packet_id":3,"flow_src_last_pkt_time":1499348012729471,"flow_dst_last_pkt_time":1499348012728872,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499348012729471,"pkt":"ABm5CmnxAMGxFOsxCABFAAA0MbhAAD4GlCCsEAABwKgKMojoAFBoxNXNcFeeVYAQAOWI5wAAAQEICgE85HsD5rXv"} -01895{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8669,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":606,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348002450018,"flow_src_last_pkt_time":1499348012729966,"flow_dst_last_pkt_time":1499348012487215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499348012729966,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34940,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":168,"avg":655391.8,"max":4897215,"stddev":1186666.9,"var":1408178323456.0,"ent":3.5,"data": [168,874,4896388,4897215,3139,3939,250433,254530,4103,1006878,1011034,4128,267330,271177,3882,1007953,1011957,4030,246777,250412,3605,1038702,1042399,3673,241578,245223,3629,1046261,1049943,3750,242035]},"pktlen": {"min":66,"avg":727.8,"max":1934,"stddev":751.0,"var":564013.2,"ent":4.2,"data": [74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02294{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8669,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":606,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348002450018,"flow_src_last_pkt_time":1499348012729966,"flow_dst_last_pkt_time":1499348012487215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16321,"midstream":0,"thread_ts_usec":1499348012729966,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":34940,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":168,"avg":655391.8,"max":4897215,"stddev":1186666.9,"var":1408178323456.0,"ent":3.5,"data": [168,874,4896388,4897215,3139,3939,250433,254530,4103,1006878,1011034,4128,267330,271177,3882,1007953,1011957,4030,246777,250412,3605,1038702,1042399,3673,241578,245223,3629,1046261,1049943,3750,242035]},"pktlen": {"min":52,"avg":713.8,"max":1920,"stddev":751.0,"var":564013.2,"ent":4.2,"data": [60,60,52,435,52,1823,52,637,1920,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1920,52,435,1822,52,637]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.571673870,5.072907925,4.969671726,5.887361526,4.878231525,7.741217613,4.885738850,6.010152817,7.782044411,4.945419312,5.887085915,7.743456841,4.983880997,6.006285667,7.788482189,4.969364166,5.877018929,7.744219303,4.983880997,6.010739803,7.771894455,4.983880997,5.901759148,7.743703842,5.022342682,6.005155087,7.771924019,4.892440796,5.896227837,7.743970394,4.983880997,6.034862995]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":8684,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":613,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499348015250467,"flow_src_last_pkt_time":1499348015250467,"flow_dst_last_pkt_time":1499348015250467,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499348015250467,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35074,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8684,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":613,"flow_packet_id":1,"flow_src_last_pkt_time":1499348015250467,"flow_dst_last_pkt_time":1499348015250467,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348015250467,"pkt":"ABm5CmnxAMGxFOsxCABFAAA8SaJAAD4GfC6sEAABwKgKMokCAFA1NK9QAAAAAKACchAI\/gAAAgQFtAQCCAoBPObyAAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":8685,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":613,"flow_packet_id":2,"flow_src_last_pkt_time":1499348015250467,"flow_dst_last_pkt_time":1499348015250592,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348015250592,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQiQJJKiEWNTSvUaAScSDjTwAAAgQFtAQCCAoD5rhmATzm8gEDAwc="} @@ -3762,7 +3762,7 @@ 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9192,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":649,"flow_packet_id":1,"flow_src_last_pkt_time":1499348077218866,"flow_dst_last_pkt_time":1499348077218866,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348077218866,"pkt":"ABm5CmnxAMGxFOsxCABFAAA80HtAAD4G9VSsEAABwKgKMouKAFBc0\/MNAAAAAKACchBelQAAAgQFtAQCCAoBPSN2AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9193,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":649,"flow_packet_id":2,"flow_src_last_pkt_time":1499348077218866,"flow_dst_last_pkt_time":1499348077218968,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348077218968,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQi4oOSV5eXNPzDqAScSD5+wAAAgQFtAQCCAoD5vTqAT0jdgEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9195,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":649,"flow_packet_id":3,"flow_src_last_pkt_time":1499348077219749,"flow_dst_last_pkt_time":1499348077218968,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1499348077219749,"pkt":"ABm5CmnxAMGxFOsxCABFAAA00HxAAD4G9VusEAABwKgKMouKAFBc0\/MODkleX4AQAOWZAwAAAQEICgE9I3YD5vTq"} -01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9201,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":643,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348068136241,"flow_src_last_pkt_time":1499348078263151,"flow_dst_last_pkt_time":1499348077222575,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499348078263151,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35626,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":619782.1,"max":3953842,"stddev":972474.7,"var":945707024384.0,"ent":3.7,"data": [124,706,3953188,3953842,3024,3763,1020630,1024309,3710,248238,252345,4156,1041683,1045979,4295,255096,258771,3649,1007135,1010804,3655,252666,256217,3575,1010481,1014239,3761,262869,266680,3784,1039870]},"pktlen": {"min":66,"avg":730.7,"max":1934,"stddev":755.5,"var":570797.2,"ent":4.2,"data": [74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02389{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9201,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":643,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1499348068136241,"flow_src_last_pkt_time":1499348078263151,"flow_dst_last_pkt_time":1499348077222575,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":585,"flow_dst_max_l4_payload_len":1868,"flow_src_tot_l4_payload_len":4840,"flow_dst_tot_l4_payload_len":16415,"midstream":0,"thread_ts_usec":1499348078263151,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35626,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":619782.1,"max":3953842,"stddev":972474.7,"var":945707024384.0,"ent":3.7,"data": [124,706,3953188,3953842,3024,3763,1020630,1024309,3710,248238,252345,4156,1041683,1045979,4295,255096,258771,3649,1007135,1010804,3655,252666,256217,3575,1010481,1014239,3761,262869,266680,3784,1039870]},"pktlen": {"min":52,"avg":716.7,"max":1920,"stddev":755.5,"var":570797.2,"ent":4.2,"data": [60,60,52,637,52,1920,52,435,1822,52,637,1918,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.605007172,5.106241703,4.969672203,6.010980606,4.854287148,7.776665688,4.983880997,5.869518280,7.738469601,5.022342682,6.005230904,7.777610302,5.022342682,5.854826927,7.740310192,5.022342682,6.000309944,7.769937992,5.022342682,5.859811783,7.741565704,4.983880997,6.018991470,7.775127888,4.983880997,5.899751663,7.740706921,4.945419312,6.032977104,7.768198013,4.945419312,5.894873619]},"ndpi": {"flow_risk": {"1": {"risk":"XSS Attack","severity":"Severe","risk_score": {"total":10,"client":5,"server":5}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9204,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":650,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1499348078531918,"flow_src_last_pkt_time":1499348078531918,"flow_dst_last_pkt_time":1499348078531918,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1499348078531918,"l3_proto":"ip4","src_ip":"172.16.0.1","dst_ip":"192.168.10.50","src_port":35736,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9204,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":650,"flow_packet_id":1,"flow_src_last_pkt_time":1499348078531918,"flow_dst_last_pkt_time":1499348078531918,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348078531918,"pkt":"ABm5CmnxAMGxFOsxCABFAAA86yNAAD4G2qysEAABwKgKMouYAFAizM+dAAAAAKACchC6tgAAAgQFtAQCCAoBPSS+AAAAAAEDAwc="} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9205,"source":"WebattackXSS.pcap","alias":"nDPId-test","flow_id":650,"flow_packet_id":2,"flow_src_last_pkt_time":1499348078531918,"flow_dst_last_pkt_time":1499348078532057,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1499348078532057,"pkt":"AMGxFOsxABm5CmnxCABFAAA8AABAAEAGw9DAqAoyrBAAAQBQi5glYndPIszPnqAScSAkywAAAgQFtAQCCAoD5vYyAT0kvgEDAwc="} @@ -3995,10 +3995,10 @@ ~~ total active/idle flows...: 661/661 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 7386682 bytes -~~ total memory freed........: 7386682 bytes -~~ total allocations/frees...: 137589/137589 +~~ total memory allocated....: 7476578 bytes +~~ total memory freed........: 7476578 bytes +~~ total allocations/frees...: 138250/138250 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars -~~ json string max len.......: 1995 chars -~~ json string avg len.......: 1246 chars +~~ json string max len.......: 2394 chars +~~ json string avg len.......: 1445 chars diff --git a/test/results/activision.pcap.out b/test/results/activision.pcap.out index 8e2e42cf6..50cd40c0a 100644 --- a/test/results/activision.pcap.out +++ b/test/results/activision.pcap.out @@ -36,9 +36,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042253 bytes -~~ total memory freed........: 6042253 bytes -~~ total allocations/frees...: 121577/121577 +~~ total memory allocated....: 6042797 bytes +~~ total memory freed........: 6042797 bytes +~~ total allocations/frees...: 121581/121581 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 912 chars diff --git a/test/results/afp.pcap.out b/test/results/afp.pcap.out index 9db2089c5..da4bb5018 100644 --- a/test/results/afp.pcap.out +++ b/test/results/afp.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036105 bytes -~~ total memory freed........: 6036105 bytes -~~ total allocations/frees...: 121503/121503 +~~ total memory allocated....: 6036241 bytes +~~ total memory freed........: 6036241 bytes +~~ total allocations/frees...: 121504/121504 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars ~~ json string max len.......: 910 chars diff --git a/test/results/agora-sd-rtn.pcap.out b/test/results/agora-sd-rtn.pcap.out index 4dca62efb..c663b6c06 100644 --- a/test/results/agora-sd-rtn.pcap.out +++ b/test/results/agora-sd-rtn.pcap.out @@ -192,9 +192,9 @@ ~~ total active/idle flows...: 26/26 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6087928 bytes -~~ total memory freed........: 6087928 bytes -~~ total allocations/frees...: 122140/122140 +~~ total memory allocated....: 6091464 bytes +~~ total memory freed........: 6091464 bytes +~~ total allocations/frees...: 122166/122166 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars ~~ json string max len.......: 927 chars diff --git a/test/results/ah.pcapng.out b/test/results/ah.pcapng.out index 1a6d67175..ab7b9959b 100644 --- a/test/results/ah.pcapng.out +++ b/test/results/ah.pcapng.out @@ -20,9 +20,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037439 bytes -~~ total memory freed........: 6037439 bytes -~~ total allocations/frees...: 121503/121503 +~~ total memory allocated....: 6037711 bytes +~~ total memory freed........: 6037711 bytes +~~ total allocations/frees...: 121505/121505 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 976 chars diff --git a/test/results/aimini-http.pcap.out b/test/results/aimini-http.pcap.out index 341572b30..d2cfcad03 100644 --- a/test/results/aimini-http.pcap.out +++ b/test/results/aimini-http.pcap.out @@ -10,7 +10,7 @@ 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1614860229386298,"flow_dst_last_pkt_time":1614860229385965,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229386298,"pkt":"ApXG95WRWgXZu6TVCABFAAAwBP8AAH8GIfsKZQACCmYAAm9WAFCbu7tlAAAAAHACgAEoiAAAAgQFtAMDAQA="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":39,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1614860229386298,"flow_dst_last_pkt_time":1614860229386303,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229386303,"pkt":"WgXZu6TVApXG95WRCABFAAAwBQ0AAIAGAAAKZgACCmUAAgBQb1abu8Cxm7u7ZnASgAEU8QAAAgQFtAMDAQA="} 01204{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":42,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1614860229385965,"flow_src_last_pkt_time":1614860229386487,"flow_dst_last_pkt_time":1614860229386479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":524,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":524,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1614860229386487,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28502,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Aimini","proto_id":"7.99","encrypted":0,"breed":"Fun","category_id":7,"category":"Download","hostname":"www.aimini.com","http": {"url":"www.aimini.com\/webcounter\/w.php?___hm=.net_SignUp_&_lh_=http:\/\/www.aimini.net\/member\/signup\/&__Refer_=http:\/\/www.aimini.net\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko\/20110420 Firefox\/3.6.17","detected_os":"Windows"}}} -01650{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614860229383219,"flow_src_last_pkt_time":1614860229387313,"flow_dst_last_pkt_time":1614860229385946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4110,"flow_dst_tot_l4_payload_len":20912,"midstream":0,"thread_ts_usec":1614860229387313,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28501,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":220.0,"max":1148,"stddev":358.7,"var":128687.4,"ent":3.4,"data": [532,1116,414,1004,27,697,105,894,3,1,2,1,1,2,2,191,11,276,4,1,4,2,1,3,3,78,197,1,99,1148,1]},"pktlen": {"min":60,"avg":838.4,"max":1514,"stddev":690.0,"var":476082.3,"ent":4.4,"data": [62,62,62,62,60,649,60,649,1514,1514,1514,1514,1514,1514,1514,290,1514,1514,60,1514,1514,60,1514,1514,60,1514,290,60,60,60,1514,1514]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,0,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Aimini","proto_id":"7.99","encrypted":0,"breed":"Fun","category_id":7,"category":"Download"}} +02049{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614860229383219,"flow_src_last_pkt_time":1614860229387313,"flow_dst_last_pkt_time":1614860229385946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4110,"flow_dst_tot_l4_payload_len":20912,"midstream":0,"thread_ts_usec":1614860229387313,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28501,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":220.0,"max":1148,"stddev":358.7,"var":128687.4,"ent":3.4,"data": [532,1116,414,1004,27,697,105,894,3,1,2,1,1,2,2,191,11,276,4,1,4,2,1,3,3,78,197,1,99,1148,1]},"pktlen": {"min":46,"avg":824.4,"max":1500,"stddev":690.0,"var":476082.3,"ent":4.4,"data": [48,48,48,48,46,635,46,635,1500,1500,1500,1500,1500,1500,1500,276,1500,1500,46,1500,1500,46,1500,1500,46,1500,276,46,46,46,1500,1500]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,0,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,0,0,0,0],"entropies": [3.876627445,4.083755016,4.256327152,4.460499287,3.752108097,6.013849258,4.032184601,6.031517506,7.687114239,7.864995956,7.665461540,7.860690594,7.831142426,7.843841553,7.850586891,7.036180973,7.689830303,7.865575314,3.752107620,7.667116165,7.864095211,3.752107859,7.832858562,7.845948219,3.752108335,7.852002144,7.046712399,3.988705873,4.032184124,3.988706112,5.843052864,4.502032280]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Aimini","proto_id":"7.99","encrypted":0,"breed":"Fun","category_id":7,"category":"Download"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1614860229388780,"flow_src_last_pkt_time":1614860229388780,"flow_dst_last_pkt_time":1614860229388780,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1614860229388780,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":28503,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1614860229388780,"flow_dst_last_pkt_time":1614860229388780,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229388780,"pkt":"5kBKB+riApXG95NLCABFAAAwBREAAIAGAAAKZQACCmYAAm9XAFCbu+drAAAAAHACgAEU8QAAAgQFtAMDAQA="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":98,"source":"aimini-http.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1614860229389055,"flow_dst_last_pkt_time":1614860229388780,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614860229389055,"pkt":"ApXG95WRWgXZu6TVCABFAAAwBREAAH8GIekKZQACCmYAAm9XAFCbu+drAAAAAHACgAH8gAAAAgQFtAMDAQA="} @@ -34,10 +34,10 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6045576 bytes -~~ total memory freed........: 6045576 bytes -~~ total allocations/frees...: 121676/121676 +~~ total memory allocated....: 6046120 bytes +~~ total memory freed........: 6046120 bytes +~~ total allocations/frees...: 121680/121680 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 496 chars -~~ json string max len.......: 1655 chars -~~ json string avg len.......: 1074 chars +~~ json string max len.......: 2054 chars +~~ json string avg len.......: 1274 chars diff --git a/test/results/ajp.pcap.out b/test/results/ajp.pcap.out index 29270a63b..4c039d3b9 100644 --- a/test/results/ajp.pcap.out +++ b/test/results/ajp.pcap.out @@ -45,9 +45,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038019 bytes -~~ total memory freed........: 6038019 bytes -~~ total allocations/frees...: 121523/121523 +~~ total memory allocated....: 6038291 bytes +~~ total memory freed........: 6038291 bytes +~~ total allocations/frees...: 121525/121525 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 205 chars ~~ json string max len.......: 1496 chars diff --git a/test/results/alexa-app.pcapng.out b/test/results/alexa-app.pcapng.out index c338ded1f..6e255e708 100644 --- a/test/results/alexa-app.pcapng.out +++ b/test/results/alexa-app.pcapng.out @@ -200,7 +200,7 @@ 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":279,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1490976042101270,"flow_dst_last_pkt_time":1490976042099362,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976042101270,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0AfRAAEAGW7qsECrYNFXR2NSNAbumNE9Ps3pFE4AQAVdxMgAAAQEICgD2TsJtF6Xz"} 01118{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":282,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976041961796,"flow_src_last_pkt_time":1490976042058395,"flow_dst_last_pkt_time":1490976042149888,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":202,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1490976042149888,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01596{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":284,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976041961796,"flow_src_last_pkt_time":1490976042058395,"flow_dst_last_pkt_time":1490976042150550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":202,"flow_dst_tot_l4_payload_len":4344,"midstream":0,"thread_ts_usec":1490976042150550,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54412,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} -01571{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":309,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":47,"avg":22128.4,"max":90510,"stddev":31052.4,"var":964249024.0,"ent":3.6,"data": [46971,52965,277,73178,134,18906,393,341,423,88175,318,744,233,8121,32759,75313,63701,49446,70919,806,90510,2043,419,465,407,524,703,47,5315,294,1129]},"pktlen": {"min":66,"avg":594.3,"max":1514,"stddev":637.0,"var":405792.1,"ent":4.1,"data": [74,74,66,268,66,66,1514,1514,1514,833,66,66,66,66,192,1096,308,66,66,1514,1514,66,1514,1514,1514,464,1514,1126,100,66,66,66]},"bins": {"c_to_s": [11,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,1,1,1,1,1,1,1,0,0,0]}} +01969{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":309,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":47,"avg":22128.4,"max":90510,"stddev":31052.4,"var":964249024.0,"ent":3.6,"data": [46971,52965,277,73178,134,18906,393,341,423,88175,318,744,233,8121,32759,75313,63701,49446,70919,806,90510,2043,419,465,407,524,703,47,5315,294,1129]},"pktlen": {"min":52,"avg":580.3,"max":1500,"stddev":637.0,"var":405792.1,"ent":4.1,"data": [60,60,52,254,52,52,1500,1500,1500,819,52,52,52,52,178,1082,294,52,52,1500,1500,52,1500,1500,1500,450,1500,1112,86,52,52,52]},"bins": {"c_to_s": [11,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,1,1,1,1,1,1,1,0,0,0],"entropies": [4.626680851,5.273560524,5.056022167,5.578444004,5.038779736,5.038779736,6.941484451,7.235523224,7.505930424,7.618381500,5.017560482,4.979098797,4.979098797,4.979099274,6.314942837,7.805894852,7.019865036,5.056022167,5.000318527,7.867209435,7.863208771,4.979098797,7.856099606,7.887753487,7.874964714,7.517594337,7.873031139,7.831841469,5.789580822,4.979099274,4.979098797,4.940637589]}} 01601{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1490976041942417,"flow_src_last_pkt_time":1490976042286958,"flow_dst_last_pkt_time":1490976042283855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1030,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1358,"flow_dst_tot_l4_payload_len":15533,"midstream":0,"thread_ts_usec":1490976042286958,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} 01149{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":317,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1490976041870965,"flow_src_last_pkt_time":1490976042239996,"flow_dst_last_pkt_time":1490976042302047,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":454,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1490976042302047,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01503{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":319,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1490976041870965,"flow_src_last_pkt_time":1490976042239996,"flow_dst_last_pkt_time":1490976042302667,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":454,"flow_dst_tot_l4_payload_len":4380,"midstream":0,"thread_ts_usec":1490976042302667,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34019,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}} @@ -211,7 +211,7 @@ 01005{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":389,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976043611721,"flow_src_last_pkt_time":1490976043611721,"flow_dst_last_pkt_time":1490976043611721,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976043611721,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":43350,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00193{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":392,"source":"alexa-app.pcapng","alias":"nDPId-test","layer_type":35085,"global_ts_usec":1490976043617123} 00360{"packet_event_id":1,"packet_event_name":"packet","packet_id":392,"source":"alexa-app.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":35085,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1490976043612089,"pkt":"AMDKkaPvePiC0\/vCiQ0CDAoBZRIAwMqRdPh4+ILT+8IAwMqRo+\/dFACgxgAAAAAAAAAAAAAAAAAAAAAA"} -01865{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":394,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976041156517,"flow_src_last_pkt_time":1490976043655892,"flow_dst_last_pkt_time":1490976043654956,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4861,"flow_dst_tot_l4_payload_len":5515,"midstream":0,"thread_ts_usec":1490976043655892,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45661,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":70,"avg":161219.8,"max":1015894,"stddev":286084.3,"var":81844248576.0,"ent":3.4,"data": [55686,59305,1428,66601,358,70,64102,4784,271,2661,66908,3070,100753,8343,108356,5909,66864,500848,354092,941132,3002,88712,111843,176480,211,64686,9150,104205,1015894,966451,45639]},"pktlen": {"min":54,"avg":380.2,"max":1514,"stddev":485.1,"var":235358.5,"ent":4.0,"data": [74,62,54,261,1514,1514,399,54,54,54,380,60,113,54,1136,60,955,54,1120,1120,60,507,54,1168,60,891,54,54,60,54,60,54]},"bins": {"c_to_s": [12,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02263{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":394,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976041156517,"flow_src_last_pkt_time":1490976043655892,"flow_dst_last_pkt_time":1490976043654956,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1114,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4861,"flow_dst_tot_l4_payload_len":5515,"midstream":0,"thread_ts_usec":1490976043655892,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45661,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":70,"avg":161219.8,"max":1015894,"stddev":286084.3,"var":81844248576.0,"ent":3.4,"data": [55686,59305,1428,66601,358,70,64102,4784,271,2661,66908,3070,100753,8343,108356,5909,66864,500848,354092,941132,3002,88712,111843,176480,211,64686,9150,104205,1015894,966451,45639]},"pktlen": {"min":40,"avg":366.2,"max":1500,"stddev":485.1,"var":235358.5,"ent":3.9,"data": [60,48,40,247,1500,1500,385,40,40,40,366,46,99,40,1122,46,941,40,1106,1106,46,493,40,1154,46,877,40,40,46,40,46,40]},"bins": {"c_to_s": [12,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0],"entropies": [4.617588520,5.095174789,4.784183979,5.540180683,6.803335667,7.281946659,7.383058548,4.784183979,4.784183979,4.734184265,7.281152725,4.652828693,6.003940582,4.881687164,7.811503887,4.501398087,7.765291691,4.831687450,7.799355507,7.797914982,4.565871716,7.570134640,4.831686974,7.815543175,4.565872192,7.742568493,4.881687164,4.931687355,4.544876099,4.831687450,4.544876099,4.781687260]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":397,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_src_last_pkt_time":1490976043611721,"flow_dst_last_pkt_time":1490976043811357,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1490976043811357,"pkt":"ePiC0\/vCAMDKkaPvCABFAABP0pFAAEARuxKsECoBrBAq2AA1qVYAO\/ZCveGBgAABAAEAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAHADAABAAEAAAAbAARIFc6H"} 01021{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":397,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976043611721,"flow_src_last_pkt_time":1490976043611721,"flow_dst_last_pkt_time":1490976043811357,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":51,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1490976043811357,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":43350,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"72.21.206.135"}}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":398,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976043814090,"flow_src_last_pkt_time":1490976043814090,"flow_dst_last_pkt_time":1490976043814090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976043814090,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42129,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -271,7 +271,7 @@ 01228{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":495,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976044509891,"flow_src_last_pkt_time":1490976044595782,"flow_dst_last_pkt_time":1490976044687978,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976044687978,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45678,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":511,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":4,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976044649888,"flow_dst_last_pkt_time":1490976044708534,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":205,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":615,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1490976044708534,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01490{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":513,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976044649888,"flow_dst_last_pkt_time":1490976044708747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":205,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":615,"flow_dst_tot_l4_payload_len":4380,"midstream":0,"thread_ts_usec":1490976044708747,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}} -01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":582,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":166773.2,"max":835939,"stddev":244032.9,"var":59552047104.0,"ent":3.7,"data": [54151,55408,518,50304,258867,520111,785264,3831,152,61,38,60785,290,133,140,52112,10967,286978,223908,2741,139187,177,171943,179936,143,402714,22375,216464,783828,835939,50504]},"pktlen": {"min":54,"avg":401.0,"max":1514,"stddev":534.6,"var":285800.0,"ent":3.9,"data": [74,62,54,259,60,259,259,60,1514,1514,1514,688,54,54,54,54,180,1514,105,482,60,60,480,54,1514,1210,60,357,54,54,60,54]},"bins": {"c_to_s": [10,0,0,1,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,0,0,1,1,0,0,1,0]}} +01993{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":582,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":166773.2,"max":835939,"stddev":244032.9,"var":59552047104.0,"ent":3.7,"data": [54151,55408,518,50304,258867,520111,785264,3831,152,61,38,60785,290,133,140,52112,10967,286978,223908,2741,139187,177,171943,179936,143,402714,22375,216464,783828,835939,50504]},"pktlen": {"min":40,"avg":387.0,"max":1500,"stddev":534.6,"var":285800.0,"ent":3.9,"data": [60,48,40,245,46,245,245,46,1500,1500,1500,674,40,40,40,40,166,1500,91,468,46,46,466,40,1500,1196,46,343,40,40,46,40]},"bins": {"c_to_s": [10,0,0,1,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,0,0,1,1,0,0,1,0],"entropies": [4.639262199,5.093094349,4.881687164,5.568202496,4.549461365,5.554956913,5.568202496,4.565872192,7.128635883,7.312258720,7.415528297,7.604400635,4.781687260,4.881687164,4.831687450,4.781687260,6.335466385,7.875119209,5.923600674,7.493732452,4.609350681,4.565872192,7.514861107,4.781687260,7.858917713,7.840357780,4.609350681,7.350516796,4.881687164,4.931686878,4.609350204,4.881687164]}} 01494{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":582,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976043814984,"flow_src_last_pkt_time":1490976046401041,"flow_dst_last_pkt_time":1490976046398896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5245,"flow_dst_tot_l4_payload_len":5794,"midstream":0,"thread_ts_usec":1490976046401041,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42130,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","server_names":"fls-na.amazon.ca,fls-na.amazon.com,fls-na.amazon.com.br,fls-na.amazon.com.mx","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=fls-na.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2F:16:23:0F:F8:49:12:18:49:55:48:DA:E6:59:D9:B3:BB:0E:41:8A"}}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":599,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976046418630,"flow_src_last_pkt_time":1490976046418630,"flow_dst_last_pkt_time":1490976046418630,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976046418630,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45680,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":599,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1490976046418630,"flow_dst_last_pkt_time":1490976046418630,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976046418630,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8dehAAEAG0QasECrYNF7ohrJwAbub2CWZAAAAAKAC\/\/+NLQAAAgQFtAQCCAoA9lBxAAAAAAEDAwg="} @@ -309,7 +309,7 @@ 01061{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":689,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976047563011,"flow_src_last_pkt_time":1490976047631468,"flow_dst_last_pkt_time":1490976047629213,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":237,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":237,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976047631468,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42143,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01116{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":693,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976047560420,"flow_src_last_pkt_time":1490976047610667,"flow_dst_last_pkt_time":1490976047664674,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1490976047664674,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54427,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","ja3":"5ee142340adf02ded757447e2ff78986","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01119{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":704,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1490976047563011,"flow_src_last_pkt_time":1490976047631468,"flow_dst_last_pkt_time":1490976047695425,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":237,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":237,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1490976047695425,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42143,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"d199ba0af2b08e204c73d6d81a1fd260","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} -01740{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":711,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976047050685,"flow_src_last_pkt_time":1490976047738970,"flow_dst_last_pkt_time":1490976047737869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":510,"flow_src_tot_l4_payload_len":18550,"flow_dst_tot_l4_payload_len":666,"midstream":0,"thread_ts_usec":1490976047738970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34034,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":114,"avg":44370.0,"max":352057,"stddev":78836.5,"var":6215196160.0,"ent":3.5,"data": [57034,58621,1781,56791,4768,135,59291,267,22886,80040,5852,71839,321,148,565,303,201,1403,296,114,67763,34752,23901,352057,295338,129,57737,650,60553,128,59805]},"pktlen": {"min":54,"avg":657.2,"max":1514,"stddev":676.9,"var":458225.8,"ent":4.2,"data": [74,62,54,313,60,60,210,54,105,820,60,564,1514,1439,1514,1514,1514,1514,1514,1514,83,60,60,60,1514,60,60,1514,1514,60,60,1514]},"bins": {"c_to_s": [4,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,11,0,0],"s_to_c": [11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02138{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":711,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976047050685,"flow_src_last_pkt_time":1490976047738970,"flow_dst_last_pkt_time":1490976047737869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":510,"flow_src_tot_l4_payload_len":18550,"flow_dst_tot_l4_payload_len":666,"midstream":0,"thread_ts_usec":1490976047738970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.24.186","src_port":34034,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":114,"avg":44370.0,"max":352057,"stddev":78836.5,"var":6215196160.0,"ent":3.5,"data": [57034,58621,1781,56791,4768,135,59291,267,22886,80040,5852,71839,321,148,565,303,201,1403,296,114,67763,34752,23901,352057,295338,129,57737,650,60553,128,59805]},"pktlen": {"min":40,"avg":643.2,"max":1500,"stddev":676.9,"var":458225.8,"ent":4.1,"data": [60,48,40,299,46,46,196,40,91,806,46,550,1500,1425,1500,1500,1500,1500,1500,1500,69,46,46,46,1500,46,46,1500,1500,46,46,1500]},"bins": {"c_to_s": [4,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,11,0,0],"s_to_c": [11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,0],"entropies": [4.705928802,5.119034290,4.831687450,5.956132412,4.565872192,4.522393703,6.373359203,4.831687450,5.346002579,7.707840443,4.565872192,7.614433289,7.881308079,7.868000031,7.843427658,7.860275269,7.859666824,7.853141308,7.878274441,7.872379303,5.651857376,4.478915691,4.522393703,4.522393703,7.860081673,4.565871716,4.565872192,7.860362053,7.853739262,4.609350681,4.609350681,7.878521442]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":719,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":56,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976047858519,"flow_src_last_pkt_time":1490976047858519,"flow_dst_last_pkt_time":1490976047858519,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976047858519,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.135","src_port":42144,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":719,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":56,"flow_packet_id":1,"flow_src_last_pkt_time":1490976047858519,"flow_dst_last_pkt_time":1490976047858519,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976047858519,"pkt":"AMDKkaPvePiC0\/vCCABFAAA84nJAAEAGasSsECrYSBXOh6SgAbtFc7NzAAAAAKAC\/\/9pQAAAAgQFtAQCCAoA9lEBAAAAAAEDAwg="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":721,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":56,"flow_packet_id":2,"flow_src_last_pkt_time":1490976047858519,"flow_dst_last_pkt_time":1490976047907178,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976047907178,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwsPFAAOcG9VBIFc6HrBAq2AG7pKCmhnFJRXOzdHASH\/6\/cgAAAgQFtAEDAwY="} @@ -372,8 +372,8 @@ 01172{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":903,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068066460,"flow_dst_last_pkt_time":1490976068061060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":221,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":221,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976068066460,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01232{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":907,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068066460,"flow_dst_last_pkt_time":1490976068174408,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":221,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":221,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1490976068174408,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01563{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":909,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":6,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068066460,"flow_dst_last_pkt_time":1490976068174770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":221,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":221,"flow_dst_tot_l4_payload_len":3330,"midstream":0,"thread_ts_usec":1490976068174770,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","server_names":"api.amazon.com,wsync.us-east-1.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com","fingerprint":"1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D"}}} -01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976064452332,"flow_src_last_pkt_time":1490976068084335,"flow_dst_last_pkt_time":1490976068174801,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":7862,"flow_dst_tot_l4_payload_len":9710,"midstream":0,"thread_ts_usec":1490976068174801,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":123,"avg":237241.0,"max":2896813,"stddev":560116.6,"var":313730662400.0,"ent":2.8,"data": [52937,67187,1048,63231,9607,59757,285,20918,462,225,155,1078,225,97487,133,7299,15901,484594,178,170,116007,306256,538314,1116565,2896813,279,153,126,123,583169,913790]},"pktlen": {"min":66,"avg":617.1,"max":1514,"stddev":665.4,"var":442821.7,"ent":4.1,"data": [74,74,66,583,66,222,66,117,1514,1514,139,1514,1514,1495,66,66,66,66,1514,1514,1223,1223,1514,1514,1514,66,78,78,78,78,66,66]},"bins": {"c_to_s": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0],"s_to_c": [7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":934,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":41,"avg":102165.5,"max":486056,"stddev":138313.6,"var":19130660864.0,"ent":3.7,"data": [92394,95354,2440,97381,1862,14105,301,61,113369,268,157,49644,132555,83310,183928,260,326122,293069,272379,138,443688,400,541,41,276469,199153,505,44,713,486056,423]},"pktlen": {"min":54,"avg":700.3,"max":1514,"stddev":682.0,"var":465082.8,"ent":4.2,"data": [74,62,54,275,60,60,1514,1514,464,54,54,54,180,105,54,1514,547,60,1514,60,60,1514,1514,1514,225,1514,1514,1514,225,1514,1514,1514]},"bins": {"c_to_s": [6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [6,1,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1]}} +02144{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976064452332,"flow_src_last_pkt_time":1490976068084335,"flow_dst_last_pkt_time":1490976068174801,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":7862,"flow_dst_tot_l4_payload_len":9710,"midstream":0,"thread_ts_usec":1490976068174801,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.216","src_port":54434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":123,"avg":237241.0,"max":2896813,"stddev":560116.6,"var":313730662400.0,"ent":2.8,"data": [52937,67187,1048,63231,9607,59757,285,20918,462,225,155,1078,225,97487,133,7299,15901,484594,178,170,116007,306256,538314,1116565,2896813,279,153,126,123,583169,913790]},"pktlen": {"min":52,"avg":603.1,"max":1500,"stddev":665.4,"var":442821.7,"ent":4.1,"data": [60,60,52,569,52,208,52,103,1500,1500,125,1500,1500,1481,52,52,52,52,1500,1500,1209,1209,1500,1500,1500,52,64,64,64,64,52,52]},"bins": {"c_to_s": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0],"s_to_c": [7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1],"entropies": [4.705928802,5.273560047,4.979098797,6.082272053,5.000318527,6.571692467,5.056022167,5.591795921,7.858945847,7.890957355,6.413620949,7.866191387,7.874218941,7.863078117,5.038779736,5.000318050,5.000318050,4.884933472,7.878181458,7.882399559,7.840240955,7.842101574,7.879061222,7.879629612,7.876855850,4.940637112,4.991729736,5.085479736,5.116729736,5.116729736,5.056022167,5.000318050]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01995{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":934,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":41,"avg":102165.5,"max":486056,"stddev":138313.6,"var":19130660864.0,"ent":3.7,"data": [92394,95354,2440,97381,1862,14105,301,61,113369,268,157,49644,132555,83310,183928,260,326122,293069,272379,138,443688,400,541,41,276469,199153,505,44,713,486056,423]},"pktlen": {"min":40,"avg":686.3,"max":1500,"stddev":682.0,"var":465082.8,"ent":4.2,"data": [60,48,40,261,46,46,1500,1500,450,40,40,40,166,91,40,1500,533,46,1500,46,46,1500,1500,1500,211,1500,1500,1500,211,1500,1500,1500]},"bins": {"c_to_s": [6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [6,1,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.672595501,5.134760857,4.731687546,5.428875923,4.609350681,4.609350204,7.207319260,7.309862137,7.406122684,4.781687260,4.831686974,4.831686974,6.560224533,5.827393532,4.734183788,7.885433197,7.643744469,4.652828693,7.886434555,4.522393703,4.462504387,7.848043919,7.856681824,7.865322113,6.980444908,7.848917007,7.856569290,7.864667892,6.965065002,7.849271774,7.848181248,7.856681824]}} 01568{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":934,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976067968666,"flow_src_last_pkt_time":1490976068790465,"flow_dst_last_pkt_time":1490976070313997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":16863,"midstream":0,"thread_ts_usec":1490976070313997,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.146","src_port":41691,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"api.amazon.com","tls": {"version":"TLSv1.2","server_names":"api.amazon.com,wsync.us-east-1.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=api.amazon.com","fingerprint":"1D:A3:CD:C3:06:9E:9B:A0:61:1E:1A:75:55:C1:A8:B0:DC:F8:75:2D"}}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":958,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976071237623,"flow_src_last_pkt_time":1490976071237623,"flow_dst_last_pkt_time":1490976071237623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976071237623,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49606,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":958,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":66,"flow_packet_id":1,"flow_src_last_pkt_time":1490976071237623,"flow_dst_last_pkt_time":1490976071237623,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976071237623,"pkt":"AMDKkaPvePiC0\/vCCABFAAA870hAAEAGV6asECrYNF7ohsHGAFAgR7VrAAAAAKAC\/\/9hTwAAAgQFtAQCCAoA9lojAAAAAAEDAwg="} @@ -538,7 +538,7 @@ 01064{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1324,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":91,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976089227335,"flow_src_last_pkt_time":1490976090192268,"flow_dst_last_pkt_time":1490976090038424,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976090192268,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45714,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01064{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1325,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":1,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976090192765,"flow_dst_last_pkt_time":1490976090038470,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976090192765,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01327{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1327,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":93,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976089426961,"flow_src_last_pkt_time":1490976090196942,"flow_dst_last_pkt_time":1490976090038290,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":996,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":996,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976090196942,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":49630,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.AmazonAlexa","proto_id":"7.110","encrypted":0,"breed":"Acceptable","category_id":32,"category":"VirtAssistant","hostname":"alexa.amazon.com","http": {"url":"alexa.amazon.com\/lib\/bootstrap\/img\/glyphicons-halflings.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; LGLS751 Build\/LMY47V; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/56.0.2924.87 Mobile Safari\/537.36 PitanguiBridge\/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]","detected_os":"Android 5.1.1"}}} -01867{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1328,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":80,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976085644885,"flow_src_last_pkt_time":1490976090198099,"flow_dst_last_pkt_time":1490976090039279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":8230,"flow_dst_tot_l4_payload_len":2302,"midstream":0,"thread_ts_usec":1490976090198099,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45703,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":65,"avg":288632.5,"max":1569527,"stddev":416979.2,"var":173871693824.0,"ent":3.7,"data": [325447,332868,307,247719,185,241306,284,257,23807,287,429915,65,1569527,1485936,352980,706902,73800,283,358821,365,256619,3724,240,956217,948562,95336,235551,1125,68,275387,23718]},"pktlen": {"min":54,"avg":385.1,"max":1514,"stddev":516.0,"var":266233.0,"ent":4.0,"data": [74,62,54,293,139,107,54,54,113,1514,188,60,60,188,60,731,54,1514,252,60,539,54,1514,220,539,54,1514,60,571,60,54,1514]},"bins": {"c_to_s": [8,1,0,0,2,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,0,0]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02264{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1328,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":80,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1490976085644885,"flow_src_last_pkt_time":1490976090198099,"flow_dst_last_pkt_time":1490976090039279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":8230,"flow_dst_tot_l4_payload_len":2302,"midstream":0,"thread_ts_usec":1490976090198099,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45703,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":65,"avg":288632.5,"max":1569527,"stddev":416979.2,"var":173871693824.0,"ent":3.7,"data": [325447,332868,307,247719,185,241306,284,257,23807,287,429915,65,1569527,1485936,352980,706902,73800,283,358821,365,256619,3724,240,956217,948562,95336,235551,1125,68,275387,23718]},"pktlen": {"min":40,"avg":371.1,"max":1500,"stddev":516.0,"var":266233.0,"ent":3.9,"data": [60,48,40,279,125,93,40,40,99,1500,174,46,46,174,46,717,40,1500,238,46,525,40,1500,206,525,40,1500,46,557,46,40,1500]},"bins": {"c_to_s": [8,1,0,0,2,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,0,0],"entropies": [4.705928802,5.176427841,4.831686974,5.818729401,6.126292229,6.106202126,4.781687737,4.781687260,5.941904068,7.857767582,6.910596848,4.609350204,4.462504387,6.922091484,4.565871716,7.688728809,4.831687450,7.879225254,7.100984097,4.652828693,7.572484970,4.831687450,7.874036789,7.033442974,7.572484970,4.831687450,7.874202251,4.652828693,7.581998825,4.652828693,4.731687546,7.891161442]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01229{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1343,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":92,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1490976089239508,"flow_src_last_pkt_time":1490976090191085,"flow_dst_last_pkt_time":1490976090313083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976090313083,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45715,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} 01229{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1345,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976090210793,"flow_dst_last_pkt_time":1490976090313160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976090313160,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} 01229{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1346,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":91,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1490976089227335,"flow_src_last_pkt_time":1490976090192268,"flow_dst_last_pkt_time":1490976090313192,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976090313192,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45714,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} @@ -562,10 +562,10 @@ 01077{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1443,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976090991595,"flow_src_last_pkt_time":1490976091163513,"flow_dst_last_pkt_time":1490976091160874,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":215,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":215,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976091163513,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"s3-external-2.amazonaws.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1449,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packet_id":2,"flow_src_last_pkt_time":1490976091048429,"flow_dst_last_pkt_time":1490976091217295,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976091217295,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA0Sq8AACcG8u0250hYrBAq2AG7o117lZ8zZBSwSYAS\/\/89vAAAAgQFmAMDCAEEAgEB"} 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1450,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":97,"flow_packet_id":3,"flow_src_last_pkt_time":1490976091219669,"flow_dst_last_pkt_time":1490976091217295,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976091219669,"pkt":"AMDKkaPvePiC0\/vCCABFAAAo0alAAEAGEv+sECrYNudIWKNdAbtkFLBJe5WfNFAQAVeEFQAA"} -01870{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1452,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":87,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976088631582,"flow_src_last_pkt_time":1490976090996390,"flow_dst_last_pkt_time":1490976091223863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1093,"flow_src_tot_l4_payload_len":7259,"flow_dst_tot_l4_payload_len":2355,"midstream":0,"thread_ts_usec":1490976091223863,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45710,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":159906.1,"max":1191626,"stddev":282043.2,"var":79548358656.0,"ent":3.5,"data": [214415,219069,3661,1161828,1191626,138,43,75944,170423,352,118993,9705,7936,105518,89968,79074,135403,22399,255382,307,202303,1216,199697,125,147,204784,30,11403,221917,129,253154]},"pktlen": {"min":54,"avg":357.0,"max":1514,"stddev":486.7,"var":236894.1,"ent":4.0,"data": [74,62,54,293,293,60,139,107,54,60,192,54,113,1514,60,220,60,60,1147,1514,268,60,555,1514,284,176,60,60,539,1514,204,60]},"bins": {"c_to_s": [4,1,0,1,1,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [10,1,1,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,1,0,0,0,1,0,1,1,1,0,0,1,1,0,0,0,1,1,1,0,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02267{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1452,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":87,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976088631582,"flow_src_last_pkt_time":1490976090996390,"flow_dst_last_pkt_time":1490976091223863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1093,"flow_src_tot_l4_payload_len":7259,"flow_dst_tot_l4_payload_len":2355,"midstream":0,"thread_ts_usec":1490976091223863,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45710,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":159906.1,"max":1191626,"stddev":282043.2,"var":79548358656.0,"ent":3.5,"data": [214415,219069,3661,1161828,1191626,138,43,75944,170423,352,118993,9705,7936,105518,89968,79074,135403,22399,255382,307,202303,1216,199697,125,147,204784,30,11403,221917,129,253154]},"pktlen": {"min":40,"avg":343.0,"max":1500,"stddev":486.7,"var":236894.1,"ent":3.9,"data": [60,48,40,279,279,46,125,93,40,46,178,40,99,1500,46,206,46,46,1133,1500,254,46,541,1500,270,162,46,46,525,1500,190,46]},"bins": {"c_to_s": [4,1,0,1,1,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [10,1,1,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,1,0,0,0,1,0,1,1,1,0,0,1,1,0,0,0,1,1,1,0,0,1],"entropies": [4.672595501,5.134761333,4.762815475,5.883847237,5.876678944,4.609350204,6.148330688,5.967529297,4.712815285,4.565871716,6.521196365,4.662815094,5.915507793,7.852227211,4.565872192,6.894952297,4.565871716,4.565871716,7.832350731,7.860533714,7.115900993,4.609350204,7.520314217,7.876235962,7.163622856,6.629608631,4.522393703,4.609350204,7.614107132,7.867299557,6.817775249,4.609350204]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01133{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1454,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976090991595,"flow_src_last_pkt_time":1490976091163513,"flow_dst_last_pkt_time":1490976091345211,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":215,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":215,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1490976091345211,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"s3-external-2.amazonaws.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01549{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1456,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":96,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976090991595,"flow_src_last_pkt_time":1490976091163513,"flow_dst_last_pkt_time":1490976091346214,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":215,"flow_dst_max_l4_payload_len":1432,"flow_src_tot_l4_payload_len":215,"flow_dst_tot_l4_payload_len":2727,"midstream":0,"thread_ts_usec":1490976091346214,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.231.72.88","src_port":41820,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"s3-external-2.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"s3-external-1.amazonaws.com,*.s3-external-1.amazonaws.com,s3-external-2.amazonaws.com,*.s3-external-2.amazonaws.com,*.s3.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"ea615e28cb25adfb2f261151eab3314f","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert Baltimore CA-2 G2","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com Inc., CN=*.s3-external-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"C0:51:D8:FA:6B:58:94:F2:3E:4E:7D:B2:36:5F:02:E4:F0:3F:54:FF"}}} -01870{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1486,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976092170541,"flow_dst_last_pkt_time":1490976092236982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":661,"flow_src_tot_l4_payload_len":8342,"flow_dst_tot_l4_payload_len":1817,"midstream":0,"thread_ts_usec":1490976092236982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":69,"avg":209393.8,"max":1080313,"stddev":303367.1,"var":92031574016.0,"ent":3.7,"data": [1005698,1080313,210230,18680,169715,18028,104975,95,107187,277,11694,34788,143,215183,306,69,21708,195595,278,202797,728,212905,264,205823,10952,236264,754701,277,888900,405375,377261]},"pktlen": {"min":54,"avg":374.5,"max":1514,"stddev":516.5,"var":266795.3,"ent":3.9,"data": [74,74,62,54,293,62,54,139,107,54,54,113,1514,268,60,60,60,555,1514,220,60,715,1514,252,60,571,54,1514,220,60,1514,60]},"bins": {"c_to_s": [7,1,0,0,0,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02267{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1486,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":89,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976088958157,"flow_src_last_pkt_time":1490976092170541,"flow_dst_last_pkt_time":1490976092236982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":661,"flow_src_tot_l4_payload_len":8342,"flow_dst_tot_l4_payload_len":1817,"midstream":0,"thread_ts_usec":1490976092236982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45712,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":69,"avg":209393.8,"max":1080313,"stddev":303367.1,"var":92031574016.0,"ent":3.7,"data": [1005698,1080313,210230,18680,169715,18028,104975,95,107187,277,11694,34788,143,215183,306,69,21708,195595,278,202797,728,212905,264,205823,10952,236264,754701,277,888900,405375,377261]},"pktlen": {"min":40,"avg":360.5,"max":1500,"stddev":516.5,"var":266795.3,"ent":3.8,"data": [60,60,48,40,279,48,40,125,93,40,40,99,1500,254,46,46,46,541,1500,206,46,701,1500,238,46,557,40,1500,206,46,1500,46]},"bins": {"c_to_s": [7,1,0,0,0,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1],"entropies": [4.693347454,4.647432327,5.119034290,4.831686974,5.881499290,5.077367306,4.881687164,6.046293259,6.063190460,4.781687260,4.881687164,5.804432392,7.875989437,7.151407242,4.652828693,4.565872192,4.609350681,7.607057095,7.888786316,6.953813553,4.652828693,7.704366207,7.873492241,7.130478382,4.609350204,7.637624264,4.881687164,7.872291088,6.858013630,4.501398087,7.871377945,4.522393703]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976093238253,"flow_src_last_pkt_time":1490976093238253,"flow_dst_last_pkt_time":1490976093238253,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976093238253,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_packet_id":1,"flow_src_last_pkt_time":1490976093238253,"flow_dst_last_pkt_time":1490976093238253,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1490976093238253,"pkt":"AMDKkaPvePiC0\/vCCABFAABEWltAAEARM1SsECrYrBAqAaKnADUAMOTtwQkBAAABAAAAAAAAC2RwLWd3LW5hLWpzBmFtYXpvbgNjb20AAAEAAQ=="} 01011{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1492,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":98,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976093238253,"flow_src_last_pkt_time":1490976093238253,"flow_dst_last_pkt_time":1490976093238253,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976093238253,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41639,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"dp-gw-na-js.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -631,12 +631,12 @@ 01560{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1679,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976107365814,"flow_src_last_pkt_time":1490976107479024,"flow_dst_last_pkt_time":1490976107577887,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":2695,"midstream":0,"thread_ts_usec":1490976107577887,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}} 01560{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1689,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":104,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976107365068,"flow_src_last_pkt_time":1490976107486585,"flow_dst_last_pkt_time":1490976107622246,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":2695,"midstream":0,"thread_ts_usec":1490976107622246,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40853,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}} 01560{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1693,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976107455953,"flow_src_last_pkt_time":1490976107514712,"flow_dst_last_pkt_time":1490976107625580,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":2695,"midstream":0,"thread_ts_usec":1490976107625580,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","server_names":"skills-store.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=skills-store.amazon.com","alpn":"h2,http\/1.1","fingerprint":"2A:40:0E:E9:9A:EC:7C:0D:40:AA:C9:C5:66:67:00:B8:3E:90:DC:B2"}}} -01844{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1748,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976107455953,"flow_src_last_pkt_time":1490976108033189,"flow_dst_last_pkt_time":1490976108034115,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2227,"flow_dst_tot_l4_payload_len":13907,"midstream":0,"thread_ts_usec":1490976108034115,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":48,"avg":37270.9,"max":325585,"stddev":74532.9,"var":5555151872.0,"ent":3.0,"data": [55943,57350,1409,113314,370,112296,148,3166,65706,1386,70006,242,85334,246615,142,48,84,325585,285,3839,797,233,347,98,286,299,648,356,1116,6749,1201]},"pktlen": {"min":54,"avg":559.4,"max":1514,"stddev":489.8,"var":239933.9,"ent":4.4,"data": [74,62,54,265,1514,1289,54,54,380,60,113,1514,284,60,1035,603,603,603,54,54,1514,1514,755,1115,603,603,603,603,603,603,54,603]},"bins": {"c_to_s": [7,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02242{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1748,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":107,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1490976107455953,"flow_src_last_pkt_time":1490976108033189,"flow_dst_last_pkt_time":1490976108034115,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2227,"flow_dst_tot_l4_payload_len":13907,"midstream":0,"thread_ts_usec":1490976108034115,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40856,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":48,"avg":37270.9,"max":325585,"stddev":74532.9,"var":5555151872.0,"ent":3.0,"data": [55943,57350,1409,113314,370,112296,148,3166,65706,1386,70006,242,85334,246615,142,48,84,325585,285,3839,797,233,347,98,286,299,648,356,1116,6749,1201]},"pktlen": {"min":40,"avg":545.4,"max":1500,"stddev":489.8,"var":239933.9,"ent":4.4,"data": [60,48,40,251,1500,1275,40,40,366,46,99,1500,270,46,1021,589,589,589,40,40,1500,1500,741,1101,589,589,589,589,589,589,40,589]},"bins": {"c_to_s": [7,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,1],"entropies": [4.617588520,5.160700798,4.812815189,5.608482361,7.251046658,7.253318787,4.881687164,4.881687164,7.319745541,4.609350204,6.071163177,7.874879360,7.157014847,4.609350681,7.805180550,7.654304981,7.622537136,7.647720337,4.881687164,4.831687450,7.897753239,7.890997410,7.726983070,7.812017441,7.596513748,7.640295982,7.658002377,7.630609512,7.630146980,7.583954334,4.881687164,7.691880703]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1812,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packet_id":2,"flow_src_last_pkt_time":1490976108360248,"flow_dst_last_pkt_time":1490976107366817,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976108360248,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8yY9AAEAGRVisECrYNu8d\/Z+XAbtod6HOAAAAAKAC\/\/8G+AAAAgQFtAQCCAoA9mikAAAAAAEDAwg="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1813,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":106,"flow_packet_id":3,"flow_src_last_pkt_time":1490976108360248,"flow_dst_last_pkt_time":1490976108548394,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976108548394,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwt7hAAOcGsDo27x39rBAq2AG7n5d09wMmaHehz3ASH\/4UgAAAAgQFtAEDAwY="} -01849{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1830,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976107365814,"flow_src_last_pkt_time":1490976108753694,"flow_dst_last_pkt_time":1490976108749413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5131,"flow_dst_tot_l4_payload_len":7946,"midstream":0,"thread_ts_usec":1490976108753694,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":89402.5,"max":932653,"stddev":197976.2,"var":39194591232.0,"ent":3.0,"data": [109911,111642,1568,102004,158,101584,303,1866,56194,150,87519,19070,7646,147913,304065,639361,932653,32742,136,49,686,68,38,318,579,110731,248,1820,214,123,120]},"pktlen": {"min":54,"avg":464.1,"max":1514,"stddev":541.5,"var":293230.8,"ent":4.1,"data": [74,62,54,265,1514,1289,54,54,380,60,113,54,1514,268,60,1514,1514,60,1035,603,603,603,603,603,1483,91,54,54,54,54,54,54]},"bins": {"c_to_s": [11,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01896{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1838,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":88,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1490976088937719,"flow_src_last_pkt_time":1490976109911223,"flow_dst_last_pkt_time":1490976110045165,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":901,"flow_src_tot_l4_payload_len":10414,"flow_dst_tot_l4_payload_len":1844,"midstream":0,"thread_ts_usec":1490976110045165,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45711,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":138,"avg":1357450.1,"max":9247029,"stddev":2197151.2,"var":4827473510400.0,"ent":3.5,"data": [992408,1100523,1068,243574,812,17238,3008616,6019841,9247029,138,67248,300,303,66691,669495,281,275185,528033,1079938,2835215,349963,114629,72089,219293,5051089,276,5193864,64990,174211,2275400,2411210]},"pktlen": {"min":54,"avg":439.8,"max":1514,"stddev":556.2,"var":309356.4,"ent":4.0,"data": [74,74,62,62,54,54,293,293,293,139,107,54,54,113,60,1514,1132,1514,1514,1514,60,1132,60,955,54,1514,236,60,859,54,54,60]},"bins": {"c_to_s": [9,1,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,1,0,1,1,0,0,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1855,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":32,"avg":770379.9,"max":19096185,"stddev":3357549.8,"var":11273140961280.0,"ent":1.4,"data": [123577,127990,5388,470526,584,630,42,1232537,1463,5048,697,664,10016,973197,496,53,32,190922,73204,348,171867,142,116971,408177,413652,66693,140934,83299,138,166304,19096185]},"pktlen": {"min":54,"avg":281.5,"max":1514,"stddev":412.9,"var":170449.2,"ent":4.0,"data": [74,62,54,246,60,1514,1514,536,246,246,54,54,54,180,60,60,60,99,54,1514,290,60,212,118,292,247,246,60,60,272,54,356]},"bins": {"c_to_s": [7,0,1,1,0,0,5,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [8,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,0,0,1,1,1,0,0]}} +02247{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1830,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976107365814,"flow_src_last_pkt_time":1490976108753694,"flow_dst_last_pkt_time":1490976108749413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5131,"flow_dst_tot_l4_payload_len":7946,"midstream":0,"thread_ts_usec":1490976108753694,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40854,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":89402.5,"max":932653,"stddev":197976.2,"var":39194591232.0,"ent":3.0,"data": [109911,111642,1568,102004,158,101584,303,1866,56194,150,87519,19070,7646,147913,304065,639361,932653,32742,136,49,686,68,38,318,579,110731,248,1820,214,123,120]},"pktlen": {"min":40,"avg":450.1,"max":1500,"stddev":541.5,"var":293230.8,"ent":4.0,"data": [60,48,40,251,1500,1275,40,40,366,46,99,40,1500,254,46,1500,1500,46,1021,589,589,589,589,589,1469,77,40,40,40,40,40,40]},"bins": {"c_to_s": [11,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0],"entropies": [4.660013676,5.218094349,4.762815475,5.646678925,7.241643429,7.258272171,4.781687260,4.831686974,7.252469063,4.652828693,6.063538551,4.881687164,7.878282547,7.156798363,4.522393703,7.878647804,7.879301548,4.652828693,7.771139622,7.614057541,7.658779144,7.663974285,7.639388084,7.634205341,7.870131969,5.701726913,4.831686974,4.831687450,4.881687164,4.831686974,4.881687164,4.881687164]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02293{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1838,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":88,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1490976088937719,"flow_src_last_pkt_time":1490976109911223,"flow_dst_last_pkt_time":1490976110045165,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":901,"flow_src_tot_l4_payload_len":10414,"flow_dst_tot_l4_payload_len":1844,"midstream":0,"thread_ts_usec":1490976110045165,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45711,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":138,"avg":1357450.1,"max":9247029,"stddev":2197151.2,"var":4827473510400.0,"ent":3.5,"data": [992408,1100523,1068,243574,812,17238,3008616,6019841,9247029,138,67248,300,303,66691,669495,281,275185,528033,1079938,2835215,349963,114629,72089,219293,5051089,276,5193864,64990,174211,2275400,2411210]},"pktlen": {"min":40,"avg":425.8,"max":1500,"stddev":556.2,"var":309356.4,"ent":3.9,"data": [60,60,48,48,40,40,279,279,279,125,93,40,40,99,46,1500,1118,1500,1500,1500,46,1118,46,941,40,1500,222,46,845,40,40,46]},"bins": {"c_to_s": [9,1,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,1,0,1,1,0,0,0,1,1,0,0,1],"entropies": [4.705928802,4.705928802,5.160700798,5.077367783,4.881687164,4.881687164,5.840246201,5.847414970,5.847414970,6.003486633,5.947547913,4.693943024,4.831686974,6.024143219,4.609350204,7.869801998,7.823491096,7.871860504,7.870593548,7.871356964,4.565872192,7.822906017,4.609350204,7.791450024,4.681686878,7.872803211,6.941987991,4.652828693,7.739228249,4.881687164,4.931686878,4.544876575]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01996{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1855,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":32,"avg":770379.9,"max":19096185,"stddev":3357549.8,"var":11273140961280.0,"ent":1.4,"data": [123577,127990,5388,470526,584,630,42,1232537,1463,5048,697,664,10016,973197,496,53,32,190922,73204,348,171867,142,116971,408177,413652,66693,140934,83299,138,166304,19096185]},"pktlen": {"min":40,"avg":267.5,"max":1500,"stddev":412.9,"var":170449.2,"ent":3.9,"data": [60,48,40,232,46,1500,1500,522,232,232,40,40,40,166,46,46,46,85,40,1500,276,46,198,104,278,233,232,46,46,258,40,342]},"bins": {"c_to_s": [7,0,1,1,0,0,5,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [8,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,0,0,1,1,1,0,0],"entropies": [4.739262104,5.134761333,4.812815189,5.509502888,4.565871716,7.166137695,7.318473339,7.577383041,5.500881672,5.500882149,4.831686974,4.881687164,4.734184265,6.340515137,4.501398087,4.501398087,4.835486889,5.641122818,4.831686974,7.860523701,7.242097378,4.462505341,6.761913776,6.045580387,7.062158108,7.012423515,6.904469013,4.522393703,4.565872192,7.040098190,4.831687450,7.286717415]}} 01664{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1855,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":99,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976093358419,"flow_src_last_pkt_time":1490976114866501,"flow_dst_last_pkt_time":1490976095732113,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3149,"flow_dst_tot_l4_payload_len":4067,"midstream":0,"thread_ts_usec":1490976114866501,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"176.32.101.52","src_port":44001,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"dp-gw-na-js.amazon.com","tls": {"version":"TLSv1.2","server_names":"dp-gw-na.amazon.com,dp-gw-na-js.amazon.com,dp-gw-na.amazon.co.uk,dp-gw-na.amazon.de,dp-gw-na.amazon.co.jp,dp-gw-na.amazon.in","ja3":"731bcada65b0a6f850bada3bdcd716d1","ja3s":"fbe78c619e7ea20046131294ad087f05","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=dp-gw-na.amazon.com","fingerprint":"27:E5:06:34:82:69:BC:97:5E:28:A3:C1:5A:23:81:C7:E3:28:95:8C"}}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1856,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":108,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976114879774,"flow_src_last_pkt_time":1490976114879774,"flow_dst_last_pkt_time":1490976114879774,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976114879774,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":20922,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1856,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":108,"flow_packet_id":1,"flow_src_last_pkt_time":1490976114879774,"flow_dst_last_pkt_time":1490976114879774,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1490976114879774,"pkt":"AMDKkaPvePiC0\/vCCABFAABBWl1AAEARM1WsECrYrBAqAVG6ADUALQ0pp4sBAAABAAAAAAAACHBpdGFuZ3VpBmFtYXpvbgNjb20AAAEAAQ=="} @@ -739,14 +739,14 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2055,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":124,"flow_packet_id":2,"flow_src_last_pkt_time":1490976134149854,"flow_dst_last_pkt_time":1490976134237090,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976134237090,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAPIGPkc0VD84rBAq2ABQyxaJEqCkMupghaAScSCurAAAAgQFtAQCCAps+nR5APZytgEDAwg="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2056,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":124,"flow_packet_id":3,"flow_src_last_pkt_time":1490976134238394,"flow_dst_last_pkt_time":1490976134237090,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976134238394,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0EjNAAEAG3hysECrYNFQ\/OMsWAFAy6mCFiRKgpYAQAVdNOgAAAQEICgD2cr9s+nR5"} 01314{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2057,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":124,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976134149854,"flow_src_last_pkt_time":1490976134239068,"flow_dst_last_pkt_time":1490976134237090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":547,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976134239068,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51990,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ecx.images-amazon.com","http": {"url":"ecx.images-amazon.com\/images\/I\/612xlaOI2NL._SL210_QL95_.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; LGLS751 Build\/LMY47V; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/56.0.2924.87 Mobile Safari\/537.36 PitanguiBridge\/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]","detected_os":"Android 5.1.1"}}} -01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2177,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":120,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976134141916,"flow_src_last_pkt_time":1490976134949644,"flow_dst_last_pkt_time":1490976134943908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":15770,"midstream":0,"thread_ts_usec":1490976134949644,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51986,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":121,"avg":51926.5,"max":295198,"stddev":97638.1,"var":9533208576.0,"ent":3.0,"data": [57953,60331,1632,154699,385,386,415,483,524,207,360,156722,299,4146,127,3380,248,131,172,143,126,121,6987,268261,295198,18253,286273,480,356,286588,4334]},"pktlen": {"min":66,"avg":611.0,"max":1514,"stddev":635.8,"var":404189.9,"ent":4.2,"data": [74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,66,66,1514,441,66,66,66,66,66,66,66,613,613,441,78,606,1514,1514,66,66]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02123{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2177,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":120,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1490976134141916,"flow_src_last_pkt_time":1490976134949644,"flow_dst_last_pkt_time":1490976134943908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":15770,"midstream":0,"thread_ts_usec":1490976134949644,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51986,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":121,"avg":51926.5,"max":295198,"stddev":97638.1,"var":9533208576.0,"ent":3.0,"data": [57953,60331,1632,154699,385,386,415,483,524,207,360,156722,299,4146,127,3380,248,131,172,143,126,121,6987,268261,295198,18253,286273,480,356,286588,4334]},"pktlen": {"min":52,"avg":597.0,"max":1500,"stddev":635.8,"var":404189.9,"ent":4.1,"data": [60,60,52,599,52,1500,1500,1500,1500,1500,1500,1500,52,52,1500,427,52,52,52,52,52,52,52,599,599,427,64,592,1500,1500,52,52]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0],"entropies": [4.650922298,5.231404781,5.038780212,6.035903931,5.085056305,7.148868561,7.815765381,7.846660614,7.867961407,7.834940910,7.842315674,7.841011524,5.000318527,5.038780212,7.824505806,6.526866436,5.038780212,5.038780212,5.038780212,5.000318527,5.000318527,5.000318527,5.000318527,6.008402348,6.008402348,6.531550407,5.026865005,5.889882088,7.468186855,7.750551224,5.038780212,5.038780212]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2236,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976136930982,"flow_dst_last_pkt_time":1490976136930982,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976136930982,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2236,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_packet_id":1,"flow_src_last_pkt_time":1490976136930982,"flow_dst_last_pkt_time":1490976136930982,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976136930982,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8bqFAAEAGoEasECrYNu8d\/Z+nAbuZbx1qAAAAAKAC\/\/9PLQAAAgQFtAQCCAoA9nPLAAAAAAEDAwg="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2237,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_packet_id":2,"flow_src_last_pkt_time":1490976136930982,"flow_dst_last_pkt_time":1490976137042055,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976137042055,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAwrQVAAOcGuu027x39rBAq2AG7n6dEArKimW8da3ASH\/7pVAAAAgQFtAEDAwY="} 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2238,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_packet_id":3,"flow_src_last_pkt_time":1490976137043334,"flow_dst_last_pkt_time":1490976137042055,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976137043334,"pkt":"AMDKkaPvePiC0\/vCCABFAAAobqJAAEAGoFmsECrYNu8d\/Z+nAbuZbx1rRAKyo1AQAVczxgAA"} 01069{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2239,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976137044165,"flow_dst_last_pkt_time":1490976137042055,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976137044165,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01234{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2241,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976137044165,"flow_dst_last_pkt_time":1490976137222092,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976137222092,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"skills-store.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} -01853{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2267,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976138976244,"flow_dst_last_pkt_time":1490976139259019,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":6666,"flow_dst_tot_l4_payload_len":5757,"midstream":0,"thread_ts_usec":1490976139259019,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":141074.2,"max":1107068,"stddev":256640.3,"var":65864265728.0,"ent":3.2,"data": [111073,112352,831,179894,143,45,179940,2913,265,3255,516,135136,162,170164,502171,1107068,16816,231,180,41,28,24,706579,352,9657,355942,325,629177,147816,149,54]},"pktlen": {"min":54,"avg":444.0,"max":1514,"stddev":555.4,"var":308431.6,"ent":4.0,"data": [74,62,54,297,60,139,107,54,54,113,1514,300,60,60,1514,1514,60,1514,135,1514,167,443,91,54,54,54,1514,332,60,1035,603,603]},"bins": {"c_to_s": [7,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [6,2,2,1,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02250{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2267,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":125,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976136930982,"flow_src_last_pkt_time":1490976138976244,"flow_dst_last_pkt_time":1490976139259019,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":6666,"flow_dst_tot_l4_payload_len":5757,"midstream":0,"thread_ts_usec":1490976139259019,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":141074.2,"max":1107068,"stddev":256640.3,"var":65864265728.0,"ent":3.2,"data": [111073,112352,831,179894,143,45,179940,2913,265,3255,516,135136,162,170164,502171,1107068,16816,231,180,41,28,24,706579,352,9657,355942,325,629177,147816,149,54]},"pktlen": {"min":40,"avg":430.0,"max":1500,"stddev":555.4,"var":308431.6,"ent":4.0,"data": [60,48,40,283,46,125,93,40,40,99,1500,286,46,46,1500,1500,46,1500,121,1500,153,429,77,40,40,40,1500,318,46,1021,589,589]},"bins": {"c_to_s": [7,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [6,2,2,1,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1],"entropies": [4.672595501,5.093094349,4.831687450,5.938469410,4.522393703,6.167151451,6.033568382,4.831686974,4.881687164,6.044344425,7.863042355,7.143759251,4.522394180,4.565872192,7.864801884,7.864607811,4.565872192,7.861513138,6.401272774,7.883206367,6.629675865,7.515489578,5.831597805,4.781687260,4.831687450,4.712815285,7.866571903,7.334980965,4.565871716,7.784813404,7.636542797,7.660583019]},"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2274,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976139642766,"flow_src_last_pkt_time":1490976139642766,"flow_dst_last_pkt_time":1490976139642766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976139642766,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51992,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2274,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_packet_id":1,"flow_src_last_pkt_time":1490976139642766,"flow_dst_last_pkt_time":1490976139642766,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976139642766,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8ooBAAEAGTcesECrYNFQ\/OMsYAFAytNZaAAAAAKAC\/\/+zQgAAAgQFtAQCCAoA9nTaAAAAAAEDAwg="} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2275,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":127,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976139643137,"flow_src_last_pkt_time":1490976139643137,"flow_dst_last_pkt_time":1490976139643137,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976139643137,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51993,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -777,7 +777,7 @@ 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2295,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":131,"flow_packet_id":2,"flow_src_last_pkt_time":1490976139643974,"flow_dst_last_pkt_time":1490976139711656,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976139711656,"pkt":"ePiC0\/vCAMDKkVoBCABFAAA8AABAAPIGPkc0VD84rBAq2ABQyx1XQZuRlNdGa6AScSCQFAAAAgQFtAQCCAps+n\/1APZ03AEDAwg="} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2296,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":131,"flow_packet_id":3,"flow_src_last_pkt_time":1490976139713700,"flow_dst_last_pkt_time":1490976139711656,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490976139713700,"pkt":"AMDKkaPvePiC0\/vCCABFAAA0MrdAAEAGvZisECrYNFQ\/OMsdAFCU10ZrV0GbkoAQAVcupAAAAQEICgD2dONs+n\/1"} 01314{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2297,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":131,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976139643974,"flow_src_last_pkt_time":1490976139714237,"flow_dst_last_pkt_time":1490976139711656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":547,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976139714237,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51997,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ecx.images-amazon.com","http": {"url":"ecx.images-amazon.com\/images\/I\/61Tfp7ZVcoL._SL210_QL95_.png","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Linux; Android 5.1.1; LGLS751 Build\/LMY47V; wv) AppleWebKit\/537.36 (KHTML, like Gecko) Version\/4.0 Chrome\/56.0.2924.87 Mobile Safari\/537.36 PitanguiBridge\/1.16.4.5-[MANUFACTURER=LGE][RELEASE=5.1.1][BRAND=lge][SDK=22][MODEL=LGLS751]","detected_os":"Android 5.1.1"}}} -01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2425,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":129,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976139643559,"flow_src_last_pkt_time":1490976140004854,"flow_dst_last_pkt_time":1490976140002371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1094,"flow_dst_tot_l4_payload_len":21002,"midstream":0,"thread_ts_usec":1490976140004854,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51995,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":45,"avg":23229.3,"max":179149,"stddev":43867.1,"var":1924322304.0,"ent":3.1,"data": [31287,34141,578,113361,46407,49,49,50,45,46,11194,1598,7176,179149,121,126,120,120,142,3369,257,407,4520,99192,277,120761,46881,156,255,789,17484]},"pktlen": {"min":66,"avg":757.4,"max":1514,"stddev":681.3,"var":464196.8,"ent":4.3,"data": [74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,1237,1237,66,66,66,66,66,66,66,66,78,613,1514,1514,66,1514,1350,1514,1514,66]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02121{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2425,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":129,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976139643559,"flow_src_last_pkt_time":1490976140004854,"flow_dst_last_pkt_time":1490976140002371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1094,"flow_dst_tot_l4_payload_len":21002,"midstream":0,"thread_ts_usec":1490976140004854,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51995,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":45,"avg":23229.3,"max":179149,"stddev":43867.1,"var":1924322304.0,"ent":3.1,"data": [31287,34141,578,113361,46407,49,49,50,45,46,11194,1598,7176,179149,121,126,120,120,142,3369,257,407,4520,99192,277,120761,46881,156,255,789,17484]},"pktlen": {"min":52,"avg":743.4,"max":1500,"stddev":681.3,"var":464196.8,"ent":4.3,"data": [60,60,52,599,52,1500,1500,1500,1500,1500,1500,1500,1223,1223,52,52,52,52,52,52,52,52,64,599,1500,1500,52,1500,1336,1500,1500,52]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,0],"entropies": [4.684255600,5.264738083,4.815825462,5.981299400,4.959492683,7.149340153,7.740746498,7.612607002,7.631985664,7.692628384,7.667311668,7.729136467,7.507924080,7.508758068,5.115703106,5.000318050,5.077241421,5.062724590,5.115703106,5.077241421,5.077241421,5.077241421,5.163660049,6.000374794,7.141010284,7.761897087,5.115703106,7.808045864,7.811527252,7.791535378,7.807326794,4.955154419]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00913{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976041150466,"flow_src_last_pkt_time":1490976041150466,"flow_dst_last_pkt_time":1490976041151487,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":53,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":53,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":54886,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00878{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1490976027958387,"flow_src_last_pkt_time":1490976030758514,"flow_dst_last_pkt_time":1490976027958387,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.1","dst_ip":"172.16.42.216","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00929{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976031581495,"flow_src_last_pkt_time":1490976031581495,"flow_dst_last_pkt_time":1490976031687199,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":34,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":34,"flow_dst_max_l4_payload_len":73,"flow_src_tot_l4_payload_len":34,"flow_dst_tot_l4_payload_len":73,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":41030,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AmazonAlexa","proto_id":"5.110","encrypted":0,"breed":"Acceptable","category_id":32,"category":"VirtAssistant"}} @@ -794,7 +794,7 @@ 00915{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976029184743,"flow_src_last_pkt_time":1490976029184743,"flow_dst_last_pkt_time":1490976029244910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":161,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":161,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":48155,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976030681470,"flow_src_last_pkt_time":1490976030681470,"flow_dst_last_pkt_time":1490976030890027,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":7358,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00913{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2438,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976029669574,"flow_src_last_pkt_time":1490976029669574,"flow_dst_last_pkt_time":1490976029753315,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":84,"midstream":0,"thread_ts_usec":1490976140054622,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":19967,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} -01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2440,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976139642766,"flow_src_last_pkt_time":1490976140230625,"flow_dst_last_pkt_time":1490976140359077,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":18414,"midstream":0,"thread_ts_usec":1490976140359077,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51992,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":42070.0,"max":510931,"stddev":110064.9,"var":12114281472.0,"ent":2.5,"data": [24956,26298,431,110222,135,214,308,354,363,1114,487,409,385,114928,244,126,125,3452,97,26252,252,149,120,119,152,4719,62468,45133,368811,510931,416]},"pktlen": {"min":66,"avg":693.6,"max":1514,"stddev":671.9,"var":451493.0,"ent":4.2,"data": [74,74,66,613,66,66,1514,1514,1514,1514,1514,1514,1514,1514,66,66,66,66,1514,1309,66,66,66,66,66,66,613,1309,78,613,1514,1514]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02122{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2440,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":126,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976139642766,"flow_src_last_pkt_time":1490976140230625,"flow_dst_last_pkt_time":1490976140359077,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1641,"flow_dst_tot_l4_payload_len":18414,"midstream":0,"thread_ts_usec":1490976140359077,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.63.56","src_port":51992,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":42070.0,"max":510931,"stddev":110064.9,"var":12114281472.0,"ent":2.5,"data": [24956,26298,431,110222,135,214,308,354,363,1114,487,409,385,114928,244,126,125,3452,97,26252,252,149,120,119,152,4719,62468,45133,368811,510931,416]},"pktlen": {"min":52,"avg":679.6,"max":1500,"stddev":671.9,"var":451493.0,"ent":4.2,"data": [60,60,52,599,52,52,1500,1500,1500,1500,1500,1500,1500,1500,52,52,52,52,1500,1295,52,52,52,52,52,52,599,1295,64,599,1500,1500]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,1,1],"entropies": [4.650921822,5.231404781,5.077241898,5.992787838,5.008132935,4.955154419,7.144702911,7.824075699,7.838180542,7.817303181,7.827538967,7.785875320,7.819852829,7.815253735,5.038779736,5.000318527,4.908877850,5.038779736,7.787726402,7.553128719,5.038780212,5.038780212,5.038779736,5.038780212,5.038780212,5.038780212,6.005241394,7.550778389,5.163660049,6.010917664,7.134511948,7.768814087]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Amazon","proto_id":"7.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2480,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":132,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976142629437,"flow_src_last_pkt_time":1490976142629437,"flow_dst_last_pkt_time":1490976142629437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976142629437,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.29.253","src_port":40878,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2480,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":132,"flow_packet_id":1,"flow_src_last_pkt_time":1490976142629437,"flow_dst_last_pkt_time":1490976142629437,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976142629437,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8Si5AAEAGxLmsECrYNu8d\/Z+uAbuBOjwrAAAAAKAC\/\/9GYAAAAgQFtAQCCAoA9nYFAAAAAAEDAwg="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2481,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":132,"flow_packet_id":2,"flow_src_last_pkt_time":1490976142629437,"flow_dst_last_pkt_time":1490976142691841,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976142691841,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw0iJAAOcGldA27x39rBAq2AG7n66gUyr3gTo8LHASH\/4OHAAAAgQFtAEDAwY="} @@ -809,7 +809,7 @@ 01230{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2511,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":133,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976150029230,"flow_src_last_pkt_time":1490976150127984,"flow_dst_last_pkt_time":1490976150196755,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":239,"flow_dst_tot_l4_payload_len":85,"midstream":0,"thread_ts_usec":1490976150196755,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45750,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","alpn":"h2,http\/1.1"}}} 00864{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2517,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1490976022741105,"flow_src_last_pkt_time":1490976022741164,"flow_dst_last_pkt_time":1490976022741105,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":56,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976150210618,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::16","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00873{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2517,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1490976022731312,"flow_src_last_pkt_time":1490976022731374,"flow_dst_last_pkt_time":1490976022731312,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976150210618,"l3_proto":"ip6","src_ip":"::","dst_ip":"ff02::1:ffd3:fbc2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01607{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2519,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":33,"avg":3968339.8,"max":120002762,"stddev":21185284.0,"var":448816230694912.0,"ent":0.3,"data": [77142,79508,13198,60889,401,551,135,48584,1797,3570,177758,227426,44512,20026,267154,445550,122636,142,45,33,282451,8709,270484,1626,407007,145,164075,140,290013,120002762,69]},"pktlen": {"min":66,"avg":450.5,"max":1514,"stddev":570.0,"var":324877.8,"ent":4.0,"data": [74,74,66,287,66,1514,1514,640,66,66,66,192,308,66,1430,1430,66,1514,314,110,100,66,66,1514,1017,66,66,1329,100,66,97,66]},"bins": {"c_to_s": [9,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1,0,0],"s_to_c": [7,3,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,1,1]}} +02003{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2519,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":33,"avg":3968339.8,"max":120002762,"stddev":21185284.0,"var":448816230694912.0,"ent":0.3,"data": [77142,79508,13198,60889,401,551,135,48584,1797,3570,177758,227426,44512,20026,267154,445550,122636,142,45,33,282451,8709,270484,1626,407007,145,164075,140,290013,120002762,69]},"pktlen": {"min":52,"avg":436.5,"max":1500,"stddev":570.0,"var":324877.8,"ent":3.9,"data": [60,60,52,273,52,1500,1500,626,52,52,52,178,294,52,1416,1416,52,1500,300,96,86,52,52,1500,1003,52,52,1315,86,52,83,52]},"bins": {"c_to_s": [9,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1,0,0],"s_to_c": [7,3,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,1,1],"entropies": [4.739262104,5.306893826,5.017560959,5.448555946,5.115703583,6.960030556,7.238288403,7.584036827,5.017560959,5.094483852,5.041505337,6.602245331,7.164677143,5.041505337,7.862887383,7.863117218,5.115703106,7.885983467,7.259884357,6.084556580,5.826154709,5.094483852,5.132945538,7.862029552,7.810581207,5.115703106,5.077241421,7.851958752,5.873827457,5.132945538,5.636672497,5.115703106]}} 01715{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2519,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976029248822,"flow_src_last_pkt_time":1490976030758212,"flow_dst_last_pkt_time":1490976150757970,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5474,"flow_dst_tot_l4_payload_len":6814,"midstream":0,"thread_ts_usec":1490976150757970,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.197","src_port":55242,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"bdf21e38e1f69776df407235625e75e2","ja3s":"389ed42c02ebecc32e73aa31def07e14","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2531,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":134,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976158680003,"flow_src_last_pkt_time":1490976158680003,"flow_dst_last_pkt_time":1490976158680003,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976158680003,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.94.232.134","src_port":45751,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2531,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":134,"flow_packet_id":1,"flow_src_last_pkt_time":1490976158680003,"flow_dst_last_pkt_time":1490976158680003,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976158680003,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8\/ohAAEAGSGasECrYNF7ohrK3Abt2joLDAAAAAKAC\/\/8pLAAAAgQFtAQCCAoA9nxLAAAAAAEDAwg="} @@ -937,7 +937,7 @@ 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2737,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976187511761,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187511761,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976187511761,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2737,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":1,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187511761,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976187511761,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8IbxAAEAG7nasECrYNu8cspdlAbtMyaYzAAAAAKAC\/\/8I0wAAAgQFtAQCCAoA9oePAAAAAAEDAwg="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2739,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":2,"flow_src_last_pkt_time":1490976187511761,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976187571606,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw3K9AAOcGjI427xyyrBAq2AG7l2UCDLyqTMmmNHASH\/7urAAAAgQFtAEDAwY="} -01615{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2741,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":112,"avg":664331.6,"max":8001087,"stddev":1905246.8,"var":3629965115392.0,"ent":2.5,"data": [133822,140403,3233,141605,1309,112,137230,287,136,2714,82197,163,95708,410,359058,405413,633638,688626,100774,373131,50752,202632,7767064,1576,8001087,353783,410110,314766,108314,179,84048]},"pktlen": {"min":54,"avg":438.7,"max":1514,"stddev":584.7,"var":341856.6,"ent":3.9,"data": [74,62,54,261,1514,1514,399,54,54,54,380,60,113,1514,204,60,1514,113,54,1514,60,683,54,1514,300,60,54,60,1514,60,60,54]},"bins": {"c_to_s": [9,0,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [8,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,0,1,0,0,1,1,0,0,0,1,0,1,0,1,1,0]}} +02012{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2741,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":112,"avg":664331.6,"max":8001087,"stddev":1905246.8,"var":3629965115392.0,"ent":2.5,"data": [133822,140403,3233,141605,1309,112,137230,287,136,2714,82197,163,95708,410,359058,405413,633638,688626,100774,373131,50752,202632,7767064,1576,8001087,353783,410110,314766,108314,179,84048]},"pktlen": {"min":40,"avg":424.7,"max":1500,"stddev":584.7,"var":341856.6,"ent":3.8,"data": [60,48,40,247,1500,1500,385,40,40,40,366,46,99,1500,190,46,1500,99,40,1500,46,669,40,1500,286,46,40,46,1500,46,46,40]},"bins": {"c_to_s": [9,0,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [8,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,0,1,0,0,1,1,0,0,0,1,0,1,0,1,1,0],"entropies": [4.739262104,5.176427841,4.831687450,5.587803364,6.784171104,7.276063442,7.379589558,4.681686878,4.831686974,4.881687164,7.374952793,4.565872192,6.002931595,7.862873554,6.853326321,4.609350204,7.863068104,6.002931595,4.831687450,7.863775730,4.652828693,7.736141205,4.831687450,7.863870144,7.273199081,4.501398087,4.781687260,4.544876099,7.864799976,4.565871716,4.609350204,4.881687164]}} 01845{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2741,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":142,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976177276176,"flow_src_last_pkt_time":1490976187574979,"flow_dst_last_pkt_time":1490976187571653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":8229,"flow_dst_tot_l4_payload_len":4012,"midstream":0,"thread_ts_usec":1490976187574979,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":50799,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"pitangui.amazon.com","tls": {"version":"TLSv1.2","server_names":"pitangui.amazon.com,guipitan.amazon.com,alexa.amazon.com,echo.amazon.com,alexa.amazon.ca,guipitan.amazon.ca,alexa.amazon.co.jp,guipitan.amazon.co.jp,alexa.amazon.com.mx,guipitan.amazon.com.mx,alexa.amazon.com.br,guipitan.amazon.com.br,alexa.amazon.com.au,guipitan.amazon.com.au,alexa.amazon.cn,guipitan.amazon.cn","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"18e962e106761869a61045bed0e81c2c","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=pitangui.amazon.com","alpn":"h2,http\/1.1","fingerprint":"13:E9:3B:22:22:61:41:53:CA:B6:3A:AE:C8:B7:23:FB:A5:11:2F:24"}}} 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2742,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_packet_id":3,"flow_src_last_pkt_time":1490976187575232,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976187575232,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoIb1AAEAG7omsECrYNu8cspdlAbtMyaY0Agy8q1AQAVc5HgAA"} 01159{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2743,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":147,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976187511761,"flow_src_last_pkt_time":1490976187577439,"flow_dst_last_pkt_time":1490976187571606,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976187577439,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.28.178","src_port":38757,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1","ja3":"f8f5b71e02603b283e55b50d17ede861","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} @@ -966,7 +966,7 @@ 01195{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2820,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195670657,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976195724734,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01263{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2824,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195762060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1490976195762060,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256"}}} 02327{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2826,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":151,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976195633256,"flow_src_last_pkt_time":1490976195724734,"flow_dst_last_pkt_time":1490976195763002,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":185,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":185,"flow_dst_tot_l4_payload_len":3987,"midstream":0,"thread_ts_usec":1490976195763002,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"216.58.194.78","src_port":49067,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.PlayStore","proto_id":"91.228","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"android.clients.google.com","tls": {"version":"TLSv1.2","server_names":"*.google.com,*.android.com,*.appengine.google.com,*.cloud.google.com,*.gcp.gvt2.com,*.google-analytics.com,*.google.ca,*.google.cl,*.google.co.in,*.google.co.jp,*.google.co.uk,*.google.com.ar,*.google.com.au,*.google.com.br,*.google.com.co,*.google.com.mx,*.google.com.tr,*.google.com.vn,*.google.de,*.google.es,*.google.fr,*.google.hu,*.google.it,*.google.nl,*.google.pl,*.google.pt,*.googleadapis.com,*.googleapis.cn,*.googlecommerce.com,*.googlevideo.com,*.gstatic.cn,*.gstatic.com,*.gvt1.com,*.gvt2.com,*.metric.gstatic.com,*.urchin.com,*.url.google.com,*.youtube-nocookie.com,*.youtube.com,*.youtubeeducation.com,*.ytimg.com,android.clients.google.com,android.com,developer.android.google.cn,g.co,goo.gl,google-analytics.com,google.com,googlecommerce.com,urchin.com,www.goo.gl,youtu.be,youtube.com,youtubeeducation.com","ja3":"5bf38a5cbf896cd31eeef4d6ad1503e1","ja3s":"9b1466fd60cadccb848e09c86e284265","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.google.com","fingerprint":"54:A0:1E:03:FF:CB:33:BC:9D:65:DC:D7:BF:6B:04:2B:F9:F3:D5:42"}}} -01577{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2844,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":22200.1,"max":105973,"stddev":31062.3,"var":964868608.0,"ent":3.6,"data": [42665,43661,659,44970,3982,526,602,251,50626,787,253,1113,7308,12716,306,65597,42616,4166,48889,363,25248,76421,105973,250,551,581,305,49,101959,2918,1893]},"pktlen": {"min":66,"avg":539.8,"max":1514,"stddev":600.4,"var":360465.6,"ent":4.1,"data": [74,74,66,268,66,1514,1514,1514,833,66,66,66,66,192,1514,781,78,192,1514,78,320,66,66,1514,1514,1514,697,608,143,66,163,66]},"bins": {"c_to_s": [9,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [5,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,0,1,1,1,1,1,1,0,1,0]}} +01976{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2844,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":22200.1,"max":105973,"stddev":31062.3,"var":964868608.0,"ent":3.6,"data": [42665,43661,659,44970,3982,526,602,251,50626,787,253,1113,7308,12716,306,65597,42616,4166,48889,363,25248,76421,105973,250,551,581,305,49,101959,2918,1893]},"pktlen": {"min":52,"avg":525.8,"max":1500,"stddev":600.4,"var":360465.6,"ent":4.1,"data": [60,60,52,254,52,1500,1500,1500,819,52,52,52,52,178,1500,767,64,178,1500,64,306,52,52,1500,1500,1500,683,594,129,52,149,52]},"bins": {"c_to_s": [9,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [5,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,0,1,1,1,1,1,1,0,1,0],"entropies": [4.672595501,5.194312096,4.986606121,5.562634945,5.014835358,6.943727970,7.231536865,7.504313469,7.550236702,5.056022167,4.926120281,5.003043652,4.940637589,6.271958828,7.856376171,7.737624168,5.206705093,6.298671246,7.856991291,5.133970261,7.098200321,5.000318050,4.979098797,7.871394634,7.857693672,7.882867336,7.672193050,7.592197895,6.342199802,4.986606121,6.480828762,4.846472263]}} 01603{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2844,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":149,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1490976195529965,"flow_src_last_pkt_time":1490976195874449,"flow_dst_last_pkt_time":1490976195873685,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4065,"flow_dst_tot_l4_payload_len":11044,"midstream":0,"thread_ts_usec":1490976195874449,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":41828,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.amazon.com","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","alpn":"h2,http\/1.1","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2861,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976195921499,"flow_src_last_pkt_time":1490976195921499,"flow_dst_last_pkt_time":1490976195921499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":49,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":49,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976195921499,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":4612,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2861,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":152,"flow_packet_id":1,"flow_src_last_pkt_time":1490976195921499,"flow_dst_last_pkt_time":1490976195921499,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":91,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":91,"pkt_l4_len":57,"thread_ts_usec":1490976195921499,"pkt":"AMDKkaPvePiC0\/vCCABFAABNWmZAAEARM0CsECrYrBAqARIEADUAOVP\/iiYBAAABAAAAAAAACWltYWdlcy1uYRFzc2wtaW1hZ2VzLWFtYXpvbgNjb20AAAEAAQ=="} @@ -1027,13 +1027,13 @@ 01278{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2945,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196261315,"flow_dst_last_pkt_time":1490976196257995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":194,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":194,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196261315,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1.2","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01338{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2950,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196261315,"flow_dst_last_pkt_time":1490976196300973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":194,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":194,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1490976196300973,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1.2","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01810{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2952,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196261315,"flow_dst_last_pkt_time":1490976196301692,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":194,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":194,"flow_dst_tot_l4_payload_len":3462,"midstream":0,"thread_ts_usec":1490976196301692,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"amazon.com,amzn.com,uedata.amazon.com,us.amazon.com,www.amazon.com,www.amzn.com,corporate.amazon.com,buybox.amazon.com,iphone.amazon.com,yp.amazon.com,home.amazon.com,origin-www.amazon.com","ja3":"36e9ceaa96dd810482573844f78a063f","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=www.amazon.com","fingerprint":"EF:14:6C:F1:5C:4A:F8:4D:BA:83:C2:1E:6C:5B:ED:C4:FA:34:1C:3E"}}} -01587{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2970,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976195984177,"flow_src_last_pkt_time":1490976196473740,"flow_dst_last_pkt_time":1490976196515206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1277,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5359,"flow_dst_tot_l4_payload_len":12694,"midstream":0,"thread_ts_usec":1490976196515206,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":54,"avg":32922.3,"max":261773,"stddev":58822.9,"var":3460134400.0,"ent":3.5,"data": [16682,17944,1581,27330,5292,477,511,279,32463,293,12932,291,133,38969,52766,61918,541,272,54,35117,659,5109,216850,261773,199,39363,7450,74173,66612,42132,427]},"pktlen": {"min":66,"avg":631.0,"max":1514,"stddev":624.9,"var":390532.6,"ent":4.2,"data": [74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1343,1514,1514,770,100,66,66,1308,1308,862,100,66,1319,100,78,1514,1514]},"bins": {"c_to_s": [10,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0],"s_to_c": [2,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,0,0,0,0,1,1,0,0,1,0,1,1]}} +01983{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2970,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976195984177,"flow_src_last_pkt_time":1490976196473740,"flow_dst_last_pkt_time":1490976196515206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1277,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5359,"flow_dst_tot_l4_payload_len":12694,"midstream":0,"thread_ts_usec":1490976196515206,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":54,"avg":32922.3,"max":261773,"stddev":58822.9,"var":3460134400.0,"ent":3.5,"data": [16682,17944,1581,27330,5292,477,511,279,32463,293,12932,291,133,38969,52766,61918,541,272,54,35117,659,5109,216850,261773,199,39363,7450,74173,66612,42132,427]},"pktlen": {"min":52,"avg":617.0,"max":1500,"stddev":624.9,"var":390532.6,"ent":4.2,"data": [60,60,52,271,52,1500,1500,1500,750,52,52,52,52,178,310,1329,1500,1500,756,86,52,52,1294,1294,848,86,52,1305,86,64,1500,1500]},"bins": {"c_to_s": [10,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0],"s_to_c": [2,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,0,0,0,0,1,1,0,0,1,0,1,1],"entropies": [4.672595501,5.227645397,4.979098797,5.733110428,5.038779736,7.056696892,7.289340973,7.487235546,7.581061363,5.056022644,5.056022644,5.056022167,5.017560482,6.267822742,7.174037933,7.836223602,7.860962391,7.884104729,7.725840569,5.789581299,4.948144436,4.933627605,7.835659504,7.836359024,7.744181633,5.795281410,4.926120281,7.845304489,5.818537712,4.911738873,7.873147964,7.870454311]}} 01562{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2970,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":154,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490976195984177,"flow_src_last_pkt_time":1490976196473740,"flow_dst_last_pkt_time":1490976196515206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1277,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5359,"flow_dst_tot_l4_payload_len":12694,"midstream":0,"thread_ts_usec":1490976196515206,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41913,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"images-na.ssl-images-amazon.com","tls": {"version":"TLSv1.2","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}} -01984{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3187,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196651032,"flow_dst_last_pkt_time":1490976196769763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":666,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1652,"flow_dst_tot_l4_payload_len":16510,"midstream":0,"thread_ts_usec":1490976196769763,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":31380.5,"max":241435,"stddev":57224.6,"var":3274655232.0,"ent":3.4,"data": [33996,35089,2227,37919,5059,483,236,42863,280,131,30800,68825,38426,227149,241435,50068,58385,55537,3754,2000,4418,1636,659,7796,67,79,9049,341,3084,756,10250]},"pktlen": {"min":66,"avg":634.4,"max":1514,"stddev":578.4,"var":334504.2,"ent":4.4,"data": [74,74,66,260,66,1514,1514,632,66,66,66,192,117,732,732,117,78,66,1110,441,270,829,919,455,1514,191,571,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,2,0,1,0,0,1,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02383{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3187,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":157,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1490976196223999,"flow_src_last_pkt_time":1490976196651032,"flow_dst_last_pkt_time":1490976196769763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":666,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1652,"flow_dst_tot_l4_payload_len":16510,"midstream":0,"thread_ts_usec":1490976196769763,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.85.209.143","src_port":38483,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":31380.5,"max":241435,"stddev":57224.6,"var":3274655232.0,"ent":3.4,"data": [33996,35089,2227,37919,5059,483,236,42863,280,131,30800,68825,38426,227149,241435,50068,58385,55537,3754,2000,4418,1636,659,7796,67,79,9049,341,3084,756,10250]},"pktlen": {"min":52,"avg":620.4,"max":1500,"stddev":578.4,"var":334504.2,"ent":4.3,"data": [60,60,52,246,52,1500,1500,618,52,52,52,178,103,718,718,103,64,52,1096,427,256,815,905,441,1500,177,557,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,2,0,1,0,0,1,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.672595501,5.240227222,5.056022644,5.370272160,5.154164791,6.988568306,7.250431538,7.681571960,5.014835835,5.094483852,5.094484329,6.573484898,6.064765453,7.685264111,7.690067768,6.064765930,5.061889172,5.154164791,7.838786125,7.447540760,7.087004662,7.738961697,7.760296345,7.499400616,7.878207684,6.822522163,7.598652363,7.869508743,7.877407074,7.877415180,7.877339363,7.877696514]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196840676,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packet_id":1,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1490976196840676,"pkt":"AMDKkaPvePiC0\/vCCABFAAA\/WmdAAEARM02sECrYrBAqAQqTADUAK8ZJ2BYBAAABAAAAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAE="} 01006{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3210,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196840676,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976196840676,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01587{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3336,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":50,"avg":57253.4,"max":264056,"stddev":85984.0,"var":7393244160.0,"ent":3.6,"data": [22841,23998,943,22793,6583,564,615,276,39690,124,146,157,6771,37572,46160,226745,213104,3861,222252,264056,50,55344,103406,128,10396,183950,242536,953,71,38628,142]},"pktlen": {"min":66,"avg":546.2,"max":1514,"stddev":595.2,"var":354289.1,"ent":4.2,"data": [74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1351,324,78,1351,1351,944,100,100,66,66,78,1336,1514,1514,522,66,66]},"bins": {"c_to_s": [12,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,0,0,0,0,0,0,0],"s_to_c": [2,2,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0]}} +01984{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3336,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":50,"avg":57253.4,"max":264056,"stddev":85984.0,"var":7393244160.0,"ent":3.6,"data": [22841,23998,943,22793,6583,564,615,276,39690,124,146,157,6771,37572,46160,226745,213104,3861,222252,264056,50,55344,103406,128,10396,183950,242536,953,71,38628,142]},"pktlen": {"min":52,"avg":532.2,"max":1500,"stddev":595.2,"var":354289.1,"ent":4.1,"data": [60,60,52,271,52,1500,1500,1500,750,52,52,52,52,178,310,1337,310,64,1337,1337,930,86,86,52,52,64,1322,1500,1500,508,52,52]},"bins": {"c_to_s": [12,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,0,0,0,0,0,0,0],"s_to_c": [2,2,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0],"entropies": [4.705928802,5.306893826,5.094483852,5.740943432,5.077241898,7.061615944,7.289163589,7.495290279,7.599352837,5.094483852,5.017560482,5.094483852,5.017560482,6.445491791,7.218114853,7.854625702,7.211663246,5.042434692,7.851956367,7.855620384,7.792708397,5.812836647,5.812836647,5.056022167,5.132945538,5.093139648,7.841275692,7.859713554,7.867431164,7.510861874,5.094483852,5.094483852]}} 01561{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3336,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":155,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976195985305,"flow_src_last_pkt_time":1490976196879161,"flow_dst_last_pkt_time":1490976196866304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1285,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5470,"flow_dst_tot_l4_payload_len":9856,"midstream":0,"thread_ts_usec":1490976196879161,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"52.84.62.115","src_port":41914,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"images-na.ssl-images-amazon.com","tls": {"version":"TLSv1.2","server_names":"images-na.ssl-images-amazon.com,images-eu.ssl-images-amazon.com,images-fe.ssl-images-amazon.com,m.media-amazon.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=Images-na.ssl-images-amazon.com","alpn":"h2,http\/1.1","fingerprint":"39:3D:27:B3:4D:FA:B4:04:AB:48:7F:5C:CB:A9:9A:95:F5:22:2A:52"}}} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3347,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_packet_id":2,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196938799,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1490976196938799,"pkt":"ePiC0\/vCAMDKkaPvCABFAABP7ApAAEARoZmsECoBrBAq2AA1CpMAO2jR2BaBgAABAAEAAAAABmZscy1uYQZhbWF6b24DY29tAAABAAHADAABAAEAAAA7AARIFc55"} 01022{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3347,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1490976196840676,"flow_src_last_pkt_time":1490976196840676,"flow_dst_last_pkt_time":1490976196938799,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":51,"flow_src_tot_l4_payload_len":35,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1490976196938799,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"172.16.42.1","src_port":2707,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Amazon","proto_id":"5.178","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"72.21.206.121"}}} @@ -1044,7 +1044,7 @@ 01063{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3355,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":159,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1490976196942963,"flow_src_last_pkt_time":1490976197026574,"flow_dst_last_pkt_time":1490976197023104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":205,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":205,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976197026574,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47605,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fls-na.amazon.com","tls": {"version":"TLSv1.2","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3357,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1490976197297649,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197297649,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1490976197297649,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"72.21.206.121","src_port":47606,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3357,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":1,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197297649,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1490976197297649,"pkt":"AMDKkaPvePiC0\/vCCABFAAA8At9AAEAGSmasECrYSBXOebn2AbvarIm+AAAAAKAC\/\/+uEwAAAgQFtAQCCAoA9othAAAAAAEDAwg="} -01606{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3359,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":32,"avg":614473.9,"max":7470598,"stddev":1477715.5,"var":2183643136000.0,"ent":2.8,"data": [168457,171158,1511,108893,4406,1671,697,112679,290,4146,167,6217,127,10389,13091,1079,255,290409,42,32,60,299358,743,529311,1065924,2114234,3665356,7470598,595200,595070,1817122]},"pktlen": {"min":54,"avg":540.2,"max":1514,"stddev":637.5,"var":406420.1,"ent":4.0,"data": [74,62,54,281,60,60,1514,1514,54,54,1514,669,54,54,180,1514,1438,374,60,60,105,60,54,1438,1438,1438,1438,54,60,1438,60,60]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,1,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,1]}} +02004{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3359,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":32,"avg":614473.9,"max":7470598,"stddev":1477715.5,"var":2183643136000.0,"ent":2.8,"data": [168457,171158,1511,108893,4406,1671,697,112679,290,4146,167,6217,127,10389,13091,1079,255,290409,42,32,60,299358,743,529311,1065924,2114234,3665356,7470598,595200,595070,1817122]},"pktlen": {"min":40,"avg":526.2,"max":1500,"stddev":637.5,"var":406420.1,"ent":3.9,"data": [60,48,40,267,46,46,1500,1500,40,40,1500,655,40,40,166,1500,1424,360,46,46,91,46,40,1424,1424,1424,1424,40,46,1424,46,46]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,1,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,1],"entropies": [4.626680374,5.134761333,4.831686974,5.716956139,4.609350204,4.505982876,7.141723156,7.316176414,4.831687450,4.812815189,7.392494678,7.608505726,4.881687164,4.831687450,6.348018646,7.864303589,7.858262062,7.260771751,4.390829086,4.347350597,5.864610672,4.390829086,4.684184074,7.859017372,7.859235764,7.859332085,7.859507561,4.784183979,4.347350597,7.859881401,4.457920074,4.501398087]}} 01509{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3359,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":145,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1490976186884448,"flow_src_last_pkt_time":1490976195471370,"flow_dst_last_pkt_time":1490976197346218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":10437,"flow_dst_tot_l4_payload_len":5046,"midstream":0,"thread_ts_usec":1490976197346218,"l3_proto":"ip4","src_ip":"172.16.42.216","dst_ip":"54.239.23.94","src_port":44912,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"mobileanalytics.us-east-1.amazonaws.com","tls": {"version":"TLSv1.2","server_names":"mobileanalytics.us-east-1.amazonaws.com","ja3":"d551fafc4f40f1dec2bb45980bfa9492","ja3s":"159d46e54a2c066ef95e656fdf034e1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=Washington, L=Seattle, O=Amazon.com, Inc., CN=mobileanalytics.us-east-1.amazonaws.com","alpn":"h2,http\/1.1","fingerprint":"87:AD:E9:2D:E8:42:F0:5C:3A:09:13:00:12:93:59:04:84:C3:E2:2D"}}} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3361,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":2,"flow_src_last_pkt_time":1490976197297649,"flow_dst_last_pkt_time":1490976197355099,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1490976197355099,"pkt":"ePiC0\/vCAMDKkVoBCABFAAAw5DlAAOcGwhZIFc55rBAq2AG7ufYaDpo72qyJv3ASH\/6iLAAAAgQFtAEDAwY="} 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3362,"source":"alexa-app.pcapng","alias":"nDPId-test","flow_id":160,"flow_packet_id":3,"flow_src_last_pkt_time":1490976197356307,"flow_dst_last_pkt_time":1490976197355099,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1490976197356307,"pkt":"AMDKkaPvePiC0\/vCCABFAAAoAuBAAEAGSnmsECrYSBXOebn2AbvarIm\/Gg6aPFAQAVfsnQAA"} @@ -1190,10 +1190,10 @@ ~~ total active/idle flows...: 160/160 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 7090643 bytes -~~ total memory freed........: 7090643 bytes -~~ total allocations/frees...: 127335/127335 +~~ total memory allocated....: 7112403 bytes +~~ total memory freed........: 7112403 bytes +~~ total allocations/frees...: 127495/127495 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 192 chars -~~ json string max len.......: 2332 chars -~~ json string avg len.......: 1262 chars +~~ json string max len.......: 2388 chars +~~ json string avg len.......: 1290 chars diff --git a/test/results/alicloud.pcap.out b/test/results/alicloud.pcap.out index bad2a5f0c..9781c2cf8 100644 --- a/test/results/alicloud.pcap.out +++ b/test/results/alicloud.pcap.out @@ -111,9 +111,9 @@ ~~ total active/idle flows...: 15/15 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6095622 bytes -~~ total memory freed........: 6095622 bytes -~~ total allocations/frees...: 121867/121867 +~~ total memory allocated....: 6097662 bytes +~~ total memory freed........: 6097662 bytes +~~ total allocations/frees...: 121882/121882 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 919 chars diff --git a/test/results/among_us.pcap.out b/test/results/among_us.pcap.out index c60817442..8dd5ccfca 100644 --- a/test/results/among_us.pcap.out +++ b/test/results/among_us.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035670 bytes -~~ total memory freed........: 6035670 bytes -~~ total allocations/frees...: 121488/121488 +~~ total memory allocated....: 6035806 bytes +~~ total memory freed........: 6035806 bytes +~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 893 chars diff --git a/test/results/amqp.pcap.out b/test/results/amqp.pcap.out index ec9636bff..3c7b0c072 100644 --- a/test/results/amqp.pcap.out +++ b/test/results/amqp.pcap.out @@ -15,7 +15,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"amqp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1490904169152163,"flow_dst_last_pkt_time":1490904169152192,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1490904169152192,"pkt":"AAAAAAAAAAAAAAAACABFAAA01sFAAEAGZQB\/AAEBfwAAARYorK7a34rgiptOLIAQDAj\/KAAAAQEICgC+2LgAvti4"} 00715{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"amqp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1490904169152378,"flow_dst_last_pkt_time":1490904169152192,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":206,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":206,"pkt_l4_len":172,"thread_ts_usec":1490904169152378,"pkt":"AAAAAAAAAAAAAAAACABFAADAPzxAAEAG+\/l\/AAABfwABAayuFiiKm04s2t+K4IAYAV7\/tAAAAQEICgC+2LgAvti4AgABAAAAhAA8AAAAAAAAAAAA7v4AHmFwcGxpY2F0aW9uL3gtcHl0aG9uLXNlcmlhbGl6ZQZiaW5hcnkAAAAAAgAkZjMzYWFlMjctNjlmNC00ZjQ4LWIwYmMtMmVmZGM0NTVjMTI4JGFiZjI3YmI1LTAxNDktM2RiZC1hMmRiLWQzNTcyYzMwOTc5MM4="} 00856{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"amqp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1490904166119482,"flow_src_last_pkt_time":1490904169152864,"flow_dst_last_pkt_time":1490904169156013,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":425,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":448,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":1321,"flow_dst_tot_l4_payload_len":21,"midstream":1,"thread_ts_usec":1490904169156013,"l3_proto":"ip4","src_ip":"127.0.1.1","dst_ip":"127.0.0.1","src_port":5672,"dst_port":44204,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} -01676{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"amqp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490904166118902,"flow_src_last_pkt_time":1490904169595775,"flow_dst_last_pkt_time":1490904169595788,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":329,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904169595788,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44205,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":224314.8,"max":2001684,"stddev":536643.9,"var":287986745344.0,"ent":2.4,"data": [31,198,177,103,103,2001663,2001684,188,167,98,97,1032593,1032598,113,109,94,93,11037,11041,111,108,94,93,17674,17676,105,104,99,99,412703,412706]},"pktlen": {"min":66,"avg":132.0,"max":395,"stddev":99.5,"var":9895.7,"ent":4.7,"data": [107,66,162,66,369,66,107,66,162,66,369,66,104,66,162,66,395,66,103,66,162,66,271,66,105,66,162,66,325,66,104,66]},"bins": {"c_to_s": [0,6,0,5,0,0,1,0,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +02069{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"amqp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1490904166118902,"flow_src_last_pkt_time":1490904169595775,"flow_dst_last_pkt_time":1490904169595788,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":329,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904169595788,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44205,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":224314.8,"max":2001684,"stddev":536643.9,"var":287986745344.0,"ent":2.4,"data": [31,198,177,103,103,2001663,2001684,188,167,98,97,1032593,1032598,113,109,94,93,11037,11041,111,108,94,93,17674,17676,105,104,99,99,412703,412706]},"pktlen": {"min":52,"avg":118.0,"max":381,"stddev":99.5,"var":9895.7,"ent":4.6,"data": [93,52,148,52,355,52,93,52,148,52,355,52,90,52,148,52,381,52,89,52,148,52,257,52,91,52,148,52,311,52,90,52]},"bins": {"c_to_s": [0,6,0,5,0,0,1,0,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.892737865,4.569115162,5.131951332,4.569115162,5.420554638,4.569115162,4.937272072,4.569115162,5.150565624,4.569115162,5.432780266,4.569115162,4.933847904,4.569115162,5.110024929,4.516136646,5.444756508,4.569115162,4.894715786,4.569115162,5.123056412,4.569115162,5.521058559,4.530653477,4.818450451,4.530653477,5.131469727,4.569115162,5.487017632,4.569115162,4.933847904,4.569115162]},"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00896{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":160,"source":"amqp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":9,"flow_first_seen":1490904166119482,"flow_src_last_pkt_time":1490904170242659,"flow_dst_last_pkt_time":1490904170206101,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":448,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":3469,"flow_dst_tot_l4_payload_len":105,"midstream":1,"thread_ts_usec":1490904170243630,"l3_proto":"ip4","src_ip":"127.0.1.1","dst_ip":"127.0.0.1","src_port":5672,"dst_port":44204,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00895{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":160,"source":"amqp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":54,"flow_dst_packets_processed":54,"flow_first_seen":1490904166118902,"flow_src_last_pkt_time":1490904170243601,"flow_dst_last_pkt_time":1490904170243630,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":329,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":7295,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904170243630,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44205,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00895{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":160,"source":"amqp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":15,"flow_first_seen":1490904169152163,"flow_src_last_pkt_time":1490904170195756,"flow_dst_last_pkt_time":1490904170195765,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2085,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1490904170243630,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.1.1","src_port":44206,"dst_port":5672,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"AMQP","proto_id":"192","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} @@ -28,10 +28,10 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6049673 bytes -~~ total memory freed........: 6049673 bytes -~~ total allocations/frees...: 121670/121670 +~~ total memory allocated....: 6050081 bytes +~~ total memory freed........: 6050081 bytes +~~ total allocations/frees...: 121673/121673 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1681 chars -~~ json string avg len.......: 1076 chars +~~ json string max len.......: 2074 chars +~~ json string avg len.......: 1266 chars diff --git a/test/results/android.pcap.out b/test/results/android.pcap.out index 1b2fcb2f9..81504d425 100644 --- a/test/results/android.pcap.out +++ b/test/results/android.pcap.out @@ -297,7 +297,7 @@ 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":406,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1582454871881494,"flow_dst_last_pkt_time":1582454871881494,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1582454871881494,"pkt":"xiwDYGpkTGr2n\/YnCABFAABErDBAAEARCRfAqAIQwKgCAZtQADUAMNjjuKUBAAABAAAAAAAAB2FuZHJvaWQKZ29vZ2xlYXBpcwNjb20AAAEAAQ=="} 01013{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":406,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454871881494,"flow_src_last_pkt_time":1582454871881494,"flow_dst_last_pkt_time":1582454871881494,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454871881494,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"192.168.2.1","src_port":39760,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"android.googleapis.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 01117{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":408,"source":"android.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1582454871829800,"flow_src_last_pkt_time":1582454871890562,"flow_dst_last_pkt_time":1582454871867294,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454871890562,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.20.76","src_port":43646,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DataSaver","proto_id":"91.46","encrypted":1,"breed":"Fun","category_id":5,"category":"Web","hostname":"proxy.googlezip.net","tls": {"version":"TLSv1.2","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01716{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":431,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1582454871152402,"flow_src_last_pkt_time":1582454871906464,"flow_dst_last_pkt_time":1582454871901421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":819,"flow_dst_tot_l4_payload_len":10828,"midstream":0,"thread_ts_usec":1582454871906464,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":48486.5,"max":404574,"stddev":104241.1,"var":10866214912.0,"ent":3.0,"data": [13673,15022,32725,47474,16568,3,34518,282,386517,404574,19668,197623,221096,19209,15019,27735,41804,1657,22,36,1002,1575,133,18,9,1204,14,1169,2703,19,10]},"pktlen": {"min":66,"avg":430.5,"max":1484,"stddev":552.7,"var":305506.2,"ent":4.0,"data": [74,74,66,246,66,1484,1202,66,66,159,358,66,578,66,100,66,655,66,1484,1484,1421,1484,66,1484,396,102,66,66,66,66,66,66]},"bins": {"c_to_s": [13,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,5,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02113{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":431,"source":"android.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1582454871152402,"flow_src_last_pkt_time":1582454871906464,"flow_dst_last_pkt_time":1582454871901421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":819,"flow_dst_tot_l4_payload_len":10828,"midstream":0,"thread_ts_usec":1582454871906464,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":32996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":48486.5,"max":404574,"stddev":104241.1,"var":10866214912.0,"ent":3.0,"data": [13673,15022,32725,47474,16568,3,34518,282,386517,404574,19668,197623,221096,19209,15019,27735,41804,1657,22,36,1002,1575,133,18,9,1204,14,1169,2703,19,10]},"pktlen": {"min":52,"avg":416.5,"max":1470,"stddev":552.7,"var":305506.2,"ent":3.9,"data": [60,60,52,232,52,1470,1188,52,52,145,344,52,564,52,86,52,641,52,1470,1470,1407,1470,52,1470,382,88,52,52,52,52,52,52]},"bins": {"c_to_s": [13,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,5,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,0,0,0,0,0,0],"entropies": [4.671797276,5.277319908,5.092563152,5.518131256,5.077241421,7.236341000,7.433474064,5.131024837,5.131024837,6.086913109,7.119209766,4.962661266,7.515064716,4.947339535,5.439514160,5.038779736,7.633175850,5.015639782,7.866302967,7.846067905,7.867026806,7.835390091,5.092563152,7.847195148,7.413039684,5.580356598,5.054101467,5.092563152,5.054101467,5.092563152,5.015639782,4.977178097]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01163{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":434,"source":"android.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1582454871839297,"flow_src_last_pkt_time":1582454871880409,"flow_dst_last_pkt_time":1582454871911317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1582454871911317,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"216.239.38.120","src_port":33014,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","tls": {"version":"TLSv1.3","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01166{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":437,"source":"android.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1582454871814833,"flow_src_last_pkt_time":1582454871879681,"flow_dst_last_pkt_time":1582454871913572,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":594,"flow_dst_max_l4_payload_len":212,"flow_src_tot_l4_payload_len":594,"flow_dst_tot_l4_payload_len":212,"midstream":0,"thread_ts_usec":1582454871913572,"l3_proto":"ip4","src_ip":"192.168.2.16","dst_ip":"172.217.21.202","src_port":51944,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DataSaver","proto_id":"91.46","encrypted":1,"breed":"Fun","category_id":5,"category":"Web","hostname":"datasaver.googleapis.com","tls": {"version":"TLSv1.3","ja3":"554719594ba90b02ae410c297c6e50ad","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":441,"source":"android.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_src_last_pkt_time":1582454871881494,"flow_dst_last_pkt_time":1582454871920611,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"thread_ts_usec":1582454871920611,"pkt":"TGr2n\/YnxiwDYGpkCABFAABUFXQAAEAR38PAqAIBwKgCEAA1m1AAQNQ0uKWBgAABAAEAAAAAB2FuZHJvaWQKZ29vZ2xlYXBpcwNjb20AAAEAAcAMAAEAAQAAARcABKzZFgo="} @@ -392,9 +392,9 @@ ~~ total active/idle flows...: 63/63 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6392351 bytes -~~ total memory freed........: 6392351 bytes -~~ total allocations/frees...: 122858/122858 +~~ total memory allocated....: 6400919 bytes +~~ total memory freed........: 6400919 bytes +~~ total allocations/frees...: 122921/122921 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2570 chars diff --git a/test/results/anyconnect-vpn.pcap.out b/test/results/anyconnect-vpn.pcap.out index 7a3cd7985..13abc216b 100644 --- a/test/results/anyconnect-vpn.pcap.out +++ b/test/results/anyconnect-vpn.pcap.out @@ -66,7 +66,7 @@ 01148{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245728221,"flow_dst_last_pkt_time":1569687245727730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687245728221,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01302{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":62,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245728221,"flow_dst_last_pkt_time":1569687245772680,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1569687245772680,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","alpn":"http\/1.1"}}} 01688{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":68,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687245813667,"flow_dst_last_pkt_time":1569687245851826,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":167,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":5792,"midstream":0,"thread_ts_usec":1569687245851826,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","alpn":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} -01545{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":22175.9,"max":71520,"stddev":21576.5,"var":465545472.0,"ent":4.0,"data": [39490,39550,431,43733,1217,44517,40926,4,40928,1,38216,8,38254,1,33217,1,71520,5,38273,6102,35094,41225,217,42300,2869,5,1,44938,58]},"pktlen": {"min":66,"avg":504.7,"max":1514,"stddev":597.2,"var":356597.6,"ent":4.0,"data": [78,70,66,233,66,1514,66,1514,1514,66,66,1514,1181,66,66,1514,1514,1333,66,66,677,66,141,66,1175,66,359,711,119,66,66,66]},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,2,0,0],"s_to_c": [6,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,0,0,0]}} +01944{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":22175.9,"max":71520,"stddev":21576.5,"var":465545472.0,"ent":4.0,"data": [39490,39550,431,43733,1217,44517,40926,4,40928,1,38216,8,38254,1,33217,1,71520,5,38273,6102,35094,41225,217,42300,2869,5,1,44938,58]},"pktlen": {"min":52,"avg":490.7,"max":1500,"stddev":597.2,"var":356597.6,"ent":4.0,"data": [64,56,52,219,52,1500,52,1500,1500,52,52,1500,1167,52,52,1500,1500,1319,52,52,663,52,127,52,1161,52,345,697,105,52,52,52]},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,2,0,0],"s_to_c": [6,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,0,0,0],"entropies": [4.277806282,5.056655407,4.776611805,5.499976635,4.815073490,7.340889931,4.829590321,7.117477894,7.208638191,4.868052006,4.829590321,7.407335281,5.918903828,4.829590321,4.829590321,6.806384563,7.188310623,7.472460270,4.685171604,4.791129112,7.602285385,4.714205265,6.163617611,4.752666950,7.823616028,4.868052006,7.252848148,7.725178242,5.773176193,4.906513691,4.829590321,4.829590321]}} 01692{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":88,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1569687245688240,"flow_src_last_pkt_time":1569687246009851,"flow_dst_last_pkt_time":1569687246009730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6050,"flow_dst_tot_l4_payload_len":7973,"midstream":0,"thread_ts_usec":1569687246009851,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56919,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"9f1a41f932f274fe47a992310a26a23a","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","alpn":"http\/1.1","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":93,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687246891499,"flow_src_last_pkt_time":1569687246891499,"flow_dst_last_pkt_time":1569687246891499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":23,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":23,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687246891499,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.76.76","src_port":63107,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1569687246891499,"flow_dst_last_pkt_time":1569687246891499,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1569687246891499,"pkt":"LH6BsEqhNDY7z3UoCABFAAAzrdgAAP8Ra2cKAADjS0tMTPaDADUAH3AoGBgBAAABAAAAAAAABWxvY2FsAAAGAAE="} @@ -172,7 +172,7 @@ 01027{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":225,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1569687261485620,"flow_src_last_pkt_time":1569687261485620,"flow_dst_last_pkt_time":1569687261501464,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":51,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":51,"flow_dst_max_l4_payload_len":103,"flow_src_tot_l4_payload_len":51,"flow_dst_tot_l4_payload_len":103,"midstream":0,"thread_ts_usec":1569687261501464,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":59222,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"lp-rkerur-osx.hsd1.ca.comcast.net","dns": {"num_queries":1,"num_answers":1,"reply_code":3,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":226,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1569687261486499,"flow_dst_last_pkt_time":1569687261506389,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":145,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":145,"pkt_l4_len":111,"thread_ts_usec":1569687261506389,"pkt":"NDY7z3UoLH6BsEqhCABFAACDAABAADoRnvFLS0tLCgAA4wA13rkAbznpXq+BgwABAAAAAQAADUxQLVJLRVJVUi1PU1gEaHNkMQJjYQdjb21jYXN0A25ldAAAHAABwBoABgABAAAcIAAoBmRuczEwMcAiCGRuc2FkbWluwCIBawJtAAAcIAAADhAACTqAAAAcIA=="} 01028{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":226,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1569687261486499,"flow_src_last_pkt_time":1569687261486499,"flow_dst_last_pkt_time":1569687261506389,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":51,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":51,"flow_dst_max_l4_payload_len":103,"flow_src_tot_l4_payload_len":51,"flow_dst_tot_l4_payload_len":103,"midstream":0,"thread_ts_usec":1569687261506389,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"75.75.75.75","src_port":57017,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"lp-rkerur-osx.hsd1.ca.comcast.net","dns": {"num_queries":1,"num_answers":1,"reply_code":3,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -02198{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":229,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687260591875,"flow_src_last_pkt_time":1569687261807505,"flow_dst_last_pkt_time":1569687261836138,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1195,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":2943,"flow_dst_tot_l4_payload_len":4489,"midstream":0,"thread_ts_usec":1569687261836138,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.96.194","src_port":56921,"dst_port":4287,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":272,"avg":79351.4,"max":384774,"stddev":121592.3,"var":14784686080.0,"ent":3.7,"data": [28537,28596,272,35158,11581,46466,4231,33144,2963,31899,1468,30539,1730,30777,254948,281121,5133,31326,314965,342213,26303,53543,25788,25778,4801,30501,2712,28408,358152,384774,2066]},"pktlen": {"min":66,"avg":299.0,"max":1434,"stddev":416.2,"var":173206.9,"ent":4.0,"data": [78,78,66,214,66,1374,66,1261,66,117,66,510,66,477,66,377,66,181,66,791,66,1434,66,1174,66,128,66,136,66,124,66,124]},"bins": {"c_to_s": [9,2,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":229,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687260591875,"flow_src_last_pkt_time":1569687261807505,"flow_dst_last_pkt_time":1569687261836138,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1195,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":2943,"flow_dst_tot_l4_payload_len":4489,"midstream":0,"thread_ts_usec":1569687261836138,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.96.194","src_port":56921,"dst_port":4287,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":272,"avg":79351.4,"max":384774,"stddev":121592.3,"var":14784686080.0,"ent":3.7,"data": [28537,28596,272,35158,11581,46466,4231,33144,2963,31899,1468,30539,1730,30777,254948,281121,5133,31326,314965,342213,26303,53543,25788,25778,4801,30501,2712,28408,358152,384774,2066]},"pktlen": {"min":52,"avg":285.0,"max":1420,"stddev":416.2,"var":173206.9,"ent":3.9,"data": [64,64,52,200,52,1360,52,1247,52,103,52,496,52,463,52,363,52,167,52,777,52,1420,52,1160,52,114,52,122,52,110,52,110]},"bins": {"c_to_s": [9,2,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1],"entropies": [4.328511238,5.005488396,4.776612282,5.402243614,5.091758728,7.442438602,4.882569313,7.578964233,4.916693211,5.863890648,4.829590321,7.531296730,4.969671726,7.509452820,4.882569313,7.315038681,4.993616581,6.548084259,4.959492683,7.706759453,5.014835358,7.870440960,4.921030998,7.786418438,4.882569313,6.148206234,5.014835358,6.198904037,4.921030998,6.028552055,5.091758728,6.119950771]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":256,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687262866211,"flow_src_last_pkt_time":1569687262866211,"flow_dst_last_pkt_time":1569687262866211,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":16,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569687262866211,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"162.222.43.153","src_port":56881,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1569687262866211,"flow_dst_last_pkt_time":1569687262866211,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1569687262866211,"pkt":"LH6BsEqhNDY7z3UoCABFAABEAABAAEAGYVoKAADjot4rmd4xAbu3QBvT9S8yS4AYEAD8CwAAAQEIChwNvkTkAuRNDi2ISqeLxJuBXTMcrWivnw=="} 00842{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_src_last_pkt_time":1569687262866958,"flow_dst_last_pkt_time":1569687262866211,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":292,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":292,"pkt_l4_len":258,"thread_ts_usec":1569687262866958,"pkt":"LH6BsEqhNDY7z3UoCABFAAEWAABAAEAGYIgKAADjot4rmd4xAbu3QBvj9S8yS4AYEACf4gAAAQEIChwNvkTkAuRNC2FzYPnyOhEIxzv9HgAAAQAAAAAABf0HAAAAAAAAAFYAAAAAABO4pgAAAfJ1AAAAGzdZOcQAAAAAAAAAAAAAAAAAAAAAAAAAAGwAAAAAEjynVwAAAAAACz6PAAAAAABmQ+JAyo3EgU6LQwAAAAAAAAAAAAAACK7duMsBAQAAAAELYXNg+fI6EQjHO\/0eAAABAAAAAAAF\/QcAAAAAAAAAVgAAAAAAE7imAAAB8nUAAAAbN1k5xAAAAAAAAAAAAAAAAAAAAAAAAAAAbAAAAAASPKdXAAAAAAALPo8AAAAAAAAAAQ=="} @@ -184,7 +184,7 @@ 01251{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":301,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267079534,"flow_dst_last_pkt_time":1569687267077459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687267079534,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01405{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":303,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267079534,"flow_dst_last_pkt_time":1569687267125585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1569687267125585,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA"}}} 01791{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":309,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267166003,"flow_dst_last_pkt_time":1569687267203156,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":5792,"midstream":0,"thread_ts_usec":1569687267203156,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} -01538{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":333,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":26551.9,"max":138032,"stddev":33142.4,"var":1098418688.0,"ent":3.6,"data": [42362,42438,1999,46916,1210,46124,40336,4,40344,1,37231,6,37243,1,97159,138032,40854,1159,43270,9027,4,1,1,9,1,1,51168]},"pktlen": {"min":66,"avg":531.3,"max":1514,"stddev":619.3,"var":383541.0,"ent":4.1,"data": [78,70,66,218,66,1514,66,1514,1514,66,66,1514,1181,66,66,420,141,66,1031,66,1514,223,1514,223,1514,223,1514,223,66,66,66,66]},"bins": {"c_to_s": [12,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0]}} +01937{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":333,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":26551.9,"max":138032,"stddev":33142.4,"var":1098418688.0,"ent":3.6,"data": [42362,42438,1999,46916,1210,46124,40336,4,40344,1,37231,6,37243,1,97159,138032,40854,1159,43270,9027,4,1,1,9,1,1,51168]},"pktlen": {"min":52,"avg":517.3,"max":1500,"stddev":619.3,"var":383541.0,"ent":4.0,"data": [64,56,52,204,52,1500,52,1500,1500,52,52,1500,1167,52,52,406,127,52,1017,52,1500,209,1500,209,1500,209,1500,209,52,52,52,52]},"bins": {"c_to_s": [12,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0],"entropies": [4.215306282,4.950672150,4.700937271,5.452831745,4.700937271,7.337546349,4.738150120,7.112461567,7.211231709,4.791128635,4.791128635,7.407482147,5.922111034,4.791128635,4.829590321,7.350569248,6.160544395,4.791128635,7.794639587,4.868052006,7.862796307,6.916011810,7.871273518,6.899218082,7.872875214,6.733156681,7.846444607,6.809710979,4.829590321,4.767184258,4.829590321,4.829590321]}} 01795{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":333,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569687267035097,"flow_src_last_pkt_time":1569687267393587,"flow_dst_last_pkt_time":1569687267393508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1471,"flow_dst_tot_l4_payload_len":13402,"midstream":0,"thread_ts_usec":1569687267393587,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":56929,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","server_names":"*.pandion.viasat.com,pandion.viasat.com","ja3":"c9f0b47c9805f516e6d3900cb51f7841","ja3s":"82f0d8a75fa483d1cfe4b7085b784d7e","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Entrust, Inc., OU=See www.entrust.net\/legal-terms, OU=(c) 2012 Entrust, Inc. - for authorized use only, CN=Entrust Certification Authority - L1K","subjectDN":"C=US, ST=California, L=Carlsbad, O=Viasat Inc., CN=*.pandion.viasat.com","fingerprint":"92:70:CF:E3:69:4B:1D:F4:E2:DE:63:54:EC:DF:40:DB:F3:AC:D1:CA"}}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":343,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687267453127,"flow_src_last_pkt_time":1569687267453127,"flow_dst_last_pkt_time":1569687267453127,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569687267453127,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.149","src_port":56865,"dst_port":8008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":343,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":1,"flow_src_last_pkt_time":1569687267453127,"flow_dst_last_pkt_time":1569687267453127,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1569687267453127,"pkt":"pHczjPFANDY7z3UoCABFAAA0AABAAEAGJU0KAADjCgAAld4hH0glPK3eiXsRe4AREAA75QAAAQEIChwN0AsAIb2q"} @@ -278,7 +278,7 @@ 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":439,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":2,"flow_src_last_pkt_time":1569687268746220,"flow_dst_last_pkt_time":1569687268789706,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1569687268789706,"pkt":"NDY7z3UoLH6BsEqhCABFAABMkFUAAPcRuegIJWZbCgAA4wG701sAOF8pFgEAAAAAAAAAAAAAIwMAABcAAAAAAAAAFwEAFGKRvPEadu7FYjYhjKxM1MN8EkEd"} 00664{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":440,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":3,"flow_src_last_pkt_time":1569687268790107,"flow_dst_last_pkt_time":1569687268789706,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":161,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":161,"pkt_l4_len":127,"thread_ts_usec":1569687268790107,"pkt":"LH6BsEqhNDY7z3UoCABFAACTQPwAAEARv\/sKAADjCCVmW9NbAbsAf9nwFgEAAAAAAAAAAAEAagEAAF4AAQAAAAAAXgEA7YnEaZ6hZImmhCHr0JUfCBctWVvywlB71JRnxl7mI4ogm7BxyKgEQGFPg0eizi7+AVQMevU74i4erAc5hyngJu8UYpG88Rp27sViNiGMrEzUw3wSQR0AAgA5AQA="} 01000{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":465,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1569687268746220,"flow_src_last_pkt_time":1569687268790107,"flow_dst_last_pkt_time":1569687268836308,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":119,"flow_dst_max_l4_payload_len":188,"flow_src_tot_l4_payload_len":218,"flow_dst_tot_l4_payload_len":236,"midstream":0,"thread_ts_usec":1569687268836308,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":54107,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"DTLS","proto_id":"30","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01826{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687268746220,"flow_src_last_pkt_time":1569687268990048,"flow_dst_last_pkt_time":1569687268992240,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":93,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":157,"flow_dst_max_l4_payload_len":365,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3458,"midstream":0,"thread_ts_usec":1569687268992240,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":54107,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15801.5,"max":47070,"stddev":18787.6,"var":352972736.0,"ent":3.9,"data": [43486,43887,46602,46963,13778,22397,136,45366,3,1,180,3,8893,184,3220,4,34551,3,41128,530,5716,3654,11825,10035,4233,4600,46982,47070,168,405,3845]},"pktlen": {"min":90,"avg":213.1,"max":407,"stddev":70.7,"var":5001.8,"ent":4.9,"data": [141,90,161,230,135,167,167,167,263,215,215,215,199,151,167,359,311,183,231,167,167,311,167,279,199,407,199,279,167,183,183,343]},"bins": {"c_to_s": [0,0,1,11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,0,2,5,1,2,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,0,1,1,1,1,1,0,0,1,1,1,1,0,0,1,0,1,0,1,0,1,0,0,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"DTLS","proto_id":"30","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02225{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569687268746220,"flow_src_last_pkt_time":1569687268990048,"flow_dst_last_pkt_time":1569687268992240,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":93,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":157,"flow_dst_max_l4_payload_len":365,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3458,"midstream":0,"thread_ts_usec":1569687268992240,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"8.37.102.91","src_port":54107,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15801.5,"max":47070,"stddev":18787.6,"var":352972736.0,"ent":3.9,"data": [43486,43887,46602,46963,13778,22397,136,45366,3,1,180,3,8893,184,3220,4,34551,3,41128,530,5716,3654,11825,10035,4233,4600,46982,47070,168,405,3845]},"pktlen": {"min":76,"avg":199.1,"max":393,"stddev":70.7,"var":5001.8,"ent":4.9,"data": [127,76,147,216,121,153,153,153,249,201,201,201,185,137,153,345,297,169,217,153,153,297,153,265,185,393,185,265,153,169,169,329]},"bins": {"c_to_s": [0,0,1,11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,0,2,5,1,2,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,0,1,1,1,1,1,0,0,1,1,1,1,0,0,1,0,1,0,1,0,1,0,0,0,1],"entropies": [5.462343693,4.390864372,5.914839268,6.005654812,5.535966873,6.360437393,6.343824863,6.387973785,6.973914146,6.706965446,6.711217403,6.676970959,6.521679401,6.215778828,6.357885838,7.282065392,7.113596439,6.506012440,6.831180573,6.432122707,6.290798664,7.059806824,6.370957851,7.132057190,6.624488354,7.326114655,6.671812534,7.077751637,6.532753944,6.585647583,6.474001408,7.264476776]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"DTLS","proto_id":"30","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":519,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687269094582,"flow_src_last_pkt_time":1569687269094582,"flow_dst_last_pkt_time":1569687269094582,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":4,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":4,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":4,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687269094582,"l3_proto":"ip4","src_ip":"10.0.0.227","dst_ip":"10.0.0.1","src_port":52595,"dst_port":192,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":519,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1569687269094582,"flow_dst_last_pkt_time":1569687269094582,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":46,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":46,"pkt_l4_len":12,"thread_ts_usec":1569687269094582,"pkt":"LH6BsEqhNDY7z3UoCABFAAAg7WwAAEAReH0KAADjCgAAAc1zAMAADBGuCAEDEA=="} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":578,"source":"anyconnect-vpn.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569687269223066,"flow_src_last_pkt_time":1569687269223066,"flow_dst_last_pkt_time":1569687269223066,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":311,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569687269223066,"l3_proto":"ip4","src_ip":"10.0.0.151","dst_ip":"10.0.0.227","src_port":1900,"dst_port":57547,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -414,10 +414,10 @@ ~~ total active/idle flows...: 69/69 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6327803 bytes -~~ total memory freed........: 6327803 bytes -~~ total allocations/frees...: 125241/125241 +~~ total memory allocated....: 6337187 bytes +~~ total memory freed........: 6337187 bytes +~~ total allocations/frees...: 125310/125310 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars -~~ json string max len.......: 2203 chars -~~ json string avg len.......: 1351 chars +~~ json string max len.......: 2602 chars +~~ json string avg len.......: 1550 chars diff --git a/test/results/anydesk.pcapng.out b/test/results/anydesk.pcapng.out index a18c60109..55f9d1737 100644 --- a/test/results/anydesk.pcapng.out +++ b/test/results/anydesk.pcapng.out @@ -12,7 +12,7 @@ 01506{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199366725,"flow_dst_last_pkt_time":1591342199366001,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1591342199366725,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01568{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199366725,"flow_dst_last_pkt_time":1591342199532111,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":1300,"midstream":0,"thread_ts_usec":1591342199532111,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"}}} 01771{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342199532151,"flow_dst_last_pkt_time":1591342199532596,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":2600,"midstream":0,"thread_ts_usec":1591342199532596,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}} -01572{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":176540.0,"max":1602919,"stddev":394272.9,"var":155451113472.0,"ent":2.8,"data": [164805,164917,612,1082,165028,165426,485,455,339,338,1756,2021,164886,165169,210,191,219,307,218569,218677,606,928,1215453,1216321,7,87,855,7,2,1602919,62]},"pktlen": {"min":54,"avg":406.7,"max":1514,"stddev":555.2,"var":308238.0,"ent":3.9,"data": [74,60,54,317,60,1354,54,1354,54,60,54,1148,60,105,54,94,54,200,60,200,54,125,60,133,1514,1514,1256,60,60,60,1514,1194]},"bins": {"c_to_s": [8,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,1]}} +01970{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":176540.0,"max":1602919,"stddev":394272.9,"var":155451113472.0,"ent":2.8,"data": [164805,164917,612,1082,165028,165426,485,455,339,338,1756,2021,164886,165169,210,191,219,307,218569,218677,606,928,1215453,1216321,7,87,855,7,2,1602919,62]},"pktlen": {"min":40,"avg":392.7,"max":1500,"stddev":555.2,"var":308238.0,"ent":3.8,"data": [60,46,40,303,46,1340,40,1340,40,46,40,1134,46,91,40,80,40,186,46,186,40,111,46,119,1500,1500,1242,46,46,46,1500,1180]},"bins": {"c_to_s": [8,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,1],"entropies": [4.772595406,4.903359890,4.834184170,5.369554996,4.390828609,7.460080147,4.834184170,7.770876408,4.834184170,4.609350204,4.734183788,7.619944096,4.390829086,5.750715733,4.765311718,5.803060055,4.765311718,6.743920803,4.390828609,6.830827713,4.834184170,6.275036812,4.434307098,6.390825272,7.863389492,7.871673107,7.811679363,4.390829086,4.390829086,4.390829086,7.887207985,7.841894150]}} 01775{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":40,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1591342199201196,"flow_src_last_pkt_time":1591342201135977,"flow_dst_last_pkt_time":1591342202739154,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5696,"flow_dst_tot_l4_payload_len":5521,"midstream":0,"thread_ts_usec":1591342202739154,"l3_proto":"ip4","src_ip":"192.168.149.129","dst_ip":"51.83.238.219","src_port":43535,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"107030a763c7224285717ff1569a17f3","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}} 00568{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":6964,"source":"anydesk.pcapng","alias":"nDPId-test","packets-captured":6964,"packets-processed":6963,"total-skipped-flows":0,"total-l4-payload-len":2418022,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1613977585247036} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6964,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1613977585247036,"flow_src_last_pkt_time":1613977585247036,"flow_dst_last_pkt_time":1613977585247036,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1613977585247036,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.1","src_port":59511,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -39,7 +39,7 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6979,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1613977595407676,"flow_dst_last_pkt_time":1613977595407489,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1613977595407676,"pkt":"2MuK4S0uKDc3AG3ICABFAAAoAABAAEAGthLAqAGywKgBu8tHG54tLA3dVf0iy1AQIABwXwAAAAAAAAAA"} 01369{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6980,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1613977595407425,"flow_src_last_pkt_time":1613977595408312,"flow_dst_last_pkt_time":1613977595407489,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1613977595408312,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01790{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6987,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1613977595407425,"flow_src_last_pkt_time":1613977595408312,"flow_dst_last_pkt_time":1613977595549041,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":813,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":813,"midstream":0,"thread_ts_usec":1613977595549041,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"201999283915cc31cee6b15472ef3332","ja3s":"4b505adfb4a921c5a3a39d293b0811e1","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","subjectDN":"CN=AnyDesk Client, CN=AnyDesk Client","fingerprint":"86:4F:2A:9F:24:71:FD:0D:6A:35:56:AC:D8:7B:3A:19:E8:03:CA:2E"}}} -02208{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7014,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1613977595379986,"flow_src_last_pkt_time":1613977601740964,"flow_dst_last_pkt_time":1613977601737415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":3926,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5712,"flow_dst_tot_l4_payload_len":2727,"midstream":0,"thread_ts_usec":1613977601740964,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":328,"avg":471052.1,"max":3021750,"stddev":868685.8,"var":754614927360.0,"ent":2.9,"data": [491,529,333,431,328,10474,10878,39566,40320,8749,9516,516873,517463,1553,27804,26175,2358,56316,902900,957284,1754245,1753698,16355,71246,2966766,3021750,4006]},"pktlen": {"min":54,"avg":320.3,"max":3980,"stddev":747.4,"var":558552.1,"ent":3.2,"data": [66,66,54,299,60,60,1514,197,54,1340,60,968,94,54,101,60,89,88,60,88,54,3980,60,60,60,93,60,155,54,113,60,130]},"bins": {"c_to_s": [6,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1],"s_to_c": [11,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,1,1,0,0,1,1,1,0,1,1,0,0,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +02605{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7014,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1613977595379986,"flow_src_last_pkt_time":1613977601740964,"flow_dst_last_pkt_time":1613977601737415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":3926,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":5712,"flow_dst_tot_l4_payload_len":2727,"midstream":0,"thread_ts_usec":1613977601740964,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":328,"avg":471052.1,"max":3021750,"stddev":868685.8,"var":754614927360.0,"ent":2.9,"data": [491,529,333,431,328,10474,10878,39566,40320,8749,9516,516873,517463,1553,27804,26175,2358,56316,902900,957284,1754245,1753698,16355,71246,2966766,3021750,4006]},"pktlen": {"min":40,"avg":306.3,"max":3966,"stddev":747.4,"var":558552.1,"ent":3.1,"data": [52,52,40,285,46,46,1500,183,40,1326,46,954,80,40,87,46,75,74,46,74,40,3966,46,46,46,79,46,141,40,99,46,116]},"bins": {"c_to_s": [6,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1],"s_to_c": [11,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,1,1,0,0,1,1,1,0,1,1,0,0,1,0],"entropies": [4.461627960,4.714205742,4.680641174,5.380415440,4.190888405,4.260394573,7.726966381,6.171197891,4.680641174,7.726874828,4.303872585,7.788730145,5.640313625,4.630640984,5.698182583,4.200505257,5.465894222,5.550601006,4.303872585,5.570474148,4.680640697,7.956365585,4.157026768,4.303872585,4.190888405,5.661315441,4.260394096,6.538077354,4.630641460,6.000421047,4.260393620,6.241518974]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00568{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":9485,"source":"anydesk.pcapng","alias":"nDPId-test","packets-captured":9485,"packets-processed":9484,"total-skipped-flows":0,"total-l4-payload-len":4424268,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":7,"total-updates":0,"current-active-flows":4,"total-active-flows":6,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":43,"global_ts_usec":1663090549161771} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9485,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090549161771,"flow_dst_last_pkt_time":1663090549161771,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1663090549161771,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9485,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1663090549161771,"flow_dst_last_pkt_time":1663090549161771,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1663090549161771,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8b6ZAAEAGlofAqAGAw7WusLyEAbsbAqeoAAAAAKAC+vBE2wAAAgQFtAQCCAo49hnFAAAAAAEDAwc="} @@ -48,7 +48,7 @@ 01163{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":9488,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090549180495,"flow_dst_last_pkt_time":1663090549179486,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":289,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":289,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1663090549180495,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"29b5a018fa5992fe23560c16af0dc9fc","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"anydesk\/6.2.0\/linux"}}} 01225{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9490,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090549180495,"flow_dst_last_pkt_time":1663090549200737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":289,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":289,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1663090549200737,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"29b5a018fa5992fe23560c16af0dc9fc","ja3s":"e58f0b3c1e9eefb8ee4f92aeceee5858","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","alpn":"anydesk\/6.2.0\/linux"}}} 01567{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9492,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090549200799,"flow_dst_last_pkt_time":1663090549200825,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":289,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":289,"flow_dst_tot_l4_payload_len":2528,"midstream":0,"thread_ts_usec":1663090549200825,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","hostname":"","tls": {"version":"TLSv1.2","ja3":"29b5a018fa5992fe23560c16af0dc9fc","ja3s":"e58f0b3c1e9eefb8ee4f92aeceee5858","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=AnyNet Root CA, O=philandro Software GmbH, C=DE","subjectDN":"C=DE, O=philandro Software GmbH, CN=AnyNet Relay","alpn":"anydesk\/6.2.0\/linux","fingerprint":"9E:08:D2:58:A9:02:CD:4F:E2:4A:26:B8:48:5C:43:0B:81:29:99:E3"}}} -01983{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9516,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090558034917,"flow_dst_last_pkt_time":1663090558365585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5817,"flow_dst_tot_l4_payload_len":3029,"midstream":0,"thread_ts_usec":1663090558365585,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":583127.8,"max":8444631,"stddev":2063627.1,"var":4258557067264.0,"ent":1.5,"data": [17715,17815,909,17821,3430,20304,88,41,3772,21850,18137,104,44,888,64188,13442,76786,1527,18418,206643,224790,16,4,18683,18,62779,11,80221,8427892,8444631,313993]},"pktlen": {"min":66,"avg":342.9,"max":1514,"stddev":495.5,"var":245485.5,"ent":3.9,"data": [74,74,66,355,66,1514,66,1146,66,1160,117,66,106,66,213,66,212,66,151,66,159,1514,1514,1287,66,66,106,104,66,151,66,159]},"bins": {"c_to_s": [8,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,2,0,0],"s_to_c": [7,4,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,1,1]},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +02379{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9516,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1663090549161771,"flow_src_last_pkt_time":1663090558034917,"flow_dst_last_pkt_time":1663090558365585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5817,"flow_dst_tot_l4_payload_len":3029,"midstream":0,"thread_ts_usec":1663090558365585,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"195.181.174.176","src_port":48260,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":583127.8,"max":8444631,"stddev":2063627.1,"var":4258557067264.0,"ent":1.5,"data": [17715,17815,909,17821,3430,20304,88,41,3772,21850,18137,104,44,888,64188,13442,76786,1527,18418,206643,224790,16,4,18683,18,62779,11,80221,8427892,8444631,313993]},"pktlen": {"min":52,"avg":328.9,"max":1500,"stddev":495.5,"var":245485.5,"ent":3.8,"data": [60,60,52,341,52,1500,52,1132,52,1146,103,52,92,52,199,52,198,52,137,52,145,1500,1500,1273,52,52,92,90,52,137,52,145]},"bins": {"c_to_s": [8,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,2,0,0],"s_to_c": [7,4,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,1,1],"entropies": [4.759216309,5.287539482,5.061608315,5.575212479,5.085552692,7.541802406,5.085552692,7.720355034,5.138531685,7.691242218,6.017449379,5.100070000,6.076607704,5.061608315,6.938662529,5.176993370,6.939621925,5.176993370,6.553288460,5.176993370,6.578802109,7.876228809,7.874102592,7.832963467,5.176993370,5.176993370,6.054868221,5.938801765,5.138531685,6.484602451,5.215455055,6.623850822]},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00770{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":9521,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":7,"flow_first_seen":1613977595407425,"flow_src_last_pkt_time":1613977595964011,"flow_dst_last_pkt_time":1613977595963376,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1286,"flow_dst_max_l4_payload_len":914,"flow_src_tot_l4_payload_len":1549,"flow_dst_tot_l4_payload_len":1767,"midstream":0,"thread_ts_usec":1663090558383202,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"192.168.1.187","src_port":52039,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01417{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":9521,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":947,"flow_dst_packets_processed":1555,"flow_first_seen":1613977595379986,"flow_src_last_pkt_time":1613977618224574,"flow_dst_last_pkt_time":1613977618224857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5506,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1977868,"flow_dst_tot_l4_payload_len":24838,"midstream":0,"thread_ts_usec":1663090558383202,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.178","src_port":54164,"dst_port":7070,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TLS.AnyDesk","proto_id":"91.252","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00919{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":9521,"source":"anydesk.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1613977585542630,"flow_src_last_pkt_time":1613977585542630,"flow_dst_last_pkt_time":1613977585553797,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":1663090558383202,"l3_proto":"ip4","src_ip":"192.168.1.187","dst_ip":"192.168.1.1","src_port":55376,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AnyDesk","proto_id":"5.252","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} @@ -63,10 +63,10 @@ ~~ total active/idle flows...: 7/7 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6376701 bytes -~~ total memory freed........: 6376701 bytes -~~ total allocations/frees...: 131123/131123 +~~ total memory allocated....: 6377653 bytes +~~ total memory freed........: 6377653 bytes +~~ total allocations/frees...: 131130/131130 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars -~~ json string max len.......: 2213 chars -~~ json string avg len.......: 1352 chars +~~ json string max len.......: 2610 chars +~~ json string avg len.......: 1551 chars diff --git a/test/results/avast.pcap.out b/test/results/avast.pcap.out index 052307414..c5cfc5a02 100644 --- a/test/results/avast.pcap.out +++ b/test/results/avast.pcap.out @@ -87,9 +87,9 @@ ~~ total active/idle flows...: 10/10 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6074855 bytes -~~ total memory freed........: 6074855 bytes -~~ total allocations/frees...: 121729/121729 +~~ total memory allocated....: 6076215 bytes +~~ total memory freed........: 6076215 bytes +~~ total allocations/frees...: 121739/121739 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 902 chars diff --git a/test/results/avast_securedns.pcapng.out b/test/results/avast_securedns.pcapng.out index bd4f43643..33b1a8110 100644 --- a/test/results/avast_securedns.pcapng.out +++ b/test/results/avast_securedns.pcapng.out @@ -224,9 +224,9 @@ ~~ total active/idle flows...: 39/39 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6099586 bytes -~~ total memory freed........: 6099586 bytes -~~ total allocations/frees...: 121944/121944 +~~ total memory allocated....: 6104890 bytes +~~ total memory freed........: 6104890 bytes +~~ total allocations/frees...: 121983/121983 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 502 chars ~~ json string max len.......: 929 chars diff --git a/test/results/bad-dns-traffic.pcap.out b/test/results/bad-dns-traffic.pcap.out index 382171ea5..8721a0249 100644 --- a/test/results/bad-dns-traffic.pcap.out +++ b/test/results/bad-dns-traffic.pcap.out @@ -17,7 +17,7 @@ 01193{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012638093433,"flow_dst_last_pkt_time":1486012635073060,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":364,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1486012638093433,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"46b100fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":5,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 01194{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012639101974,"flow_dst_last_pkt_time":1486012635073060,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":455,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1486012639101974,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"c75900fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":16,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 01308{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012639101974,"flow_dst_last_pkt_time":1486012639174914,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":91,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":91,"flow_dst_max_l4_payload_len":122,"flow_src_tot_l4_payload_len":455,"flow_dst_tot_l4_payload_len":122,"midstream":0,"thread_ts_usec":1486012639174914,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"c75900fdf525320021636f6d6d616e64202873697276696d65732900.skullseclabs.org","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":16,"rsp_type":16,"rsp_addr":"0.0.0.0"}}} -02034{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012651592518,"flow_dst_last_pkt_time":1486012651846910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":248,"flow_dst_max_l4_payload_len":281,"flow_src_tot_l4_payload_len":1392,"flow_dst_tot_l4_payload_len":1397,"midstream":0,"thread_ts_usec":1486012651846910,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":63089,"avg":1073977.6,"max":4101854,"stddev":689094.3,"var":474850951168.0,"ent":4.7,"data": [1006460,1005839,1008074,1008541,4101854,73173,63089,1023925,1006666,2080907,1018755,962463,1014062,1012614,1013561,1040293,1038247,1060225,1011738,991100,1041523,1066575,1017786,982256,1029549,1026193,1027755,1007446,2080430,166358,305851]},"pktlen": {"min":95,"avg":129.2,"max":323,"stddev":50.6,"var":2560.6,"ent":4.9,"data": [133,133,133,133,133,164,95,130,95,95,126,95,128,95,130,95,128,95,128,95,126,95,128,95,130,95,128,95,95,174,290,323]},"bins": {"c_to_s": [0,13,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02433{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012651592518,"flow_dst_last_pkt_time":1486012651846910,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":248,"flow_dst_max_l4_payload_len":281,"flow_src_tot_l4_payload_len":1392,"flow_dst_tot_l4_payload_len":1397,"midstream":0,"thread_ts_usec":1486012651846910,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":63089,"avg":1073977.6,"max":4101854,"stddev":689094.3,"var":474850951168.0,"ent":4.7,"data": [1006460,1005839,1008074,1008541,4101854,73173,63089,1023925,1006666,2080907,1018755,962463,1014062,1012614,1013561,1040293,1038247,1060225,1011738,991100,1041523,1066575,1017786,982256,1029549,1026193,1027755,1007446,2080430,166358,305851]},"pktlen": {"min":81,"avg":115.2,"max":309,"stddev":50.6,"var":2560.6,"ent":4.9,"data": [119,119,119,119,119,150,81,116,81,81,112,81,114,81,116,81,114,81,114,81,112,81,114,81,116,81,114,81,81,160,276,309]},"bins": {"c_to_s": [0,13,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1],"entropies": [4.888009548,4.952452183,4.965347767,4.979370117,4.967788696,4.929614544,5.009302616,4.960116863,5.043313503,5.058685303,5.000692368,5.003250122,5.011343002,4.956934929,5.038347244,4.966254234,5.016212940,4.953866959,4.986301899,5.024673939,4.983958244,4.935227871,4.998669147,4.940047741,4.970242500,4.999982357,4.987974167,4.999982834,5.024673939,4.881881237,4.176499844,4.325556755]},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01150{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":172,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":9,"flow_first_seen":1486012623234684,"flow_src_last_pkt_time":1486012630535623,"flow_dst_last_pkt_time":1486012630741119,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":187,"flow_src_tot_l4_payload_len":705,"flow_dst_tot_l4_payload_len":915,"midstream":0,"thread_ts_usec":1486012676167582,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":35966,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01156{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":229,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":120,"flow_dst_packets_processed":89,"flow_first_seen":1486012635073060,"flow_src_last_pkt_time":1486012686228125,"flow_dst_last_pkt_time":1486012686227663,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":248,"flow_dst_max_l4_payload_len":283,"flow_src_tot_l4_payload_len":26440,"flow_dst_tot_l4_payload_len":22745,"midstream":0,"thread_ts_usec":1486012686228125,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":56354,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01150{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":367,"source":"bad-dns-traffic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":9,"flow_first_seen":1486012623234684,"flow_src_last_pkt_time":1486012630535623,"flow_dst_last_pkt_time":1486012630741119,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":187,"flow_src_tot_l4_payload_len":705,"flow_dst_tot_l4_payload_len":915,"midstream":0,"thread_ts_usec":1486012726429073,"l3_proto":"ip4","src_ip":"192.168.43.91","dst_ip":"4.2.2.4","src_port":35966,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -39,10 +39,10 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6050291 bytes -~~ total memory freed........: 6050291 bytes -~~ total allocations/frees...: 121895/121895 +~~ total memory allocated....: 6050699 bytes +~~ total memory freed........: 6050699 bytes +~~ total allocations/frees...: 121898/121898 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars -~~ json string max len.......: 2039 chars -~~ json string avg len.......: 1268 chars +~~ json string max len.......: 2438 chars +~~ json string avg len.......: 1468 chars diff --git a/test/results/bitcoin.pcap.out b/test/results/bitcoin.pcap.out index 9645541c3..073f18c02 100644 --- a/test/results/bitcoin.pcap.out +++ b/test/results/bitcoin.pcap.out @@ -10,26 +10,26 @@ 00983{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":20,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328089970465,"flow_src_last_pkt_time":1301328089970465,"flow_dst_last_pkt_time":1301328089970465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328089970465,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00671{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1301328089970465,"flow_dst_last_pkt_time":1301328090023170,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328090023170,"pkt":"ACNshovhACPrIpS0CABFAACdT81AAHYGdmdFdjZ6wKgBjiCN2CBFUvMhECrU24AYAQRFgAAAAQEICgA8+QknMuFU+b602XZlcnNpb24AAAAAAFUAAAACfQAAAQAAAAAAAADZsJBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHtggAQAAAAAAAAAAAAAAAAAAAAAA\/\/9FdjZ6II3xDaOK7c9BwgAGwwEA"} 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1301328089970465,"flow_dst_last_pkt_time":1301328090082335,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328090082335,"pkt":"ACNshovhACPrIpS0CABFAABIT85AAHYGdrtFdjZ6wKgBjiCN2CBFUvOKECrU24AYAQQkRgAAAQEICgA8+RAnMuFV+b602XZlcmFjawAAAAAAAAAAAAA="} -01877{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1301328089970465,"flow_src_last_pkt_time":1301328231627793,"flow_dst_last_pkt_time":1301328234475638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":36033,"midstream":1,"thread_ts_usec":1301328234475638,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9231048.0,"max":141657328,"stddev":28184708.0,"var":794377756606464.0,"ent":1.9,"data": [52705,59165,36072737,6972560,71059721,141657328,28238337,91,32968,6,2,1933055,1,2,1,2,4527,16790,273,4103,461,12118,1136,339,10616,15667,2671,6,3102,4098,7913]},"pktlen": {"min":86,"avg":1196.7,"max":1514,"stddev":570.2,"var":325114.2,"ent":4.8,"data": [171,171,86,127,121,127,110,1514,1514,1514,1514,1045,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02275{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1301328089970465,"flow_src_last_pkt_time":1301328231627793,"flow_dst_last_pkt_time":1301328234475638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":36033,"midstream":1,"thread_ts_usec":1301328234475638,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"69.118.54.122","src_port":55328,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9231048.0,"max":141657328,"stddev":28184708.0,"var":794377756606464.0,"ent":1.9,"data": [52705,59165,36072737,6972560,71059721,141657328,28238337,91,32968,6,2,1933055,1,2,1,2,4527,16790,273,4103,461,12118,1136,339,10616,15667,2671,6,3102,4098,7913]},"pktlen": {"min":72,"avg":1182.7,"max":1500,"stddev":570.2,"var":325114.2,"ent":4.8,"data": [157,157,72,113,107,113,96,1500,1500,1500,1500,1031,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.331577301,4.391512871,4.909439087,5.158895969,4.722836494,5.592147827,4.927504063,7.410189629,7.472129822,7.510345459,7.516362667,7.410877228,3.553941965,3.447642088,3.529692411,3.496179581,3.466899872,3.442958832,3.518888474,3.453003168,3.457215071,3.471271992,3.497405529,3.477877617,3.477765560,3.484272242,3.466756582,3.504224300,3.495511293,3.509394407,3.499261856,3.458781719]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":81,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319392147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328319392147,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00676{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319392147,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328319392147,"pkt":"ACPrIpS0ACNshovhCABFAACdlslAAEAG4RzAqAGOSlm15dg0II2cIEOJr5xIoIAY\/\/\/04QAAAQEICicy6kgDS\/0c+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAAC\/sZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/Slm15SCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII2qu+Pk33arXQC9vgEA"} 00983{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":81,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319392147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328319392147,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":82,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319451340,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328319451340,"pkt":"ACNshovhACPrIpS0CABFAACdR2RAAHYG+oFKWbXlwKgBjiCN2DSvnEignCBD8oAYAQSuQgAAAQEICgNL\/SInMupI+b602XZlcnNpb24AAAAAAFUAAAAAfQAAAQAAAAAAAAC4sZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHtg0AQAAAAAAAAAAAAAAAAAAAAAA\/\/9KWbXlII1O39\/bLGJPkgAHwwEA"} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1301328319392147,"flow_dst_last_pkt_time":1301328319554549,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328319554549,"pkt":"ACNshovhACPrIpS0CABFAABIR4lAAHYG+rFKWbXlwKgBjiCN2DSvnEkJnCBD8oAYAQTU7AAAAQEICgNL\/S8nMupI+b602XZlcmFjawAAAAAAAAAAAAA="} -01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328419814379,"flow_dst_last_pkt_time":1301328420325069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":204,"flow_dst_tot_l4_payload_len":35103,"midstream":1,"thread_ts_usec":1301328420325069,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":6495327.5,"max":100110670,"stddev":19444800.0,"var":378100231700480.0,"ent":2.0,"data": [59193,103209,9823152,39766075,21773202,100110670,311562,29237037,27,63547,5,128,1815,36336,73,10069,11,2188,6,22497,6,36,5434,1881,16669,98,3307,3200,88,2587,1046]},"pktlen": {"min":86,"avg":1169.3,"max":1514,"stddev":597.2,"var":356626.8,"ent":4.7,"data": [171,171,86,182,121,121,110,121,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02279{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":157,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1301328319392147,"flow_src_last_pkt_time":1301328419814379,"flow_dst_last_pkt_time":1301328420325069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":204,"flow_dst_tot_l4_payload_len":35103,"midstream":1,"thread_ts_usec":1301328420325069,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"74.89.181.229","src_port":55348,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":6495327.5,"max":100110670,"stddev":19444800.0,"var":378100231700480.0,"ent":2.0,"data": [59193,103209,9823152,39766075,21773202,100110670,311562,29237037,27,63547,5,128,1815,36336,73,10069,11,2188,6,22497,6,36,5434,1881,16669,98,3307,3200,88,2587,1046]},"pktlen": {"min":72,"avg":1155.3,"max":1500,"stddev":597.2,"var":356626.8,"ent":4.7,"data": [157,157,72,168,107,107,96,107,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.470258713,4.521859646,5.133765697,5.303792000,4.884179592,4.884179592,5.089661121,4.793436050,3.556293964,3.471724272,3.563110828,3.507483721,3.465379477,3.476032257,3.517805815,3.485985279,3.486981392,3.481694460,3.513358593,3.496114254,3.507799149,3.471463203,3.516937494,3.517798901,3.501855373,3.464563370,3.465409040,3.545469761,3.513061523,3.455718517,3.526946545,3.479244232]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":201,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472925065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328472925065,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00674{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":201,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472925065,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328472925065,"pkt":"ACPrIpS0ACNshovhCABFAACde+1AAEAGZt3AqAGOQkRTFthXII0tj7Vf9ZidkYAY\/\/+IsAAAAQEICicy8EYAAAAA+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAABYspBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/QkRTFiCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII21Dgd4gTLgpgDgvgEA"} 00982{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":201,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472925065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328472925065,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328472987383,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328472987383,"pkt":"ACNshovhACPrIpS0CABFAACdMqtAAG8GgR9CRFMWwKgBjiCN2Ff1mJ2RLY+1yIAY\/5aM3QAAAQEICgBK7W0nMvBG+b602XZlcnNpb24AAAAAAFUAAACcfAAAAQAAAAAAAABZspBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHthXAQAAAAAAAAAAAAAAAAAAAAAA\/\/9CRFMWII0z3Rs+AfeDdwAHwwEA"} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":203,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1301328472925065,"flow_dst_last_pkt_time":1301328473077893,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328473077893,"pkt":"ACNshovhACPrIpS0CABFAABIMqxAAG8GgXNCRFMWwKgBjiCN2Ff1mJ36LY+1yIAY\/5avrAAAAQEICgBK7W4nMvBG+b602XZlcmFjawAAAAAAAAAAAAA="} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":215,"source":"bitcoin.pcap","alias":"nDPId-test","packets-captured":215,"packets-processed":214,"total-skipped-flows":0,"total-l4-payload-len":260266,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":4,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":25,"global_ts_usec":1301328538215424} -01907{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":284,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328607711436,"flow_dst_last_pkt_time":1301328616076718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9102,"flow_dst_tot_l4_payload_len":23653,"midstream":1,"thread_ts_usec":1301328616076718,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":8965742.0,"max":134322478,"stddev":25481870.0,"var":649325705166848.0,"ent":2.2,"data": [62318,90510,14042384,39643167,11451980,9238604,22700384,134322478,190526,216456,52,56784,49,15,11,45582876,5468,2949,79677,2390,56420,14875,38291,1106,29429,10233,41403,43,29590,11803,15753]},"pktlen": {"min":86,"avg":1089.6,"max":1514,"stddev":630.5,"var":397582.1,"ent":4.7,"data": [171,171,86,127,127,127,182,127,110,1514,1514,1514,1514,1514,1514,331,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0],"s_to_c": [1,4,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]},"directions": [0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02305{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":284,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1301328472925065,"flow_src_last_pkt_time":1301328607711436,"flow_dst_last_pkt_time":1301328616076718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9102,"flow_dst_tot_l4_payload_len":23653,"midstream":1,"thread_ts_usec":1301328616076718,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"66.68.83.22","src_port":55383,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":8965742.0,"max":134322478,"stddev":25481870.0,"var":649325705166848.0,"ent":2.2,"data": [62318,90510,14042384,39643167,11451980,9238604,22700384,134322478,190526,216456,52,56784,49,15,11,45582876,5468,2949,79677,2390,56420,14875,38291,1106,29429,10233,41403,43,29590,11803,15753]},"pktlen": {"min":72,"avg":1075.6,"max":1500,"stddev":630.5,"var":397582.1,"ent":4.7,"data": [157,157,72,113,113,113,168,113,96,1500,1500,1500,1500,1500,1500,317,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0],"s_to_c": [1,4,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]},"directions": [0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.314049721,4.516415119,5.159438610,5.621953964,5.629888535,5.436272144,5.232412338,5.492824554,5.047397614,6.620144367,6.645269394,6.641551971,6.624248028,6.652445793,6.650110245,6.173855782,3.519509792,3.418695927,3.522331953,3.473526716,3.458976030,3.461488724,3.521340132,3.498308420,3.439558506,3.445366859,3.488321781,3.470211506,3.484444618,3.500530481,3.521874428,3.458418369]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":348,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699728375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328699728375,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00674{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699728375,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328699728375,"pkt":"ACPrIpS0ACNshovhCABFAACdK9RAAEAGd8TAqAGOw9oQsthoII1BDXcu4yOzE4AY\/\/9L7wAAAQEICicy+R8AACIN+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAAA7s5BNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/w9oQsiCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII38Ree1v7hQ3gC4wAEA"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":348,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699728375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301328699728375,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699856583,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301328699856583,"pkt":"ACNshovhACPrIpS0CABFAACdBc9AAHUGaMnD2hCywKgBjiCN2GjjI7MTQQ13l4AYAQQ8gQAAAQEICgAAIhwnMvkf+b602XZlcnNpb24AAAAAAFUAAAACfQAAAQAAAAAAAAA4s5BNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/JmCEHthoAQAAAAAAAAAAAAAAAAAAAAAA\/\/\/D2hCyII0FGo5IhpYwXgAKwwEA"} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1301328699728375,"flow_dst_last_pkt_time":1301328699969841,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1301328699969841,"pkt":"ACNshovhACPrIpS0CABFAABIBdlAAHUGaRTD2hCywKgBjiCN2GjjI7N8QQ13l4AYAQRZWQAAAQEICgAAIignMvkg+b602XZlcmFjawAAAAAAAAAAAAA="} -01919{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":390,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328741904043,"flow_dst_last_pkt_time":1301328743741542,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5826,"flow_dst_tot_l4_payload_len":27918,"midstream":1,"thread_ts_usec":1301328743741542,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":2780285.0,"max":41186439,"stddev":7975567.0,"var":63609669419008.0,"ent":2.2,"data": [128208,113258,17195103,11450771,3438749,6775,2755264,41186439,319900,321845,34,347450,8283500,31885,35035,52689,19022,36630,49289,41130,63903,2317,29070,27748,37436,32734,49198,24571,33724,41084,34074]},"pktlen": {"min":86,"avg":1120.5,"max":1514,"stddev":621.5,"var":386298.0,"ent":4.7,"data": [171,171,86,121,121,121,121,127,110,1514,1514,1514,1399,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,3,0,0],"s_to_c": [1,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0]},"directions": [0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02317{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":390,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1301328699728375,"flow_src_last_pkt_time":1301328741904043,"flow_dst_last_pkt_time":1301328743741542,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":5826,"flow_dst_tot_l4_payload_len":27918,"midstream":1,"thread_ts_usec":1301328743741542,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"195.218.16.178","src_port":55400,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":2780285.0,"max":41186439,"stddev":7975567.0,"var":63609669419008.0,"ent":2.2,"data": [128208,113258,17195103,11450771,3438749,6775,2755264,41186439,319900,321845,34,347450,8283500,31885,35035,52689,19022,36630,49289,41130,63903,2317,29070,27748,37436,32734,49198,24571,33724,41084,34074]},"pktlen": {"min":72,"avg":1106.5,"max":1500,"stddev":621.5,"var":386298.0,"ent":4.7,"data": [157,157,72,107,107,107,107,113,96,1500,1500,1500,1385,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,3,0,0],"s_to_c": [1,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0]},"directions": [0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.383668423,4.444240093,4.982605934,4.668665886,4.713104248,4.762123585,4.780815601,5.560832977,4.996669769,6.587570190,6.648486137,6.600738525,6.599431038,3.406774759,3.373550653,3.345058441,3.338595867,3.355129480,3.392081499,3.337737560,3.285459280,3.329736471,3.341146708,3.315114975,3.270951748,3.318075180,3.308751106,3.279112339,3.298598528,3.384484768,3.426392555,3.339625120]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":495,"source":"bitcoin.pcap","alias":"nDPId-test","packets-captured":495,"packets-processed":494,"total-skipped-flows":0,"total-l4-payload-len":520135,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":0,"total-updates":0,"current-active-flows":5,"total-active-flows":5,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":33,"global_ts_usec":1301329138452825} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":521,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1301329304767401,"flow_src_last_pkt_time":1301329304767401,"flow_dst_last_pkt_time":1301329304767401,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":105,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":105,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":105,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1301329304767401,"l3_proto":"ip4","src_ip":"192.168.1.142","dst_ip":"184.58.165.119","src_port":55487,"dst_port":8333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00675{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":521,"source":"bitcoin.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1301329304767401,"flow_dst_last_pkt_time":1301329304767401,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1301329304767401,"pkt":"ACPrIpS0ACNshovhCABFAACdDAhAAEAGDmvAqAGOuDqld9i\/II0stRatNDMFDIAY\/\/9S8AAAAQEICiczELoAVdzf+b602XZlcnNpb24AAAAAAFUAAAABfQAAAQAAAAAAAACYtZBNAAAAAAEAAAAAAAAAAAAAAAAAAAAAAP\/\/uDqldyCNAQAAAAAAAAAAAAAAAAAAAAAA\/\/8mYIQeII0b7ZMAlkQ1dwALwwEA"} @@ -52,10 +52,10 @@ ~~ total active/idle flows...: 6/6 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6070466 bytes -~~ total memory freed........: 6070466 bytes -~~ total allocations/frees...: 122176/122176 +~~ total memory allocated....: 6071282 bytes +~~ total memory freed........: 6071282 bytes +~~ total allocations/frees...: 122182/122182 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1924 chars -~~ json string avg len.......: 1207 chars +~~ json string max len.......: 2322 chars +~~ json string avg len.......: 1406 chars diff --git a/test/results/bittorrent.pcap.out b/test/results/bittorrent.pcap.out index 6e7605898..6e7979b97 100644 --- a/test/results/bittorrent.pcap.out +++ b/test/results/bittorrent.pcap.out @@ -94,7 +94,7 @@ 00691{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":82,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_src_last_pkt_time":1455469978413724,"flow_dst_last_pkt_time":1455469978662941,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":185,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":185,"pkt_l4_len":151,"thread_ts_usec":1455469978662941,"pkt":"xCwDBkn+LFbcjDU0CABFAACrdTRAAHcGzXJf6p8QwKgBA6D1zrlkqPSW1A6dPYAYAMM1JwAAAQEICgIQtLMZ3BteE0JpdFRvcnJlbnQgcHJvdG9jb2wAAAAAABAABdz83M+55nDMw91Ax4wWHyvqJDEmLVVUMzQ1MC3wos5cW3r846cWQCoAAADoFABkMTplaTBlNDppcHY0NDpf6p8QMTI6Y29tcGxldGVfYWdvaTQ1ZTE6bWQxMTo="} 01355{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1455469978413724,"flow_dst_last_pkt_time":1455469978678722,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":587,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":587,"pkt_l4_len":553,"thread_ts_usec":1455469978678722,"pkt":"xCwDBkn+LFbcjDU0CABFAAI9dTZAAHcGy95f6p8QwKgBA6D1zrlkqPUN1A6dPYAZAMPqbAAAAQEICgIQtLMZ3BtedXBsb2FkX29ubHlpM2UxMTpsdF9kb250aGF2ZWk3ZTEyOnV0X2hvbGVwdW5jaGk0ZTExOnV0X21ldGFkYXRhaTJlNjp1dF9wZXhpMWUxMDp1dF9jb21tZW50aTZlZTEzOm1ldGFkYXRhX3NpemVpMTkwMDllMTpwaTQxMjA1ZTQ6cmVxcWkyNTVlMTp2MTU6zrxUb3JyZW50IDMuNC41Mjp5cGk1MjkyMWU2OnlvdXJpcDQ6UjfNAWUAAAB0Bf\/\/\/\/\/7\/\/\/\/\/\/\/\/\/f\/\/\/\/9\/\/\/\/3\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/\/3\/\/\/\/\/\/\/\/\/\/v7\/\/v\/\/\/\/\/7\/\/3\/f\/\/\/\/\/r\/\/\/v\/\/\/\/9\/\/\/\/\/\/\/\/\/+\/\/\/\/\/3\/7\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/\/\/9\/\/\/\/\/9\/\/f\/4AAAAAFBAAAACUAAAAFBAAAAJwAAAAFBAAAArkAAAAFBAAAAfAAAAAFBAAAA3QAAAAFBAAAAosAAAAFBAAAAZ8AAAAFBAAAAdUAAAAFBAAAAqwAAAAFBAAAAhUAAAAFBAAAAM0AAAAFBAAAAk4AAAAFBAAAAIAAAAAFBAAAA4IAAAAFBAAAAF4AAAAFBAAAAi0AAAAFBAAAAVYAAAAFBAAAAZcAAAAFBAAAA1AAAAAFBAAAAeYAAAAFBAAAAa8AAAAFBAAAAhcAAAAFBAAAAw0AAAAFBAAAARs="} 01357{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":85,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1455469978422152,"flow_dst_last_pkt_time":1455469978679019,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":586,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":586,"pkt_l4_len":552,"thread_ts_usec":1455469978679019,"pkt":"xCwDBkn+LFbcjDU0CABFAAI8IwBAAHYG\/QBf7cEiwKgBAyw5zrr6gfxfv4GyU4AZAQJxbQAAAQEICgADmIEZ3BtmcGxvYWRfb25seWkzZTExOmx0X2RvbnRoYXZlaTdlMTI6dXRfaG9sZXB1bmNoaTRlMTE6dXRfbWV0YWRhdGFpMmU2OnV0X3BleGkxZTEwOnV0X2NvbW1lbnRpNmVlMTM6bWV0YWRhdGFfc2l6ZWkxOTAwOWUxOnBpMTEzMjFlNDpyZXFxaTI1NWUxOnYxNTrOvFRvcnJlbnQgMy40LjUyOnlwaTUyOTIyZTY6eW91cmlwNDpSN80BZQAAAHQF\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/+\/\/\/+\/\/7\/\/\/\/\/7\/\/\/\/\/\/\/\/\/\/\/\/\/\/v\/\/\/v\/\/v\/\/+P\/\/\/\/\/\/\/7\/\/\/\/\/\/\/\/+\/7\/7\/\/\/\/\/\/7\/\/\/\/\/\/v\/\/3+\/\/+\/\/\/\/\/\/\/\/\/\/\/\/\/9\/\/\/7\/\/\/+\/\/\/\/\/\/\/\/\/\/\/\/\/\/+\/\/\/\/\/\/\/\/\/\/3\/\/gAAAAAUEAAACNQAAAAUEAAACYwAAAAUEAAADgAAAAAUEAAAB1wAAAAUEAAAAyQAAAAUEAAABzQAAAAUEAAACUQAAAAUEAAABYQAAAAUEAAACzQAAAAUEAAAApQAAAAUEAAACtgAAAAUEAAACSAAAAAUEAAACDQAAAAUEAAABIQAAAAUEAAABYwAAAAUEAAAC5wAAAAUEAAAAlQAAAAUEAAABYgAAAAUEAAABlQAAAAUEAAADQQAAAAUEAAAB4wAAAAUEAAABOQAAAAUEAAABSwAAAAUEAAAAfQ=="} -01932{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1455469976336620,"flow_src_last_pkt_time":1455469980135637,"flow_dst_last_pkt_time":1455469980194523,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":17,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":176,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":904,"flow_dst_tot_l4_payload_len":20536,"midstream":1,"thread_ts_usec":1455469980194523,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"198.100.146.9","src_port":52915,"dst_port":60163,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12043,"avg":246997.4,"max":919975,"stddev":228791.8,"var":52345696256.0,"ent":4.4,"data": [176832,184047,360999,337345,477634,919975,779765,619481,619422,156869,158080,151021,161242,12043,185627,163549,148908,165750,153542,19235,148725,12813,146117,495893,130312,32142,133808,27318,421482,129521,27423]},"pktlen": {"min":80,"avg":736.4,"max":1506,"stddev":635.2,"var":403438.9,"ent":4.4,"data": [134,146,625,242,80,190,104,100,1506,83,1180,83,623,95,83,403,83,202,623,1506,1506,1506,1506,1506,202,1506,1506,1506,1506,211,1506,1506]},"bins": {"c_to_s": [5,1,1,1,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,0,1,1,1,1,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +02329{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1455469976336620,"flow_src_last_pkt_time":1455469980135637,"flow_dst_last_pkt_time":1455469980194523,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":17,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":176,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":904,"flow_dst_tot_l4_payload_len":20536,"midstream":1,"thread_ts_usec":1455469980194523,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"198.100.146.9","src_port":52915,"dst_port":60163,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12043,"avg":246997.4,"max":919975,"stddev":228791.8,"var":52345696256.0,"ent":4.4,"data": [176832,184047,360999,337345,477634,919975,779765,619481,619422,156869,158080,151021,161242,12043,185627,163549,148908,165750,153542,19235,148725,12813,146117,495893,130312,32142,133808,27318,421482,129521,27423]},"pktlen": {"min":66,"avg":722.4,"max":1492,"stddev":635.2,"var":403438.9,"ent":4.4,"data": [120,132,611,228,66,176,90,86,1492,69,1166,69,609,81,69,389,69,188,609,1492,1492,1492,1492,1492,188,1492,1492,1492,1492,197,1492,1492]},"bins": {"c_to_s": [5,1,1,1,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,0,1,1,1,1,0,1,1],"entropies": [6.014183998,6.126387119,4.946569443,5.524954319,4.794059277,3.940484047,5.368589878,4.276479721,7.786795139,4.471814156,7.741641998,4.592490196,7.566695690,4.716621876,4.551665783,7.390619278,4.569711208,2.883123636,7.557919025,4.866727352,7.736888409,7.724407196,7.768088341,7.796109200,3.117206812,7.722576141,7.763302326,7.809885979,7.808127880,3.077500105,7.837090492,7.871365547]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":113,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455469980213097,"flow_src_last_pkt_time":1455469980213097,"flow_dst_last_pkt_time":1455469980213097,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1455469980213097,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"83.216.184.241","src_port":52927,"dst_port":51413,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00625{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":113,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1455469980213097,"flow_dst_last_pkt_time":1455469980213097,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":134,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":134,"pkt_l4_len":100,"thread_ts_usec":1455469980213097,"pkt":"LFbcjDU0xCwDBkn+CABFAAB4U25AAEAGAADAqAEDU9i48c6\/yNUzq1kTBM6UFIAYL5vO3wAAAQEIChncIiN4G2eaE0JpdFRvcnJlbnQgcHJvdG9jb2wAAAAAABAABdz83M+55nDMw91Ax4wWHyvqJDEmLVVNMTg2MC1Bjq+Lj4Q+qUQM4PY="} 00941{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":113,"source":"bittorrent.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455469980213097,"flow_src_last_pkt_time":1455469980213097,"flow_dst_last_pkt_time":1455469980213097,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1455469980213097,"l3_proto":"ip4","src_ip":"192.168.1.3","dst_ip":"83.216.184.241","src_port":52927,"dst_port":51413,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","bittorrent": {"hash":"dcfcdccfb9e670ccc3dd40c78c161f2bea243126"}}} @@ -141,10 +141,10 @@ ~~ total active/idle flows...: 24/24 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6388904 bytes -~~ total memory freed........: 6388904 bytes -~~ total allocations/frees...: 122040/122040 +~~ total memory allocated....: 6392168 bytes +~~ total memory freed........: 6392168 bytes +~~ total allocations/frees...: 122064/122064 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars -~~ json string max len.......: 1937 chars -~~ json string avg len.......: 1215 chars +~~ json string max len.......: 2334 chars +~~ json string avg len.......: 1413 chars diff --git a/test/results/bittorrent_utp.pcap.out b/test/results/bittorrent_utp.pcap.out index e75e520d5..28a8b204e 100644 --- a/test/results/bittorrent_utp.pcap.out +++ b/test/results/bittorrent_utp.pcap.out @@ -5,7 +5,7 @@ 01035{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385034843882,"flow_dst_last_pkt_time":1456385034843882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":104,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":104,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1456385034843882,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","bittorrent": {"hash":""}}} 00643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1456385039236076,"flow_dst_last_pkt_time":1456385034843882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":146,"pkt_l4_len":112,"thread_ts_usec":1456385039236076,"pkt":"xCwDBkn+LFbcjDU0CABFCACEPR1AAHARR3hS83ErwKgBBf3Jn\/8AcOi+ZDE6YWQyOmlkMjA69\/YAfOoTUG5RTefsvJTyrlFxFfg5OmluZm9faGFzaDIwOvf2AbAuK1Rd0f1URppB\/xHRD5bKZTE6cTk6Z2V0X3BlZXJzMTp0MjoZ4TE6djQ6TFQBATE6eTE6cWU="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1456385040274000,"flow_dst_last_pkt_time":1456385034843882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1456385040274000,"pkt":"xCwDBkn+LFbcjDU0CABFCAAwPfxAAHARRu1S83ErwKgBBf3Jn\/8AHJxJQQBTAhDusvAAAAAAAAAAAOf1AAA="} -01909{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385041276103,"flow_dst_last_pkt_time":1456385041181191,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1472,"flow_dst_max_l4_payload_len":477,"flow_src_tot_l4_payload_len":14142,"flow_dst_tot_l4_payload_len":872,"midstream":0,"thread_ts_usec":1456385041276103,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":959,"avg":411920.3,"max":5430275,"stddev":1202360.0,"var":1445669502976.0,"ent":2.4,"data": [4392194,1037924,5430275,116819,116920,100471,240441,139898,4463,110556,115010,959,58628,60551,88152,88141,37493,37665,24480,24365,43679,55465,11575,11793,11863,53659,52777,104119,173318,8337,17540]},"pktlen": {"min":62,"avg":511.2,"max":1514,"stddev":600.8,"var":360942.7,"ent":4.1,"data": [146,146,62,72,252,519,62,62,117,271,62,62,146,1514,68,1514,68,1514,68,1514,68,96,1514,68,1514,68,1514,62,62,1051,1051,1051]},"bins": {"c_to_s": [3,0,0,3,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0],"s_to_c": [11,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +02308{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385041276103,"flow_dst_last_pkt_time":1456385041181191,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1472,"flow_dst_max_l4_payload_len":477,"flow_src_tot_l4_payload_len":14142,"flow_dst_tot_l4_payload_len":872,"midstream":0,"thread_ts_usec":1456385041276103,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":959,"avg":411920.3,"max":5430275,"stddev":1202360.0,"var":1445669502976.0,"ent":2.4,"data": [4392194,1037924,5430275,116819,116920,100471,240441,139898,4463,110556,115010,959,58628,60551,88152,88141,37493,37665,24480,24365,43679,55465,11575,11793,11863,53659,52777,104119,173318,8337,17540]},"pktlen": {"min":48,"avg":497.2,"max":1500,"stddev":600.8,"var":360942.7,"ent":4.0,"data": [132,132,48,58,238,505,48,48,103,257,48,48,132,1500,54,1500,54,1500,54,1500,54,82,1500,54,1500,54,1500,48,48,1037,1037,1037]},"bins": {"c_to_s": [3,0,0,3,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0],"s_to_c": [11,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0],"entropies": [5.803075790,5.866444111,4.474482536,4.231768131,4.447527885,5.267382622,4.667174816,5.259760857,3.872052193,5.423846722,5.259760857,4.750508785,5.806200504,7.847329140,4.531593323,7.839333057,4.619647026,7.837954521,4.582609653,7.820847988,4.619647026,4.109564304,7.831181049,4.693720818,7.634190559,4.693720818,7.787273407,4.892893314,4.750508785,7.761264801,7.781966686,7.702743530]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 01058{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":86,"source":"bittorrent_utp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":47,"flow_dst_packets_processed":39,"flow_first_seen":1456385034843882,"flow_src_last_pkt_time":1456385044298958,"flow_dst_last_pkt_time":1456385054059812,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1472,"flow_dst_max_l4_payload_len":477,"flow_src_tot_l4_payload_len":34679,"flow_dst_tot_l4_payload_len":3198,"midstream":0,"thread_ts_usec":1456385054059812,"l3_proto":"ip4","src_ip":"82.243.113.43","dst_ip":"192.168.1.5","src_port":64969,"dst_port":40959,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"BitTorrent","proto_id":"37","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 00567{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":86,"source":"bittorrent_utp.pcap","alias":"nDPId-test","packets-captured":86,"packets-processed":86,"total-skipped-flows":0,"total-l4-payload-len":37877,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1456385054059812} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6300319 bytes -~~ total memory freed........: 6300319 bytes -~~ total allocations/frees...: 121575/121575 +~~ total memory allocated....: 6300455 bytes +~~ total memory freed........: 6300455 bytes +~~ total allocations/frees...: 121576/121576 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars -~~ json string max len.......: 1914 chars -~~ json string avg len.......: 1148 chars +~~ json string max len.......: 2313 chars +~~ json string avg len.......: 1323 chars diff --git a/test/results/bjnp.pcap.out b/test/results/bjnp.pcap.out index 9abdac0a1..92e13b138 100644 --- a/test/results/bjnp.pcap.out +++ b/test/results/bjnp.pcap.out @@ -49,9 +49,9 @@ ~~ total active/idle flows...: 10/10 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6050547 bytes -~~ total memory freed........: 6050547 bytes -~~ total allocations/frees...: 121587/121587 +~~ total memory allocated....: 6051907 bytes +~~ total memory freed........: 6051907 bytes +~~ total allocations/frees...: 121597/121597 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 906 chars diff --git a/test/results/bot.pcap.out b/test/results/bot.pcap.out index 881e3e761..ec6748b8e 100644 --- a/test/results/bot.pcap.out +++ b/test/results/bot.pcap.out @@ -5,7 +5,7 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1645108240233170,"flow_dst_last_pkt_time":1645108240233579,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":66,"pkt_l4_len":28,"thread_ts_usec":1645108240233579,"pkt":"AAAMB6wytJaRl+L8gQAATQgARQAAMAAAQAA\/BspbWR9I3ChNpyQAUP0AWPWTl7cGye1wEnIQNMAAAAIEBbQBAQQC"} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1645108240339696,"flow_dst_last_pkt_time":1645108240233579,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":64,"pkt_l4_len":20,"thread_ts_usec":1645108240339696,"pkt":"AFBWtlQQQFU5D63CgQAATQgARQAAKBFTQABuBooQKE2nJFkfSNz9AABQtwbJ7Vj1k5hQEPrw2KMAAKqq+vDYow=="} 01127{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108240339700,"flow_dst_last_pkt_time":1645108240233579,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1645108240339700,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"atlanteditorino.it","http": {"url":"atlanteditorino.it\/quartieri\/img\/S.Donato_M.Vittoria1930_B.jpg","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (compatible; bingbot\/2.0; +http:\/\/www.bing.com\/bingbot.htm)","detected_os":"bingbot\/2.0"}}} -01685{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108240455112,"flow_dst_last_pkt_time":1645108240455337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":33120,"midstream":0,"thread_ts_usec":1645108240455337,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":14326.1,"max":114244,"stddev":36180.2,"var":1309009792.0,"ent":2.2,"data": [409,106526,4,106682,7609,64,117,61,7,4,842,8,6,4,114244,282,105363,69,4,6,123,5,6,4,232,8,61,8,763,123,465]},"pktlen": {"min":64,"avg":1104.5,"max":1498,"stddev":631.2,"var":398369.0,"ent":4.6,"data": [66,66,64,374,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02084{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108240455112,"flow_dst_last_pkt_time":1645108240455337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":33120,"midstream":0,"thread_ts_usec":1645108240455337,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":14326.1,"max":114244,"stddev":36180.2,"var":1309009792.0,"ent":2.2,"data": [409,106526,4,106682,7609,64,117,61,7,4,842,8,6,4,114244,282,105363,69,4,6,123,5,6,4,232,8,61,8,763,123,465]},"pktlen": {"min":46,"avg":1086.5,"max":1480,"stddev":631.2,"var":398369.0,"ent":4.6,"data": [48,48,46,356,46,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,46,46,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,46,46,1480]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1],"entropies": [4.668832779,4.823934078,4.705051422,5.553816795,4.685968399,6.426275253,7.497505188,7.820932388,7.830261230,7.797591209,7.805040359,7.821845531,7.816341877,7.795114517,7.064133644,4.748529911,4.585274220,7.814039707,7.815784454,7.820162296,7.814042091,7.827082157,7.799123287,7.792435646,7.357606411,5.923022270,7.867007732,5.467782974,4.930641174,4.661573410,4.661573410,5.117170334]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00915{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":402,"source":"bot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":115,"flow_dst_packets_processed":287,"flow_first_seen":1645108240233170,"flow_src_last_pkt_time":1645108245896135,"flow_dst_last_pkt_time":1645108245896491,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":316,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":316,"flow_dst_tot_l4_payload_len":406780,"midstream":0,"thread_ts_usec":1645108245896491,"l3_proto":"ip4","src_ip":"40.77.167.36","dst_ip":"89.31.72.220","src_port":64768,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Azure","proto_id":"7.276","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":402,"source":"bot.pcap","alias":"nDPId-test","packets-captured":402,"packets-processed":402,"total-skipped-flows":0,"total-l4-payload-len":407096,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1645108245896491} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6047521 bytes -~~ total memory freed........: 6047521 bytes -~~ total allocations/frees...: 121894/121894 +~~ total memory allocated....: 6047657 bytes +~~ total memory freed........: 6047657 bytes +~~ total allocations/frees...: 121895/121895 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1690 chars -~~ json string avg len.......: 1041 chars +~~ json string max len.......: 2089 chars +~~ json string avg len.......: 1215 chars diff --git a/test/results/bt_search.pcap.out b/test/results/bt_search.pcap.out index eb9913215..683c969a0 100644 --- a/test/results/bt_search.pcap.out +++ b/test/results/bt_search.pcap.out @@ -14,9 +14,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6297855 bytes -~~ total memory freed........: 6297855 bytes -~~ total allocations/frees...: 121490/121490 +~~ total memory allocated....: 6297991 bytes +~~ total memory freed........: 6297991 bytes +~~ total allocations/frees...: 121491/121491 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 905 chars diff --git a/test/results/cachefly.pcapng.out b/test/results/cachefly.pcapng.out index 88c3708d1..48b0862e0 100644 --- a/test/results/cachefly.pcapng.out +++ b/test/results/cachefly.pcapng.out @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6085306 bytes -~~ total memory freed........: 6085306 bytes -~~ total allocations/frees...: 121557/121557 +~~ total memory allocated....: 6085442 bytes +~~ total memory freed........: 6085442 bytes +~~ total allocations/frees...: 121558/121558 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 2608 chars diff --git a/test/results/capwap.pcap.out b/test/results/capwap.pcap.out index cdb66675f..c3f6bbb04 100644 --- a/test/results/capwap.pcap.out +++ b/test/results/capwap.pcap.out @@ -29,7 +29,7 @@ 00645{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1422329005767984,"flow_dst_last_pkt_time":1422329005767224,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":156,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":156,"pkt_l4_len":122,"thread_ts_usec":1422329005767984,"pkt":"uDhh8wWsJOmzR64gCABFwACOANsAAH8RpGDAqAoJwKgKChR+MFwAegAAABACAAAAAAAAAAACAABlAAABACQAAAPoAAAABQIBAAMAQJYAAAEABAcFZgAAQJYAAAAABAEAAAEABAAJQ2lzY28yNTA0BBgABQAAAAAAAAoABsCoCgkAAAAlAAcAQJYAANAAACUACwBAlgAAl1THBF8A"} 00905{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":24,"source":"capwap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422328949167396,"flow_src_last_pkt_time":1422328949167396,"flow_dst_last_pkt_time":1422328949167396,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":65,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":65,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329005767984,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12379,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00594{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1422329005767984,"flow_dst_last_pkt_time":1422329015765658,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":115,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":115,"pkt_l4_len":81,"thread_ts_usec":1422329015765658,"pkt":"JOmzR64guDhh8wWsCABFwABlAAVAAP8R5V7AqAoKwKgKCTBcFH4AURfgAQAAABb+\/wAAAAAAAAAAADgBAAAsAAAAAAAAACz+\/1Z4mrz13vIlLHFGU8KNmBPwkXkcj0vpbAEOfTafYoZSAAAABAAvADMBAA=="} -01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1422329005767224,"flow_src_last_pkt_time":1422329016659899,"flow_dst_last_pkt_time":1422329016659404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1457,"flow_dst_max_l4_payload_len":1457,"flow_src_tot_l4_payload_len":8579,"flow_dst_tot_l4_payload_len":6468,"midstream":0,"thread_ts_usec":1422329016659899,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12380,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":751201.9,"max":10093423,"stddev":2531631.0,"var":6409154985984.0,"ent":1.6,"data": [760,9998434,10093423,96372,2625,2,127,182379,1,94,314122,135275,2746,249,111759,1,157255,1,325739,280124,1,39490,1,39481,264,2133,995,502,500]},"pktlen": {"min":106,"avg":512.2,"max":1499,"stddev":485.4,"var":235625.0,"ent":4.4,"data": [156,156,115,106,147,590,590,360,590,590,179,329,420,137,1499,1499,1499,1451,1035,1451,475,155,123,139,155,139,123,891,155,123,139,875]},"bins": {"c_to_s": [0,0,5,3,0,0,0,0,0,1,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0],"s_to_c": [0,0,1,6,1,0,0,0,1,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0]},"directions": [0,0,1,0,1,0,0,0,1,1,1,1,1,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02119{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1422329005767224,"flow_src_last_pkt_time":1422329016659899,"flow_dst_last_pkt_time":1422329016659404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1457,"flow_dst_max_l4_payload_len":1457,"flow_src_tot_l4_payload_len":8579,"flow_dst_tot_l4_payload_len":6468,"midstream":0,"thread_ts_usec":1422329016659899,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12380,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":751201.9,"max":10093423,"stddev":2531631.0,"var":6409154985984.0,"ent":1.6,"data": [760,9998434,10093423,96372,2625,2,127,182379,1,94,314122,135275,2746,249,111759,1,157255,1,325739,280124,1,39490,1,39481,264,2133,995,502,500]},"pktlen": {"min":92,"avg":498.2,"max":1485,"stddev":485.4,"var":235625.0,"ent":4.4,"data": [142,142,101,92,133,576,576,346,576,576,165,315,406,123,1485,1485,1485,1437,1021,1437,461,141,109,125,141,125,109,877,141,109,125,861]},"bins": {"c_to_s": [0,0,5,3,0,0,0,0,0,1,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0],"s_to_c": [0,0,1,6,1,0,0,0,1,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0]},"directions": [0,0,1,0,1,0,0,0,1,1,1,1,1,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,1,0],"entropies": [3.893290997,3.893290997,4.830492973,4.615938187,5.436969757,6.642759323,6.913249969,6.397701263,6.902666569,6.846169949,6.368118286,7.090667248,7.118800163,5.456940651,7.874491215,7.866423607,7.870229721,7.867388248,7.782578468,7.843720436,7.507147312,6.314983845,5.763504982,6.039584160,6.280849457,6.035200119,5.804700375,7.759332657,6.342943668,5.774928570,6.117315292,7.735942364]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":116,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329017533285,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329017533285,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00602{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":116,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1422329017533285,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1422329017533285,"pkt":"JOmzR64guDhh8wWsCABFwABsAAFAAEARpFzAqAoKwKgKCTBcFH8AWAAAACADIAAAAAABBAAAAAAAAABAAABYCiBpDiAAAAAAAABYCiBpDiAAAN0JAECWJQEFKDMU3RsAQJYlAAEcq6fyE50AAEcACwAFJ\/9UIA8C1d0="} 00865{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":116,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329017533285,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329017533285,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -38,7 +38,7 @@ 00760{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":176,"source":"capwap.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1422328963915032,"flow_src_last_pkt_time":1422328966914891,"flow_dst_last_pkt_time":1422328963915032,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":41,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":82,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329025532954,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"255.255.255.255","src_port":49259,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00186{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":192,"source":"capwap.pcap","alias":"nDPId-test","layer_type":375,"global_ts_usec":1422329034072795} 00793{"packet_event_id":1,"packet_event_name":"packet","packet_id":192,"source":"capwap.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":389,"pkt_type":375,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":389,"pkt_l4_len":0,"thread_ts_usec":1422329034032779,"pkt":"AQAMzMzMuDhh8wWsAXeqqgMAAAwgAAK0KHQAAQAUQVBiODM4LjYxZjMuMDVhYwAFAPJDaXNjbyBJT1MgU29mdHdhcmUsIEMyNjAwIFNvZnR3YXJlIChBUDNHMi1LOVc4LU0pLCBWZXJzaW9uIDE1LjIoNClKQTEsIFJFTEVBU0UgU09GVFdBUkUgKGZjMikKVGVjaG5pY2FsIFN1cHBvcnQ6IGh0dHA6Ly93d3cuY2lzY28uY29tL3RlY2hzdXBwb3J0CkNvcHlyaWdodCAoYykgMTk4Ni0yMDEzIGJ5IENpc2NvIFN5c3RlbXMsIEluYy4KQ29tcGlsZWQgVHVlIDMwLUp1bC0xMyAyMjo1NyBieSBwcm9kX3JlbF90ZWFtAAYAG2Npc2NvIEFJUi1DQVAyNjAySS1RLUs5AAIAEQAAAAEBAcwABMCoCgoAAwAWR2lnYWJpdEV0aGVybmV0MC4xAAQACAAAAAMACwAFAQAQAAY8KAAZABCkjQABAAA8KAAAMsg="} -01790{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329049032294,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":283,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":4909,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329049032294,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":499857,"avg":1016097.1,"max":3999845,"stddev":875106.2,"var":765810835456.0,"ent":4.6,"data": [499983,500014,499872,2999961,499995,500031,499980,499982,499890,499986,499975,499998,499999,999998,999993,500014,2999827,1000005,999991,500032,1999814,500016,499990,999989,500017,1499983,499857,1999983,999996,999993,3999845]},"pktlen": {"min":122,"avg":195.4,"max":325,"stddev":58.4,"var":3415.7,"ent":4.9,"data": [122,209,296,151,238,151,122,209,325,151,122,122,151,296,151,209,209,296,151,209,122,267,180,209,209,209,267,151,122,209,238,180]},"bins": {"c_to_s": [0,0,6,7,2,9,2,5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02189{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"capwap.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1422329017533285,"flow_src_last_pkt_time":1422329049032294,"flow_dst_last_pkt_time":1422329017533285,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":283,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":4909,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329049032294,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"192.168.10.9","src_port":12380,"dst_port":5247,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":499857,"avg":1016097.1,"max":3999845,"stddev":875106.2,"var":765810835456.0,"ent":4.6,"data": [499983,500014,499872,2999961,499995,500031,499980,499982,499890,499986,499975,499998,499999,999998,999993,500014,2999827,1000005,999991,500032,1999814,500016,499990,999989,500017,1499983,499857,1999983,999996,999993,3999845]},"pktlen": {"min":108,"avg":181.4,"max":311,"stddev":58.4,"var":3415.7,"ent":4.9,"data": [108,195,282,137,224,137,108,195,311,137,108,108,137,282,137,195,195,282,137,195,108,253,166,195,195,195,253,137,108,195,224,166]},"bins": {"c_to_s": [0,0,6,7,2,9,2,5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.322847843,4.775271893,5.243394375,4.682712078,4.886671543,4.761803627,4.409015179,4.971165657,5.125069618,4.609245777,4.380640507,4.355712414,4.823248386,4.982461452,4.627756596,4.929459095,4.873090267,5.032708645,4.636066914,4.873720646,4.399159431,4.936395168,4.818520069,5.070401192,4.945625305,4.792158127,4.963052750,4.698768139,4.306179047,4.887980938,4.937054634,4.651456833]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":235,"source":"capwap.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1422329005766358,"flow_src_last_pkt_time":1422329005766854,"flow_dst_last_pkt_time":1422329005766358,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":123,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":246,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329056532011,"l3_proto":"ip4","src_ip":"192.168.10.10","dst_ip":"255.255.255.255","src_port":12380,"dst_port":5246,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00906{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":235,"source":"capwap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1422328949167396,"flow_src_last_pkt_time":1422328949167396,"flow_dst_last_pkt_time":1422328949167396,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":65,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":65,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1422329056532011,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12379,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00920{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":235,"source":"capwap.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":85,"flow_first_seen":1422329005767224,"flow_src_last_pkt_time":1422329054811998,"flow_dst_last_pkt_time":1422329054811504,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1457,"flow_dst_max_l4_payload_len":1457,"flow_src_tot_l4_payload_len":19173,"flow_dst_tot_l4_payload_len":19898,"midstream":0,"thread_ts_usec":1422329056532011,"l3_proto":"ip4","src_ip":"192.168.10.9","dst_ip":"192.168.10.10","src_port":5246,"dst_port":12380,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CAPWAP","proto_id":"247","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -71,10 +71,10 @@ ~~ total active/idle flows...: 5/5 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6053594 bytes -~~ total memory freed........: 6053594 bytes -~~ total allocations/frees...: 121922/121922 +~~ total memory allocated....: 6054274 bytes +~~ total memory freed........: 6054274 bytes +~~ total allocations/frees...: 121927/121927 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 189 chars -~~ json string max len.......: 1795 chars -~~ json string avg len.......: 991 chars +~~ json string max len.......: 2194 chars +~~ json string avg len.......: 1190 chars diff --git a/test/results/cassandra.pcap.out b/test/results/cassandra.pcap.out index 698630575..fd1961ed6 100644 --- a/test/results/cassandra.pcap.out +++ b/test/results/cassandra.pcap.out @@ -10,8 +10,8 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1450889498074112,"flow_dst_last_pkt_time":1450889498074125,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1450889498074125,"pkt":"AAAAAAAAAAAAAAAACABFAAA8AABAAEAGPLp\/AAABfwAAASNStckXl5aGpl5H6aASqqr+MAAAAgT\/1wQCCAon7JNsJ+yTbAEDAwc="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1450889498074133,"flow_dst_last_pkt_time":1450889498074125,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1450889498074133,"pkt":"AAAAAAAAAAAAAAAACABFAAA01IVAAEAGaDx\/AAABfwAAAbXJI1KmXkfpF5eWh4AQAVb+KAAAAQEICifsk2wn7JNs"} 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":34,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":4,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889498080407,"flow_dst_last_pkt_time":1450889498080853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":61,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":70,"midstream":0,"thread_ts_usec":1450889498080853,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} -01734{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1450889498032587,"flow_src_last_pkt_time":1450889525230546,"flow_dst_last_pkt_time":1450889525227132,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":321,"flow_dst_max_l4_payload_len":25148,"flow_src_tot_l4_payload_len":938,"flow_dst_tot_l4_payload_len":59385,"midstream":0,"thread_ts_usec":1450889525230546,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46536,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":1754596.9,"max":26002233,"stddev":6369210.5,"var":40566842720256.0,"ent":1.3,"data": [11,19,249,264,5672,5686,233,620,1533,1593,1631,2318,1136,3494,3539,2825,4760,1891,1781,667,2471,2015,1427,3423,25963183,26002233,1164047,1204436,1335,2304,5708]},"pktlen": {"min":66,"avg":1951.6,"max":25214,"stddev":5902.9,"var":34844344.0,"ent":2.1,"data": [74,74,66,75,66,127,66,97,75,124,75,167,182,193,11145,66,119,557,387,380,257,66,21816,25214,66,124,66,140,147,139,144,157]},"bins": {"c_to_s": [9,2,3,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,2,2,1,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} -01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":66,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889535475611,"flow_dst_last_pkt_time":1450889531765769,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":11446,"flow_src_tot_l4_payload_len":794,"flow_dst_tot_l4_payload_len":12001,"midstream":0,"thread_ts_usec":1450889535475611,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":2293327.5,"max":25937061,"stddev":6507358.0,"var":42345709961216.0,"ent":2.0,"data": [13,21,671,688,5291,5315,288,749,1660,4537,3374,25897068,25937061,6031,46634,674,28,18,1162,1117,2315,1239,3343,41722,7689860,7730331,832,186,642,40128,3670158]},"pktlen": {"min":66,"avg":466.3,"max":11512,"stddev":1984.7,"var":3939065.0,"ent":1.9,"data": [74,74,66,75,66,127,66,97,75,140,11512,66,201,66,113,140,66,139,66,147,144,66,157,289,66,113,94,66,101,94,66,291]},"bins": {"c_to_s": [10,2,4,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} +02133{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1450889498032587,"flow_src_last_pkt_time":1450889525230546,"flow_dst_last_pkt_time":1450889525227132,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":321,"flow_dst_max_l4_payload_len":25148,"flow_src_tot_l4_payload_len":938,"flow_dst_tot_l4_payload_len":59385,"midstream":0,"thread_ts_usec":1450889525230546,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46536,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":1754596.9,"max":26002233,"stddev":6369210.5,"var":40566842720256.0,"ent":1.3,"data": [11,19,249,264,5672,5686,233,620,1533,1593,1631,2318,1136,3494,3539,2825,4760,1891,1781,667,2471,2015,1427,3423,25963183,26002233,1164047,1204436,1335,2304,5708]},"pktlen": {"min":52,"avg":1937.6,"max":25200,"stddev":5902.9,"var":34844348.0,"ent":2.0,"data": [60,60,52,61,52,113,52,83,61,110,61,153,168,179,11131,52,105,543,373,366,243,52,21802,25200,52,110,52,126,133,125,130,143]},"bins": {"c_to_s": [9,2,3,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,2,2,1,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,0],"entropies": [4.356947899,4.780833244,4.606328011,4.416564465,4.644789696,5.177784443,4.606328011,4.859959602,4.473884106,5.159387589,4.505033970,5.351017952,4.924544334,5.412157059,3.751090527,4.637282372,5.276634216,4.988539696,5.158010483,4.843147755,4.920887947,4.661226749,5.202728748,4.642983913,4.675744057,5.390335560,4.661226749,5.410961628,4.876290798,5.477229118,5.139830112,5.335116386]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} +02119{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":66,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889535475611,"flow_dst_last_pkt_time":1450889531765769,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":11446,"flow_src_tot_l4_payload_len":794,"flow_dst_tot_l4_payload_len":12001,"midstream":0,"thread_ts_usec":1450889535475611,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":2293327.5,"max":25937061,"stddev":6507358.0,"var":42345709961216.0,"ent":2.0,"data": [13,21,671,688,5291,5315,288,749,1660,4537,3374,25897068,25937061,6031,46634,674,28,18,1162,1117,2315,1239,3343,41722,7689860,7730331,832,186,642,40128,3670158]},"pktlen": {"min":52,"avg":452.3,"max":11498,"stddev":1984.7,"var":3939065.0,"ent":1.7,"data": [60,60,52,61,52,113,52,83,61,126,11498,52,187,52,99,126,52,125,52,133,130,52,143,275,52,99,80,52,87,80,52,277]},"bins": {"c_to_s": [10,2,4,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.423614979,4.826748371,4.697768211,4.527300358,4.697767735,5.244243145,4.697768211,4.935437202,4.551833153,5.263758659,3.921820164,4.805645943,5.681179523,4.659306049,5.163017273,5.385207176,4.659306049,5.483267784,4.659306049,4.881966591,5.109060287,4.805645943,5.340395927,5.132059097,4.728722572,5.154477119,4.869704247,4.637282848,4.956277847,4.844704151,4.584303856,5.709095955]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":286,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":75,"flow_dst_packets_processed":69,"flow_first_seen":1450889498032587,"flow_src_last_pkt_time":1450889698077770,"flow_dst_last_pkt_time":1450889698077758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":396,"flow_dst_max_l4_payload_len":25148,"flow_src_tot_l4_payload_len":4772,"flow_dst_tot_l4_payload_len":73452,"midstream":0,"thread_ts_usec":1450889698077770,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46536,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":286,"source":"cassandra.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":74,"flow_dst_packets_processed":68,"flow_first_seen":1450889498074112,"flow_src_last_pkt_time":1450889698077769,"flow_dst_last_pkt_time":1450889698077759,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":333,"flow_dst_max_l4_payload_len":11446,"flow_src_tot_l4_payload_len":4963,"flow_dst_tot_l4_payload_len":23921,"midstream":0,"thread_ts_usec":1450889698077770,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":46537,"dst_port":9042,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Cassandra","proto_id":"264","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} 00566{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":286,"source":"cassandra.pcap","alias":"nDPId-test","packets-captured":286,"packets-processed":286,"total-skipped-flows":0,"total-l4-payload-len":107108,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1450889698077770} @@ -23,10 +23,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6049655 bytes -~~ total memory freed........: 6049655 bytes -~~ total allocations/frees...: 121785/121785 +~~ total memory allocated....: 6049927 bytes +~~ total memory freed........: 6049927 bytes +~~ total allocations/frees...: 121787/121787 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars -~~ json string max len.......: 1739 chars -~~ json string avg len.......: 1102 chars +~~ json string max len.......: 2138 chars +~~ json string avg len.......: 1296 chars diff --git a/test/results/check_mk_new.pcap.out b/test/results/check_mk_new.pcap.out index 46f3adcc3..68703928c 100644 --- a/test/results/check_mk_new.pcap.out +++ b/test/results/check_mk_new.pcap.out @@ -5,7 +5,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1512031663734797,"flow_dst_last_pkt_time":1512031663734824,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1512031663734824,"pkt":"8soKyPpERjIA9qTsCABFAAA8AABAAEAG8SLAqGQywKhkFhmc5nZuqQJN1XLoOKAScSBJyAAAAgQFtAQCCAoWUVydKwxrPwEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1512031663734985,"flow_dst_last_pkt_time":1512031663734824,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1512031663734985,"pkt":"RjIA9qTs8soKyPpECABFEAA0gwlAAEAGbhHAqGQWwKhkMuZ2GZzVcug4bqkCToAQAOVJwAAAAQEICisMaz8WUVyd"} 00877{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663734985,"flow_dst_last_pkt_time":1512031663736952,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":15,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":15,"midstream":0,"thread_ts_usec":1512031663736952,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} -01666{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663748376,"flow_dst_last_pkt_time":1512031663748413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":502,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":1376,"midstream":0,"thread_ts_usec":1512031663748413,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":27,"avg":877.3,"max":2128,"stddev":812.2,"var":659616.6,"ent":4.3,"data": [27,188,2128,2061,102,68,67,104,1865,1834,72,90,1254,1242,147,158,91,94,1228,1205,176,172,1964,1988,1810,1805,1867,1907,699,663,119]},"pktlen": {"min":66,"avg":109.5,"max":568,"stddev":116.8,"var":13650.4,"ent":4.5,"data": [74,74,66,81,66,331,66,76,66,67,66,75,66,568,66,75,66,84,66,477,66,82,66,82,66,83,66,79,66,131,66,75]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} +02064{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663748376,"flow_dst_last_pkt_time":1512031663748413,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":502,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":1376,"midstream":0,"thread_ts_usec":1512031663748413,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":27,"avg":877.3,"max":2128,"stddev":812.2,"var":659616.6,"ent":4.3,"data": [27,188,2128,2061,102,68,67,104,1865,1834,72,90,1254,1242,147,158,91,94,1228,1205,176,172,1964,1988,1810,1805,1867,1907,699,663,119]},"pktlen": {"min":52,"avg":95.5,"max":554,"stddev":116.8,"var":13650.4,"ent":4.4,"data": [60,60,52,67,52,317,52,62,52,53,52,61,52,554,52,61,52,70,52,463,52,68,52,68,52,69,52,65,52,117,52,61]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.777318954,5.266787052,5.116507530,5.382888317,4.972088814,5.429334641,5.063528538,5.369284153,5.025067329,5.119153976,5.025067329,5.200747967,5.025067329,3.834031105,5.063528538,5.200747967,4.972088814,5.439786434,5.116507530,4.356705666,5.078045845,5.383426666,5.078045845,5.414306641,5.078045845,5.456064701,5.116507530,5.341373920,5.010550022,5.388670444,5.116507530,5.245910168]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00923{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":98,"source":"check_mk_new.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":49,"flow_dst_packets_processed":49,"flow_first_seen":1512031663734797,"flow_src_last_pkt_time":1512031663775626,"flow_dst_last_pkt_time":1512031663775645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":4096,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":13758,"midstream":0,"thread_ts_usec":1512031663775645,"l3_proto":"ip4","src_ip":"192.168.100.22","dst_ip":"192.168.100.50","src_port":58998,"dst_port":6556,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"CHECKMK","proto_id":"138","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":98,"source":"check_mk_new.pcap","alias":"nDPId-test","packets-captured":98,"packets-processed":98,"total-skipped-flows":0,"total-l4-payload-len":13758,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1512031663775645} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038483 bytes -~~ total memory freed........: 6038483 bytes -~~ total allocations/frees...: 121585/121585 +~~ total memory allocated....: 6038619 bytes +~~ total memory freed........: 6038619 bytes +~~ total allocations/frees...: 121586/121586 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars -~~ json string max len.......: 1671 chars -~~ json string avg len.......: 1030 chars +~~ json string max len.......: 2069 chars +~~ json string avg len.......: 1204 chars diff --git a/test/results/chrome.pcap.out b/test/results/chrome.pcap.out index bb706e326..0290a7841 100644 --- a/test/results/chrome.pcap.out +++ b/test/results/chrome.pcap.out @@ -11,7 +11,7 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1620902508740717,"flow_dst_last_pkt_time":1620902508769205,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620902508769205,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7+4peZebaYG3EqKAS\/og23AAAAgQFrAQCCAo6mxi5M3SVkQEDAwc="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1620902508769277,"flow_dst_last_pkt_time":1620902508769205,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620902508769277,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EvuKAbtgbcSoXmXm24AQECxT5gAAAQEICjN0lag6mxi5"} 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":34,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902508769889,"flow_dst_last_pkt_time":1620902508769205,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902508769889,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"chrome.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902507870345,"flow_src_last_pkt_time":1620902508741011,"flow_dst_last_pkt_time":1620902508774460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":750,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1998,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620902508774460,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64393,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":57251.0,"max":629043,"stddev":154280.9,"var":23802585088.0,"ent":2.4,"data": [28765,28872,339,29774,6968,212,36564,499,471,13592,322,42282,28,185,11,28620,3,627868,1163,629043,92,171,257,86,255,319,1121,131143,160052,5604,100]},"pktlen": {"min":66,"avg":619.4,"max":1506,"stddev":632.9,"var":400560.7,"ent":4.2,"data": [78,74,66,583,66,1506,1506,66,772,66,146,816,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,717,66,1506,1506]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02094{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"chrome.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902507870345,"flow_src_last_pkt_time":1620902508741011,"flow_dst_last_pkt_time":1620902508774460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":750,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1998,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620902508774460,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64393,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":57251.0,"max":629043,"stddev":154280.9,"var":23802585088.0,"ent":2.4,"data": [28765,28872,339,29774,6968,212,36564,499,471,13592,322,42282,28,185,11,28620,3,627868,1163,629043,92,171,257,86,255,319,1121,131143,160052,5604,100]},"pktlen": {"min":52,"avg":605.4,"max":1492,"stddev":632.9,"var":400560.7,"ent":4.2,"data": [64,60,52,569,52,1492,1492,52,758,52,132,802,52,52,355,355,52,52,1492,1492,52,1492,1492,52,1492,1471,52,52,703,52,1492,1492]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1],"entropies": [4.353732109,5.187538624,4.899450302,4.408748150,5.023146629,7.839999199,7.885083199,4.976373196,7.695921421,5.053296566,6.239557743,7.672363281,5.100070000,5.100070477,7.407363892,7.424428940,5.014835358,5.053296566,7.878479958,7.865577221,5.014835358,7.868523121,7.861433029,4.976373672,7.872521877,7.876061916,5.014835358,4.969671726,7.674196243,5.138531685,7.867238522,7.866298676]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01140{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":49,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902508769889,"flow_dst_last_pkt_time":1620902508800346,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620902508800346,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":74,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509272814,"flow_dst_last_pkt_time":1620902509272814,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509272814,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1620902509272814,"flow_dst_last_pkt_time":1620902509272814,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620902509272814,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EvuYAbvjd2YSAAAAALAC\/\/+WlQAAAgQFtAEDAwUBAQgKM3SXeAAAAAAEAgAA"} @@ -33,19 +33,19 @@ 01098{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":115,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509303683,"flow_dst_last_pkt_time":1620902509302592,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509303683,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01098{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":116,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509304055,"flow_dst_last_pkt_time":1620902509302720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509304055,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01098{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":117,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509304589,"flow_dst_last_pkt_time":1620902509303215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620902509304589,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01573{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902509329896,"flow_dst_last_pkt_time":1620902509327995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":717,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2136,"flow_dst_tot_l4_payload_len":15926,"midstream":0,"thread_ts_usec":1620902509329896,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":111,"avg":37950.2,"max":468764,"stddev":110334.2,"var":12173627392.0,"ent":2.3,"data": [28488,28560,612,28383,2758,30530,2041,28373,116,26422,441785,468764,1748,1393,30158,119,111,182,125,120,237,134,128,266,240,251,495,806,26027,25276,1809]},"pktlen": {"min":66,"avg":631.1,"max":1506,"stddev":638.0,"var":407026.8,"ent":4.2,"data": [78,74,66,701,66,326,66,146,66,369,66,783,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,66,1029,66,770]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,0,1,0,0]}} +01972{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902509329896,"flow_dst_last_pkt_time":1620902509327995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":717,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2136,"flow_dst_tot_l4_payload_len":15926,"midstream":0,"thread_ts_usec":1620902509329896,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":111,"avg":37950.2,"max":468764,"stddev":110334.2,"var":12173627392.0,"ent":2.3,"data": [28488,28560,612,28383,2758,30530,2041,28373,116,26422,441785,468764,1748,1393,30158,119,111,182,125,120,237,134,128,266,240,251,495,806,26027,25276,1809]},"pktlen": {"min":52,"avg":617.1,"max":1492,"stddev":638.0,"var":407026.8,"ent":4.2,"data": [64,60,52,687,52,312,52,132,52,355,52,769,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,52,1015,52,756]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,0,1,0,0],"entropies": [4.416232109,5.300120831,4.923394680,7.069493294,5.100070000,6.936732292,5.014835358,6.319468975,5.176993370,7.399957657,5.053297043,7.734244347,5.100070477,7.871783733,7.865388870,5.000318050,7.853028297,7.882699490,5.000318050,7.860120296,7.865950584,4.923395157,7.858026981,7.861842632,4.961856365,7.886532307,7.875236988,5.038779736,4.863714218,7.794827461,4.961856365,7.699286461]}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":120,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902509329896,"flow_dst_last_pkt_time":1620902509327995,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":717,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2136,"flow_dst_tot_l4_payload_len":15926,"midstream":0,"thread_ts_usec":1620902509329896,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01141{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":128,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509303389,"flow_dst_last_pkt_time":1620902509333977,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620902509333977,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01141{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":132,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509303683,"flow_dst_last_pkt_time":1620902509335101,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":635,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620902509335101,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01143{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":136,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509304589,"flow_dst_last_pkt_time":1620902509338226,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1620902509338226,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01143{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":143,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509304055,"flow_dst_last_pkt_time":1620902509342220,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1620902509342220,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01541{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":240,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509372872,"flow_dst_last_pkt_time":1620902509370350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2057,"flow_dst_tot_l4_payload_len":13178,"midstream":0,"thread_ts_usec":1620902509372872,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6344.3,"max":34983,"stddev":11244.6,"var":126440648.0,"ent":3.1,"data": [26769,26817,1326,28249,6762,1293,14,34983,12,374,291,27566,2,26902,1379,1360,1118,15,1124,130,231,245,356,130,118,13,252,11,746,1742]},"pktlen": {"min":66,"avg":542.7,"max":1506,"stddev":598.4,"var":358096.1,"ent":4.1,"data": [78,74,66,583,66,1506,1506,772,66,66,146,772,66,369,66,66,369,66,1506,1506,66,66,1506,1506,66,1506,1506,412,66,66,66,820]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,1,0,0,0,0]}} +01940{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":240,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509372872,"flow_dst_last_pkt_time":1620902509370350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2057,"flow_dst_tot_l4_payload_len":13178,"midstream":0,"thread_ts_usec":1620902509372872,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6344.3,"max":34983,"stddev":11244.6,"var":126440648.0,"ent":3.1,"data": [26769,26817,1326,28249,6762,1293,14,34983,12,374,291,27566,2,26902,1379,1360,1118,15,1124,130,231,245,356,130,118,13,252,11,746,1742]},"pktlen": {"min":52,"avg":528.7,"max":1492,"stddev":598.4,"var":358096.1,"ent":4.1,"data": [64,60,52,569,52,1492,1492,758,52,52,132,758,52,355,52,52,355,52,1492,1492,52,52,1492,1492,52,1492,1492,398,52,52,52,806]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,1,0,0,0,0],"entropies": [4.372218132,5.300120354,4.976373672,4.428920269,5.061608315,7.850123882,7.875483036,7.741683960,5.014835358,4.983880520,6.165837288,7.733215809,5.025067329,7.436167240,5.061608315,5.014835358,7.285673618,5.014835358,7.868979931,7.867131233,4.961856842,4.892748356,7.867380619,7.881838322,5.014835358,7.868318081,7.878070354,7.538454533,4.945418835,4.976373672,4.892748356,7.771022320]}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":240,"source":"chrome.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1620902509276446,"flow_src_last_pkt_time":1620902509372872,"flow_dst_last_pkt_time":1620902509370350,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2057,"flow_dst_tot_l4_payload_len":13178,"midstream":0,"thread_ts_usec":1620902509372872,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64411,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01564{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":305,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509394114,"flow_dst_last_pkt_time":1620902509395716,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1421,"flow_dst_tot_l4_payload_len":19283,"midstream":0,"thread_ts_usec":1620902509395716,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":114,"avg":7853.2,"max":30653,"stddev":12089.6,"var":146159520.0,"ent":3.4,"data": [29278,29334,864,29011,2497,30653,580,334,26242,1058,2318,28687,1760,236,1984,377,499,883,126,124,243,136,114,251,129,941,26868,117,26169,1503,132]},"pktlen": {"min":66,"avg":713.6,"max":1506,"stddev":675.5,"var":456346.8,"ent":4.3,"data": [78,74,66,701,66,326,66,146,772,66,66,369,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,1506,66,1506,1506]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1]}} +01963{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":305,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509394114,"flow_dst_last_pkt_time":1620902509395716,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1421,"flow_dst_tot_l4_payload_len":19283,"midstream":0,"thread_ts_usec":1620902509395716,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":114,"avg":7853.2,"max":30653,"stddev":12089.6,"var":146159520.0,"ent":3.4,"data": [29278,29334,864,29011,2497,30653,580,334,26242,1058,2318,28687,1760,236,1984,377,499,883,126,124,243,136,114,251,129,941,26868,117,26169,1503,132]},"pktlen": {"min":52,"avg":699.6,"max":1492,"stddev":675.5,"var":456346.8,"ent":4.2,"data": [64,60,52,687,52,312,52,132,758,52,52,355,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,52,1492,1492,52,1492,1492]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1],"entropies": [4.459277153,5.300120831,5.053297043,7.112785339,5.138531685,6.956218719,5.014835358,6.314823151,7.726174831,5.100070477,5.138531685,7.359657288,5.053297043,7.866115093,7.869250298,5.053296566,7.869906902,7.896156788,5.091758251,7.882206440,7.875400543,5.091758251,7.869582176,7.850453377,5.091758251,7.881830215,4.931210041,7.872938633,7.859384537,5.014835358,7.875035286,7.879170895]}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":305,"source":"chrome.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620902509273191,"flow_src_last_pkt_time":1620902509394114,"flow_dst_last_pkt_time":1620902509395716,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1421,"flow_dst_tot_l4_payload_len":19283,"midstream":0,"thread_ts_usec":1620902509395716,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64409,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01551{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":316,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509374250,"flow_dst_last_pkt_time":1620902509399481,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1303,"flow_dst_tot_l4_payload_len":17152,"midstream":0,"thread_ts_usec":1620902509399481,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7279.5,"max":38324,"stddev":12250.6,"var":150076944.0,"ent":3.2,"data": [28686,28726,1295,29880,9620,122,15,38324,11,451,233,27995,116,117,14,27547,3,1242,1253,2514,126,125,241,123,122,245,249,230,376,396,25266]},"pktlen": {"min":66,"avg":643.3,"max":1506,"stddev":651.9,"var":424923.8,"ent":4.2,"data": [78,74,66,583,66,1506,1506,772,66,66,146,772,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,66,1506]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1,0,1]}} +01950{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":316,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509374250,"flow_dst_last_pkt_time":1620902509399481,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1303,"flow_dst_tot_l4_payload_len":17152,"midstream":0,"thread_ts_usec":1620902509399481,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7279.5,"max":38324,"stddev":12250.6,"var":150076944.0,"ent":3.2,"data": [28686,28726,1295,29880,9620,122,15,38324,11,451,233,27995,116,117,14,27547,3,1242,1253,2514,126,125,241,123,122,245,249,230,376,396,25266]},"pktlen": {"min":52,"avg":629.3,"max":1492,"stddev":651.9,"var":424923.8,"ent":4.2,"data": [64,60,52,569,52,1492,1492,758,52,52,132,758,52,52,355,355,52,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,52,1492,52,1492]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1,0,1],"entropies": [4.459277153,5.227644920,5.053297043,4.381318092,5.061608315,7.847862244,7.882750034,7.710128307,4.976373672,5.014834881,6.203536034,7.715669155,5.047091484,5.061608315,7.379821777,7.371205807,5.038779736,5.014835358,7.886833668,7.871653080,5.053297043,7.876582146,7.890680313,5.053297043,7.866287708,7.867833614,5.053297043,7.851022720,4.931210041,7.851374149,5.053297043,7.874514103]}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":316,"source":"chrome.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620902509274034,"flow_src_last_pkt_time":1620902509374250,"flow_dst_last_pkt_time":1620902509399481,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":706,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1303,"flow_dst_tot_l4_payload_len":17152,"midstream":0,"thread_ts_usec":1620902509399481,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64410,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa50c12a5dfa717d9d6ab34e97de79d5","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01552{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":331,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509401477,"flow_dst_last_pkt_time":1620902509396846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":709,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620902509401477,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8151.5,"max":32013,"stddev":12799.0,"var":163814464.0,"ent":3.3,"data": [29778,29819,1050,30027,2482,31460,377,194,32013,8,1,31458,983,109,1078,130,153,122,98,131,118,249,502,124,630,126,1459,27278,100,26052,4586]},"pktlen": {"min":66,"avg":623.7,"max":1506,"stddev":634.7,"var":402848.7,"ent":4.2,"data": [78,74,66,701,66,326,66,146,772,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,799,66,775]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0]}} +01951{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":331,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509401477,"flow_dst_last_pkt_time":1620902509396846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":709,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620902509401477,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8151.5,"max":32013,"stddev":12799.0,"var":163814464.0,"ent":3.3,"data": [29778,29819,1050,30027,2482,31460,377,194,32013,8,1,31458,983,109,1078,130,153,122,98,131,118,249,502,124,630,126,1459,27278,100,26052,4586]},"pktlen": {"min":52,"avg":609.7,"max":1492,"stddev":634.7,"var":402848.7,"ent":4.2,"data": [64,60,52,687,52,312,52,132,758,52,355,52,52,1492,1492,52,1492,52,1492,52,1492,1492,52,1492,1492,52,1492,52,1492,785,52,761]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0],"entropies": [4.428027153,5.266787052,5.000318050,7.051597595,5.100070000,6.943971634,5.000318050,6.181417465,7.706695080,5.023147106,7.387262821,5.061608315,4.923395157,7.884211063,7.888196468,4.961856365,7.848547459,4.916692734,7.861028194,5.038779736,7.884697914,7.888879299,5.038779736,7.874349594,7.889142036,5.000318050,7.871818066,4.916692734,7.869739056,7.732701302,5.038779736,7.671216488]}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":331,"source":"chrome.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620902509272814,"flow_src_last_pkt_time":1620902509401477,"flow_dst_last_pkt_time":1620902509396846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":709,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620902509401477,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64408,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"1b73862eae8f1711440a446b1ef357fd","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00903{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5633,"source":"chrome.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":374,"flow_dst_packets_processed":488,"flow_first_seen":1620902507870345,"flow_src_last_pkt_time":1620902514626667,"flow_dst_last_pkt_time":1620902514626583,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":750,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6885,"flow_dst_tot_l4_payload_len":681088,"midstream":0,"thread_ts_usec":1620902515049384,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64393,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00903{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5633,"source":"chrome.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":472,"flow_dst_packets_processed":662,"flow_first_seen":1620902508740717,"flow_src_last_pkt_time":1620902515037845,"flow_dst_last_pkt_time":1620902515037814,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":726,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6421,"flow_dst_tot_l4_payload_len":923694,"midstream":0,"thread_ts_usec":1620902515049384,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":64394,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -62,10 +62,10 @@ ~~ total active/idle flows...: 6/6 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6653279 bytes -~~ total memory freed........: 6653279 bytes -~~ total allocations/frees...: 127247/127247 +~~ total memory allocated....: 6654095 bytes +~~ total memory freed........: 6654095 bytes +~~ total allocations/frees...: 127253/127253 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1700 chars -~~ json string avg len.......: 1094 chars +~~ json string max len.......: 2099 chars +~~ json string avg len.......: 1294 chars diff --git a/test/results/citrix.pcap.out b/test/results/citrix.pcap.out index e7ec89712..51fb6e064 100644 --- a/test/results/citrix.pcap.out +++ b/test/results/citrix.pcap.out @@ -4,7 +4,7 @@ 00483{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":0,"flow_dst_last_pkt_time":2099,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":24,"thread_ts_usec":2099,"pkt":"ABUXp3Wj4F+5aekiCABFAAAsrVIAAH4GZGsWAAAHFQAACAXWsKkP1nFlD9ZnuWASgAA9vQAAAgQFtAAA3WOanQ=="} 00486{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":2106,"flow_dst_last_pkt_time":2099,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":20,"thread_ts_usec":2106,"pkt":"4F+5aekiABUXp3WjCABFAAAorYQAAIAGYj0VAAAIFgAAB7CpBdYP1me5D9ZxZlAQgABVegAAAAAAAAAAIuNIFQ=="} 00801{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":0,"flow_src_last_pkt_time":2106,"flow_dst_last_pkt_time":8192,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":6,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":6,"midstream":0,"thread_ts_usec":8192,"l3_proto":"ip4","src_ip":"21.0.0.8","dst_ip":"22.0.0.7","src_port":45225,"dst_port":1494,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Citrix","proto_id":"132","encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}} -01597{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":5,"flow_first_seen":0,"flow_src_last_pkt_time":72692,"flow_dst_last_pkt_time":72684,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":343,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":1670,"flow_dst_tot_l4_payload_len":114,"midstream":0,"thread_ts_usec":72692,"l3_proto":"ip4","src_ip":"21.0.0.8","dst_ip":"22.0.0.7","src_port":45225,"dst_port":1494,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":4689.5,"max":56256,"stddev":12448.2,"var":154958800.0,"ent":2.6,"data": [2099,2106,6093,6094,4120,7122,1007,6,6,6,6,1006,1007,7,5,13,6,1007,6,5,2009,7,5,6,5,1007,5,56256,46119,4116,4114]},"pktlen": {"min":64,"avg":114.3,"max":401,"stddev":63.6,"var":4041.6,"ent":4.8,"data": [64,64,64,64,64,76,212,121,101,102,105,401,97,225,109,147,117,111,109,117,112,97,97,97,114,117,111,109,142,64,64,64]},"bins": {"c_to_s": [5,18,1,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Citrix","proto_id":"132","encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}} +01987{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":5,"flow_first_seen":0,"flow_src_last_pkt_time":72692,"flow_dst_last_pkt_time":72684,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":343,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":1670,"flow_dst_tot_l4_payload_len":114,"midstream":0,"thread_ts_usec":72692,"l3_proto":"ip4","src_ip":"21.0.0.8","dst_ip":"22.0.0.7","src_port":45225,"dst_port":1494,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":4689.5,"max":56256,"stddev":12448.2,"var":154958800.0,"ent":2.6,"data": [2099,2106,6093,6094,4120,7122,1007,6,6,6,6,1006,1007,7,5,13,6,1007,6,5,2009,7,5,6,5,1007,5,56256,46119,4116,4114]},"pktlen": {"min":50,"avg":100.3,"max":387,"stddev":63.6,"var":4041.6,"ent":4.8,"data": [50,50,50,50,50,62,198,107,87,88,91,387,83,211,95,133,103,97,95,103,98,83,83,83,100,103,97,95,128,50,50,50]},"bins": {"c_to_s": [5,18,1,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0],"entropies": [4.094119072,4.506643772,4.039021015,4.568367004,4.528367043,4.245353222,5.186970711,4.576177120,4.820792675,4.800546169,4.260721207,4.770667076,4.545018196,3.338554859,4.081573486,4.165511131,4.056994915,4.437763214,4.102537632,4.181773186,4.332800388,4.481823921,4.388646603,4.394422054,4.212355614,4.095830441,4.246722221,4.279045105,4.048637390,4.188758850,4.256690979,4.322698593]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Citrix","proto_id":"132","encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}} 00863{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"citrix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":75,"flow_dst_packets_processed":25,"flow_first_seen":0,"flow_src_last_pkt_time":1581384,"flow_dst_last_pkt_time":1605466,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":855,"flow_dst_max_l4_payload_len":537,"flow_src_tot_l4_payload_len":3874,"flow_dst_tot_l4_payload_len":1616,"midstream":0,"thread_ts_usec":1605466,"l3_proto":"ip4","src_ip":"21.0.0.8","dst_ip":"22.0.0.7","src_port":45225,"dst_port":1494,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Citrix","proto_id":"132","encrypted":1,"breed":"Acceptable","category_id":14,"category":"Network"}} 00551{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"citrix.pcap","alias":"nDPId-test","packets-captured":100,"packets-processed":100,"total-skipped-flows":0,"total-l4-payload-len":5490,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1605466} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -15,10 +15,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038541 bytes -~~ total memory freed........: 6038541 bytes -~~ total allocations/frees...: 121587/121587 +~~ total memory allocated....: 6038677 bytes +~~ total memory freed........: 6038677 bytes +~~ total allocations/frees...: 121588/121588 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 483 chars -~~ json string max len.......: 1602 chars -~~ json string avg len.......: 987 chars +~~ json string max len.......: 1992 chars +~~ json string avg len.......: 1157 chars diff --git a/test/results/cloudflare-warp.pcap.out b/test/results/cloudflare-warp.pcap.out index 6eee99643..92d3c90c4 100644 --- a/test/results/cloudflare-warp.pcap.out +++ b/test/results/cloudflare-warp.pcap.out @@ -58,9 +58,9 @@ ~~ total active/idle flows...: 8/8 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6071317 bytes -~~ total memory freed........: 6071317 bytes -~~ total allocations/frees...: 121643/121643 +~~ total memory allocated....: 6072405 bytes +~~ total memory freed........: 6072405 bytes +~~ total allocations/frees...: 121651/121651 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars ~~ json string max len.......: 1436 chars diff --git a/test/results/coap_mqtt.pcap.out b/test/results/coap_mqtt.pcap.out index c8f5bc7b6..588ae297d 100644 --- a/test/results/coap_mqtt.pcap.out +++ b/test/results/coap_mqtt.pcap.out @@ -67,29 +67,29 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1455907271483430,"flow_dst_last_pkt_time":1455907271485428,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1455907271485428,"pkt":"CAAnmO\/hCAAnAERyCABFAAAsEMdAAIAG+E3AqDgBwKg4ZdEURF3FmLqAlt6Sd1AYAP++LAAAQAIAAgAA"} 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1455907271522028,"flow_dst_last_pkt_time":1455907271485428,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1455907271522028,"pkt":"CAAnAERyCAAnmO\/hCABFAAAo1KhAAEAGdHDAqDhlwKg4AURd0RSW3pJ3xZi6hFAQAOXx0QAA"} 00626{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1455907271585820,"flow_dst_last_pkt_time":1455907271483762,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":137,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":137,"pkt_l4_len":103,"thread_ts_usec":1455907271585820,"pkt":"CAAnmO\/hCAAnAERyCABFAAB7EM0AAIARN+7AqDgBwKg4ZcSHRFwAZzJrQgM1Anj4ckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjExIEVFVCAyMDE2In0="} -01840{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1455907267002212,"flow_src_last_pkt_time":1455907271697274,"flow_dst_last_pkt_time":1455907271735420,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":286,"flow_dst_tot_l4_payload_len":367,"midstream":0,"thread_ts_usec":1455907271735420,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53528,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":304137.8,"max":4438876,"stddev":1061040.8,"var":1125807423488.0,"ent":1.6,"data": [72,248,4635,4859,1038,9311,9054,2795,3496,481,2352,21820,23421,198700,4438876,4242440,38504,37941,469,2294,62501,64983,1232,38696,37823,527,2778,66747,69695,1087,39395]},"pktlen": {"min":54,"avg":76.3,"max":140,"stddev":30.1,"var":907.0,"ent":4.9,"data": [66,66,60,73,54,58,114,58,69,59,138,60,114,58,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54]},"bins": {"c_to_s": [11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} -01853{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":162,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907243976582,"flow_src_last_pkt_time":1455907271915318,"flow_dst_last_pkt_time":1455907271915135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53522,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":130,"avg":1802493.1,"max":27505948,"stddev":6724537.0,"var":45219399598080.0,"ent":1.2,"data": [709,199149,27505948,27310358,42735,39960,130,529,60417,61165,1588,38934,37729,553,2947,66282,69491,1247,39646,39140,1019,2437,62744,65305,1790,40465,38726,170,6175,66713,73088]},"pktlen": {"min":54,"avg":77.4,"max":140,"stddev":32.8,"var":1072.6,"ent":4.9,"data": [60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60]},"bins": {"c_to_s": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} -01852{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":163,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907258332152,"flow_src_last_pkt_time":1455907271915337,"flow_dst_last_pkt_time":1455907271915223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915337,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53523,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":237,"avg":876330.8,"max":13150790,"stddev":3197714.5,"var":10225378656256.0,"ent":1.4,"data": [404,199934,13150790,12952309,38608,37989,477,2148,62571,64954,1016,38807,38093,501,2594,66803,69615,1179,39541,39110,979,2406,62938,65497,773,40198,39480,237,5592,67477,73236]},"pktlen": {"min":54,"avg":77.4,"max":140,"stddev":32.8,"var":1072.6,"ent":4.9,"data": [60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60]},"bins": {"c_to_s": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} -01833{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":184,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1455907271483430,"flow_src_last_pkt_time":1455907271957948,"flow_dst_last_pkt_time":1455907271958031,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":60,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":320,"midstream":1,"thread_ts_usec":1455907271958031,"l3_proto":"ip4","src_ip":"192.168.56.101","dst_ip":"192.168.56.1","src_port":17501,"dst_port":53524,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":156,"avg":30616.7,"max":73508,"stddev":26730.8,"var":714536192.0,"ent":4.3,"data": [1998,38598,37069,480,2447,62266,64859,841,38683,38127,461,2290,67273,69748,665,39428,39498,931,2251,63248,65640,1623,40275,38699,156,6124,67250,73508,2463,42357,39863]},"pktlen": {"min":54,"avg":79.0,"max":140,"stddev":33.2,"var":1105.2,"ent":4.9,"data": [140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114]},"bins": {"c_to_s": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +02239{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1455907267002212,"flow_src_last_pkt_time":1455907271697274,"flow_dst_last_pkt_time":1455907271735420,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":286,"flow_dst_tot_l4_payload_len":367,"midstream":0,"thread_ts_usec":1455907271735420,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53528,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":304137.8,"max":4438876,"stddev":1061040.8,"var":1125807423488.0,"ent":1.6,"data": [72,248,4635,4859,1038,9311,9054,2795,3496,481,2352,21820,23421,198700,4438876,4242440,38504,37941,469,2294,62501,64983,1232,38696,37823,527,2778,66747,69695,1087,39395]},"pktlen": {"min":40,"avg":62.3,"max":126,"stddev":30.1,"var":907.0,"ent":4.9,"data": [52,52,46,59,40,44,100,44,55,45,124,46,100,44,46,126,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40]},"bins": {"c_to_s": [11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1],"entropies": [4.523146629,4.808010101,4.370963573,5.094007969,4.634184361,4.533184528,5.525953770,4.586559772,4.953907967,4.699598312,5.658671856,4.370963097,5.525953770,4.632013798,4.267595291,5.562683582,4.539122581,4.634183884,5.525953293,4.684184074,4.677468300,5.578556538,4.370963573,4.582601070,4.634183884,5.473502159,4.634183884,4.632013321,5.594429493,4.294663429,4.555532932,4.684184074]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +02252{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":162,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907243976582,"flow_src_last_pkt_time":1455907271915318,"flow_dst_last_pkt_time":1455907271915135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53522,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":130,"avg":1802493.1,"max":27505948,"stddev":6724537.0,"var":45219399598080.0,"ent":1.2,"data": [709,199149,27505948,27310358,42735,39960,130,529,60417,61165,1588,38934,37729,553,2947,66282,69491,1247,39646,39140,1019,2437,62744,65305,1790,40465,38726,170,6175,66713,73088]},"pktlen": {"min":40,"avg":63.4,"max":126,"stddev":32.8,"var":1072.6,"ent":4.8,"data": [46,42,46,126,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46]},"bins": {"c_to_s": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0],"entropies": [4.462504387,4.630411148,4.327484608,5.610302448,4.685968399,4.634184361,5.482468128,4.634184361,4.722923279,5.610302448,4.370963097,4.729446411,4.534184456,5.565953732,4.634184361,4.768377304,5.610302448,4.370963097,4.729446888,4.634184361,5.525953293,4.634184361,4.722922802,5.626175404,4.370963573,4.729446411,4.634184361,5.522468567,4.684184551,4.768377781,5.610302448,4.414441586]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +02251{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":163,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1455907258332152,"flow_src_last_pkt_time":1455907271915337,"flow_dst_last_pkt_time":1455907271915223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":60,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":448,"midstream":1,"thread_ts_usec":1455907271915337,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":53523,"dst_port":17501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":237,"avg":876330.8,"max":13150790,"stddev":3197714.5,"var":10225378656256.0,"ent":1.4,"data": [404,199934,13150790,12952309,38608,37989,477,2148,62571,64954,1016,38807,38093,501,2594,66803,69615,1179,39541,39110,979,2406,62938,65497,773,40198,39480,237,5592,67477,73236]},"pktlen": {"min":40,"avg":63.4,"max":126,"stddev":32.8,"var":1072.6,"ent":4.8,"data": [46,42,46,126,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46]},"bins": {"c_to_s": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0],"entropies": [4.419025898,4.733946800,4.327484608,5.558483124,4.685968399,4.584184170,5.505953312,4.634183884,4.677468777,5.588438511,4.370963573,4.685968399,4.634183884,5.505952835,4.684184074,4.768377304,5.572565556,4.414441586,4.729446411,4.684184074,5.525953770,4.684184074,4.722923279,5.559791088,4.414441586,4.685968399,4.684184074,5.545953751,4.684184074,4.768377304,5.558483124,4.370963097]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +02232{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":184,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1455907271483430,"flow_src_last_pkt_time":1455907271957948,"flow_dst_last_pkt_time":1455907271958031,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":60,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":320,"midstream":1,"thread_ts_usec":1455907271958031,"l3_proto":"ip4","src_ip":"192.168.56.101","dst_ip":"192.168.56.1","src_port":17501,"dst_port":53524,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":156,"avg":30616.7,"max":73508,"stddev":26730.8,"var":714536192.0,"ent":4.3,"data": [1998,38598,37069,480,2447,62266,64859,841,38683,38127,461,2290,67273,69748,665,39428,39498,931,2251,63248,65640,1623,40275,38699,156,6124,67250,73508,2463,42357,39863]},"pktlen": {"min":40,"avg":65.0,"max":126,"stddev":33.2,"var":1105.2,"ent":4.8,"data": [126,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100]},"bins": {"c_to_s": [13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1],"entropies": [5.604311466,4.599011421,4.615311623,5.545953751,4.615311623,4.705766201,5.566574574,4.311074257,4.626079559,4.615311623,5.484536648,4.511769295,4.624093056,5.568364620,4.303872585,4.627490997,4.684184074,5.518404961,4.615311623,4.649170399,5.582447052,4.370963097,4.669558048,4.634183884,5.525953770,4.684184074,4.768377304,5.588438511,4.370963097,4.555533409,4.684184074,5.520660400]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"MQTT","proto_id":"222","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":429,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":95,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":95,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907272856457,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00627{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":429,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":137,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":137,"pkt_l4_len":103,"thread_ts_usec":1455907272856457,"pkt":"CAAnmO\/hCAAnAERyCABFAAB7EWkAAIARN1LAqDgBwKg4ZcSORFwAZ7scQgMdqQeYckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjEyIEVFVCAyMDE2In0="} 00870{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":429,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":95,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":95,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907272856457,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":439,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1455907272858898,"pkt":"CAAnAERyCAAnmO\/hCABFAAAuXhFAAEAR6vbAqDhlwKg4AURcxI4AGvHiYkQdqQeYiy9yL0J1czE3Q21k"} 00633{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":489,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1455907272969405,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907272969405,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/EYMAAIARNzTAqDgBwKg4ZcSORFwAa8WlRgMdqhF5z0YYRXJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxMyBFRVQgMjAxNiJ9"} -01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":588,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1824,"avg":106135.8,"max":117757,"stddev":19323.7,"var":373406144.0,"ent":4.9,"data": [1824,103882,104036,108951,108450,105413,105949,113800,113717,106838,107131,109410,109028,108906,115953,117757,112312,110612,110806,109887,107946,108022,108009,113116,114023,110812,110429,107359,111248,109470,105114]},"pktlen": {"min":59,"avg":99.6,"max":143,"stddev":38.6,"var":1486.7,"ent":4.9,"data": [138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59]},"bins": {"c_to_s": [0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02164{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":588,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1824,"avg":106135.8,"max":117757,"stddev":19323.7,"var":373406144.0,"ent":4.9,"data": [1824,103882,104036,108951,108450,105413,105949,113800,113717,106838,107131,109410,109028,108906,115953,117757,112312,110612,110806,109887,107946,108022,108009,113116,114023,110812,110429,107359,111248,109470,105114]},"pktlen": {"min":45,"avg":85.6,"max":129,"stddev":38.6,"var":1486.7,"ent":4.8,"data": [124,47,123,46,122,45,129,52,125,48,122,45,124,47,124,47,126,49,123,46,124,47,123,46,123,46,123,46,129,52,122,45]},"bins": {"c_to_s": [0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.543972015,5.027887821,5.510700703,5.088779926,5.530181885,5.047409534,5.667361259,5.185924053,5.578914642,5.069235325,5.512969971,5.047409534,5.559295654,5.027887344,5.530185699,4.958842754,5.597733021,5.084096432,5.503751278,5.045301914,5.504820824,5.027887821,5.497614384,5.045301437,5.497614384,5.088779926,5.490664959,5.088779926,5.682090759,5.315825462,5.555962563,5.047409534]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1032,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00633{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1032,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":139,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":139,"pkt_l4_len":105,"thread_ts_usec":1455907274088318,"pkt":"CAAnmO\/hCAAnAERyCABFAAB9EncAAIARNkLAqDgBwKg4ZcSIRFwAaR7GRANSj9XGl0FyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTQgRUVUIDIwMTYifQ=="} 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1032,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1042,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1455907274089637,"pkt":"CAAnAERyCAAnmO\/hCABFAAAwXqNAAEAR6mLAqDhlwKg4AURcxIgAHPHkZERSj9XGl0GLL3IvQnVzMTdDbWQ="} 00636{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1083,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1455907274193327,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":143,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":143,"pkt_l4_len":109,"thread_ts_usec":1455907274193327,"pkt":"CAAnmO\/hCAAnAERyCABFAACBEpIAAIARNiPAqDgBwKg4ZcSIRFwAbeMnSANSkLugNTWCkTE2ckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjE0IEVFVCAyMDE2In0="} -01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1308,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2441,"avg":111522.4,"max":127663,"stddev":20842.5,"var":434411712.0,"ent":4.9,"data": [2441,112948,114313,107773,108080,108005,107995,109511,111427,119112,118338,116979,117004,127663,125063,114041,112993,120228,120931,111475,111310,105608,107791,113820,112048,122618,125498,112978,109966,123530,125708]},"pktlen": {"min":60,"avg":100.5,"max":142,"stddev":38.5,"var":1485.6,"ent":4.9,"data": [137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64]},"bins": {"c_to_s": [0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02166{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1308,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2441,"avg":111522.4,"max":127663,"stddev":20842.5,"var":434411712.0,"ent":4.9,"data": [2441,112948,114313,107773,108080,108005,107995,109511,111427,119112,118338,116979,117004,127663,125063,114041,112993,120228,120931,111475,111310,105608,107791,113820,112048,122618,125498,112978,109966,123530,125708]},"pktlen": {"min":46,"avg":86.5,"max":128,"stddev":38.5,"var":1485.6,"ent":4.9,"data": [123,46,127,50,126,49,128,51,123,46,125,48,126,49,125,48,123,46,124,47,128,51,126,49,123,46,123,46,123,46,127,50]},"bins": {"c_to_s": [0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.503751755,5.045301437,5.557007790,5.123855114,5.607614994,5.043280125,5.664313793,5.241052628,5.514686108,4.950420856,5.534836769,5.027568340,5.639360428,5.084096432,5.610115051,5.084961891,5.505375385,5.088779926,5.607682705,5.070440769,5.642791271,5.133018017,5.545912743,4.930835724,5.488303185,5.088779926,5.491476536,5.045301437,5.523996830,5.088779926,5.658226490,5.203855038]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1927,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00635{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1927,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907275690777,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/FCAAAIARNJfAqDgBwKg4ZcSPRFwAa2JLRgOAZtDWwMpn\/nJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxNSBFRVQgMjAxNiJ9"} 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1927,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1936,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":30,"thread_ts_usec":1455907275695868,"pkt":"CAAnAERyCAAnmO\/hCABFAAAyX35AAEAR6YXAqDhlwKg4AURcxI8AHvHmZkSAZtDWwMpn\/osvci9CdXMxN0NtZA=="} 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2015,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1455907275831283,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1455907275831283,"pkt":"CAAnmO\/hCAAnAERyCABFAACAFEwAAIARNGrAqDgBwKg4ZcSPRFwAbLkURwOAZ6ExGoh1VzNyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTUgRUVUIDIwMTYifQ=="} -01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2067,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1319,"avg":116856.3,"max":131359,"stddev":22365.2,"var":500202464.0,"ent":4.9,"data": [1319,105009,107122,122637,124565,114853,120385,119749,111541,123867,122956,105381,109394,122887,120099,118036,119438,130107,131359,131277,128951,120148,121275,112275,114829,128910,125477,127969,127046,125146,128537]},"pktlen": {"min":60,"avg":101.2,"max":143,"stddev":38.5,"var":1485.3,"ent":4.9,"data": [139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63]},"bins": {"c_to_s": [0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3210,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5091,"avg":127214.4,"max":172321,"stddev":26264.3,"var":689812928.0,"ent":4.9,"data": [5091,140506,139383,127325,129287,138036,134456,137698,141222,137865,138593,132603,133311,132101,136834,172321,164608,137809,136671,122327,121648,117128,118696,128848,133217,115516,110107,123592,124533,106749,105564]},"pktlen": {"min":59,"avg":101.1,"max":143,"stddev":38.6,"var":1487.1,"ent":4.9,"data": [141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65]},"bins": {"c_to_s": [0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02166{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2067,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1319,"avg":116856.3,"max":131359,"stddev":22365.2,"var":500202464.0,"ent":4.9,"data": [1319,105009,107122,122637,124565,114853,120385,119749,111541,123867,122956,105381,109394,122887,120099,118036,119438,130107,131359,131277,128951,120148,121275,112275,114829,128910,125477,127969,127046,125146,128537]},"pktlen": {"min":46,"avg":87.2,"max":129,"stddev":38.5,"var":1485.3,"ent":4.9,"data": [125,48,129,52,125,48,126,49,126,49,123,46,123,46,123,46,128,51,126,49,127,50,125,48,125,48,128,51,127,50,126,49]},"bins": {"c_to_s": [0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.540076256,5.126628399,5.646005154,5.238902569,5.556076050,5.011841774,5.645351887,5.124912739,5.661224842,5.124912739,5.536271572,5.045301914,5.526149273,5.010309696,5.552532196,5.088779926,5.645638943,5.155473709,5.623487949,5.027874470,5.658226013,5.203855038,5.594115257,5.084961414,5.581238747,5.084961414,5.642791271,5.201836586,5.575829029,5.148757458,5.623488426,5.043280125]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02166{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3210,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5091,"avg":127214.4,"max":172321,"stddev":26264.3,"var":689812928.0,"ent":4.9,"data": [5091,140506,139383,127325,129287,138036,134456,137698,141222,137865,138593,132603,133311,132101,136834,172321,164608,137809,136671,122327,121648,117128,118696,128848,133217,115516,110107,123592,124533,106749,105564]},"pktlen": {"min":45,"avg":87.1,"max":129,"stddev":38.6,"var":1487.1,"ent":4.9,"data": [127,50,128,51,123,46,123,46,126,49,123,46,122,45,127,50,125,48,129,52,126,49,124,47,125,48,129,52,124,47,128,51]},"bins": {"c_to_s": [0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.584132195,5.148756981,5.612321377,5.123405457,5.484527588,5.088779926,5.497614384,5.088779926,5.597732544,5.084096432,5.526148796,5.088780403,5.523175716,5.047409534,5.616926193,5.163855076,5.550037384,5.084961891,5.666587353,5.277364254,5.567777157,5.068690777,5.565383434,5.070440769,5.542193413,5.084961414,5.626701832,5.238902569,5.490826130,4.985334873,5.638961315,5.241052151]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00921{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":8516,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":100,"flow_dst_packets_processed":100,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907282684236,"flow_dst_last_pkt_time":1455907282686487,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":9710,"flow_dst_tot_l4_payload_len":2010,"midstream":0,"thread_ts_usec":1455907286855601,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00921{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":8516,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":100,"flow_dst_packets_processed":100,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907285180257,"flow_dst_last_pkt_time":1455907285181466,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":9747,"flow_dst_tot_l4_payload_len":2047,"midstream":0,"thread_ts_usec":1455907286855601,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00921{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":8516,"source":"coap_mqtt.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":100,"flow_dst_packets_processed":100,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907284043615,"flow_dst_last_pkt_time":1455907284046276,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":9760,"flow_dst_tot_l4_payload_len":2060,"midstream":0,"thread_ts_usec":1455907286855601,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -107,10 +107,10 @@ ~~ total active/idle flows...: 16/16 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6315099 bytes -~~ total memory freed........: 6315099 bytes -~~ total allocations/frees...: 130155/130155 +~~ total memory allocated....: 6317275 bytes +~~ total memory freed........: 6317275 bytes +~~ total allocations/frees...: 130171/130171 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars -~~ json string max len.......: 1858 chars -~~ json string avg len.......: 1175 chars +~~ json string max len.......: 2257 chars +~~ json string avg len.......: 1374 chars diff --git a/test/results/collectd.pcap.out b/test/results/collectd.pcap.out index d05658942..29c7f4406 100644 --- a/test/results/collectd.pcap.out +++ b/test/results/collectd.pcap.out @@ -41,7 +41,7 @@ 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":29,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315463990790,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":23962,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315463990790,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":35,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315513990834,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":31897,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315513990834,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":41,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":30,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315563990487,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39897,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315563990487,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} -01844{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315583990823,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42548,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315583990823,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":417,"avg":8709655.0,"max":10000474,"stddev":3352121.2,"var":11236716576768.0,"ent":4.8,"data": [9999043,10000474,9999533,9999908,9999948,529,9999990,10000110,9999700,10000036,9999885,10000020,417,9999778,9999931,10000097,9999852,9999817,10000085,761,9999588,9999630,10000163,10000066,9999926,9999713,640,10000064,9999244,10000446,9999890]},"pktlen": {"min":1353,"avg":1371.6,"max":1388,"stddev":10.8,"var":116.6,"ent":5.0,"data": [1385,1365,1371,1361,1365,1355,1369,1388,1379,1385,1386,1380,1386,1368,1375,1376,1353,1371,1368,1353,1365,1364,1367,1370,1384,1361,1381,1383,1388,1355,1359,1376]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,26,4,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +02243{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315583990823,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42548,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315583990823,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":417,"avg":8709655.0,"max":10000474,"stddev":3352121.2,"var":11236716576768.0,"ent":4.8,"data": [9999043,10000474,9999533,9999908,9999948,529,9999990,10000110,9999700,10000036,9999885,10000020,417,9999778,9999931,10000097,9999852,9999817,10000085,761,9999588,9999630,10000163,10000066,9999926,9999713,640,10000064,9999244,10000446,9999890]},"pktlen": {"min":1339,"avg":1357.6,"max":1374,"stddev":10.8,"var":116.6,"ent":5.0,"data": [1371,1351,1357,1347,1351,1341,1355,1374,1365,1371,1372,1366,1372,1354,1361,1362,1339,1357,1354,1339,1351,1350,1353,1356,1370,1347,1367,1369,1374,1341,1345,1362]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,26,4,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.538798809,4.626172066,4.590242386,4.677317142,4.469442844,4.469480515,4.436117172,4.566956997,4.640308857,4.622093678,4.647140026,4.535036087,4.461278439,4.484570026,4.575104237,4.554965019,4.643092632,4.568192482,4.547473907,4.509483337,4.405175686,4.572257042,4.526435375,4.590792656,4.609064102,4.615740299,4.564195156,4.457546711,4.629378319,4.606139183,4.648756027,4.580255032]},"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":48,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315623990962,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":49178,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315623990962,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00910{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":55,"source":"collectd.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":0,"flow_first_seen":1655315313991539,"flow_src_last_pkt_time":1655315683990797,"flow_dst_last_pkt_time":1655315313991539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1311,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1346,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":58483,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315683990797,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":35988,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"collectd","proto_id":"298","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":60,"source":"collectd.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655315734133371,"flow_src_last_pkt_time":1655315734133371,"flow_dst_last_pkt_time":1655315734133371,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1334,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1334,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1334,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655315734133371,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":36832,"dst_port":25826,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -72,9 +72,9 @@ ~~ total active/idle flows...: 9/9 ~~ total timeout flows.......: 3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6050898 bytes -~~ total memory freed........: 6050898 bytes -~~ total allocations/frees...: 121645/121645 +~~ total memory allocated....: 6052122 bytes +~~ total memory freed........: 6052122 bytes +~~ total allocations/frees...: 121654/121654 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2384 chars diff --git a/test/results/corba.pcap.out b/test/results/corba.pcap.out index d4a197a14..bc22958be 100644 --- a/test/results/corba.pcap.out +++ b/test/results/corba.pcap.out @@ -27,9 +27,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6045671 bytes -~~ total memory freed........: 6045671 bytes -~~ total allocations/frees...: 121532/121532 +~~ total memory allocated....: 6046079 bytes +~~ total memory freed........: 6046079 bytes +~~ total allocations/frees...: 121535/121535 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 902 chars diff --git a/test/results/cpha.pcap.out b/test/results/cpha.pcap.out index dd107c713..e3bf2c812 100644 --- a/test/results/cpha.pcap.out +++ b/test/results/cpha.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035642 bytes -~~ total memory freed........: 6035642 bytes -~~ total allocations/frees...: 121487/121487 +~~ total memory allocated....: 6035778 bytes +~~ total memory freed........: 6035778 bytes +~~ total allocations/frees...: 121488/121488 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 886 chars diff --git a/test/results/crynet.pcap.out b/test/results/crynet.pcap.out index 43048473c..8e715d3cf 100644 --- a/test/results/crynet.pcap.out +++ b/test/results/crynet.pcap.out @@ -36,9 +36,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042253 bytes -~~ total memory freed........: 6042253 bytes -~~ total allocations/frees...: 121577/121577 +~~ total memory allocated....: 6042797 bytes +~~ total memory freed........: 6042797 bytes +~~ total allocations/frees...: 121581/121581 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 912 chars diff --git a/test/results/dazn.pcapng.out b/test/results/dazn.pcapng.out index 506f795b2..59c707f91 100644 --- a/test/results/dazn.pcapng.out +++ b/test/results/dazn.pcapng.out @@ -30,9 +30,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6051609 bytes -~~ total memory freed........: 6051609 bytes -~~ total allocations/frees...: 121531/121531 +~~ total memory allocated....: 6052017 bytes +~~ total memory freed........: 6052017 bytes +~~ total allocations/frees...: 121534/121534 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 1226 chars diff --git a/test/results/dcerpc.pcap.out b/test/results/dcerpc.pcap.out index f58914f6c..4f3054e70 100644 --- a/test/results/dcerpc.pcap.out +++ b/test/results/dcerpc.pcap.out @@ -31,9 +31,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6040977 bytes -~~ total memory freed........: 6040977 bytes -~~ total allocations/frees...: 121533/121533 +~~ total memory allocated....: 6041521 bytes +~~ total memory freed........: 6041521 bytes +~~ total allocations/frees...: 121537/121537 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 1791 chars diff --git a/test/results/dhcp-fuzz.pcapng.out b/test/results/dhcp-fuzz.pcapng.out index ea9633d16..57b81acc8 100644 --- a/test/results/dhcp-fuzz.pcapng.out +++ b/test/results/dhcp-fuzz.pcapng.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035642 bytes -~~ total memory freed........: 6035642 bytes -~~ total allocations/frees...: 121487/121487 +~~ total memory allocated....: 6035778 bytes +~~ total memory freed........: 6035778 bytes +~~ total allocations/frees...: 121488/121488 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 496 chars ~~ json string max len.......: 940 chars diff --git a/test/results/diameter.pcap.out b/test/results/diameter.pcap.out index 768bc6253..31fba4ef1 100644 --- a/test/results/diameter.pcap.out +++ b/test/results/diameter.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035815 bytes -~~ total memory freed........: 6035815 bytes -~~ total allocations/frees...: 121493/121493 +~~ total memory allocated....: 6035951 bytes +~~ total memory freed........: 6035951 bytes +~~ total allocations/frees...: 121494/121494 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 997 chars diff --git a/test/results/discord.pcap.out b/test/results/discord.pcap.out index e6f876893..cd4720079 100644 --- a/test/results/discord.pcap.out +++ b/test/results/discord.pcap.out @@ -268,9 +268,9 @@ ~~ total active/idle flows...: 34/34 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6108152 bytes -~~ total memory freed........: 6108152 bytes -~~ total allocations/frees...: 122238/122238 +~~ total memory allocated....: 6112776 bytes +~~ total memory freed........: 6112776 bytes +~~ total allocations/frees...: 122272/122272 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 1890 chars diff --git a/test/results/dnp3.pcap.out b/test/results/dnp3.pcap.out index a0f184019..e6f313823 100644 --- a/test/results/dnp3.pcap.out +++ b/test/results/dnp3.pcap.out @@ -5,14 +5,14 @@ 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1097501938503079,"flow_dst_last_pkt_time":1097501938503079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097501938503079,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTFlAAIAGmmQKAAAICgAAAwrlTiBVHBrSAAAAAHAC\/\/+mIQAAAgQFtAEBBAI="} 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1097501938503079,"flow_dst_last_pkt_time":1097501938503079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097501938503079,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTFlAAIAGmmQKAAAICgAAAwrlTiBVHBrSAAAAAHAC\/\/+mIQAAAgQFtAEBBAI="} 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097501938503490,"flow_dst_last_pkt_time":1097501938504844,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097501938504844,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097502061905496,"flow_dst_last_pkt_time":1097501941569134,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097502061905496,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":201,"avg":12646847.0,"max":120145678,"stddev":35851428.0,"var":1285324797902848.0,"ent":0.4,"data": [201,411,1564,151649,2891882,795,3043080,21210,212002,120145678]},"pktlen": {"min":60,"avg":66.2,"max":79,"stddev":6.8,"var":46.8,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01988{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097502061905496,"flow_dst_last_pkt_time":1097501941569134,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097502061905496,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":201,"avg":12646847.0,"max":120145678,"stddev":35851428.0,"var":1285324797902848.0,"ent":0.4,"data": [201,411,1564,151649,2891882,795,3043080,21210,212002,120145678]},"pktlen": {"min":46,"avg":52.2,"max":65,"stddev":6.8,"var":46.8,"ent":5.0,"data": [48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,55,55,55,65,65,65,46,46,46,57,57,57,46,46,46,64,64]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0],"entropies": [4.259637833,4.259637833,4.259637833,4.683206558,4.683206558,4.683206558,4.102729797,4.102729797,4.102729797,4.867636204,4.867636204,4.867636204,4.146208286,4.146208286,4.146208286,4.803641796,4.803641796,4.803641796,5.091148376,5.091148376,5.091148376,4.146208286,4.146208286,4.146208286,4.750165939,4.750165939,4.750165939,4.146208286,4.146208286,4.146208286,4.932524681,4.932524681]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00552{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":40,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":40,"packets-processed":39,"total-skipped-flows":0,"total-l4-payload-len":345,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1097502623045756} 00742{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097502623045756,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097502623045756,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTRVAAIAGmagKAAAICgAAAwrzTiBm5W0JAAAAAHAC\/\/9CEwAAAgQFtAEBBAI="} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":41,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097502623045756,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTRVAAIAGmagKAAAICgAAAwrzTiBm5W0JAAAAAHAC\/\/9CEwAAAgQFtAEBBAI="} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1097502623045756,"flow_dst_last_pkt_time":1097502623045756,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097502623045756,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTRVAAIAGmagKAAAICgAAAwrzTiBm5W0JAAAAAHAC\/\/9CEwAAAgQFtAEBBAI="} 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":49,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502623046134,"flow_dst_last_pkt_time":1097502623047417,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097502623047417,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01590{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":71,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502648521527,"flow_dst_last_pkt_time":1097502648521681,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097502648521681,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":174,"avg":5095169.5,"max":17487311,"stddev":6400487.0,"var":40966232735744.0,"ent":2.2,"data": [174,378,1487,181225,17203302,17487311,4814054,4907006,3276812,3079947]},"pktlen": {"min":60,"avg":64.8,"max":78,"stddev":7.1,"var":50.0,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01989{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":71,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502648521527,"flow_dst_last_pkt_time":1097502648521681,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097502648521681,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":174,"avg":5095169.5,"max":17487311,"stddev":6400487.0,"var":40966232735744.0,"ent":2.2,"data": [174,378,1487,181225,17203302,17487311,4814054,4907006,3276812,3079947]},"pktlen": {"min":46,"avg":50.8,"max":64,"stddev":7.1,"var":50.0,"ent":5.0,"data": [48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,64,64,64,46,46,46,64,64,64,46,46,46,46,46,46,46,46]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1],"entropies": [4.259637833,4.259637833,4.259637833,4.599873543,4.599873543,4.599873543,4.032184124,4.032184124,4.032184124,4.588809967,4.588809967,4.588809967,4.075662136,4.075662136,4.075662136,4.807524681,4.807524681,4.807524681,4.075662136,4.075662136,4.075662136,4.889479637,4.889479637,4.889479637,4.102729797,4.102729797,4.102729797,4.146208286,4.146208286,4.146208286,4.146208286,4.146208286]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00553{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":79,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":79,"packets-processed":78,"total-skipped-flows":0,"total-l4-payload-len":540,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":16,"global_ts_usec":1097504102255746} 00742{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":79,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504102255746,"flow_dst_last_pkt_time":1097504102255746,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097504102255746,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1097504102255746,"flow_dst_last_pkt_time":1097504102255746,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097504102255746,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTjtAAIAGmIIKAAAICgAAAwsMTiCPBdusAAAAAHAC\/\/+rNgAAAgQFtAEBBAI="} @@ -20,7 +20,7 @@ 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1097504102255746,"flow_dst_last_pkt_time":1097504102255746,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097504102255746,"pkt":"AAKzznBRAFAEk3BnCABFAAAwTjtAAIAGmIIKAAAICgAAAwsMTiCPBdusAAAAAHAC\/\/+rNgAAAgQFtAEBBAI="} 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":88,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504102256118,"flow_dst_last_pkt_time":1097504102257400,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097504102257400,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00897{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":109,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":18,"flow_first_seen":1097502623045756,"flow_src_last_pkt_time":1097502648678187,"flow_dst_last_pkt_time":1097502648677871,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097504103602860,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2803,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01585{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504186592304,"flow_dst_last_pkt_time":1097504103409070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097504186592304,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":167,"avg":8548988.0,"max":82989444,"stddev":24816838.0,"var":615875493232640.0,"ent":0.2,"data": [167,372,1487,144969,996855,774,1141407,10263,204144,82989444]},"pktlen": {"min":60,"avg":66.2,"max":79,"stddev":6.8,"var":46.8,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01984{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504186592304,"flow_dst_last_pkt_time":1097504103409070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097504186592304,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":167,"avg":8548988.0,"max":82989444,"stddev":24816838.0,"var":615875493232640.0,"ent":0.2,"data": [167,372,1487,144969,996855,774,1141407,10263,204144,82989444]},"pktlen": {"min":46,"avg":52.2,"max":65,"stddev":6.8,"var":46.8,"ent":5.0,"data": [48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,55,55,55,65,65,65,46,46,46,57,57,57,46,46,46,64,64]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0],"entropies": [4.233697891,4.233697891,4.233697891,4.698933601,4.698933601,4.698933601,4.075662136,4.075662136,4.075662136,4.854392529,4.854392529,4.854392529,4.119140625,4.119140625,4.119140625,4.817366600,4.817366600,4.817366600,5.114375591,5.114375591,5.114375591,4.162618637,4.162618637,4.162618637,4.765161514,4.765161514,4.765161514,4.075662136,4.075662136,4.075662136,4.901274681,4.901274681]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":217,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":217,"packets-processed":216,"total-skipped-flows":0,"total-l4-payload-len":3957,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":3,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":24,"global_ts_usec":1097505644006837} 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":217,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505644006837,"flow_dst_last_pkt_time":1097505644006837,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097505644006837,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":217,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1097505644006837,"flow_dst_last_pkt_time":1097505644006837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097505644006837,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAVNAAIAG5WkKAAAJCgAAAwQ4TiAZahgcAAAAAHAC\/\/\/rNQAAAgQFtAEBBAI="} @@ -28,14 +28,14 @@ 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":219,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1097505644006837,"flow_dst_last_pkt_time":1097505644006837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097505644006837,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAVNAAIAG5WkKAAAJCgAAAwQ4TiAZahgcAAAAAHAC\/\/\/rNQAAAgQFtAEBBAI="} 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":226,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":15,"flow_first_seen":1097501938503079,"flow_src_last_pkt_time":1097502062040142,"flow_dst_last_pkt_time":1097502061912093,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":192,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097505644007259,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2789,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":226,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":3,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505719035890,"flow_dst_last_pkt_time":1097505644007009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":15,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":15,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097505719035890,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":248,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505754575976,"flow_dst_last_pkt_time":1097505754654239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":205,"midstream":0,"thread_ts_usec":1097505754654239,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":172,"avg":22121654.0,"max":75076356,"stddev":29809640.0,"var":888614640680960.0,"ent":1.9,"data": [172,422,75028631,75076356,533,48219,553,153041,35338826,35569788]},"pktlen": {"min":60,"avg":66.7,"max":77,"stddev":5.9,"var":34.5,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,69,69,69,71,71,71,71,71,71,60,60,60,77,77,77,60,60,60,72,72,72,71,71]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01988{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":248,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097505644006837,"flow_src_last_pkt_time":1097505754575976,"flow_dst_last_pkt_time":1097505754654239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":205,"midstream":0,"thread_ts_usec":1097505754654239,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1080,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":172,"avg":22121654.0,"max":75076356,"stddev":29809640.0,"var":888614640680960.0,"ent":1.9,"data": [172,422,75028631,75076356,533,48219,553,153041,35338826,35569788]},"pktlen": {"min":46,"avg":52.7,"max":63,"stddev":5.9,"var":34.5,"ent":5.0,"data": [48,48,48,48,48,48,46,46,46,55,55,55,57,57,57,57,57,57,46,46,46,63,63,63,46,46,46,58,58,58,57,57]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1],"entropies": [4.202244282,4.202244282,4.202244282,4.683207035,4.683207035,4.683207035,4.162618637,4.162618637,4.162618637,4.907654285,4.907654285,4.907654285,4.659897804,4.659897804,4.659897804,4.765161991,4.765161991,4.765161991,4.162618637,4.162618637,4.162618637,4.927980900,4.927980900,4.927980900,4.162619114,4.162619114,4.162619114,4.909368515,4.909368515,4.909368515,4.673142433,4.673142433]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":352,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":352,"packets-processed":351,"total-skipped-flows":0,"total-l4-payload-len":5682,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":4,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":32,"global_ts_usec":1097507785883614} 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":352,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097507785883614,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":352,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097507785883614,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAaRAAIAG5RkKAAAICgAAAwQ+TiAMLRLKAAAAAHAC\/\/\/9vwAAAgQFtAEBBAI="} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":353,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097507785883614,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAaRAAIAG5RkKAAAICgAAAwQ+TiAMLRLKAAAAAHAC\/\/\/9vwAAAgQFtAEBBAI="} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":354,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1097507785883614,"flow_dst_last_pkt_time":1097507785883614,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097507785883614,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAaRAAIAG5RkKAAAICgAAAwQ+TiAMLRLKAAAAAHAC\/\/\/9vwAAAgQFtAEBBAI="} 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":361,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507785883944,"flow_dst_last_pkt_time":1097507785885063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097507785885063,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01576{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":383,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507788771853,"flow_dst_last_pkt_time":1097507788624309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097507788771853,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":562893.4,"max":2639445,"stddev":999852.8,"var":999705673728.0,"ent":1.5,"data": [139,330,1310,168563,2471106,796,2639445,99801,232167,15277]},"pktlen": {"min":60,"avg":66.2,"max":79,"stddev":6.8,"var":46.1,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,78,78,78,60,60,60,71,71,71,60,60,60,79,79]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01975{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":383,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507788771853,"flow_dst_last_pkt_time":1097507788624309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":167,"flow_dst_tot_l4_payload_len":102,"midstream":0,"thread_ts_usec":1097507788771853,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":562893.4,"max":2639445,"stddev":999852.8,"var":999705673728.0,"ent":1.5,"data": [139,330,1310,168563,2471106,796,2639445,99801,232167,15277]},"pktlen": {"min":46,"avg":52.2,"max":65,"stddev":6.8,"var":46.1,"ent":5.0,"data": [48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,55,55,55,64,64,64,46,46,46,57,57,57,46,46,46,65,65]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0],"entropies": [4.202244282,4.202244282,4.202244282,4.683207035,4.683207035,4.683207035,4.119140148,4.119140148,4.119140148,4.854392529,4.854392529,4.854392529,4.162619114,4.162619114,4.162619114,4.767277718,4.767277718,4.767277718,4.850569725,4.850569725,4.850569725,4.119140625,4.119140625,4.119140625,4.806060791,4.806060791,4.806060791,4.206097126,4.206097126,4.206097126,5.071992874,5.071992874]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00900{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":427,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":60,"flow_dst_packets_processed":78,"flow_first_seen":1097504102255746,"flow_src_last_pkt_time":1097504224083555,"flow_dst_last_pkt_time":1097504223905294,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":25,"flow_dst_max_l4_payload_len":91,"flow_src_tot_l4_payload_len":687,"flow_dst_tot_l4_payload_len":2730,"midstream":0,"thread_ts_usec":1097507789958377,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":2828,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":445,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":445,"packets-processed":444,"total-skipped-flows":0,"total-l4-payload-len":7101,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":5,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":40,"global_ts_usec":1097510947092701} 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":445,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097510947092701,"flow_src_last_pkt_time":1097510947092701,"flow_dst_last_pkt_time":1097510947092701,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097510947092701,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1159,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -52,14 +52,14 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":474,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1097512255234470,"flow_dst_last_pkt_time":1097512255234470,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097512255234470,"pkt":"AAKzznBRAFAEk3BnCABFAAAwBpNAAIAG4CoKAAAICgAAAwSgTiANrtDCAAAAAHAC\/\/895AAAAgQFtAEBBAI="} 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":481,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512255234830,"flow_dst_last_pkt_time":1097512255236054,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097512255236054,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":496,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":57,"flow_dst_packets_processed":36,"flow_first_seen":1097507785883614,"flow_src_last_pkt_time":1097507856257809,"flow_dst_last_pkt_time":1097507856091024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":93,"flow_src_tot_l4_payload_len":645,"flow_dst_tot_l4_payload_len":774,"midstream":0,"thread_ts_usec":1097512264841740,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1086,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01587{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512267645965,"flow_dst_last_pkt_time":1097512267537969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097512267645965,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":157,"avg":2471499.5,"max":9487840,"stddev":3592256.2,"var":12904304738304.0,"ent":1.9,"data": [157,360,1427,192830,9226978,9487840,187102,2636386,2814075,167839]},"pktlen": {"min":60,"avg":66.8,"max":78,"stddev":7.0,"var":48.7,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,71,71,71,60,60,60,78,78,78,71,71,71,60,60]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01986{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":503,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512267645965,"flow_dst_last_pkt_time":1097512267537969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097512267645965,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":157,"avg":2471499.5,"max":9487840,"stddev":3592256.2,"var":12904304738304.0,"ent":1.9,"data": [157,360,1427,192830,9226978,9487840,187102,2636386,2814075,167839]},"pktlen": {"min":46,"avg":52.8,"max":64,"stddev":7.0,"var":48.7,"ent":5.0,"data": [48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,64,64,64,57,57,57,46,46,46,64,64,64,57,57,57,46,46]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0],"entropies": [4.217971325,4.217971325,4.217971325,4.641540051,4.641540051,4.641540051,4.032184124,4.032184124,4.032184124,4.784216881,4.784216881,4.784216881,4.075662136,4.075662136,4.075662136,4.924864769,4.924864769,4.924864769,4.906424999,4.906424999,4.906424999,4.075662136,4.075662136,4.075662136,4.924864769,4.924864769,4.924864769,4.858093739,4.858093739,4.858093739,4.075662136,4.075662136]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":505,"source":"dnp3.pcap","alias":"nDPId-test","packets-captured":505,"packets-processed":504,"total-skipped-flows":0,"total-l4-payload-len":7593,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":7,"total-detection-updates":0,"total-updates":1,"current-active-flows":2,"total-active-flows":7,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":56,"global_ts_usec":1097513177295531} 00743{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":505,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1097513177295531,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":505,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097513177295531,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAUpAAIAG5XIKAAAJCgAAAwQ8TiBc3qwfAAAAAHAC\/\/8TugAAAgQFtAEBBAI="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":506,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097513177295531,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAUpAAIAG5XIKAAAJCgAAAwQ8TiBc3qwfAAAAAHAC\/\/8TugAAAgQFtAEBBAI="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":507,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1097513177295531,"flow_dst_last_pkt_time":1097513177295531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1097513177295531,"pkt":"AAKzznBRAFAEk3BnCABFAAAwAUpAAIAG5XIKAAAJCgAAAwQ8TiBc3qwfAAAAAHAC\/\/8TugAAAgQFtAEBBAI="} 00854{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":514,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513177295941,"flow_dst_last_pkt_time":1097513177297272,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":17,"midstream":0,"thread_ts_usec":1097513177297272,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01587{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":536,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513185001370,"flow_dst_last_pkt_time":1097513185001533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185001533,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":199,"avg":1541184.1,"max":3963212,"stddev":1422434.8,"var":2023320715264.0,"ent":2.5,"data": [199,410,1542,125290,3672101,3963212,1744251,1702440,2163787,2038609]},"pktlen": {"min":60,"avg":64.8,"max":78,"stddev":7.1,"var":50.0,"ent":5.0,"data": [62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +01986{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":536,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513185001370,"flow_dst_last_pkt_time":1097513185001533,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185001533,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":199,"avg":1541184.1,"max":3963212,"stddev":1422434.8,"var":2023320715264.0,"ent":2.5,"data": [199,410,1542,125290,3672101,3963212,1744251,1702440,2163787,2038609]},"pktlen": {"min":46,"avg":50.8,"max":64,"stddev":7.1,"var":50.0,"ent":5.0,"data": [48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,64,64,64,46,46,46,64,64,64,46,46,46,46,46,46,46,46]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1],"entropies": [4.202244282,4.202244282,4.202244282,4.641540051,4.641540051,4.641540051,4.075662136,4.075662136,4.075662136,4.893180847,4.893180847,4.893180847,4.119140148,4.119140148,4.119140148,4.926108360,4.926108360,4.926108360,4.162619114,4.162619114,4.162619114,4.957358360,4.957358360,4.957358360,4.075662613,4.075662613,4.075662613,4.119140625,4.119140625,4.119140625,4.162619114,4.162619114]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00897{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":543,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":18,"flow_first_seen":1097513177295531,"flow_src_last_pkt_time":1097513185107737,"flow_dst_last_pkt_time":1097513185107430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185107737,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.3","src_port":1084,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00898{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":543,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":12,"flow_first_seen":1097510947092701,"flow_src_last_pkt_time":1097510959359091,"flow_dst_last_pkt_time":1097510959487180,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":51,"midstream":0,"thread_ts_usec":1097513185107737,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1159,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":543,"source":"dnp3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":12,"flow_first_seen":1097512255234470,"flow_src_last_pkt_time":1097512267645965,"flow_dst_last_pkt_time":1097512267537969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":17,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":153,"midstream":0,"thread_ts_usec":1097513185107737,"l3_proto":"ip4","src_ip":"10.0.0.8","dst_ip":"10.0.0.3","src_port":1184,"dst_port":20000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNP3","proto_id":"244","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} @@ -72,10 +72,10 @@ ~~ total active/idle flows...: 8/8 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6063204 bytes -~~ total memory freed........: 6063204 bytes -~~ total allocations/frees...: 122116/122116 +~~ total memory allocated....: 6064292 bytes +~~ total memory freed........: 6064292 bytes +~~ total allocations/frees...: 122124/122124 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1595 chars -~~ json string avg len.......: 1042 chars +~~ json string max len.......: 1994 chars +~~ json string avg len.......: 1241 chars diff --git a/test/results/dns-invalid-chars.pcap.out b/test/results/dns-invalid-chars.pcap.out index 9a6907b42..df7d25506 100644 --- a/test/results/dns-invalid-chars.pcap.out +++ b/test/results/dns-invalid-chars.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035699 bytes -~~ total memory freed........: 6035699 bytes -~~ total allocations/frees...: 121489/121489 +~~ total memory allocated....: 6035835 bytes +~~ total memory freed........: 6035835 bytes +~~ total allocations/frees...: 121490/121490 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 502 chars ~~ json string max len.......: 1027 chars diff --git a/test/results/dns-tunnel-iodine.pcap.out b/test/results/dns-tunnel-iodine.pcap.out index 1f6bb7ba3..99a0e04d9 100644 --- a/test/results/dns-tunnel-iodine.pcap.out +++ b/test/results/dns-tunnel-iodine.pcap.out @@ -6,7 +6,7 @@ 00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1282356640051082,"flow_dst_last_pkt_time":1282356640051175,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"thread_ts_usec":1282356640051175,"pkt":"CAAnnOC0CAAnx266CABFAABZAABAAEARImMKAAIUCgACHgA1rl8ARRoeErCEAAABAAEAAAAAC3ZhYWFha2FyZGxpBnBpcmF0ZQNzZWEAAAoAAcAMAAoAAQAAAAAACVZBQ0tEA8XpAQ=="} 01140{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356640051082,"flow_dst_last_pkt_time":1282356640051175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":61,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":61,"midstream":0,"thread_ts_usec":1282356640051175,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"vaaaakardli.pirate.sea","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":10,"rsp_type":10,"rsp_addr":"0.0.0.0"}}} 00586{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1282356640051979,"flow_dst_last_pkt_time":1282356640051175,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"thread_ts_usec":1282356640051979,"pkt":"CAAnx266CAAnnOC0CABFAABZAABAAEARImMKAAIeCgACFK5fADUARcobMN8BAAABAAAAAAAAIGxhZWdwdW1pcGxoaHB6MTJ5bmQxZWZsandsa2pjZ3d5BnBpcmF0ZQNzZWEAAAoAAQ=="} -01833{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356645071860,"flow_dst_last_pkt_time":1282356640060900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":281,"flow_dst_max_l4_payload_len":1434,"flow_src_tot_l4_payload_len":2968,"flow_dst_tot_l4_payload_len":3580,"midstream":0,"thread_ts_usec":1282356645071860,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":93,"avg":162277.3,"max":1002966,"stddev":368318.9,"var":135658823680.0,"ent":2.4,"data": [93,897,1083,5795,5715,411,342,245,227,219,217,216,215,213,212,209,230,282,586,445,177,314,494,447,227,245,1001664,1002291,1001465,1002966,1002454]},"pktlen": {"min":82,"avg":246.6,"max":1476,"stddev":286.6,"var":82112.7,"ent":4.4,"data": [82,103,103,144,88,137,123,166,132,184,138,196,118,156,134,188,88,96,88,95,88,93,323,1092,323,1476,323,323,323,323,323,323]},"bins": {"c_to_s": [0,6,4,1,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,4,1,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02230{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356645071860,"flow_dst_last_pkt_time":1282356640060900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":281,"flow_dst_max_l4_payload_len":1434,"flow_src_tot_l4_payload_len":2968,"flow_dst_tot_l4_payload_len":3580,"midstream":0,"thread_ts_usec":1282356645071860,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":93,"avg":162277.3,"max":1002966,"stddev":368318.9,"var":135658823680.0,"ent":2.4,"data": [93,897,1083,5795,5715,411,342,245,227,219,217,216,215,213,212,209,230,282,586,445,177,314,494,447,227,245,1001664,1002291,1001465,1002966,1002454]},"pktlen": {"min":68,"avg":232.6,"max":1462,"stddev":286.6,"var":82112.7,"ent":4.4,"data": [68,89,89,130,74,123,109,152,118,170,124,182,104,142,120,174,74,82,74,81,74,79,309,1078,309,1462,309,309,309,309,309,309]},"bins": {"c_to_s": [0,6,4,1,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,4,1,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,0,0,0],"entropies": [4.192683220,4.481659889,4.827383041,4.928776741,4.048753262,5.135797501,4.621113777,4.797404289,4.689741611,4.823459148,5.501323700,5.868503571,5.093356609,5.373332500,5.574461937,5.911468983,4.085981369,4.376136780,4.058953762,4.299961090,4.038551807,4.297753811,4.143254280,7.508830547,3.346999884,7.575299263,4.126974583,4.140811443,4.147284031,4.120341778,4.126974583,4.140811920]},"ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01043{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":438,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":222,"flow_dst_packets_processed":212,"flow_first_seen":1282356640051082,"flow_src_last_pkt_time":1282356664538177,"flow_dst_last_pkt_time":1282356664538369,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":281,"flow_dst_max_l4_payload_len":1470,"flow_src_tot_l4_payload_len":16812,"flow_dst_tot_l4_payload_len":35212,"midstream":0,"thread_ts_usec":1282356664538369,"l3_proto":"ip4","src_ip":"10.0.2.30","dst_ip":"10.0.2.20","src_port":44639,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00573{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":438,"source":"dns-tunnel-iodine.pcap","alias":"nDPId-test","packets-captured":438,"packets-processed":434,"total-skipped-flows":0,"total-l4-payload-len":52024,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1282356664538369} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -17,10 +17,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6048252 bytes -~~ total memory freed........: 6048252 bytes -~~ total allocations/frees...: 121922/121922 +~~ total memory allocated....: 6048388 bytes +~~ total memory freed........: 6048388 bytes +~~ total allocations/frees...: 121923/121923 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 502 chars -~~ json string max len.......: 1838 chars -~~ json string avg len.......: 1123 chars +~~ json string max len.......: 2235 chars +~~ json string avg len.......: 1296 chars diff --git a/test/results/dns_ambiguous_names.pcap.out b/test/results/dns_ambiguous_names.pcap.out index 2c662e849..2b4ae319c 100644 --- a/test/results/dns_ambiguous_names.pcap.out +++ b/test/results/dns_ambiguous_names.pcap.out @@ -69,9 +69,9 @@ ~~ total active/idle flows...: 10/10 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6050854 bytes -~~ total memory freed........: 6050854 bytes -~~ total allocations/frees...: 121598/121598 +~~ total memory allocated....: 6052214 bytes +~~ total memory freed........: 6052214 bytes +~~ total allocations/frees...: 121608/121608 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 504 chars ~~ json string max len.......: 1048 chars diff --git a/test/results/dns_doh.pcap.out b/test/results/dns_doh.pcap.out index 9fdbad42a..56603dbcc 100644 --- a/test/results/dns_doh.pcap.out +++ b/test/results/dns_doh.pcap.out @@ -6,7 +6,7 @@ 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1571089200876498,"flow_dst_last_pkt_time":1571089200876406,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1571089200876498,"pkt":"WkBO7NFkeDHBvV4kCABFAAAoAABAAEAGI66sFAoEaBD4+cLVAbuk7FgjymHcL1AQEAAggAAA"} 01118{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089200878306,"flow_dst_last_pkt_time":1571089200876406,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1571089200878306,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"mozilla.cloudflare-dns.com","tls": {"version":"TLSv1.2","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01163{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089200878306,"flow_dst_last_pkt_time":1571089200968629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1300,"midstream":0,"thread_ts_usec":1571089200968629,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"mozilla.cloudflare-dns.com","tls": {"version":"TLSv1.3","ja3":"b20b44b18b853ef29ab773e921b03422","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01689{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089201723583,"flow_dst_last_pkt_time":1571089201764372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":1424,"flow_dst_tot_l4_payload_len":4202,"midstream":0,"thread_ts_usec":1571089201764372,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":63645.8,"max":535341,"stddev":131829.5,"var":17379012608.0,"ent":3.0,"data": [87116,87208,1808,92218,5,2,90426,511,1485,930,26074,858,110,91,102733,7825,6,1,83431,1,17900,147557,535341,708,88830,66,525420,6,10702,6]},"pktlen": {"min":54,"avg":230.9,"max":1354,"stddev":327.3,"var":107137.2,"ent":4.1,"data": [78,66,54,571,54,1354,1354,54,54,503,54,118,224,297,133,54,591,404,85,54,54,54,85,54,116,147,116,157,54,54,258,85]},"bins": {"c_to_s": [9,2,3,1,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +02088{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089201723583,"flow_dst_last_pkt_time":1571089201764372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":1424,"flow_dst_tot_l4_payload_len":4202,"midstream":0,"thread_ts_usec":1571089201764372,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":63645.8,"max":535341,"stddev":131829.5,"var":17379012608.0,"ent":3.0,"data": [87116,87208,1808,92218,5,2,90426,511,1485,930,26074,858,110,91,102733,7825,6,1,83431,1,17900,147557,535341,708,88830,66,525420,6,10702,6]},"pktlen": {"min":40,"avg":216.9,"max":1340,"stddev":327.3,"var":107137.2,"ent":3.9,"data": [64,52,40,557,40,1340,1340,40,40,489,40,104,210,283,119,40,577,390,71,40,40,40,71,40,102,133,102,143,40,40,244,71]},"bins": {"c_to_s": [9,2,3,1,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1],"entropies": [4.441382408,4.801308632,4.503056526,5.369568825,4.730641365,7.827131748,7.862888336,4.630641460,4.453056335,7.522860050,4.630641460,5.744826317,6.939166546,7.200489998,6.276752949,4.730641365,7.589616776,7.428659439,5.699038506,4.730641365,4.730641365,4.680641174,5.688406467,4.780641556,6.111449242,6.391828060,6.039783001,6.407779217,4.780641556,4.730641365,7.064774990,5.558194637]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00916{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":142,"source":"dns_doh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":86,"flow_dst_packets_processed":56,"flow_first_seen":1571089200789290,"flow_src_last_pkt_time":1571089204031014,"flow_dst_last_pkt_time":1571089204030791,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1300,"flow_src_tot_l4_payload_len":3792,"flow_dst_tot_l4_payload_len":8866,"midstream":0,"thread_ts_usec":1571089204031014,"l3_proto":"ip4","src_ip":"172.20.10.4","dst_ip":"104.16.248.249","src_port":49877,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":142,"source":"dns_doh.pcap","alias":"nDPId-test","packets-captured":142,"packets-processed":142,"total-skipped-flows":0,"total-l4-payload-len":12658,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1571089204031014} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -17,10 +17,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6049282 bytes -~~ total memory freed........: 6049282 bytes -~~ total allocations/frees...: 121635/121635 +~~ total memory allocated....: 6049418 bytes +~~ total memory freed........: 6049418 bytes +~~ total allocations/frees...: 121636/121636 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1694 chars -~~ json string avg len.......: 1052 chars +~~ json string max len.......: 2093 chars +~~ json string avg len.......: 1226 chars diff --git a/test/results/dns_dot.pcap.out b/test/results/dns_dot.pcap.out index 0fa4cd2a9..0fa97cd2f 100644 --- a/test/results/dns_dot.pcap.out +++ b/test/results/dns_dot.pcap.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6044671 bytes -~~ total memory freed........: 6044671 bytes -~~ total allocations/frees...: 121529/121529 +~~ total memory allocated....: 6044807 bytes +~~ total memory freed........: 6044807 bytes +~~ total allocations/frees...: 121530/121530 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 1845 chars diff --git a/test/results/dns_exfiltration.pcap.out b/test/results/dns_exfiltration.pcap.out index 0b481905a..b68d3d50b 100644 --- a/test/results/dns_exfiltration.pcap.out +++ b/test/results/dns_exfiltration.pcap.out @@ -6,7 +6,7 @@ 00963{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1580978146717893,"flow_dst_last_pkt_time":1580978146888524,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":386,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":386,"pkt_l4_len":352,"thread_ts_usec":1580978146888524,"pkt":"jNzURr7Eqqru7hERCABFAAF0PC1AAD8R1RrAqMunwKjcOAA13DUBYD3xOR2BgAABAAEAAAAABmRuc2NhdDw1NDZiMDNmNTAwMDAwMDAwMDBhNjAyM2VkNGRmMTg0ZDZhYzVjMjYyOGI0NzcxNGZkZWU1ODRmZWQ3Mzk8NWEwM2I1YjFlMWFhOGY4ZmRiMWJiZThkNWUwNDk1MjE0MWY3ZDRmODJjN2UzYjA2ZGNjOGI4N2ZhZDdhGjE5ZTRkMDk4ZGM4YzYxOGY4ZDgxY2ZlYjAyAAAPAAHADAAPAAEAAAA8AJ8ACgZkbnNjYXQ\/MjAxZjAzZjUwMDAwMDAwMDAwNzEzYjkyNzFmMDExZGM3NjQyM2RhYjM5MmMzMmMxOGJmYzk2YjZkMjY5NWEyPzZhOTExYzk0NDcyZjU5NDA5YTVmNTI2MDEzZTc2MDE5MzY2YTA3NzkyOWUzNDgwZmJlNmQ3YzRlZGE2ZjkwOBRmMmJjOTlhNjAxZTFhODIyMTMzNgA="} 01325{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978146717893,"flow_dst_last_pkt_time":1580978146888524,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":173,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":173,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":173,"flow_dst_tot_l4_payload_len":344,"midstream":0,"thread_ts_usec":1580978146888524,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"e1aa8f8fdb1bbe8d5e04952141f7d4f82c7e3b06dcc8b87fad7a.19e4d098dc8c618f8d81cfeb02","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":15,"rsp_type":15,"rsp_addr":"0.0.0.0"}}} 00670{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1580978147753419,"flow_dst_last_pkt_time":1580978146888524,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":166,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":166,"pkt_l4_len":132,"thread_ts_usec":1580978147753419,"pkt":"qqru7hERjNzURr7ECABFAACYekZAAD8RAADAqNw4wKjLp9w1ADUAhCnHfRoBAAABAAAAAAAABmRuc2NhdDw5MWYwMDNmNTAwZjYxMjIxODEwYWVhMDAwMDA0ODYzYzY5MTU4MGVjYWQ2NmY2NGFjN2RkYjg3Yjg5YzcmOTIwMDgyMWU1MjdkNGUxNzYzMjUzYzI1ZTI5N2UyYWE0MTEzZDAAAAUAAQ=="} -02056{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978160880828,"flow_dst_last_pkt_time":1580978160882236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":173,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":1158,"flow_dst_tot_l4_payload_len":2183,"midstream":0,"thread_ts_usec":1580978160882236,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3976,"avg":913783.2,"max":1035526,"stddev":281798.4,"var":79410348032.0,"ent":4.8,"data": [170631,1035526,866477,1015270,1015599,4647,3976,1009971,1010376,1009201,1009121,1008475,1008435,1009499,1009380,1008042,1008120,1008655,1008570,1009773,1009797,1009990,1010112,1008960,1008939,1008465,1008353,1007666,1007763,1008795,1008694]},"pktlen": {"min":101,"avg":146.4,"max":386,"stddev":59.1,"var":3497.9,"ent":4.9,"data": [215,386,166,286,136,193,101,148,101,148,101,156,101,148,101,158,101,158,101,156,101,148,101,158,101,158,101,158,101,148,101,148]},"bins": {"c_to_s": [0,13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,13,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02441{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978160880828,"flow_dst_last_pkt_time":1580978160882236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":173,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":1158,"flow_dst_tot_l4_payload_len":2183,"midstream":0,"thread_ts_usec":1580978160882236,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3976,"avg":913783.2,"max":1035526,"stddev":281798.4,"var":79410348032.0,"ent":4.8,"data": [170631,1035526,866477,1015270,1015599,4647,3976,1009971,1010376,1009201,1009121,1008475,1008435,1009499,1009380,1008042,1008120,1008655,1008570,1009773,1009797,1009990,1010112,1008960,1008939,1008465,1008353,1007666,1007763,1008795,1008694]},"pktlen": {"min":87,"avg":132.4,"max":372,"stddev":59.1,"var":3497.9,"ent":4.9,"data": [201,372,152,272,122,179,87,134,87,134,87,142,87,134,87,144,87,144,87,142,87,134,87,144,87,144,87,144,87,134,87,134]},"bins": {"c_to_s": [0,13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,13,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.667089462,4.689397812,4.760825157,4.825231075,4.676949501,4.874624252,4.717905998,4.933177948,4.565960884,4.809306622,4.614233017,4.906701565,4.640079498,4.841056824,4.601366520,4.896399975,4.614233017,4.837578773,4.621761799,4.830716610,4.594102859,4.805916786,4.652946472,4.869677067,4.607450485,4.854219437,4.621762276,4.930173397,4.677563667,4.830170631,4.546681404,4.850760937]},"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01163{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":115,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":57,"flow_dst_packets_processed":57,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978196387731,"flow_dst_last_pkt_time":1580978196389199,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":4115,"flow_dst_tot_l4_payload_len":7851,"midstream":0,"thread_ts_usec":1580978196389199,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01165{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":300,"source":"dns_exfiltration.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":150,"flow_dst_packets_processed":150,"flow_first_seen":1580978146717893,"flow_src_last_pkt_time":1580978206706247,"flow_dst_last_pkt_time":1580978206707432,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":59,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":344,"flow_src_tot_l4_payload_len":26119,"flow_dst_tot_l4_payload_len":34826,"midstream":0,"thread_ts_usec":1580978206707432,"l3_proto":"ip4","src_ip":"192.168.220.56","dst_ip":"192.168.203.167","src_port":56373,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"27": {"risk":"Risky Domain Name","severity":"Medium","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00572{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":300,"source":"dns_exfiltration.pcap","alias":"nDPId-test","packets-captured":300,"packets-processed":300,"total-skipped-flows":0,"total-l4-payload-len":60945,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":1,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1580978206707432} @@ -18,10 +18,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6044455 bytes -~~ total memory freed........: 6044455 bytes -~~ total allocations/frees...: 121789/121789 +~~ total memory allocated....: 6044591 bytes +~~ total memory freed........: 6044591 bytes +~~ total allocations/frees...: 121790/121790 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 501 chars -~~ json string max len.......: 2061 chars -~~ json string avg len.......: 1256 chars +~~ json string max len.......: 2446 chars +~~ json string avg len.......: 1436 chars diff --git a/test/results/dns_fragmented.pcap.out b/test/results/dns_fragmented.pcap.out index 23f68e08c..3af9c70c5 100644 --- a/test/results/dns_fragmented.pcap.out +++ b/test/results/dns_fragmented.pcap.out @@ -154,9 +154,9 @@ ~~ total active/idle flows...: 21/21 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6070045 bytes -~~ total memory freed........: 6070045 bytes -~~ total allocations/frees...: 121756/121756 +~~ total memory allocated....: 6072901 bytes +~~ total memory freed........: 6072901 bytes +~~ total allocations/frees...: 121777/121777 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 217 chars ~~ json string max len.......: 2505 chars diff --git a/test/results/dns_invert_query.pcapng.out b/test/results/dns_invert_query.pcapng.out index 68b0fbb16..06ed38f78 100644 --- a/test/results/dns_invert_query.pcapng.out +++ b/test/results/dns_invert_query.pcapng.out @@ -14,9 +14,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035671 bytes -~~ total memory freed........: 6035671 bytes -~~ total allocations/frees...: 121488/121488 +~~ total memory allocated....: 6035807 bytes +~~ total memory freed........: 6035807 bytes +~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 503 chars ~~ json string max len.......: 1006 chars diff --git a/test/results/dns_long_domainname.pcap.out b/test/results/dns_long_domainname.pcap.out index 91eefe5a6..e6626408c 100644 --- a/test/results/dns_long_domainname.pcap.out +++ b/test/results/dns_long_domainname.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035716 bytes -~~ total memory freed........: 6035716 bytes -~~ total allocations/frees...: 121490/121490 +~~ total memory allocated....: 6035852 bytes +~~ total memory freed........: 6035852 bytes +~~ total allocations/frees...: 121491/121491 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 504 chars ~~ json string max len.......: 1049 chars diff --git a/test/results/dnscrypt-v1-and-resolver-pings.pcap.out b/test/results/dnscrypt-v1-and-resolver-pings.pcap.out index 41f1b1de8..0d87b3f1e 100644 --- a/test/results/dnscrypt-v1-and-resolver-pings.pcap.out +++ b/test/results/dnscrypt-v1-and-resolver-pings.pcap.out @@ -1667,9 +1667,9 @@ ~~ total active/idle flows...: 245/245 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6446049 bytes -~~ total memory freed........: 6446049 bytes -~~ total allocations/frees...: 124415/124415 +~~ total memory allocated....: 6479369 bytes +~~ total memory freed........: 6479369 bytes +~~ total allocations/frees...: 124660/124660 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 231 chars ~~ json string max len.......: 2491 chars diff --git a/test/results/dnscrypt-v2-doh.pcap.out b/test/results/dnscrypt-v2-doh.pcap.out index 6d3f73622..eb6411992 100644 --- a/test/results/dnscrypt-v2-doh.pcap.out +++ b/test/results/dnscrypt-v2-doh.pcap.out @@ -249,9 +249,9 @@ ~~ total active/idle flows...: 34/34 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6388312 bytes -~~ total memory freed........: 6388312 bytes -~~ total allocations/frees...: 122587/122587 +~~ total memory allocated....: 6392936 bytes +~~ total memory freed........: 6392936 bytes +~~ total allocations/frees...: 122621/122621 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars ~~ json string max len.......: 4771 chars diff --git a/test/results/dnscrypt-v2.pcap.out b/test/results/dnscrypt-v2.pcap.out index d85885a25..b4a740479 100644 --- a/test/results/dnscrypt-v2.pcap.out +++ b/test/results/dnscrypt-v2.pcap.out @@ -24,9 +24,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6039063 bytes -~~ total memory freed........: 6039063 bytes -~~ total allocations/frees...: 121513/121513 +~~ total memory allocated....: 6039471 bytes +~~ total memory freed........: 6039471 bytes +~~ total allocations/frees...: 121516/121516 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 496 chars ~~ json string max len.......: 1982 chars diff --git a/test/results/dnscrypt_skype_false_positive.pcapng.out b/test/results/dnscrypt_skype_false_positive.pcapng.out index 551dddc35..8da459507 100644 --- a/test/results/dnscrypt_skype_false_positive.pcapng.out +++ b/test/results/dnscrypt_skype_false_positive.pcapng.out @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035815 bytes -~~ total memory freed........: 6035815 bytes -~~ total allocations/frees...: 121493/121493 +~~ total memory allocated....: 6035951 bytes +~~ total memory freed........: 6035951 bytes +~~ total allocations/frees...: 121494/121494 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 516 chars ~~ json string max len.......: 1218 chars diff --git a/test/results/doq.pcapng.out b/test/results/doq.pcapng.out index 18bfece81..1ed0064be 100644 --- a/test/results/doq.pcapng.out +++ b/test/results/doq.pcapng.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6047979 bytes -~~ total memory freed........: 6047979 bytes -~~ total allocations/frees...: 121538/121538 +~~ total memory allocated....: 6048251 bytes +~~ total memory freed........: 6048251 bytes +~~ total allocations/frees...: 121540/121540 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 2203 chars diff --git a/test/results/doq_adguard.pcapng.out b/test/results/doq_adguard.pcapng.out index 825c6ef92..44f5860d6 100644 --- a/test/results/doq_adguard.pcapng.out +++ b/test/results/doq_adguard.pcapng.out @@ -5,7 +5,7 @@ 01103{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278425043144,"flow_dst_last_pkt_time":1608278425043144,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1608278425043144,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.adguard.com","quic": {"tls": {"version":"TLSv1.3","ja3":"1e022f87823477abd6a79c31d70062d7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"doq-i00","tls_supported_versions":"TLSv1.3"}}}} 00689{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1608278425043144,"flow_dst_last_pkt_time":1608278425079621,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":182,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":182,"pkt_l4_len":148,"thread_ts_usec":1608278425079621,"pkt":"mt9Y+uvcCL6sCxduCABFAACoAbMAAD8RP6dejA4OwKgMqQMQoG4AlJ+l8P8AAB0RXf586nXFuX6jZU8LHDkLsXUEXOoexyg1M1\/+GZvbsGeGqJJILJUnaeRPlfaewSkJ0QM1kILJB9RkVGFQIKTOYfD\/amFvF5G2sUWGCAnPMQAxGtra+t44CL4uNVFuP1UAIYDjP5flgPs8Cfp53+s66ugMjRy2XoqR7aApyqmdoc3EHdt+2Cg="} 02173{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1608278425084825,"flow_dst_last_pkt_time":1608278425079621,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1274,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1274,"pkt_l4_len":1240,"thread_ts_usec":1608278425084825,"pkt":"CL6sCxdumt9Y+uvcCABFAATsXYtAAEARnorAqAypXowODqBuAxAE2FXxz\/8AAB0EXOoexxFd\/nzqdcW5fqNlTwscOQuxdUBgKDUzX\/4Zm9uwZ4aokkgslSdp5E+V9p7BKQnRAzWQgskH1GRUYVAgpM5h8P9qYW8XkbaxRYYICc8xADEa2tr63jgIvi41UW4\/VQAhgOM\/l+WA+zwJ+nnf6zrq6AyNHLZeRFASnCr8obwp9Ty5sR7kprQnC0Sv2ZcsxYzIMAthEKqYU0zMuGSEznU2JvTrq\/bykaeb5dqdGxdiszDYKDU6Jn7sPAcjUZ2gh8+BYZGe9phFiloXFkZRqkF4syIAEkOpcy2MK\/fkeUIOyP6wlwkzaY3fbmuxHrqRyLu45SBR1VMQFyHi28JYz7QmMQfDMqnuI0IWIuFKHwG0T\/v0jhF19jPBzG3JSCrPoiaSUV9rQI1kZsCKoMrGjumM68QAfolXONsAd2IYudReWz3mQrB3zOSDXc7+iPJJwc0+KS52obxIkJ0I8SZ7CLjp+FpGH++2YepZGSZYPB5rc\/4HU1bQ4ocmPERQ5l+FpQxpj4cq2AJTX05VWg9LfjDFrHE6D6oMOTTfheRhy7X3SqhzfVhy\/w3RXnv00qwNGkVr8QIR+wCM95sfw88fV3+NqmU3vnLU2z+qvvT2HlvRQm9ykjYa60lgB9sFJ5Ng9ge\/cpn16AR4r\/NoOup4fo8EeFB8cFrAVg+3WG3mgWxUdvK6oND07fFN48QrriL1y7XuIB3Fa65jgY5B4zE7vkkBXKUfGormP9hug8dHVr44WkbHCTqfFJuTHKIf9gtfJ9VQps1jhQjM952WGdM\/mFbut40pSDwrgQgdt0stO2C4PvDiwgzZaEybJzcZBHCUgM8reKIoRyLrSsWciN2b3tsFQXXaEeEGdt8Bc\/5zyh11uwNSzGQ\/Fl2k7QrJleMEWlDCFHuNFZdb7JDVOvqjlXAHTTHX0xSx0KU4aqrg\/kZVORXUFVlv\/xu8mW\/pGVbnSUQNAvLvkvHNdnu1ZPxtBzMoqU+96Xp\/DxrznNbYv32YFRLbK8kA8U4FaZhJ3oS+5KFBikdLEV9Hai2hbk8GZjN2iqviHrHccJqNkg3SIuZD5qamhaUaMG9NOa5pQ9jLJU\/ymgo7DdgKxRH8uuDjWk10CemOYV7pIj9XJEg0HHMmlI1Un6aDxtAu5UK1qm1HNb38yVa+sYeN5Ew6KHyqBUxxS4IflHX5qeqIZPOKrYg5MCubhSudLKbjcH5sXIzejKF8iZ0FlTKPdHSExxjW0QFN6bAWoLJuZE\/4kDcgHKTjdquB1S9wjg6Pah9A0AO1p8+A56ZYLVjRHdUF0Eo6bHTdn4hIgHvxPjCmO5BtWUKEeQnKGkkR8kgREjXo6GfEeHC4Vb4SCK88RJFW07bR+3U68E0sOKimZElroA+KMcE32OqnpsNULoyV7BunASAegp78gVNI0Bil4Klffm6tM6xnJr7Wx08jSGi+pGYWmiGnj3zfHIxpQuw4bIpm3S\/lud8tMnqwiD6\/bIUKO1SxVSWZBp6s2PlGyGHrgwwdIy5nXoip9OukmbhVHpu5a+3BERo9ToRhkKbGsS5gAuyL08\/F6VvMQD\/JdB+\/2rkXCT7ca7Lr49P5aV+w66D8Iwyn8BcCGyOLiGucN4S\/JjMhOeFgH9mu48hQ78o="} -01735{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278427520204,"flow_dst_last_pkt_time":1608278427556259,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3388,"flow_dst_tot_l4_payload_len":9887,"midstream":0,"thread_ts_usec":1608278427556259,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":160973.4,"max":1885270,"stddev":453072.4,"var":205274628096.0,"ent":2.4,"data": [36477,41681,43201,66,19,41861,6662,38406,6603,58707,16,206479,12,419140,55,727,29151,153173,67,8229,73,10468,39556,83,37026,44980,51489,1830423,63,12,1885270]},"pktlen": {"min":73,"avg":456.8,"max":1294,"stddev":522.9,"var":273444.5,"ent":4.1,"data": [1274,182,1274,1294,1294,1284,97,98,198,95,1284,1284,1284,1284,269,73,97,98,83,306,154,100,73,83,437,73,84,73,101,103,103,83]},"bins": {"c_to_s": [4,8,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,0,0,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,2,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,1,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +02130{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278427520204,"flow_dst_last_pkt_time":1608278427556259,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3388,"flow_dst_tot_l4_payload_len":9887,"midstream":0,"thread_ts_usec":1608278427556259,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":160973.4,"max":1885270,"stddev":453072.4,"var":205274628096.0,"ent":2.4,"data": [36477,41681,43201,66,19,41861,6662,38406,6603,58707,16,206479,12,419140,55,727,29151,153173,67,8229,73,10468,39556,83,37026,44980,51489,1830423,63,12,1885270]},"pktlen": {"min":59,"avg":442.8,"max":1280,"stddev":522.9,"var":273444.5,"ent":4.1,"data": [1260,168,1260,1280,1280,1270,83,84,184,81,1270,1270,1270,1270,255,59,83,84,69,292,140,86,59,69,423,59,70,59,87,89,89,69]},"bins": {"c_to_s": [4,8,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,0,0,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,2,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,1,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1],"entropies": [7.847249508,6.664321423,7.854867935,7.829421520,7.845530033,7.828608036,5.784439087,5.698686600,6.822151661,5.751563549,7.848925114,7.841618061,7.849283695,7.840007782,7.166291237,5.550272942,5.778533459,5.825033665,5.698887825,7.230185032,6.684528351,6.026679039,5.577555180,5.650410652,7.431746960,5.496964455,5.706285954,5.435783863,6.043458462,6.076747894,6.093711376,5.553960800]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":296,"source":"doq_adguard.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":164,"flow_dst_packets_processed":132,"flow_first_seen":1608278425043144,"flow_src_last_pkt_time":1608278463119538,"flow_dst_last_pkt_time":1608278462796456,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":30,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":10308,"flow_dst_tot_l4_payload_len":21705,"midstream":0,"thread_ts_usec":1608278463119538,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"94.140.14.14","src_port":41070,"dst_port":784,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.DoH_DoT","proto_id":"188.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00569{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":296,"source":"doq_adguard.pcapng","alias":"nDPId-test","packets-captured":296,"packets-processed":296,"total-skipped-flows":0,"total-l4-payload-len":32013,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1608278463119538} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6054295 bytes -~~ total memory freed........: 6054295 bytes -~~ total allocations/frees...: 121804/121804 +~~ total memory allocated....: 6054431 bytes +~~ total memory freed........: 6054431 bytes +~~ total allocations/frees...: 121805/121805 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 2179 chars diff --git a/test/results/dos_win98_smb_netbeui.pcap.out b/test/results/dos_win98_smb_netbeui.pcap.out index 567e24a69..7d488eecc 100644 --- a/test/results/dos_win98_smb_netbeui.pcap.out +++ b/test/results/dos_win98_smb_netbeui.pcap.out @@ -342,7 +342,7 @@ 00371{"packet_event_id":1,"packet_event_name":"packet","packet_id":213,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":61,"pkt_type":47,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":61,"pkt_l4_len":0,"thread_ts_usec":1576409925057831,"pkt":"AwAAAAABAFBWM3ieAC\/w8AMsAP\/vAQAAAAAAGQBXT1JLR1JPVVAgICAgICAeTUFSVElOIFJPU0VOQVUgAw=="} 00200{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":214,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","layer_type":47,"global_ts_usec":1576409926307736} 00371{"packet_event_id":1,"packet_event_name":"packet","packet_id":214,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":61,"pkt_type":47,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":61,"pkt_l4_len":0,"thread_ts_usec":1576409925057831,"pkt":"AwAAAAABAFBWM3ieAC\/w8AMsAP\/vAQAAAAAAGQAAAAAAAAAAAAAAAAAAAAAATUFSVElOIFJPU0VOQVUgAw=="} -01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1576409800543745,"flow_src_last_pkt_time":1576409931837438,"flow_dst_last_pkt_time":1576409800543745,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2176,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":4235280.5,"max":96434388,"stddev":17261798.0,"var":297969697947648.0,"ent":1.5,"data": [471,72,38984,710235,79,43,39467,709823,84,47,40333,710082,133,63,40024,760697,749893,749148,750102,96434388,763919,759984,756024,755162,752213,756593,760022,22000853,749883,749867,755005]},"pktlen": {"min":110,"avg":110.0,"max":110,"stddev":0.0,"var":0.0,"ent":5.0,"data": [110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110]},"bins": {"c_to_s": [0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +02131{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1576409800543745,"flow_src_last_pkt_time":1576409931837438,"flow_dst_last_pkt_time":1576409800543745,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2176,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":4235280.5,"max":96434388,"stddev":17261798.0,"var":297969697947648.0,"ent":1.5,"data": [471,72,38984,710235,79,43,39467,709823,84,47,40333,710082,133,63,40024,760697,749893,749148,750102,96434388,763919,759984,756024,755162,752213,756593,760022,22000853,749883,749867,755005]},"pktlen": {"min":96,"avg":96.0,"max":96,"stddev":0.0,"var":0.0,"ent":5.0,"data": [96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96]},"bins": {"c_to_s": [0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.156764984,4.210426807,4.197602749,4.176768780,4.197602749,4.231260300,4.177598476,4.176768780,4.177598476,4.193659782,4.197602749,4.176768780,4.197602749,4.231260300,4.177598476,4.155935764,4.289934158,4.323737621,4.323737621,4.323737621,4.282100201,4.282100201,4.282100201,4.248297215,4.376053333,4.376053333,4.376053333,4.355220318,4.281060219,4.286166668,4.277262688,4.307000160]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00880{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1576409798047534,"flow_src_last_pkt_time":1576409798047534,"flow_dst_last_pkt_time":1576409798047534,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":8,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":8,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":8,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"224.0.0.2","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00923{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1576409800543745,"flow_src_last_pkt_time":1576409931837438,"flow_dst_last_pkt_time":1576409800543745,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2176,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00920{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":220,"source":"dos_win98_smb_netbeui.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":0,"flow_first_seen":1576409797553896,"flow_src_last_pkt_time":1576409928060524,"flow_dst_last_pkt_time":1576409797553896,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":952,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1576409931837438,"l3_proto":"ip4","src_ip":"192.168.239.129","dst_ip":"192.168.239.2","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} @@ -356,10 +356,10 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042227 bytes -~~ total memory freed........: 6042227 bytes -~~ total allocations/frees...: 121576/121576 +~~ total memory allocated....: 6042771 bytes +~~ total memory freed........: 6042771 bytes +~~ total allocations/frees...: 121580/121580 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 203 chars -~~ json string max len.......: 1906 chars -~~ json string avg len.......: 1054 chars +~~ json string max len.......: 2136 chars +~~ json string avg len.......: 1167 chars diff --git a/test/results/drda_db2.pcap.out b/test/results/drda_db2.pcap.out index 84b60d676..948bc21b1 100644 --- a/test/results/drda_db2.pcap.out +++ b/test/results/drda_db2.pcap.out @@ -5,7 +5,7 @@ 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1175543772220609,"flow_dst_last_pkt_time":1175543772221098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1175543772221098,"pkt":"AFBWwAABAAwpfMZqCABFAAAwAABAAEAG5PXAqGqAwKhqAcNQEu\/9XlZHCrRnsXASFtB6IQAAAgQFtAEBBAI="} 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1175543772221136,"flow_dst_last_pkt_time":1175543772221098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1175543772221136,"pkt":"AAwpfMZqAFBWwAABCABFAAAoIqFAAIAGglzAqGoBwKhqgBLvw1AKtGex\/V5WSFAQ\/\/+9tQAA"} 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543772338468,"flow_dst_last_pkt_time":1175543772221098,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":175,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":175,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1175543772338468,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} -01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543792690997,"flow_dst_last_pkt_time":1175543792523346,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":630,"flow_src_tot_l4_payload_len":2071,"flow_dst_tot_l4_payload_len":2488,"midstream":0,"thread_ts_usec":1175543792690997,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":489,"avg":1315262.1,"max":17986057,"stddev":4366159.0,"var":19063346561024.0,"ent":1.8,"data": [489,527,117332,117692,728,9146,43443,966142,1129664,349281,477633,7546,71563,64394,182669,413229,622408,30275,5528,2591,521,1606,2014,1552,1127,154254,17828332,17986057,9928,7015,168439]},"pktlen": {"min":54,"avg":197.0,"max":717,"stddev":190.6,"var":36335.2,"ent":4.4,"data": [62,62,54,229,54,161,318,54,295,54,717,54,524,64,108,54,296,684,144,65,64,108,322,455,64,108,54,383,466,64,108,54]},"bins": {"c_to_s": [10,0,1,0,0,1,0,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,0,1,0,0,0,1,0,0,0,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} +02144{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543792690997,"flow_dst_last_pkt_time":1175543792523346,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":630,"flow_src_tot_l4_payload_len":2071,"flow_dst_tot_l4_payload_len":2488,"midstream":0,"thread_ts_usec":1175543792690997,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":489,"avg":1315262.1,"max":17986057,"stddev":4366159.0,"var":19063346561024.0,"ent":1.8,"data": [489,527,117332,117692,728,9146,43443,966142,1129664,349281,477633,7546,71563,64394,182669,413229,622408,30275,5528,2591,521,1606,2014,1552,1127,154254,17828332,17986057,9928,7015,168439]},"pktlen": {"min":40,"avg":183.0,"max":703,"stddev":190.6,"var":36335.2,"ent":4.3,"data": [48,48,40,215,40,147,304,40,281,40,703,40,510,50,94,40,282,670,130,51,50,94,308,441,50,94,40,369,452,50,94,40]},"bins": {"c_to_s": [10,0,1,0,0,1,0,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,0,1,0,0,0,1,0,0,0,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0],"entropies": [4.443420410,4.743162632,4.731687069,5.602320194,4.712815285,5.534297943,5.451408386,4.643942833,5.407389164,4.731687069,5.469695568,4.712814808,4.427623272,4.828757286,5.028375626,4.781687260,5.564469814,5.097215652,4.705523014,4.912525654,4.828757286,5.049652100,5.369750977,4.250173569,4.773659706,5.041621685,4.681686878,5.027119160,4.343546391,4.828757286,5.070929050,4.615311623]},"ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":38,"source":"drda_db2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":18,"flow_first_seen":1175543772220609,"flow_src_last_pkt_time":1175543810683631,"flow_dst_last_pkt_time":1175543810683601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":630,"flow_src_tot_l4_payload_len":2081,"flow_dst_tot_l4_payload_len":2542,"midstream":0,"thread_ts_usec":1175543810683631,"l3_proto":"ip4","src_ip":"192.168.106.1","dst_ip":"192.168.106.128","src_port":4847,"dst_port":50000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DRDA","proto_id":"227","encrypted":0,"breed":"Acceptable","category_id":11,"category":"Database"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":38,"source":"drda_db2.pcap","alias":"nDPId-test","packets-captured":38,"packets-processed":38,"total-skipped-flows":0,"total-l4-payload-len":4623,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1175543810683631} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038791 bytes -~~ total memory freed........: 6038791 bytes -~~ total allocations/frees...: 121526/121526 +~~ total memory allocated....: 6038927 bytes +~~ total memory freed........: 6038927 bytes +~~ total allocations/frees...: 121527/121527 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars -~~ json string max len.......: 1754 chars -~~ json string avg len.......: 1063 chars +~~ json string max len.......: 2149 chars +~~ json string avg len.......: 1236 chars diff --git a/test/results/dropbox.pcap.out b/test/results/dropbox.pcap.out index f9cc06e98..1db3d9644 100644 --- a/test/results/dropbox.pcap.out +++ b/test/results/dropbox.pcap.out @@ -10,20 +10,20 @@ 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":27,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272856457,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":95,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":95,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907272856457,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1455907272856457,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1455907272858898,"pkt":"CAAnAERyCAAnmO\/hCABFAAAuXhFAAEAR6vbAqDhlwKg4AURcxI4AGvHiYkQdqQeYiy9yL0J1czE3Q21k"} 00629{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1455907272969405,"flow_dst_last_pkt_time":1455907272858898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907272969405,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/EYMAAIARNzTAqDgBwKg4ZcSORFwAa8WlRgMdqhF5z0YYRXJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxMyBFRVQgMjAxNiJ9"} -01761{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1824,"avg":106135.8,"max":117757,"stddev":19323.7,"var":373406144.0,"ent":4.9,"data": [1824,103882,104036,108951,108450,105413,105949,113800,113717,106838,107131,109410,109028,108906,115953,117757,112312,110612,110806,109887,107946,108022,108009,113116,114023,110812,110429,107359,111248,109470,105114]},"pktlen": {"min":59,"avg":99.6,"max":143,"stddev":38.6,"var":1486.7,"ent":4.9,"data": [138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59]},"bins": {"c_to_s": [0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02160{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907271481938,"flow_src_last_pkt_time":1455907273126173,"flow_dst_last_pkt_time":1455907273127913,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1538,"flow_dst_tot_l4_payload_len":306,"midstream":0,"thread_ts_usec":1455907273127913,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50311,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1824,"avg":106135.8,"max":117757,"stddev":19323.7,"var":373406144.0,"ent":4.9,"data": [1824,103882,104036,108951,108450,105413,105949,113800,113717,106838,107131,109410,109028,108906,115953,117757,112312,110612,110806,109887,107946,108022,108009,113116,114023,110812,110429,107359,111248,109470,105114]},"pktlen": {"min":45,"avg":85.6,"max":129,"stddev":38.6,"var":1486.7,"ent":4.8,"data": [124,47,123,46,122,45,129,52,125,48,122,45,124,47,124,47,126,49,123,46,124,47,123,46,123,46,123,46,129,52,122,45]},"bins": {"c_to_s": [0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.543972015,5.027887821,5.510700703,5.088779926,5.530181885,5.047409534,5.667361259,5.185924053,5.578914642,5.069235325,5.512969971,5.047409534,5.559295654,5.027887344,5.530185699,4.958842754,5.597733021,5.084096432,5.503751278,5.045301914,5.504820824,5.027887821,5.497614384,5.045301437,5.497614384,5.088779926,5.490664959,5.088779926,5.682090759,5.315825462,5.555962563,5.047409534]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":71,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00628{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":139,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":139,"pkt_l4_len":105,"thread_ts_usec":1455907274088318,"pkt":"CAAnmO\/hCAAnAERyCABFAAB9EncAAIARNkLAqDgBwKg4ZcSIRFwAaR7GRANSj9XGl0FyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTQgRUVUIDIwMTYifQ=="} 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":71,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274088318,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":97,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":97,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":97,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907274088318,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":72,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1455907274088318,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1455907274089637,"pkt":"CAAnAERyCAAnmO\/hCABFAAAwXqNAAEAR6mLAqDhlwKg4AURcxIgAHPHkZERSj9XGl0GLL3IvQnVzMTdDbWQ="} 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1455907274193327,"flow_dst_last_pkt_time":1455907274089637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":143,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":143,"pkt_l4_len":109,"thread_ts_usec":1455907274193327,"pkt":"CAAnmO\/hCAAnAERyCABFAACBEpIAAIARNiPAqDgBwKg4ZcSIRFwAbeMnSANSkLugNTWCkTE2ckRcQXIIQnVzMTdDbWQRMv97Im1lc3NhZ2VUeXBlIjoiVVBEQVRFIiwibWVzc2FnZUNvbnRlbnQiOiJGcmkgRmViIDE5IDIwOjQxOjE0IEVFVCAyMDE2In0="} -01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2441,"avg":111522.4,"max":127663,"stddev":20842.5,"var":434411712.0,"ent":4.9,"data": [2441,112948,114313,107773,108080,108005,107995,109511,111427,119112,118338,116979,117004,127663,125063,114041,112993,120228,120931,111475,111310,105608,107791,113820,112048,122618,125498,112978,109966,123530,125708]},"pktlen": {"min":60,"avg":100.5,"max":142,"stddev":38.5,"var":1485.6,"ent":4.9,"data": [137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64]},"bins": {"c_to_s": [0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02161{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907272856457,"flow_src_last_pkt_time":1455907274582746,"flow_dst_last_pkt_time":1455907274587363,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":23,"flow_src_tot_l4_payload_len":1552,"flow_dst_tot_l4_payload_len":320,"midstream":0,"thread_ts_usec":1455907274587363,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50318,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2441,"avg":111522.4,"max":127663,"stddev":20842.5,"var":434411712.0,"ent":4.9,"data": [2441,112948,114313,107773,108080,108005,107995,109511,111427,119112,118338,116979,117004,127663,125063,114041,112993,120228,120931,111475,111310,105608,107791,113820,112048,122618,125498,112978,109966,123530,125708]},"pktlen": {"min":46,"avg":86.5,"max":128,"stddev":38.5,"var":1485.6,"ent":4.9,"data": [123,46,127,50,126,49,128,51,123,46,125,48,126,49,125,48,123,46,124,47,128,51,126,49,123,46,123,46,123,46,127,50]},"bins": {"c_to_s": [0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.503751755,5.045301437,5.557007790,5.123855114,5.607614994,5.043280125,5.664313793,5.241052628,5.514686108,4.950420856,5.534836769,5.027568340,5.639360428,5.084096432,5.610115051,5.084961891,5.505375385,5.088779926,5.607682705,5.070440769,5.642791271,5.133018017,5.545912743,4.930835724,5.488303185,5.088779926,5.491476536,5.045301437,5.523996830,5.088779926,5.658226490,5.203855038]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":141,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":141,"pkt_l4_len":107,"thread_ts_usec":1455907275690777,"pkt":"CAAnmO\/hCAAnAERyCABFAAB\/FCAAAIARNJfAqDgBwKg4ZcSPRFwAa2JLRgOAZtDWwMpn\/nJEXEFyCEJ1czE3Q21kETL\/eyJtZXNzYWdlVHlwZSI6IlVQREFURSIsIm1lc3NhZ2VDb250ZW50IjoiRnJpIEZlYiAxOSAyMDo0MToxNSBFRVQgMjAxNiJ9"} 00867{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":153,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275690777,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":99,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":99,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1455907275690777,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":154,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1455907275690777,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":64,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":64,"pkt_l4_len":30,"thread_ts_usec":1455907275695868,"pkt":"CAAnAERyCAAnmO\/hCABFAAAyX35AAEAR6YXAqDhlwKg4AURcxI8AHvHmZkSAZtDWwMpn\/osvci9CdXMxN0NtZA=="} 00633{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1455907275831283,"flow_dst_last_pkt_time":1455907275695868,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1455907275831283,"pkt":"CAAnmO\/hCAAnAERyCABFAACAFEwAAIARNGrAqDgBwKg4ZcSPRFwAbLkURwOAZ6ExGoh1VzNyRFxBcghCdXMxN0NtZBEy\/3sibWVzc2FnZVR5cGUiOiJVUERBVEUiLCJtZXNzYWdlQ29udGVudCI6IkZyaSBGZWIgMTkgMjA6NDE6MTUgRUVUIDIwMTYifQ=="} -01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1319,"avg":116856.3,"max":131359,"stddev":22365.2,"var":500202464.0,"ent":4.9,"data": [1319,105009,107122,122637,124565,114853,120385,119749,111541,123867,122956,105381,109394,122887,120099,118036,119438,130107,131359,131277,128951,120148,121275,112275,114829,128910,125477,127969,127046,125146,128537]},"pktlen": {"min":60,"avg":101.2,"max":143,"stddev":38.5,"var":1485.3,"ent":4.9,"data": [139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63]},"bins": {"c_to_s": [0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":276,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5091,"avg":127214.4,"max":172321,"stddev":26264.3,"var":689812928.0,"ent":4.9,"data": [5091,140506,139383,127325,129287,138036,134456,137698,141222,137865,138593,132603,133311,132101,136834,172321,164608,137809,136671,122327,121648,117128,118696,128848,133217,115516,110107,123592,124533,106749,105564]},"pktlen": {"min":59,"avg":101.1,"max":143,"stddev":38.6,"var":1487.1,"ent":4.9,"data": [141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65]},"bins": {"c_to_s": [0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02162{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907274088318,"flow_src_last_pkt_time":1455907275896569,"flow_dst_last_pkt_time":1455907275902611,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":95,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1564,"flow_dst_tot_l4_payload_len":332,"midstream":0,"thread_ts_usec":1455907275902611,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50312,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1319,"avg":116856.3,"max":131359,"stddev":22365.2,"var":500202464.0,"ent":4.9,"data": [1319,105009,107122,122637,124565,114853,120385,119749,111541,123867,122956,105381,109394,122887,120099,118036,119438,130107,131359,131277,128951,120148,121275,112275,114829,128910,125477,127969,127046,125146,128537]},"pktlen": {"min":46,"avg":87.2,"max":129,"stddev":38.5,"var":1485.3,"ent":4.9,"data": [125,48,129,52,125,48,126,49,126,49,123,46,123,46,123,46,128,51,126,49,127,50,125,48,125,48,128,51,127,50,126,49]},"bins": {"c_to_s": [0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.540076256,5.126628399,5.646005154,5.238902569,5.556076050,5.011841774,5.645351887,5.124912739,5.661224842,5.124912739,5.536271572,5.045301914,5.526149273,5.010309696,5.552532196,5.088779926,5.645638943,5.155473709,5.623487949,5.027874470,5.658226013,5.203855038,5.594115257,5.084961414,5.581238747,5.084961414,5.642791271,5.201836586,5.575829029,5.148757458,5.623488426,5.043280125]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02162{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":276,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1455907275690777,"flow_src_last_pkt_time":1455907277661201,"flow_dst_last_pkt_time":1455907277663998,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":94,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":101,"flow_dst_max_l4_payload_len":24,"flow_src_tot_l4_payload_len":1561,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1455907277663998,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.101","src_port":50319,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5091,"avg":127214.4,"max":172321,"stddev":26264.3,"var":689812928.0,"ent":4.9,"data": [5091,140506,139383,127325,129287,138036,134456,137698,141222,137865,138593,132603,133311,132101,136834,172321,164608,137809,136671,122327,121648,117128,118696,128848,133217,115516,110107,123592,124533,106749,105564]},"pktlen": {"min":45,"avg":87.1,"max":129,"stddev":38.6,"var":1487.1,"ent":4.9,"data": [127,50,128,51,123,46,123,46,126,49,123,46,122,45,127,50,125,48,129,52,126,49,124,47,125,48,129,52,124,47,128,51]},"bins": {"c_to_s": [0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.584132195,5.148756981,5.612321377,5.123405457,5.484527588,5.088779926,5.497614384,5.088779926,5.597732544,5.084096432,5.526148796,5.088780403,5.523175716,5.047409534,5.616926193,5.163855076,5.550037384,5.084961891,5.666587353,5.277364254,5.567777157,5.068690777,5.565383434,5.070440769,5.542193413,5.084961414,5.626701832,5.238902569,5.490826130,4.985334873,5.638961315,5.241052151]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":801,"source":"dropbox.pcap","alias":"nDPId-test","packets-captured":801,"packets-processed":800,"total-skipped-flows":0,"total-l4-payload-len":47076,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":4,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":27,"global_ts_usec":1459182796665502} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":801,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1459182796665502,"flow_src_last_pkt_time":1459182796665502,"flow_dst_last_pkt_time":1459182796665502,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1459182796665502,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.254","src_port":55407,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":801,"source":"dropbox.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1459182796665502,"flow_dst_last_pkt_time":1459182796665502,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1459182796665502,"pkt":"8IQvSpdgeJKcD6iOCABFAABAOLtAAEARfTrAqAFpwKgB\/thvADUALFKSg5wBAAABAAAAAAAABmNsaWVudAdkcm9wYm94A2NvbQAAAQAB"} @@ -115,10 +115,10 @@ ~~ total active/idle flows...: 15/15 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6082801 bytes -~~ total memory freed........: 6082801 bytes -~~ total allocations/frees...: 122469/122469 +~~ total memory allocated....: 6084841 bytes +~~ total memory freed........: 6084841 bytes +~~ total allocations/frees...: 122484/122484 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1769 chars -~~ json string avg len.......: 1130 chars +~~ json string max len.......: 2167 chars +~~ json string avg len.......: 1329 chars diff --git a/test/results/dtls.pcap.out b/test/results/dtls.pcap.out index aa878ed88..0e69e268b 100644 --- a/test/results/dtls.pcap.out +++ b/test/results/dtls.pcap.out @@ -14,9 +14,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035707 bytes -~~ total memory freed........: 6035707 bytes -~~ total allocations/frees...: 121490/121490 +~~ total memory allocated....: 6035843 bytes +~~ total memory freed........: 6035843 bytes +~~ total allocations/frees...: 121491/121491 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 1240 chars diff --git a/test/results/dtls2.pcap.out b/test/results/dtls2.pcap.out index 7944832d0..8572f308c 100644 --- a/test/results/dtls2.pcap.out +++ b/test/results/dtls2.pcap.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036599 bytes -~~ total memory freed........: 6036599 bytes -~~ total allocations/frees...: 121521/121521 +~~ total memory allocated....: 6036735 bytes +~~ total memory freed........: 6036735 bytes +~~ total allocations/frees...: 121522/121522 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 1538 chars diff --git a/test/results/dtls_certificate.pcapng.out b/test/results/dtls_certificate.pcapng.out index e4a27515e..19e10a9f5 100644 --- a/test/results/dtls_certificate.pcapng.out +++ b/test/results/dtls_certificate.pcapng.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6044123 bytes -~~ total memory freed........: 6044123 bytes -~~ total allocations/frees...: 121493/121493 +~~ total memory allocated....: 6044259 bytes +~~ total memory freed........: 6044259 bytes +~~ total allocations/frees...: 121494/121494 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 503 chars ~~ json string max len.......: 2464 chars diff --git a/test/results/dtls_certificate_fragments.pcap.out b/test/results/dtls_certificate_fragments.pcap.out index 7729dc0c3..8db82cdd2 100644 --- a/test/results/dtls_certificate_fragments.pcap.out +++ b/test/results/dtls_certificate_fragments.pcap.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036265 bytes -~~ total memory freed........: 6036265 bytes -~~ total allocations/frees...: 121509/121509 +~~ total memory allocated....: 6036401 bytes +~~ total memory freed........: 6036401 bytes +~~ total allocations/frees...: 121510/121510 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 511 chars ~~ json string max len.......: 1441 chars diff --git a/test/results/dtls_mid_sessions.pcapng.out b/test/results/dtls_mid_sessions.pcapng.out index 50d803e8b..c8cb0ddff 100644 --- a/test/results/dtls_mid_sessions.pcapng.out +++ b/test/results/dtls_mid_sessions.pcapng.out @@ -31,9 +31,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6043152 bytes -~~ total memory freed........: 6043152 bytes -~~ total allocations/frees...: 121608/121608 +~~ total memory allocated....: 6043696 bytes +~~ total memory freed........: 6043696 bytes +~~ total allocations/frees...: 121612/121612 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 504 chars ~~ json string max len.......: 2487 chars diff --git a/test/results/dtls_old_version.pcapng.out b/test/results/dtls_old_version.pcapng.out index 8ef4b584d..70bca9de5 100644 --- a/test/results/dtls_old_version.pcapng.out +++ b/test/results/dtls_old_version.pcapng.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035891 bytes -~~ total memory freed........: 6035891 bytes -~~ total allocations/frees...: 121496/121496 +~~ total memory allocated....: 6036027 bytes +~~ total memory freed........: 6036027 bytes +~~ total allocations/frees...: 121497/121497 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 503 chars ~~ json string max len.......: 1142 chars diff --git a/test/results/dtls_session_id_and_coockie_both.pcap.out b/test/results/dtls_session_id_and_coockie_both.pcap.out index b966ec1fe..3a45c8e84 100644 --- a/test/results/dtls_session_id_and_coockie_both.pcap.out +++ b/test/results/dtls_session_id_and_coockie_both.pcap.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035765 bytes -~~ total memory freed........: 6035765 bytes -~~ total allocations/frees...: 121492/121492 +~~ total memory allocated....: 6035901 bytes +~~ total memory freed........: 6035901 bytes +~~ total allocations/frees...: 121493/121493 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 517 chars ~~ json string max len.......: 1330 chars diff --git a/test/results/emotet.pcap.out b/test/results/emotet.pcap.out index c773b3742..1ad5281d5 100644 --- a/test/results/emotet.pcap.out +++ b/test/results/emotet.pcap.out @@ -5,14 +5,14 @@ 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1645830066121611,"flow_dst_last_pkt_time":1645830066871134,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1645830066871134,"pkt":"AAgCHEeuIOUqtpPxCABFAAAsxzIAAIAGd+HB\/BZUCgIZZgJL392K6SffzSFkt2AS+vDaogAAAgQFtA=="} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1645830066871330,"flow_dst_last_pkt_time":1645830066871134,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1645830066871330,"pkt":"IOUqtpPxAAgCHEeuCABFAAAowBNAAIAGPwQKAhlmwfwWVN\/dAkvNIWS3iukn4FAQ+vDyXwAA"} 00936{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830067978107,"flow_dst_last_pkt_time":1645830068348052,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":21,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":21,"flow_dst_tot_l4_payload_len":214,"midstream":0,"thread_ts_usec":1645830068348052,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"opmta1mto02nd1","smtp": {"user":"","password":"","auth_failed":0}}} -01715{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830074471734,"flow_dst_last_pkt_time":1645830074471604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":698,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":898,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1645830074471734,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":254,"avg":538713.4,"max":3056402,"stddev":774055.0,"var":599161176064.0,"ent":3.7,"data": [749523,749719,1106307,1106777,773,369838,370621,895,325625,326244,506,323,737,841210,842439,907,363,438,3054676,3056402,1628,247201,247778,521,1205120,1205575,420,442964,443628,704,254]},"pktlen": {"min":54,"avg":94.8,"max":752,"stddev":121.9,"var":14849.5,"ent":4.5,"data": [66,58,54,108,75,54,214,66,54,72,86,54,56,54,72,70,54,56,54,94,91,54,100,87,54,101,60,54,62,93,54,752]},"bins": {"c_to_s": [8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} +02111{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830074471734,"flow_dst_last_pkt_time":1645830074471604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":698,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":898,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1645830074471734,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":254,"avg":538713.4,"max":3056402,"stddev":774055.0,"var":599161176064.0,"ent":3.7,"data": [749523,749719,1106307,1106777,773,369838,370621,895,325625,326244,506,323,737,841210,842439,907,363,438,3054676,3056402,1628,247201,247778,521,1205120,1205575,420,442964,443628,704,254]},"pktlen": {"min":40,"avg":80.8,"max":738,"stddev":121.9,"var":14849.5,"ent":4.3,"data": [52,44,40,94,61,40,200,52,40,58,72,40,42,40,58,56,40,42,40,80,77,40,86,73,40,87,46,40,48,79,40,738]},"bins": {"c_to_s": [8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0],"entropies": [4.644789696,4.953416348,4.981687069,5.477373600,5.387795925,4.784183979,5.738989830,5.361793995,4.834184170,5.487123966,5.654376030,4.784183979,4.955064297,4.734184265,5.288679600,5.421465874,4.784183979,4.859826565,4.784183979,5.343945503,5.557319641,4.765312195,5.392617702,5.626545429,4.834184170,5.525993347,5.097266674,4.834184170,5.095175266,5.329178810,4.784184456,5.639209747]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":627,"source":"emotet.pcap","alias":"nDPId-test","packets-captured":627,"packets-processed":626,"total-skipped-flows":0,"total-l4-payload-len":404645,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1648563468993352} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":627,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563468993352,"flow_dst_last_pkt_time":1648563468993352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648563468993352,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":627,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1648563468993352,"flow_dst_last_pkt_time":1648563468993352,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1648563468993352,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0EddAAIAG2c0KAx1laKF\/Ftv1AFBvd7IvAAAAAIAC+vBnEwAAAgQFtAEDAwgBAQQC"} 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":628,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1648563468993352,"flow_dst_last_pkt_time":1648563469109116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1648563469109116,"pkt":"AAgCHEeuIOUqtpPxCABFAAAsoCoAAIAGi4JooX8WCgMdZQBQ2\/UuAEklb3eyMGAS+vAY8wAAAgQFtA=="} 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":629,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1648563469109248,"flow_dst_last_pkt_time":1648563469109116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1648563469109248,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoEdhAAIAG2dgKAx1laKF\/Ftv1AFBvd7IwLgBJJlAQ+vAwsAAA"} 01142{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":630,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563469109583,"flow_dst_last_pkt_time":1648563469109116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":446,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1648563469109583,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fkl.co.ke","http": {"url":"fkl.co.ke\/wp-content\/Elw3kPvOsZxM5\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/99.0.4844.74 Safari\/537.36 Edg\/99.0.1150.55","detected_os":"Windows 10"}}} -01705{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":658,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563469442201,"flow_dst_last_pkt_time":1648563469442152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":446,"flow_dst_max_l4_payload_len":1361,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":24498,"midstream":0,"thread_ts_usec":1648563469442201,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":77,"avg":28956.4,"max":204389,"stddev":59845.4,"var":3581476608.0,"ent":2.7,"data": [115764,115896,335,518,204207,77,204389,352,224,565,217,228,441,212,496,705,246,220,470,115050,221,115302,340,251,573,9235,226,9483,474,242,690]},"pktlen": {"min":54,"avg":834.0,"max":1415,"stddev":663.1,"var":439751.8,"ent":4.4,"data": [66,58,54,500,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02104{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":658,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563469442201,"flow_dst_last_pkt_time":1648563469442152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":446,"flow_dst_max_l4_payload_len":1361,"flow_src_tot_l4_payload_len":446,"flow_dst_tot_l4_payload_len":24498,"midstream":0,"thread_ts_usec":1648563469442201,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":77,"avg":28956.4,"max":204389,"stddev":59845.4,"var":3581476608.0,"ent":2.7,"data": [115764,115896,335,518,204207,77,204389,352,224,565,217,228,441,212,496,705,246,220,470,115050,221,115302,340,251,573,9235,226,9483,474,242,690]},"pktlen": {"min":40,"avg":820.0,"max":1401,"stddev":663.1,"var":439751.8,"ent":4.4,"data": [52,44,40,486,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0],"entropies": [4.710365295,4.913976669,4.680641174,5.777981758,4.621928692,7.446667671,7.722211838,4.711769104,7.820096016,7.819649696,4.730641365,7.834948540,7.865209579,4.730641365,7.838735580,7.852061272,4.780641079,7.835340023,7.853207111,4.711769104,7.851351738,7.847233772,4.780641079,7.872184753,7.855648994,4.780641079,7.879763126,7.844507217,4.680641174,7.843948364,7.837398529,4.780641079]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00908{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":831,"source":"emotet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":303,"flow_dst_packets_processed":323,"flow_first_seen":1645830066121611,"flow_src_last_pkt_time":1645830085160825,"flow_dst_last_pkt_time":1645830085160896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":160,"flow_src_tot_l4_payload_len":403803,"flow_dst_tot_l4_payload_len":842,"midstream":0,"thread_ts_usec":1648563473087528,"l3_proto":"ip4","src_ip":"10.2.25.102","dst_ip":"193.252.22.84","src_port":57309,"dst_port":587,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":835,"source":"emotet.pcap","alias":"nDPId-test","packets-captured":835,"packets-processed":834,"total-skipped-flows":0,"total-l4-payload-len":582320,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1650490398530577} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":835,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490398530577,"flow_dst_last_pkt_time":1650490398530577,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650490398530577,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -21,7 +21,7 @@ 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":837,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1650490398628126,"flow_dst_last_pkt_time":1650490398627831,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1650490398628126,"pkt":"IOUqtpPxAAgCHEeuCABFAAAo\/mNAAIAGv44KBBRma6Gy0tQvAFBRzVZnDPZp\/FAQBAB7UAAAAAAAAAAA"} 01082{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":838,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490398628513,"flow_dst_last_pkt_time":1650490398627831,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650490398628513,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"gandhitoday.org","http": {"url":"gandhitoday.org\/video\/6JvA8\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","detected_os":"Windows 10"}}} 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":839,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490398628513,"flow_dst_last_pkt_time":1650490398888771,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1650490398888771,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"gandhitoday.org","http": {"url":"gandhitoday.org\/video\/6JvA8\/","code":200,"content_type":"","user_agent":"Mozilla\/5.0 (Windows NT 10.0; Win64; x64; Trident\/7.0; rv:11.0) like Gecko","detected_os":"Windows 10"}}} -01832{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":866,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490399009658,"flow_dst_last_pkt_time":1650490399009514,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":19432,"midstream":0,"thread_ts_usec":1650490399009658,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":40,"avg":30903.8,"max":260940,"stddev":65726.9,"var":4320020480.0,"ent":3.0,"data": [97254,97549,387,260940,260431,3204,3158,9543,9466,6236,69,6255,124,124,128,201,123,50,174,174,40,2646,2680,60630,60713,9884,9822,15114,15099,12868,12932]},"pktlen": {"min":60,"avg":671.7,"max":1442,"stddev":680.4,"var":462891.9,"ent":4.1,"data": [66,62,60,279,1442,60,1442,60,1442,60,1442,1442,60,1442,60,1442,60,1442,60,1442,60,60,1442,60,1442,60,1442,60,1442,60,1442,60]},"bins": {"c_to_s": [16,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02231{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":866,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490399009658,"flow_dst_last_pkt_time":1650490399009514,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":19432,"midstream":0,"thread_ts_usec":1650490399009658,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":40,"avg":30903.8,"max":260940,"stddev":65726.9,"var":4320020480.0,"ent":3.0,"data": [97254,97549,387,260940,260431,3204,3158,9543,9466,6236,69,6255,124,124,128,201,123,50,174,174,40,2646,2680,60630,60713,9884,9822,15114,15099,12868,12932]},"pktlen": {"min":46,"avg":657.7,"max":1428,"stddev":680.4,"var":462891.9,"ent":4.1,"data": [52,48,46,265,1428,46,1428,46,1428,46,1428,1428,46,1428,46,1428,46,1428,46,1428,46,46,1428,46,1428,46,1428,46,1428,46,1428,46]},"bins": {"c_to_s": [16,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0],"entropies": [4.633441925,5.001628399,4.330939770,5.702507019,4.791214466,4.390829086,5.521807671,4.303872585,6.000949860,4.347350597,5.983242989,6.243623734,4.347351074,5.943493843,4.390829086,4.384503365,4.390829086,4.537651062,4.347351074,4.500005245,4.390829086,4.390829086,4.575252056,4.390829086,4.522280216,4.390829086,4.470242500,4.347350597,4.561497688,4.347350597,4.580824375,4.390829086]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00906{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1664,"source":"emotet.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":72,"flow_dst_packets_processed":136,"flow_first_seen":1648563468993352,"flow_src_last_pkt_time":1648563480808552,"flow_dst_last_pkt_time":1648563480808458,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":537,"flow_dst_max_l4_payload_len":1361,"flow_src_tot_l4_payload_len":983,"flow_dst_tot_l4_payload_len":176692,"midstream":0,"thread_ts_usec":1650490407650290,"l3_proto":"ip4","src_ip":"10.3.29.101","dst_ip":"104.161.127.22","src_port":56309,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00565{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1664,"source":"emotet.pcap","alias":"nDPId-test","packets-captured":1664,"packets-processed":1663,"total-skipped-flows":0,"total-l4-payload-len":1352571,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":1,"total-updates":0,"current-active-flows":1,"total-active-flows":3,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":26,"global_ts_usec":1650905413858492} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1664,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905413858492,"flow_dst_last_pkt_time":1650905413858492,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905413858492,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -30,7 +30,7 @@ 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1666,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1650905414043020,"flow_dst_last_pkt_time":1650905414042728,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1650905414043020,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoLKZAAIAGOLwKBBllTWkknMKFAFDxFWwhKWw3CFAQAgOX4gAAAAAAAAAA"} 01133{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1667,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414043252,"flow_dst_last_pkt_time":1650905414042728,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905414043252,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"filmmogzivota.rs","http": {"url":"filmmogzivota.rs\/SpryAssets\/gDR\/","code":0,"content_type":"","user_agent":"vBKbaQgjyvRRbcgfvlsc"}}} 01286{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1669,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414043252,"flow_dst_last_pkt_time":1650905414335184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":572,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":572,"midstream":0,"thread_ts_usec":1650905414335184,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"filmmogzivota.rs","http": {"url":"filmmogzivota.rs\/SpryAssets\/gDR\/","code":200,"content_type":"application\/x-msdownload","user_agent":"vBKbaQgjyvRRbcgfvlsc"}}} -01954{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1695,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414512477,"flow_dst_last_pkt_time":1650905414512421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":26616,"midstream":0,"thread_ts_usec":1650905414512477,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":56,"avg":42190.8,"max":292217,"stddev":79641.8,"var":6342810624.0,"ent":2.9,"data": [184236,184528,232,171817,120639,81,116,292217,2662,111,117,90,2892,2739,117,70,3040,164670,68,120,164820,2817,118,71,3042,2918,68,119,165,3158,56]},"pktlen": {"min":60,"avg":892.9,"max":1442,"stddev":652.6,"var":425943.0,"ent":4.5,"data": [66,66,60,206,60,626,1442,1442,60,1442,1442,1442,1114,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,1442,60,60]},"bins": {"c_to_s": [9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,18,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +02353{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1695,"source":"emotet.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1650905413858492,"flow_src_last_pkt_time":1650905414512477,"flow_dst_last_pkt_time":1650905414512421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":26616,"midstream":0,"thread_ts_usec":1650905414512477,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"77.105.36.156","src_port":49797,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":56,"avg":42190.8,"max":292217,"stddev":79641.8,"var":6342810624.0,"ent":2.9,"data": [184236,184528,232,171817,120639,81,116,292217,2662,111,117,90,2892,2739,117,70,3040,164670,68,120,164820,2817,118,71,3042,2918,68,119,165,3158,56]},"pktlen": {"min":46,"avg":878.9,"max":1428,"stddev":652.6,"var":425943.0,"ent":4.5,"data": [52,52,46,192,46,612,1428,1428,46,1428,1428,1428,1100,46,1428,1428,1428,46,1428,1428,1428,46,1428,1428,1428,46,1428,1428,1428,1428,46,46]},"bins": {"c_to_s": [9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,18,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0],"entropies": [4.671903610,4.849197388,4.501398563,5.653024197,4.390829563,5.577536106,4.013392448,5.117209911,4.501398563,5.103430748,5.009723663,5.324585438,5.512314796,4.457919598,5.070570469,5.174447536,5.467666149,4.457920074,5.218022346,5.067547321,5.343363285,4.501398087,5.389601707,5.123095036,5.071803093,4.354552746,5.203499794,5.430387497,5.394243717,4.889959335,4.501398563,4.390829086]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 01032{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2228,"source":"emotet.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":272,"flow_dst_packets_processed":557,"flow_first_seen":1650490398530577,"flow_src_last_pkt_time":1650490407554682,"flow_dst_last_pkt_time":1650490407650290,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":225,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":225,"flow_dst_tot_l4_payload_len":770026,"midstream":0,"thread_ts_usec":1650905415845438,"l3_proto":"ip4","src_ip":"10.4.20.102","dst_ip":"107.161.178.210","src_port":54319,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2228,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905467542773,"flow_dst_last_pkt_time":1650905467542773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905467542773,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2228,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1650905467542773,"flow_dst_last_pkt_time":1650905467542773,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1650905467542773,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0C55AAIAGrZIKBBllisWTZcKLAbv3Q1KhAAAAAIAC\/\/8fUQAAAgQFtAEDAwgBAQQC"} @@ -38,7 +38,7 @@ 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2230,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1650905467652398,"flow_dst_last_pkt_time":1650905467652145,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1650905467652398,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoC59AAIAGrZ0KBBllisWTZcKLAbv3Q1KiR\/jAO1AQBABT4AAAAAAAAAAA"} 01248{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2231,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905467666537,"flow_dst_last_pkt_time":1650905467652145,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905467666537,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01673{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2233,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905467666537,"flow_dst_last_pkt_time":1650905467789145,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1378,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":1378,"midstream":0,"thread_ts_usec":1650905467789145,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"ec74a5c51106f0419184d0dd08fb05bc","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","subjectDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","fingerprint":"43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93"}}} -01585{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":58,"avg":116901.0,"max":1262510,"stddev":291863.6,"var":85184339968.0,"ent":2.7,"data": [109372,109625,14139,123772,13228,122858,52674,132935,80275,6518,151937,1117119,71,165,1262510,58,2900,71,3072,96890,117,96947,3054,71,165,71,3262,116,2919,118]},"pktlen": {"min":60,"avg":696.0,"max":1442,"stddev":663.2,"var":439900.2,"ent":4.2,"data": [66,66,60,203,60,1432,60,147,296,60,534,60,1442,1442,1442,60,60,1442,1442,66,1442,1442,74,1442,1442,1442,1442,74,74,74,1442,1442]},"bins": {"c_to_s": [11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0,1,1]}} +01984{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2259,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":58,"avg":116901.0,"max":1262510,"stddev":291863.6,"var":85184339968.0,"ent":2.7,"data": [109372,109625,14139,123772,13228,122858,52674,132935,80275,6518,151937,1117119,71,165,1262510,58,2900,71,3072,96890,117,96947,3054,71,165,71,3262,116,2919,118]},"pktlen": {"min":46,"avg":682.0,"max":1428,"stddev":663.2,"var":439900.2,"ent":4.2,"data": [52,52,46,189,46,1418,46,133,282,46,520,46,1428,1428,1428,46,46,1428,1428,52,1428,1428,60,1428,1428,1428,1428,60,60,60,1428,1428]},"bins": {"c_to_s": [11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0,1,1],"entropies": [4.661227226,4.908878326,4.501398087,5.357971191,4.609350681,7.499943256,4.609350204,5.862740993,7.080684185,4.501398087,7.521671295,4.522393703,7.860427856,7.879212856,7.876828194,4.501398087,4.501398087,7.862761021,7.872880459,4.974009037,7.863744259,7.867939472,5.142321110,7.869549751,7.874364853,7.859346390,7.876013756,5.142321110,5.142321110,5.142320633,7.842814445,7.873933792]}} 01676{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2259,"source":"emotet.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1650905467542773,"flow_src_last_pkt_time":1650905469294827,"flow_dst_last_pkt_time":1650905469297748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":722,"flow_dst_tot_l4_payload_len":19664,"midstream":0,"thread_ts_usec":1650905469297748,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49803,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"51c64c77e60f3980eea90869b68c58a8","ja3s":"ec74a5c51106f0419184d0dd08fb05bc","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","subjectDN":"C=GB, ST=London, L=London, O=Global Security, OU=IT Department, CN=example.com","fingerprint":"43:A2:39:73:AC:4D:2C:15:7B:D6:4E:32:EA:22:11:B7:97:65:1A:93"}}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2359,"source":"emotet.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1650905469778844,"flow_src_last_pkt_time":1650905469778844,"flow_dst_last_pkt_time":1650905469778844,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1650905469778844,"l3_proto":"ip4","src_ip":"10.4.25.101","dst_ip":"138.197.147.101","src_port":49804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2359,"source":"emotet.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1650905469778844,"flow_dst_last_pkt_time":1650905469778844,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1650905469778844,"pkt":"IOUqtpPxAAgCHEeuCABFAAA0C9hAAIAGrVgKBBllisWTZcKMAbv+vEuFAAAAAIAC\/\/8e8wAAAgQFtAEDAwgBAQQC"} @@ -58,10 +58,10 @@ ~~ total active/idle flows...: 6/6 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6136222 bytes -~~ total memory freed........: 6136222 bytes -~~ total allocations/frees...: 123943/123943 +~~ total memory allocated....: 6137038 bytes +~~ total memory freed........: 6137038 bytes +~~ total allocations/frees...: 123949/123949 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1959 chars -~~ json string avg len.......: 1224 chars +~~ json string max len.......: 2358 chars +~~ json string avg len.......: 1423 chars diff --git a/test/results/encrypted_sni.pcap.out b/test/results/encrypted_sni.pcap.out index faabbc921..a07306465 100644 --- a/test/results/encrypted_sni.pcap.out +++ b/test/results/encrypted_sni.pcap.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6047001 bytes -~~ total memory freed........: 6047001 bytes -~~ total allocations/frees...: 121522/121522 +~~ total memory allocated....: 6047409 bytes +~~ total memory freed........: 6047409 bytes +~~ total allocations/frees...: 121525/121525 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 1490 chars diff --git a/test/results/esp.pcapng.out b/test/results/esp.pcapng.out index 041ce8e83..7c012a07d 100644 --- a/test/results/esp.pcapng.out +++ b/test/results/esp.pcapng.out @@ -20,9 +20,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037439 bytes -~~ total memory freed........: 6037439 bytes -~~ total allocations/frees...: 121503/121503 +~~ total memory allocated....: 6037711 bytes +~~ total memory freed........: 6037711 bytes +~~ total allocations/frees...: 121505/121505 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 982 chars diff --git a/test/results/ethereum.pcap.out b/test/results/ethereum.pcap.out index 23d7dad97..78d47a66a 100644 --- a/test/results/ethereum.pcap.out +++ b/test/results/ethereum.pcap.out @@ -86,11 +86,11 @@ 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":109,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364654361,"flow_src_last_pkt_time":1578508364654361,"flow_dst_last_pkt_time":1578508364654361,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":171,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":171,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364654361,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"128.0.51.140","src_port":30303,"dst_port":30303,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364523420,"flow_dst_last_pkt_time":1578508364657828,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364657828,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAAC8GWDwD0S1PwKgBuHZf3TTdrvLSmxdVZqAScSC43wAAAgQFrAQCCApOlRAnItiUTwEDAwc="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":126,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364657930,"flow_dst_last_pkt_time":1578508364657828,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364657930,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGR0TAqAG4A9EtT900dl+bF1Vm3a7y04AQECxIFwAAAQEICiLYlNBOlRAn"} -01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522958,"flow_src_last_pkt_time":1578508364631940,"flow_dst_last_pkt_time":1578508364658815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":495,"flow_dst_max_l4_payload_len":448,"flow_src_tot_l4_payload_len":735,"flow_dst_tot_l4_payload_len":512,"midstream":0,"thread_ts_usec":1578508364658815,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.158.244.151","src_port":56615,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7898.0,"max":63466,"stddev":18325.6,"var":335828128.0,"ent":2.4,"data": [42899,42982,2208,63466,818,46,62123,6,373,313,356,354,126,10,127,6,123,159,339,3,86,17,41,85,11,59,21,32,10,27626,14]},"pktlen": {"min":60,"avg":105.2,"max":561,"stddev":114.1,"var":13011.4,"ent":4.5,"data": [78,74,66,561,66,514,98,66,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02163{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522958,"flow_src_last_pkt_time":1578508364631940,"flow_dst_last_pkt_time":1578508364658815,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":495,"flow_dst_max_l4_payload_len":448,"flow_src_tot_l4_payload_len":735,"flow_dst_tot_l4_payload_len":512,"midstream":0,"thread_ts_usec":1578508364658815,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.158.244.151","src_port":56615,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7898.0,"max":63466,"stddev":18325.6,"var":335828128.0,"ent":2.4,"data": [42899,42982,2208,63466,818,46,62123,6,373,313,356,354,126,10,127,6,123,159,339,3,86,17,41,85,11,59,21,32,10,27626,14]},"pktlen": {"min":46,"avg":91.2,"max":547,"stddev":114.1,"var":13011.4,"ent":4.4,"data": [64,60,52,547,52,500,84,52,52,53,52,54,52,65,68,52,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1],"entropies": [4.453177452,5.333454132,5.000318527,7.620707512,5.195351601,7.612061024,5.903985500,5.077241421,5.077241421,5.270098686,5.077241421,5.305542469,5.077241421,5.535423279,5.653491497,5.077241421,5.077241421,5.233812809,5.077241421,5.807060242,5.154217243,6.729629993,5.192151070,5.452736855,5.949917316,5.154217243,5.191807747,5.493040085,5.493248940,5.077241421,3.725504398,3.725504398]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":140,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364659294,"flow_src_last_pkt_time":1578508364659294,"flow_dst_last_pkt_time":1578508364659294,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364659294,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":140,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1578508364659294,"flow_dst_last_pkt_time":1578508364659294,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508364659294,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGv5TAqAG4KEOQgN02dl98bCWSAAAAALAC\/\/8OmwAAAgQFtAEDAwUBAQgKItiU0QAAAAAEAgAA"} 00983{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":141,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523420,"flow_src_last_pkt_time":1578508364659971,"flow_dst_last_pkt_time":1578508364657828,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":395,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364659971,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"3.209.45.79","src_port":56628,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364523356,"flow_src_last_pkt_time":1578508364663606,"flow_dst_last_pkt_time":1578508364664348,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":404,"flow_src_tot_l4_payload_len":1106,"flow_dst_tot_l4_payload_len":612,"midstream":0,"thread_ts_usec":1578508364664348,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.128.195.220","src_port":56626,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9072.3,"max":62996,"stddev":18852.3,"var":355411104.0,"ent":2.7,"data": [42941,42985,1880,62851,2026,2,12,7,1,62996,2,23,5,115,83,3,1324,29,68,8,50,438,29,39,9,101,32217,29,13,30178,778]},"pktlen": {"min":66,"avg":121.8,"max":612,"stddev":122.8,"var":15078.8,"ent":4.5,"data": [78,74,66,612,66,470,98,67,222,69,66,66,66,66,82,66,66,98,67,190,69,82,98,67,114,81,82,78,78,78,338,78]},"bins": {"c_to_s": [14,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02165{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364523356,"flow_src_last_pkt_time":1578508364663606,"flow_dst_last_pkt_time":1578508364664348,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":404,"flow_src_tot_l4_payload_len":1106,"flow_dst_tot_l4_payload_len":612,"midstream":0,"thread_ts_usec":1578508364664348,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.128.195.220","src_port":56626,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9072.3,"max":62996,"stddev":18852.3,"var":355411104.0,"ent":2.7,"data": [42941,42985,1880,62851,2026,2,12,7,1,62996,2,23,5,115,83,3,1324,29,68,8,50,438,29,39,9,101,32217,29,13,30178,778]},"pktlen": {"min":52,"avg":107.8,"max":598,"stddev":122.8,"var":15078.8,"ent":4.4,"data": [64,60,52,598,52,456,84,53,208,55,52,52,52,52,68,52,52,84,53,176,55,68,84,53,100,67,68,64,64,64,324,64]},"bins": {"c_to_s": [14,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1],"entropies": [4.408572197,5.379368782,5.077241421,7.669267178,5.156889439,7.526873589,5.951604366,5.156891346,6.891885281,5.267454624,5.077241421,5.038779736,5.000318050,5.038779736,5.524744987,5.038779736,5.000318050,5.872653008,5.041009903,6.756078243,5.155787468,5.423323631,5.920271873,5.041009903,6.031247139,5.403306961,5.416114807,5.165874004,5.197124004,5.228374004,7.334465981,5.165874004]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":181,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364522823,"flow_dst_last_pkt_time":1578508364667606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364667606,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADEG8jtCKlL2wKgBuHZf3SQj+YV4f2iiaKAScSArVwAAAgQFrAQCCAodkmB\/ItiUTwEDAwc="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":182,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364667656,"flow_dst_last_pkt_time":1578508364667606,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364667656,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG40PAqAG4QipS9t0kdl9\/aKJoI\/mFeYAQECy6hgAAAQEICiLYlNgdkmB\/"} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":183,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364632239,"flow_dst_last_pkt_time":1578508364668680,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364668680,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADEGF+czJjxPwKgBuHZf3TW8w0qY6ojTGKAScSDV+QAAAgQFrAQCCAphOp2qItiUuAEDAwc="} @@ -109,7 +109,7 @@ 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":238,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364522827,"flow_dst_last_pkt_time":1578508364717778,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364717778,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACMGVBhoKtkZwKgBuHZf3SMhYrdg7BRmI6AS\/ohxlQAAAgQFoAQCCAru0q\/IItiUTwEDAwc="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364717893,"flow_dst_last_pkt_time":1578508364717778,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364717893,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGNyDAqAG4aCrZGd0jdl\/sFGYjIWK3YYAQEAmOFAAAAQEICiLYlQju0q\/I"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":240,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364522827,"flow_src_last_pkt_time":1578508364719135,"flow_dst_last_pkt_time":1578508364717778,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":490,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":490,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364719135,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"104.42.217.25","src_port":56611,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01757{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":242,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523418,"flow_src_last_pkt_time":1578508364659019,"flow_dst_last_pkt_time":1578508364721593,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":402,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":466,"midstream":0,"thread_ts_usec":1578508364721593,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"34.255.23.113","src_port":56627,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":10767.0,"max":70198,"stddev":24163.0,"var":583848512.0,"ent":2.4,"data": [70028,70198,1425,62112,2103,2,2,32,23,22,62731,3,15,11,2,8,85,118,636,45,106,25,18,64,32,95,10,50,9,63729,37]},"pktlen": {"min":60,"avg":104.3,"max":578,"stddev":111.3,"var":12394.7,"ent":4.5,"data": [78,74,66,578,66,468,98,67,68,79,82,66,66,66,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02155{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":242,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523418,"flow_src_last_pkt_time":1578508364659019,"flow_dst_last_pkt_time":1578508364721593,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":402,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":466,"midstream":0,"thread_ts_usec":1578508364721593,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"34.255.23.113","src_port":56627,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":10767.0,"max":70198,"stddev":24163.0,"var":583848512.0,"ent":2.4,"data": [70028,70198,1425,62112,2103,2,2,32,23,22,62731,3,15,11,2,8,85,118,636,45,106,25,18,64,32,95,10,50,9,63729,37]},"pktlen": {"min":46,"avg":90.3,"max":564,"stddev":111.3,"var":12394.7,"ent":4.4,"data": [64,60,52,564,52,454,84,53,54,65,68,52,52,52,52,52,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1],"entropies": [4.441382408,5.346035480,5.024262905,7.573521614,5.233813286,7.579136848,5.880175591,5.270098686,5.268505573,5.525989532,5.642391205,5.062724590,5.024262905,5.024262905,5.024262905,5.062724590,5.062724590,5.272274494,5.062724590,5.967890739,5.154217243,6.729060650,5.228514671,5.477021694,5.839856625,5.078744888,5.191807270,5.462270737,5.610895157,5.115703106,3.600984097,3.600984097]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01930{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":252,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364654361,"flow_dst_last_pkt_time":1578508364729181,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1097,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1097,"pkt_l4_len":1063,"thread_ts_usec":1578508364729181,"pkt":"KDc3AG3IEBMx8Tl2CABFAAQ7gO1AADART9iAADOMwKgBuHZfdl8EJxcg9PffAeslidE0A2XYKUWPfQSrSzELT24RQsZMkDFAUC\/8t71UobxaKgVF9YFxtOS9Li4RLrxMDnrT4k5PGgw2NDHZtKrKg8J\/d2YlScEj\/YBR+sG3bhx8yqSCwFLu+QmtAQT5A7r5A7L4TYRQniRSgnZfgnZfuEDy+3Y1qZpk8\/KZSHkhI\/dUtq2PmnojEAJ+pvc2bi3A23IJ6RM8OAW49hm6EgP+nw9QrdJ1FOvq3+1MzaqVwKmC+E2ETi\/CnoJ2X4J2X7hA+Q4zg2oOekCIJoV1y\/ualFI8sA2WiSVXjBsUf\/fkEaUBa4ucL3qlgbfTJJpR6RtQSjEN0kW4Om6HGzu56xhcP\/hNhF6CJvWCdl+Cdl+4QCa0AdVA2\/h5KxbzG7wSXhKLcgLDQf3VZM6j4pcDpEr22I0w8vjr3eeZrANzqy+B0k7Jw6sj9qOYOkYu9v1\/HcL4S4QXZGXDgsVFgLhA4dMHiHESZvaZv5XwOSEg7GIAhtTuq\/1+kuZamW7NEWy5Mx7jYjqriPSY+yi8MCrIJ809xx8ts8E05ybrI5RK9vhNhHTKaT+Cdl+Cdl+4QNscTNh1YzVnvcLB2a2lU2bz3gyaTlXXbE+pFLDVoDdFI5ADpod42cruH9wQt79YZLxlJa01FygTlV6X9wnzbsb4TYRSpWAfgnZhgnZhuECxFAegsyOgyfrql\/zztxCELDSekbbhUJf21H8iSNiW9cKP2xirrTz8RKLVHxNA2LkFNcMF8l9m+GUUJJ3wo0ve+E2EZ\/0rzIJ2X4J2X7hA0+1Q\/zfDwmqiJ4L7\/yvPXaADca3\/aoKeqi6XasejIDSTPmS2ILmdZ2LgwWGNQRAtsR66VqR5PIUppHE6JTXzu\/hNhC9aDGqCdl+Cdl+4QEWucUJTr5uswusybUrNZinvmACa+spHP3M8Ca80aMiKTDP2An9QqqbsJgkcvDnFqQSdwmVB0j3FFWWOWXchmBH4TYQ03B+BglLcglLcuEC4ECYNzxwi2kJoJQjyJ6lUniuRlC+UndNWqAZRufW0X533Ymm1WtW8x0w\/1eGqPwGeOGNfU57w7mmrZv5S0MuC+E2EoBCKUoJ2X4J2X7hA7pvrsi4uzujUwcCnzbOXM3k+PSTxp6vSaGlZ+vjNNS2DLnFg12pt76j1a3+aMxZ2sjeuJ4ACTqyhbBihj1yObfhNhLB96meCdl+Cdl+4QMGwHxHg22IaagGZCrHWyox4ceWSrkz5+TUJ7FvSKEAsyUrKnBQ1BKg4U4OyDXv653Ump5Su2Klg\/PAjth\/4FVX4TYQDCFzcgnZfgnZfuEAOe5LjgOGocDnrwWucrGwohrnh\/PIVvUNi2EPcxA3lL9o2I1kGKrrcltIHdy07g5GmzReWD9IntTCd9ncDRnHuhF4WIGA="} 01070{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":253,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364654361,"flow_dst_last_pkt_time":1578508364729798,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":467,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":467,"pkt_l4_len":433,"thread_ts_usec":1578508364729798,"pkt":"KDc3AG3IEBMx8Tl2CABFAAHFgO5AADARUk2AADOMwKgBuHZfdl8BsUbFE+HTPyEyomNSay73CyfrLD8rHnhX7vxj92G3He3rB8i3yggvxA3gI120fMxC8T5NSVg69zUML0xXdXDn6x+i1UJlYzm2ZsL8HkXRcVxsD7\/Cz8uc2cDeR5GmI31rs3BBAAT5AUT5ATz4TYRWzyr3gnZfgnZfuEAwPG4npPFCKterF6wXX6hmKDtHpPLV5Gpyh4HRvQlb1WOtMBiFa5iB1p48IlU7yQzlUhHlEKU2TAWk+UxWCOtE+E2EwKkGMYJ2X4J2X7hAXDWjwnntCdEfY7ZsbIcma6dZim0sS\/6AZlg+cBMsOylaupmT4K85DC7A88jAAB9\/AkNP7Q7FRuWOzTw655z20fhNhF\/YD6SCdl+Cdl+4QMhe7o3oH5yNMBpAbg7BFfLQiRhzAx0IcRlGupvV\/Zui89t4l4x5tGAZhBv4cgNKbiHVFqGfCeCtDh7KA5ZNUtn4TYQ2yX4zgnZfgnZfuEBWXo894U5qji3Sd9oPTupJEBwpi5JkOWop7uGO9PMehSCnS4eHg4+tauk7NJIwG19teeCjKxS93DtycMhLIWGEhF4WIGA="} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":254,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364732443,"flow_src_last_pkt_time":1578508364732443,"flow_dst_last_pkt_time":1578508364732443,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364732443,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"111.229.0.180","src_port":30303,"dst_port":20182,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -128,7 +128,7 @@ 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":273,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364523109,"flow_dst_last_pkt_time":1578508364786203,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364786203,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAAC0GKKu\/6qLGwKgBuHZf3SxpEHBBX7euwaAS\/ohj6AAAAgQFoAQCCAo0GJnqItiUTwEDAwc="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":274,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364786273,"flow_dst_last_pkt_time":1578508364786203,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364786273,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGFbPAqAG4v+qixt0sdl9ft67BaRBwQoAQEAmAJwAAAQEICiLYlUg0GJnq"} 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":275,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523039,"flow_src_last_pkt_time":1578508364786351,"flow_dst_last_pkt_time":1578508364784751,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364786351,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.231.165.108","src_port":56618,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01751{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1578508364632239,"flow_src_last_pkt_time":1578508364714483,"flow_dst_last_pkt_time":1578508364786943,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":421,"flow_dst_max_l4_payload_len":340,"flow_src_tot_l4_payload_len":661,"flow_dst_tot_l4_payload_len":404,"midstream":0,"thread_ts_usec":1578508364786943,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.60.79","src_port":56629,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7643.5,"max":72892,"stddev":17918.8,"var":321082976.0,"ent":2.4,"data": [36441,36500,1495,43967,497,46,63,13,18,43065,4,1,1,17,703,21,64,47,32,88,50,77,17,30,32,72892,13,7,734,1,12]},"pktlen": {"min":60,"avg":99.0,"max":487,"stddev":93.3,"var":8701.2,"ent":4.6,"data": [78,74,66,487,66,406,98,67,68,95,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60]},"bins": {"c_to_s": [15,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02150{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1578508364632239,"flow_src_last_pkt_time":1578508364714483,"flow_dst_last_pkt_time":1578508364786943,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":421,"flow_dst_max_l4_payload_len":340,"flow_src_tot_l4_payload_len":661,"flow_dst_tot_l4_payload_len":404,"midstream":0,"thread_ts_usec":1578508364786943,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.60.79","src_port":56629,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7643.5,"max":72892,"stddev":17918.8,"var":321082976.0,"ent":2.4,"data": [36441,36500,1495,43967,497,46,63,13,18,43065,4,1,1,17,703,21,64,47,32,88,50,77,17,30,32,72892,13,7,734,1,12]},"pktlen": {"min":46,"avg":85.0,"max":473,"stddev":93.3,"var":8701.2,"ent":4.5,"data": [64,60,52,473,52,392,84,53,54,81,52,52,52,52,52,84,53,176,55,68,84,53,54,65,68,52,52,46,46,46,46,46]},"bins": {"c_to_s": [15,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1],"entropies": [4.421927452,5.379368782,5.115703106,7.505434513,5.310736179,7.434167385,5.999223709,5.232362747,5.342579842,5.892141342,5.115703106,5.115703106,5.115703106,5.024262905,5.115703106,5.869502068,5.116480827,6.709120274,5.214789391,5.552071571,5.902298450,5.154217243,5.228844643,5.462270737,5.552072525,5.115703106,5.310736179,3.969498873,3.926020622,3.969498873,3.969498873,3.969498873]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":285,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523109,"flow_src_last_pkt_time":1578508364787529,"flow_dst_last_pkt_time":1578508364786203,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":512,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364787529,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"191.234.162.198","src_port":56620,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":286,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364714836,"flow_dst_last_pkt_time":1578508364789015,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364789015,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAADMGVclSkdz5wKgBuHZf3TlFnUTdn3ylU6AScSDFhwAAAgQFrAQCCAqGNr5sItiVBQEDAwc="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":287,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364789130,"flow_dst_last_pkt_time":1578508364789015,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364789130,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGSNnAqAG4UpHc+d05dl+ffKVTRZ1E3oAQECxU+wAAAQEICiLYlUqGNr5s"} @@ -155,8 +155,8 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":384,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364523145,"flow_dst_last_pkt_time":1578508364877648,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364877648,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACEGk4U0u88bwKgBuHZf3S3Pd7n11PppgaAS\/oiD+wAAAgQFoAQCCApvJb2EItiUTwEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":385,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364877742,"flow_dst_last_pkt_time":1578508364877648,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508364877742,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGdI3AqAG4NLvPG90tdl\/U+mmBz3e59oAQEAmf6AAAAQEICiLYlZpvJb2E"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":386,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364523145,"flow_src_last_pkt_time":1578508364879259,"flow_dst_last_pkt_time":1578508364877648,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":525,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364879259,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.187.207.27","src_port":56621,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01761{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364682687,"flow_src_last_pkt_time":1578508364832409,"flow_dst_last_pkt_time":1578508364898847,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":479,"flow_dst_max_l4_payload_len":439,"flow_src_tot_l4_payload_len":719,"flow_dst_tot_l4_payload_len":503,"midstream":0,"thread_ts_usec":1578508364898847,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.81.180","src_port":56632,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11802.6,"max":78584,"stddev":26563.9,"var":705640768.0,"ent":2.4,"data": [68454,68561,1411,78125,1877,68,78584,38,219,12,4,177,15,1,106,11,115,2,426,13,74,15,66,39,30,87,16,26,26,67245,39]},"pktlen": {"min":60,"avg":104.4,"max":545,"stddev":111.1,"var":12335.6,"ent":4.5,"data": [78,74,66,545,66,505,98,66,66,67,68,79,66,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":408,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508364714836,"flow_src_last_pkt_time":1578508364867557,"flow_dst_last_pkt_time":1578508364919424,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":682,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508364919424,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"82.145.220.249","src_port":56633,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":11526.1,"max":77251,"stddev":26248.2,"var":688970368.0,"ent":2.4,"data": [74179,74294,1198,77251,76054,663,12,594,2,179,16,57,19,60,67,15,72,28,42,24,51962,31,247,15,13,11,81,2,10,6,105]},"pktlen": {"min":60,"avg":101.1,"max":508,"stddev":105.3,"var":11090.0,"ent":4.6,"data": [78,74,66,508,488,66,98,98,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [13,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02159{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364682687,"flow_src_last_pkt_time":1578508364832409,"flow_dst_last_pkt_time":1578508364898847,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":479,"flow_dst_max_l4_payload_len":439,"flow_src_tot_l4_payload_len":719,"flow_dst_tot_l4_payload_len":503,"midstream":0,"thread_ts_usec":1578508364898847,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.38.81.180","src_port":56632,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11802.6,"max":78584,"stddev":26563.9,"var":705640768.0,"ent":2.4,"data": [68454,68561,1411,78125,1877,68,78584,38,219,12,4,177,15,1,106,11,115,2,426,13,74,15,66,39,30,87,16,26,26,67245,39]},"pktlen": {"min":46,"avg":90.4,"max":531,"stddev":111.1,"var":12335.6,"ent":4.4,"data": [64,60,52,531,52,491,84,52,52,53,54,65,52,52,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1],"entropies": [4.397368431,5.306893826,4.993616104,7.595185280,5.233812809,7.573578358,5.960590839,5.154164791,5.077241421,5.270098686,5.268505573,5.587528229,5.115703106,5.115703106,5.115703106,5.554157257,5.310736179,5.115703106,5.115703106,5.935094357,5.154217243,6.817276955,5.264878273,5.581483841,5.878489017,5.078744411,5.228844166,5.493040085,5.610895157,5.115703106,3.909610271,3.866132259]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02160{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":408,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508364714836,"flow_src_last_pkt_time":1578508364867557,"flow_dst_last_pkt_time":1578508364919424,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":682,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508364919424,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"82.145.220.249","src_port":56633,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":11526.1,"max":77251,"stddev":26248.2,"var":688970368.0,"ent":2.4,"data": [74179,74294,1198,77251,76054,663,12,594,2,179,16,57,19,60,67,15,72,28,42,24,51962,31,247,15,13,11,81,2,10,6,105]},"pktlen": {"min":46,"avg":87.1,"max":494,"stddev":105.3,"var":11090.0,"ent":4.4,"data": [64,60,52,494,474,52,84,84,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46,46,46,46,46,46,46,46,46,46]},"bins": {"c_to_s": [13,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.441382408,5.381731033,5.115703106,7.596201897,7.501367569,5.115703106,5.935592651,5.974224567,5.115703106,5.115703106,5.982713223,5.154216766,6.770318985,5.264878273,5.610895157,5.743154526,5.041008472,5.154769897,5.523809433,5.581483841,5.115703106,3.701528549,3.701528549,3.701528549,3.701528549,3.701528549,3.701528549,3.701528549,3.701528549,3.701528549,3.701528549,3.701528549]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":435,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364922060,"flow_src_last_pkt_time":1578508364922060,"flow_dst_last_pkt_time":1578508364922060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364922060,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.233.197.131","src_port":56637,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":435,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":1,"flow_src_last_pkt_time":1578508364922060,"flow_dst_last_pkt_time":1578508364922060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508364922060,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGjuvAqAG4I+nFg909dl+ptEcpAAAAALAC\/\/+OGAAAAgQFtAEDAwUBAQgKItiVxAAAAAAEAgAA"} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":445,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364924936,"flow_src_last_pkt_time":1578508364924936,"flow_dst_last_pkt_time":1578508364924936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364924936,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"209.250.240.205","src_port":56638,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -169,7 +169,7 @@ 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":472,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508364932939,"flow_src_last_pkt_time":1578508364932939,"flow_dst_last_pkt_time":1578508364932939,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364932939,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":56639,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":472,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":1,"flow_src_last_pkt_time":1578508364932939,"flow_dst_last_pkt_time":1578508364932939,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508364932939,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGvd3AqAG4Etunn90\/dl9+5\/UeAAAAALAC\/\/851wAAAgQFtAEDAwUBAQgKItiVzQAAAAAEAgAA"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":473,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508364824682,"flow_src_last_pkt_time":1578508364933835,"flow_dst_last_pkt_time":1578508364932308,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":571,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508364933835,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"159.203.84.31","src_port":56634,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":475,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523420,"flow_src_last_pkt_time":1578508364824407,"flow_dst_last_pkt_time":1578508364936429,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":470,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":534,"midstream":0,"thread_ts_usec":1578508364936429,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"3.209.45.79","src_port":56628,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":23032.1,"max":164457,"stddev":52707.1,"var":2778034688.0,"ent":2.4,"data": [134408,134510,2041,164457,730,163149,164,16,91,13,125,16,10,133,2,2,198,213,439,13,62,28,71,55,19,91,9,24,22,112857,28]},"pktlen": {"min":60,"avg":103.0,"max":536,"stddev":105.0,"var":11031.5,"ent":4.6,"data": [78,74,66,461,66,536,66,98,67,66,66,68,79,82,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02165{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":475,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523420,"flow_src_last_pkt_time":1578508364824407,"flow_dst_last_pkt_time":1578508364936429,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":395,"flow_dst_max_l4_payload_len":470,"flow_src_tot_l4_payload_len":635,"flow_dst_tot_l4_payload_len":534,"midstream":0,"thread_ts_usec":1578508364936429,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"3.209.45.79","src_port":56628,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":23032.1,"max":164457,"stddev":52707.1,"var":2778034688.0,"ent":2.4,"data": [134408,134510,2041,164457,730,163149,164,16,91,13,125,16,10,133,2,2,198,213,439,13,62,28,71,55,19,91,9,24,22,112857,28]},"pktlen": {"min":46,"avg":89.0,"max":522,"stddev":105.0,"var":11031.5,"ent":4.5,"data": [64,60,52,447,52,522,52,84,53,52,52,54,65,68,52,52,52,52,52,84,53,176,55,68,84,53,54,65,68,52,52,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1],"entropies": [4.441382408,5.266787052,4.985801220,7.462465286,5.103911400,7.567200184,4.947339535,5.975413799,5.232362270,4.985801220,4.985801220,5.268505096,5.587528229,5.642391205,4.985801220,4.985801220,4.947339535,5.118428230,4.985801220,5.926107883,5.116480827,6.775084019,5.192151546,5.511558533,5.887475491,5.078744888,5.094675064,5.481426716,5.452735901,5.000318050,5.118428230,3.682026386]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01936{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":486,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364925232,"flow_dst_last_pkt_time":1578508364954898,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1099,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1099,"pkt_l4_len":1065,"thread_ts_usec":1578508364954898,"pkt":"KDc3AG3IEBMx8Tl2CABFAAQ91J1AACwRmVQjtPapwKgBuHZddl8EKaTIL6PiPVD76wxxux15bHRlnSs2av4nBFSV7v4bhHiIpeAMxLmbK8f6wiaJfQicCaKdl2RU3riNA4G85e32CrySn3+r4nugeiGUNmLmJTGwe70KAk\/1yl9pMbVr5iHiC9EbAQT5A7z5A7T4TYSnVnoygnZfgnZfuECQJNyxBglNPC+n9m4t\/W08TtywpdWYdWjkRxmhkajaDCz+gK\/mbTitDTyIYj\/DM6dFql13rAhhOsl+TepFcV7R+E2EVmvzPoJ2X4J2X7hAs1lDgaitKFA3cxLdFsLwt7VebQyms4a6o\/fivZtKo8AkJ6dL4w4Dn4+\/vC\/\/JsKeSIScYYBOpqnxxVMZ+XWFxvhNhIui\/9KCdl+Cdl+4QKesUvPGk3pcExPSpjjyYak+S\/zgRaKyCtkCAnADlTupsK\/kU6vbTyjVeYLvjRqhlLfuaobh1XsP1yYWbMEwCkP4TYROL5ObgnZfgnZfuEBjjxCUsfvwMHRxTE5YrP7+ISCuREmPbKrzjoabqIoNEUz\/YRnAV2w6k47DZjKIksCMD5bt88unhn0EsLYp\/SzX+E2EXkQ3ooJ2X4J2X7hAPuP3gMJbiMdT+jVwpl443XaSBNUfQ0qZUmbru+9L8er4h7zKFM+7c1K4WVxLv0mgiZa++5g5WXQyn8nQTgubb\/hNhIpLq76Cdl+Cdl+4QPw+TE9tCaxzvKUZLrSUydGaIDt2Km6jvC1h7Hg9CIqQESMae7r6mkOxEncigdCNSYhdj\/fphc\/puhfvJzVEsBH4TYQj6yXYgnZfgnZfuEC5nQSZ\/xzD17vSEoHg\/jtmGLuRaM3q97\/3Czva8FggRyrw44MHO8OtruMk8OoTJc88hHmdKvMBoeGC+K0eEhFi+E2Ep1ZKIYJ2XYJ2XbhAYZoPsgtYlBM737vFkYUTo\/9EphiWRNvy3F9PFQKE60Wg2vh7fDKeVFJ2s+C3+rlsvule\/8FMZch7lhCdhu+rUPhNhJ3mmFeCdl+Cdl+4QGQs+WUN2IadQlJdv2hYAS47TWT0deczhHq293QjQaQ5dBSGXZU4dOj17ZGw5OHFM97hStHWuydqVFmyRxRg\/w34TYQ050sDgsVJgsVJuEDzSXu93jNII3idYaebqM1QwrATGCoZMfOLWHKo8\/HNEvGmOW1TsZdycKJciiZgh6ud1sRz67L9tP+HeODfKFTV+E2EDfsOx4J2X4J2X7hAH7mV1eGOz5WoeIocWFwRYF7ZVBDRcdtaFFH5u23BFJ62FH1ch71cEmxc8OtYpiPqb2N3y6mQjsQPeWAgtQws9vhNhCPknjSCdl+Cdl+4QFeAPtyTjNbAmZsxJ+YSStMfUptpi+Ck9CtWlo\/Fnkmot5zzhg4wYebjEaqIDMNNKgYreTwT+o6X4euclIzcKBSEXhYgYA=="} 01076{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":487,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":3,"flow_src_last_pkt_time":1578508364925232,"flow_dst_last_pkt_time":1578508364954930,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":467,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":467,"pkt_l4_len":433,"thread_ts_usec":1578508364954930,"pkt":"KDc3AG3IEBMx8Tl2CABFAAHF1J5AACwRm8sjtPapwKgBuHZddl8BsQR1SNeP1ZrG\/ZwtEcGW5vGA0sDGp78prdWhxHtDqEDU7PNKL6kZEdICkE\/ClTr5riDvJ\/S0Juy5pZvsiDZ34LyanRNXXRjpzjohXnlvDARKWl\/FPyuFUx\/5q7iG79kKNiaGAAT5AUT5ATz4TYS5GczRgm\/xgm\/xuEBa13f1PeAY+pXn+QDG2H2vRnbUjALc47yKM1DGaLaCBXAmqDZbTzNfSqGBTAVPFFnsJtnCFC0Fv0w0bIIRmdWp+E2EijsROoJ2X4J2X7hAJi3PrTUi8k0+hp72TGveiEIya6qIgjO27CDPgcM2XClPC4ML\/96HDCNIKvA6L6b3KKoTFoGm44u2hTJ2hJ9PJvhNhM+0ztiCdl+Cdl+4QCCTHaJCBMKOiAeM0+J0ILaNmDQGKBpq95aDifzAyS6BBPIijEGzkyTvF6L1V27y7PdVSWOVkbAaliLEx1mlVCv4TYRf2EBxgnX+gnX+uEAuHZY2QcmV8WQCz4M\/VG5LfG7tHam\/sFovnjhq\/yEXmxTFgIMHUbncizgn1Jn7XeiL7CoOoCVHxB7uvvn28VO3hF4WIGA="} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":488,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364924936,"flow_dst_last_pkt_time":1578508364957524,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508364957524,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIGw5PR+vDNwKgBuHZf3T7\/g0hGkL7bbKAScSAsgwAAAgQFrAQCCAoN8FcJItiVxgEDAwc="} @@ -184,13 +184,13 @@ 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":568,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365021490,"flow_dst_last_pkt_time":1578508365021490,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365021490,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGuz\/AqAG4sj4K2t1Cdl8xVnl5AAAAALAC\/\/8AHAAAAgQFtAEDAwUBAQgKItiWHgAAAAAEAgAA"} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":569,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365029590,"flow_src_last_pkt_time":1578508365029590,"flow_dst_last_pkt_time":1578508365029590,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365029590,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.62.29.183","src_port":56643,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":569,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365029590,"flow_dst_last_pkt_time":1578508365029590,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365029590,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGqGLAqAG4sj4dt91Ddl+W2yuDAAAAALAC\/\/\/VpgAAAgQFtAEDAwUBAQgKItiWJgAAAAAEAgAA"} -01775{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":583,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364924936,"flow_src_last_pkt_time":1578508365038162,"flow_dst_last_pkt_time":1578508365038195,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":415,"flow_dst_max_l4_payload_len":494,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":686,"midstream":0,"thread_ts_usec":1578508365038195,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"209.250.240.205","src_port":56638,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7306.0,"max":43142,"stddev":14269.1,"var":203606176.0,"ent":2.8,"data": [32588,32677,1133,41248,3045,43142,1077,15,57,29,33,2220,3,33,1051,3,12,110,51,429,10,11,17,141,33844,34,22,20,33327,11,92]},"pktlen": {"min":66,"avg":120.0,"max":560,"stddev":112.4,"var":12624.2,"ent":4.6,"data": [78,74,66,481,66,560,66,98,67,190,69,82,98,67,209,66,66,66,82,66,98,67,114,81,82,78,78,78,78,226,178,66]},"bins": {"c_to_s": [13,3,0,2,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02174{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":583,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364924936,"flow_src_last_pkt_time":1578508365038162,"flow_dst_last_pkt_time":1578508365038195,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":415,"flow_dst_max_l4_payload_len":494,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":686,"midstream":0,"thread_ts_usec":1578508365038195,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"209.250.240.205","src_port":56638,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":7306.0,"max":43142,"stddev":14269.1,"var":203606176.0,"ent":2.8,"data": [32588,32677,1133,41248,3045,43142,1077,15,57,29,33,2220,3,33,1051,3,12,110,51,429,10,11,17,141,33844,34,22,20,33327,11,92]},"pktlen": {"min":52,"avg":106.0,"max":546,"stddev":112.4,"var":12624.2,"ent":4.5,"data": [64,60,52,467,52,546,52,84,53,176,55,68,84,53,195,52,52,52,68,52,84,53,100,67,68,64,64,64,64,212,164,52]},"bins": {"c_to_s": [13,3,0,2,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1],"entropies": [4.515677452,5.379368782,5.115703106,7.628110409,5.233812809,7.621943474,5.000318050,5.854679585,5.026765347,6.739012241,5.155788422,5.511559486,6.055828571,5.194625378,6.831315041,5.038779736,5.077241421,5.077241421,5.642391205,5.077241421,5.911284924,5.154216290,6.092246532,5.582411766,5.463837624,5.146419048,5.146419048,5.177669048,5.146419048,6.910353184,6.676519394,5.156889439]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":598,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365038942,"flow_src_last_pkt_time":1578508365038942,"flow_dst_last_pkt_time":1578508365038942,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365038942,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.230.108.42","src_port":56644,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":598,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365038942,"flow_dst_last_pkt_time":1578508365038942,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365038942,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG\/kfAqAG4DeZsKt1Edl+KMGOvAAAAALAC\/\/8AAwAAAgQFtAEDAwUBAQgKItiWLQAAAAAEAgAA"} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":605,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365009842,"flow_dst_last_pkt_time":1578508365039176,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365039176,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGe3mQW3iHwKgBuHZf3UEpl2emdDhi4qAScSAVuAAAAgQFrAQCCArbhaVwItiWFAEDAwc="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":606,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365039222,"flow_dst_last_pkt_time":1578508365039176,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365039222,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGb4HAqAG4kFt4h91Bdl90OGLiKZdnp4AQECylVgAAAQEICiLYli7bhaVw"} 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":607,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365009842,"flow_src_last_pkt_time":1578508365040566,"flow_dst_last_pkt_time":1578508365039176,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365040566,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"144.91.120.135","src_port":56641,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":617,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508364659294,"flow_src_last_pkt_time":1578508364932664,"flow_dst_last_pkt_time":1578508365043187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":423,"flow_src_tot_l4_payload_len":671,"flow_dst_tot_l4_payload_len":487,"midstream":0,"thread_ts_usec":1578508365043187,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":21202.0,"max":158141,"stddev":48725.8,"var":2374199552.0,"ent":2.4,"data": [158073,158141,1927,112688,964,45,111769,2,97,24,66,10,893,34,92,13,26,143,3,148,30,48,25,111098,32,825,2,26,2,1,16]},"pktlen": {"min":60,"avg":101.3,"max":497,"stddev":103.8,"var":10779.3,"ent":4.6,"data": [78,74,66,497,66,489,98,66,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02164{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":617,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508364659294,"flow_src_last_pkt_time":1578508364932664,"flow_dst_last_pkt_time":1578508365043187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":423,"flow_src_tot_l4_payload_len":671,"flow_dst_tot_l4_payload_len":487,"midstream":0,"thread_ts_usec":1578508365043187,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"40.67.144.128","src_port":56630,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":21202.0,"max":158141,"stddev":48725.8,"var":2374199552.0,"ent":2.4,"data": [158073,158141,1927,112688,964,45,111769,2,97,24,66,10,893,34,92,13,26,143,3,148,30,48,25,111098,32,825,2,26,2,1,16]},"pktlen": {"min":46,"avg":87.3,"max":483,"stddev":103.8,"var":10779.3,"ent":4.4,"data": [64,60,52,483,52,475,84,52,52,68,68,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46,46,46,46,46,46,46]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1],"entropies": [4.484427452,5.346035480,5.077241421,7.564687252,5.233812809,7.546903610,5.936781406,5.115703106,5.154164791,5.653491974,5.612979889,5.077241421,5.154164314,5.811898232,5.109905720,6.736226082,5.149451256,5.359375000,5.770115376,5.072169781,5.074242115,5.414525986,5.488122940,5.032077789,3.622137308,3.622137308,3.622137308,3.622137308,3.622137308,3.622137308,3.622137308,3.622137308]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":645,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365045064,"flow_dst_last_pkt_time":1578508365045064,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365045064,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":645,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365045064,"flow_dst_last_pkt_time":1578508365045064,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365045064,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGOT7AqAG4uduFPt1Fdl+PNscoAAAAALAC\/\/\/ScwAAAgQFtAEDAwUBAQgKItiWMgAAAAAEAgAA"} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":646,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_src_last_pkt_time":1578508364932939,"flow_dst_last_pkt_time":1578508365063785,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365063785,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAACMG2uES26efwKgBuHZf3T9fy8\/Lfuf1H6ASaN8cNgAAAgQFrAQCCAoSyYNbItiVzQEDAwc="} @@ -210,16 +210,16 @@ 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":718,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365094017,"flow_dst_last_pkt_time":1578508365092283,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":410,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365094017,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":728,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365094625,"flow_src_last_pkt_time":1578508365094625,"flow_dst_last_pkt_time":1578508365094625,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365094625,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"182.162.161.61","src_port":56647,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":728,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365094625,"flow_dst_last_pkt_time":1578508365094625,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365094625,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGIHjAqAG4tqKhPd1Hdl8HffxGAAAAALAC\/\/8MGQAAAgQFtAEDAwUBAQgKItiWYAAAAAAEAgAA"} -01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":732,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522827,"flow_src_last_pkt_time":1578508364921758,"flow_dst_last_pkt_time":1578508365096545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":490,"flow_dst_max_l4_payload_len":467,"flow_src_tot_l4_payload_len":730,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365096545,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"104.42.217.25","src_port":56611,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":31375.8,"max":202293,"stddev":71334.6,"var":5088628224.0,"ent":2.4,"data": [194951,195066,1242,202293,279,25,201303,2,92,53,99,12,102,9,99,103,126,125,566,17,55,13,75,43,16,62,14,42,23,175388,354]},"pktlen": {"min":60,"avg":105.8,"max":556,"stddev":115.5,"var":13350.2,"ent":4.5,"data": [78,74,66,556,66,533,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02168{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":732,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522827,"flow_src_last_pkt_time":1578508364921758,"flow_dst_last_pkt_time":1578508365096545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":490,"flow_dst_max_l4_payload_len":467,"flow_src_tot_l4_payload_len":730,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365096545,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"104.42.217.25","src_port":56611,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":31375.8,"max":202293,"stddev":71334.6,"var":5088628224.0,"ent":2.4,"data": [194951,195066,1242,202293,279,25,201303,2,92,53,99,12,102,9,99,103,126,125,566,17,55,13,75,43,16,62,14,42,23,175388,354]},"pktlen": {"min":46,"avg":91.8,"max":542,"stddev":115.5,"var":13350.2,"ent":4.4,"data": [64,60,52,542,52,519,84,52,52,53,52,54,65,52,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,52,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1],"entropies": [4.421927452,5.333454132,5.038780212,7.555685520,5.246409416,7.620338917,5.920769691,5.115702629,5.154164314,5.282457829,5.154164314,5.280635834,5.493683815,5.154164314,5.154164314,5.622612953,5.154164314,5.246409416,5.154164314,5.716195107,5.109905720,6.683475971,5.149451256,5.517535210,5.772800446,5.034432888,5.111279488,5.487678528,5.447609901,5.070538998,5.207947731,3.725504398]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":755,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365079165,"flow_dst_last_pkt_time":1578508365104666,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365104666,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAADMGeqysaV4+wKgBuHZf3UajVVX7HTpq6KAS\/ojIGAAAAgQFrAQCCAobAQsKItiWUQEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":756,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365104768,"flow_dst_last_pkt_time":1578508365104666,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365104768,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGbbzAqAG4rGlePt1Gdl8dOmroo1VV\/IAQECzlIgAAAQEICiLYlmgbAQsK"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":757,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365079165,"flow_src_last_pkt_time":1578508365105962,"flow_dst_last_pkt_time":1578508365104666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":474,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365105962,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"172.105.94.62","src_port":56646,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01774{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":842,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364824682,"flow_src_last_pkt_time":1578508365044863,"flow_dst_last_pkt_time":1578508365151822,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":513,"flow_src_tot_l4_payload_len":811,"flow_dst_tot_l4_payload_len":577,"midstream":0,"thread_ts_usec":1578508365151822,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"159.203.84.31","src_port":56634,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":17655.5,"max":109385,"stddev":39696.4,"var":1575808128.0,"ent":2.4,"data": [107626,107678,1475,109033,1825,109385,687,13,52,13,68,1028,198,109,79,136,133,112,7,116,2,80,130,42,5,71,30,33,21,107121,13]},"pktlen": {"min":60,"avg":109.6,"max":637,"stddev":130.9,"var":17130.1,"ent":4.4,"data": [78,74,66,637,66,579,66,98,67,190,69,82,98,66,67,66,68,66,79,82,66,66,98,66,67,66,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,0,1,1,0,0,0,1,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02172{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":842,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364824682,"flow_src_last_pkt_time":1578508365044863,"flow_dst_last_pkt_time":1578508365151822,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":513,"flow_src_tot_l4_payload_len":811,"flow_dst_tot_l4_payload_len":577,"midstream":0,"thread_ts_usec":1578508365151822,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"159.203.84.31","src_port":56634,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":17655.5,"max":109385,"stddev":39696.4,"var":1575808128.0,"ent":2.4,"data": [107626,107678,1475,109033,1825,109385,687,13,52,13,68,1028,198,109,79,136,133,112,7,116,2,80,130,42,5,71,30,33,21,107121,13]},"pktlen": {"min":46,"avg":95.6,"max":623,"stddev":130.9,"var":17130.1,"ent":4.3,"data": [64,60,52,623,52,565,52,84,53,176,55,68,84,52,53,52,54,52,65,68,52,52,84,52,53,52,54,65,68,52,46,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,0,1,1,0,0,0,1,0,0,0,0,0,0,1,1],"entropies": [4.484427452,5.379368782,5.115703583,7.654181480,5.195351601,7.665644169,5.154164791,5.911284924,5.191953182,6.883150101,5.155787945,5.581483364,5.880175591,5.115703106,5.194626331,5.115703106,5.305542946,5.115703106,5.587528229,5.730626106,5.101186275,5.091758728,5.816046715,5.156889915,5.154217243,5.062724590,5.052737236,5.322218418,5.581483364,5.139647484,3.969499111,4.012977600]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":900,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365153718,"flow_dst_last_pkt_time":1578508365153718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365153718,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":900,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365153718,"flow_dst_last_pkt_time":1578508365153718,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365153718,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGWefAqAG4I+T6jN1Kdl95PEStAAAAALAC\/\/+LMAAAAgQFtAEDAwUBAQgKItiWjwAAAAAEAgAA"} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":904,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365154075,"flow_src_last_pkt_time":1578508365154075,"flow_dst_last_pkt_time":1578508365154075,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365154075,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.201.12.87","src_port":56651,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":904,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365154075,"flow_dst_last_pkt_time":1578508365154075,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365154075,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG4TfAqAG4iskMV91Ldl\/HR3E5AAAAALAC\/\/+X6AAAAgQFtAEDAwUBAQgKItiWjwAAAAAEAgAA"} -01769{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":911,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365029590,"flow_src_last_pkt_time":1578508365168387,"flow_dst_last_pkt_time":1578508365168448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":469,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365168448,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.62.29.183","src_port":56643,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":8956.6,"max":48881,"stddev":17793.5,"var":316609056.0,"ent":2.7,"data": [44428,44545,1146,47405,2629,34,48881,2,106,60,120,15,121,3,107,116,574,31,61,16,57,386,11,31,13,50,43304,549,42693,151,10]},"pktlen": {"min":66,"avg":106.9,"max":535,"stddev":97.8,"var":9570.5,"ent":4.6,"data": [78,74,66,535,66,384,98,66,66,67,66,191,68,66,66,82,66,98,67,190,69,82,98,67,114,81,82,66,98,66,67,70]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02167{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":911,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365029590,"flow_src_last_pkt_time":1578508365168387,"flow_dst_last_pkt_time":1578508365168448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":469,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":531,"midstream":0,"thread_ts_usec":1578508365168448,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"178.62.29.183","src_port":56643,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":8956.6,"max":48881,"stddev":17793.5,"var":316609056.0,"ent":2.7,"data": [44428,44545,1146,47405,2629,34,48881,2,106,60,120,15,121,3,107,116,574,31,61,16,57,386,11,31,13,50,43304,549,42693,151,10]},"pktlen": {"min":52,"avg":92.9,"max":521,"stddev":97.8,"var":9570.5,"ent":4.5,"data": [64,60,52,521,52,370,84,52,52,53,52,177,54,52,52,68,52,84,53,176,55,68,84,53,100,67,68,52,84,52,53,56]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1],"entropies": [4.453177452,5.412702084,5.077241421,7.576026917,5.094483852,7.477237225,5.936781406,5.038779736,5.038779736,5.194627285,5.077241421,6.737099171,5.342579842,5.038780212,5.038780212,5.701214790,5.077241421,5.863666058,5.154217243,6.725339890,5.192151546,5.463837624,5.839856625,5.116481781,6.092247009,5.492858887,5.610895157,5.142373085,5.945767879,5.038779736,5.232362270,5.409769058]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":924,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365169225,"flow_src_last_pkt_time":1578508365169225,"flow_dst_last_pkt_time":1578508365169225,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365169225,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"176.9.136.209","src_port":56652,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":924,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365169225,"flow_dst_last_pkt_time":1578508365169225,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365169225,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGP33AqAG4sAmI0d1Mdl8ouUvbAAAAALAC\/\/+6CgAAAgQFtAEDAwUBAQgKItiWngAAAAAEAgAA"} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":928,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365154075,"flow_dst_last_pkt_time":1578508365186673,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365186673,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIG7zuKyQxXwKgBuHZf3Uu6UG6Lx0dxOqAScSDP1QAAAgQFrAQCCAq1b4mgItiWjwEDAwc="} @@ -230,7 +230,7 @@ 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":955,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365189369,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365189369,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365189369,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":30303,"dst_port":30303,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00672{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":955,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365189369,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":1578508365189369,"pkt":"EBMx8Tl2KDc3AG3ICABFAACcflcAAEARfx\/AqAG4Etunn3Zfdl8AiGnBB7Pc5ZlsDZTbUrqaaoRxeL1l7Crbcxf\/BOXFZNGdyZsOxpmBlW67u9+KWe59CkWnKw2GIsEnEKk87oxTf3me3BvKcrMQD0jXMXlBXiHkLViPnwRaOVxyx4odh7D\/BO97AAHdBMuEfwAAAYJ2X4J2X8mEEtunn4J2X4CEXhYgYQU="} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":955,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365189369,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365189369,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365189369,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":30303,"dst_port":30303,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01776{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":966,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365193903,"flow_dst_last_pkt_time":1578508365193933,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":382,"flow_src_tot_l4_payload_len":698,"flow_dst_tot_l4_payload_len":623,"midstream":0,"thread_ts_usec":1578508365193933,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9603.5,"max":51634,"stddev":18821.1,"var":354234048.0,"ent":2.8,"data": [47219,47359,1594,49528,3728,51634,828,16,1020,92,14,1,37,127,71,134,135,105,102,138,138,353,12,12,16,83,45623,1100,32,46342,115]},"pktlen": {"min":66,"avg":107.9,"max":476,"stddev":97.7,"var":9536.3,"ent":4.6,"data": [78,74,66,476,66,448,66,98,67,98,190,66,69,82,67,66,222,66,69,66,82,66,98,67,114,81,82,66,66,98,66,67]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,0,0,0,0,1,0,1,0,1,0,1,0,0,0,0,0,0,1,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02174{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":966,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365193903,"flow_dst_last_pkt_time":1578508365193933,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":382,"flow_src_tot_l4_payload_len":698,"flow_dst_tot_l4_payload_len":623,"midstream":0,"thread_ts_usec":1578508365193933,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9603.5,"max":51634,"stddev":18821.1,"var":354234048.0,"ent":2.8,"data": [47219,47359,1594,49528,3728,51634,828,16,1020,92,14,1,37,127,71,134,135,105,102,138,138,353,12,12,16,83,45623,1100,32,46342,115]},"pktlen": {"min":52,"avg":93.9,"max":462,"stddev":97.7,"var":9536.3,"ent":4.5,"data": [64,60,52,462,52,434,52,84,53,84,176,52,55,68,53,52,208,52,55,52,68,52,84,53,100,67,68,52,52,84,52,53]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,0,0,0,0,1,0,1,0,1,0,1,0,0,0,0,0,0,1,1,1,0,1],"entropies": [4.453177452,5.346035004,5.115703106,7.515024185,5.233812809,7.417223930,4.993616104,5.784938335,5.072169304,5.912971973,6.701569080,5.101185799,5.178425789,5.447610855,5.218119621,5.101185799,6.890011311,5.062724113,5.253729820,5.062724113,5.434425354,5.062724113,5.620957375,5.057926178,6.028760910,5.398105145,5.477022171,5.180834770,5.180834770,5.823570728,5.062724113,5.218119144]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":987,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365194618,"flow_src_last_pkt_time":1578508365194618,"flow_dst_last_pkt_time":1578508365194618,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365194618,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"202.112.28.106","src_port":56655,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":987,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365194618,"flow_dst_last_pkt_time":1578508365194618,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365194618,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGkX3AqAG4ynAcat1Pdl84sWAlAAAAALAC\/\/\/nsAAAAgQFtAEDAwUBAQgKItiWswAAAAAEAgAA"} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1015,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365169225,"flow_dst_last_pkt_time":1578508365201994,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365201994,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIGTYGwCYjRwKgBuHZf3UxCOLg9KLlL3KAScSB8NwAAAgQFrAQCCAqsVDbiItiWngEDAwc="} @@ -239,8 +239,8 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1018,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365153718,"flow_dst_last_pkt_time":1578508365210541,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365210541,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADYGY+sj5PqMwKgBuHZf3UovaHbWeTxErqASbgBmbgAAAgQFjAQCCAqaQodaItiWjwEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1019,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365210643,"flow_dst_last_pkt_time":1578508365210541,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365210643,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGWfPAqAG4I+T6jN1Kdl95PESuL2h214AQECjytwAAAQEICiLYlsKaQoda"} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1028,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365212245,"flow_dst_last_pkt_time":1578508365210541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":462,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":462,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365212245,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1030,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523039,"flow_src_last_pkt_time":1578508365008936,"flow_dst_last_pkt_time":1578508365219392,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":453,"flow_src_tot_l4_payload_len":690,"flow_dst_tot_l4_payload_len":517,"midstream":0,"thread_ts_usec":1578508365219392,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.231.165.108","src_port":56618,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":38137.1,"max":261804,"stddev":87113.6,"var":7588779008.0,"ent":2.3,"data": [261712,261804,1508,222767,73,3,23,221290,9,6,194,11,189,20,102,10,88,9,563,27,71,35,50,54,29,73,9,29,34,211443,15]},"pktlen": {"min":60,"avg":104.2,"max":519,"stddev":109.1,"var":11904.3,"ent":4.6,"data": [78,74,66,516,66,519,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1043,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523109,"flow_src_last_pkt_time":1578508365009640,"flow_dst_last_pkt_time":1578508365221428,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508365221428,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"191.234.162.198","src_port":56620,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":38221.0,"max":263164,"stddev":87319.6,"var":7624720896.0,"ent":2.3,"data": [263094,263164,1256,221848,245,3,9,220800,8,13,125,15,115,10,130,9,138,8,711,8,50,43,2,70,7,75,9,33,11,212620,221]},"pktlen": {"min":60,"avg":106.1,"max":578,"stddev":117.4,"var":13788.7,"ent":4.5,"data": [78,74,66,578,66,525,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02164{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1030,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523039,"flow_src_last_pkt_time":1578508365008936,"flow_dst_last_pkt_time":1578508365219392,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":453,"flow_src_tot_l4_payload_len":690,"flow_dst_tot_l4_payload_len":517,"midstream":0,"thread_ts_usec":1578508365219392,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.231.165.108","src_port":56618,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":38137.1,"max":261804,"stddev":87113.6,"var":7588779008.0,"ent":2.3,"data": [261712,261804,1508,222767,73,3,23,221290,9,6,194,11,189,20,102,10,88,9,563,27,71,35,50,54,29,73,9,29,34,211443,15]},"pktlen": {"min":46,"avg":90.2,"max":505,"stddev":109.1,"var":11904.3,"ent":4.4,"data": [64,60,52,502,52,505,84,53,52,52,52,54,65,52,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,52,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1],"entropies": [4.472632408,5.279368401,4.971284389,7.593235970,5.176993370,7.560348034,5.783750057,5.246605873,5.115703106,5.115703106,5.077241421,5.287864685,5.597605228,5.115703106,5.077241421,5.652023315,5.209868431,5.115703106,5.115703106,5.731483459,5.109905720,6.885459900,5.149450779,5.450927734,5.835707664,5.147641182,5.185353279,5.518447876,5.509750366,5.032077789,5.246409416,3.768982887]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02164{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1043,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523109,"flow_src_last_pkt_time":1578508365009640,"flow_dst_last_pkt_time":1578508365221428,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":752,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508365221428,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"191.234.162.198","src_port":56620,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":38221.0,"max":263164,"stddev":87319.6,"var":7624720896.0,"ent":2.3,"data": [263094,263164,1256,221848,245,3,9,220800,8,13,125,15,115,10,130,9,138,8,711,8,50,43,2,70,7,75,9,33,11,212620,221]},"pktlen": {"min":46,"avg":92.1,"max":564,"stddev":117.4,"var":13788.7,"ent":4.4,"data": [64,60,52,564,52,511,84,53,52,52,52,54,65,52,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1],"entropies": [4.421927452,5.346035480,4.947339535,7.600792408,5.169486523,7.523147583,5.992197990,5.169249058,5.077241421,5.077241421,5.077241421,5.243598461,5.597605228,5.077241421,5.077241421,5.582098961,5.169486046,5.077241421,5.077241421,5.874339581,4.996697903,6.697847366,5.062998295,5.410989761,5.779101849,5.034433842,5.037205219,5.383756638,5.546946526,4.955154419,3.682026148,3.682026148]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1061,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365189114,"flow_dst_last_pkt_time":1578508365223317,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365223317,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIGxFFV1mw0wKgBuHZf3U5vpmVtv4fCo6ASOJBjegAAAgQFrAQCCApls11ZItiWsAEDAwc="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1062,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365223392,"flow_dst_last_pkt_time":1578508365223317,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365223392,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGtlnAqAG4VdZsNN1Odl+\/h8Kjb6ZlboAQECy6hQAAAQEICiLYls1ls11Z"} 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1071,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365189114,"flow_src_last_pkt_time":1578508365225314,"flow_dst_last_pkt_time":1578508365223317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":508,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":508,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365225314,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"85.214.108.52","src_port":56654,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} @@ -248,9 +248,9 @@ 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1083,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365226088,"flow_dst_last_pkt_time":1578508365226088,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365226088,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGQk7AqAG4ikurvt1Rdl8erUWUAAAAALAC\/\/\/M9wAAAgQFtAEDAwUBAQgKItiW0AAAAAAEAgAA"} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1104,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365239758,"flow_dst_last_pkt_time":1578508365239758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365239758,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1104,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365239758,"flow_dst_last_pkt_time":1578508365239758,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365239758,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGQhrAqAG4neaYV91Sdl9OT1qyAAAAALAC\/\/+H9wAAAgQFtAEDAwUBAQgKItiW2wAAAAAEAgAA"} -01768{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365154075,"flow_src_last_pkt_time":1578508365225822,"flow_dst_last_pkt_time":1578508365257069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":417,"flow_dst_max_l4_payload_len":327,"flow_src_tot_l4_payload_len":657,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1578508365257069,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.201.12.87","src_port":56651,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":5636.8,"max":36541,"stddev":12197.5,"var":148778048.0,"ent":2.6,"data": [32598,32641,1212,33881,3882,36541,367,364,134,135,131,136,417,10,43,12,102,2,13,40,18,46,15,31120,114,13,120,11,562,50,11]},"pktlen": {"min":60,"avg":98.1,"max":483,"stddev":91.5,"var":8376.2,"ent":4.6,"data": [78,74,66,483,66,393,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01782{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1171,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365079165,"flow_src_last_pkt_time":1578508365271500,"flow_dst_last_pkt_time":1578508365271455,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":332,"flow_src_tot_l4_payload_len":810,"flow_dst_tot_l4_payload_len":780,"midstream":0,"thread_ts_usec":1578508365271500,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"172.105.94.62","src_port":56646,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":12407.3,"max":116020,"stddev":26211.9,"var":687065472.0,"ent":2.9,"data": [25501,25603,1194,25860,91412,116020,834,13,59,13,31,24470,23554,429,12,15,16,655,121,709,21,11,5,23284,18,24097,248,344,46,20,10]},"pktlen": {"min":66,"avg":116.3,"max":540,"stddev":108.5,"var":11769.5,"ent":4.6,"data": [78,74,66,540,66,398,66,98,67,190,69,82,306,66,98,67,114,81,66,82,66,66,66,66,274,66,66,98,66,67,69,78]},"bins": {"c_to_s": [14,4,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,1,1,1,1,1,0,0,1,0,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1188,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365169225,"flow_src_last_pkt_time":1578508365239481,"flow_dst_last_pkt_time":1578508365271811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":492,"midstream":0,"thread_ts_usec":1578508365271811,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"176.9.136.209","src_port":56652,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":5575.5,"max":34994,"stddev":12229.4,"var":149558160.0,"ent":2.5,"data": [32769,32829,1344,33937,2357,34994,270,193,122,12,123,10,417,12,70,10,89,1,14,53,11,44,42,32625,14,112,124,133,12,7,92]},"pktlen": {"min":60,"avg":104.6,"max":597,"stddev":116.9,"var":13676.1,"ent":4.5,"data": [78,74,66,597,66,494,66,98,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02167{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365154075,"flow_src_last_pkt_time":1578508365225822,"flow_dst_last_pkt_time":1578508365257069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":417,"flow_dst_max_l4_payload_len":327,"flow_src_tot_l4_payload_len":657,"flow_dst_tot_l4_payload_len":391,"midstream":0,"thread_ts_usec":1578508365257069,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.201.12.87","src_port":56651,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":5636.8,"max":36541,"stddev":12197.5,"var":148778048.0,"ent":2.6,"data": [32598,32641,1212,33881,3882,36541,367,364,134,135,131,136,417,10,43,12,102,2,13,40,18,46,15,31120,114,13,120,11,562,50,11]},"pktlen": {"min":46,"avg":84.1,"max":469,"stddev":91.5,"var":8376.2,"ent":4.5,"data": [64,60,52,469,52,379,52,84,52,68,52,68,52,84,53,176,55,68,84,53,54,65,68,52,52,46,46,46,46,46,46,46]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1],"entropies": [4.515677452,5.379368782,5.077241421,7.567195415,5.310736179,7.401209831,5.115703106,5.951604366,5.115703106,5.671802521,5.154164791,5.701214790,5.115703583,5.958903790,5.229689121,6.830620766,5.251152992,5.581483841,5.896461964,5.191953182,5.265881062,5.554578781,5.581483841,5.192626476,5.310736179,3.682026148,3.682026148,3.682026148,3.682026148,3.682026148,3.682026148,3.682026148]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02181{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1171,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365079165,"flow_src_last_pkt_time":1578508365271500,"flow_dst_last_pkt_time":1578508365271455,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":332,"flow_src_tot_l4_payload_len":810,"flow_dst_tot_l4_payload_len":780,"midstream":0,"thread_ts_usec":1578508365271500,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"172.105.94.62","src_port":56646,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":12407.3,"max":116020,"stddev":26211.9,"var":687065472.0,"ent":2.9,"data": [25501,25603,1194,25860,91412,116020,834,13,59,13,31,24470,23554,429,12,15,16,655,121,709,21,11,5,23284,18,24097,248,344,46,20,10]},"pktlen": {"min":52,"avg":102.3,"max":526,"stddev":108.5,"var":11769.5,"ent":4.5,"data": [64,60,52,526,52,384,52,84,53,176,55,68,292,52,84,53,100,67,52,68,52,52,52,52,260,52,52,84,52,53,55,64]},"bins": {"c_to_s": [14,4,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,1,1,1,1,1,0,0,1,0,0,0],"entropies": [4.441382408,5.289900780,4.976373672,7.566489220,5.131024361,7.376211166,5.053297043,5.896462440,5.130724430,6.832929611,5.096785545,5.533761978,7.210265636,5.053297043,5.805871487,5.055253029,5.924697399,5.492858887,5.246409416,5.480678558,5.246409416,5.169486046,5.246409416,5.246409416,7.089441776,5.193430901,4.976373672,5.702836037,5.193430901,5.130724430,5.205876350,5.255445480]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02165{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1188,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365169225,"flow_src_last_pkt_time":1578508365239481,"flow_dst_last_pkt_time":1578508365271811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":492,"midstream":0,"thread_ts_usec":1578508365271811,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"176.9.136.209","src_port":56652,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":5575.5,"max":34994,"stddev":12229.4,"var":149558160.0,"ent":2.5,"data": [32769,32829,1344,33937,2357,34994,270,193,122,12,123,10,417,12,70,10,89,1,14,53,11,44,42,32625,14,112,124,133,12,7,92]},"pktlen": {"min":46,"avg":90.6,"max":583,"stddev":116.9,"var":13676.1,"ent":4.4,"data": [64,60,52,583,52,480,52,84,52,68,68,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46,46,46,46,46,46,46]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1],"entropies": [4.453177452,5.379369259,5.115703106,7.627379894,5.272274971,7.546579361,5.077241421,5.936781406,5.077241421,5.701214314,5.701214314,5.115703106,5.115703106,5.911284924,5.154217243,6.794458389,5.228514671,5.699130058,5.935094357,5.191953182,5.228844166,5.493040085,5.581483841,5.154164791,3.725504637,3.725504637,3.725504637,3.725504637,3.725504637,3.725504637,3.725504637,3.725504637]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1189,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365271977,"flow_src_last_pkt_time":1578508365271977,"flow_dst_last_pkt_time":1578508365271977,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365271977,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.161.23.12","src_port":56660,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1189,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365271977,"flow_dst_last_pkt_time":1578508365271977,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365271977,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGLavAqAG4M6EXDN1Udl9XVw7PAAAAALAC\/\/+2RQAAAgQFtAEDAwUBAQgKItiW9wAAAAAEAgAA"} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1195,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365279592,"flow_dst_last_pkt_time":1578508365279592,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365279592,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -259,13 +259,13 @@ 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1208,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":56,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365295537,"flow_dst_last_pkt_time":1578508365295537,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365295537,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGbF\/AqAG4I+XoE91Wdl\/o6wkCAAAAALAC\/\/9pGwAAAgQFtAEDAwUBAQgKItiXDAAAAAAEAgAA"} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1220,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365300081,"flow_src_last_pkt_time":1578508365300081,"flow_dst_last_pkt_time":1578508365300081,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365300081,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"124.217.235.180","src_port":56663,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1220,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365300081,"flow_dst_last_pkt_time":1578508365300081,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365300081,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGD8rAqAG4fNnrtN1Xdl9L2gYiAAAAALAC\/\/+scgAAAgQFtAEDAwUBAQgKItiXEAAAAAAEAgAA"} -01777{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1222,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364832618,"flow_src_last_pkt_time":1578508365154217,"flow_dst_last_pkt_time":1578508365304459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":413,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":653,"flow_dst_tot_l4_payload_len":469,"midstream":0,"thread_ts_usec":1578508365304459,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"162.228.29.160","src_port":56635,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":25594.8,"max":159357,"stddev":56992.8,"var":3248178688.0,"ent":2.5,"data": [157669,157791,1578,152892,8130,159357,1177,13,61,20,78,1877,13,527,1,123,12,130,3,101,114,166,3,78,34,46,32,749,390,149661,614]},"pktlen": {"min":60,"avg":101.5,"max":479,"stddev":99.1,"var":9815.1,"ent":4.6,"data": [78,74,66,479,66,471,66,98,67,190,69,82,98,67,66,66,68,79,66,66,82,66,98,67,68,79,82,66,66,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,0,0,1,0,0,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01774{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1231,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364932939,"flow_src_last_pkt_time":1578508365188877,"flow_dst_last_pkt_time":1578508365309479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":490,"flow_src_tot_l4_payload_len":761,"flow_dst_tot_l4_payload_len":554,"midstream":0,"thread_ts_usec":1578508365309479,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":56639,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":20402.5,"max":130950,"stddev":46194.5,"var":2133934848.0,"ent":2.4,"data": [130846,130950,1277,122765,1253,122671,155,10,149,9,88,86,123,126,124,123,256,9,49,17,28,59,7,51,29,22,20,121098,33,23,22]},"pktlen": {"min":60,"avg":107.0,"max":587,"stddev":122.2,"var":14931.5,"ent":4.5,"data": [78,74,66,587,66,556,66,98,67,66,66,81,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60]},"bins": {"c_to_s": [16,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02175{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1222,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364832618,"flow_src_last_pkt_time":1578508365154217,"flow_dst_last_pkt_time":1578508365304459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":413,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":653,"flow_dst_tot_l4_payload_len":469,"midstream":0,"thread_ts_usec":1578508365304459,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"162.228.29.160","src_port":56635,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":25594.8,"max":159357,"stddev":56992.8,"var":3248178688.0,"ent":2.5,"data": [157669,157791,1578,152892,8130,159357,1177,13,61,20,78,1877,13,527,1,123,12,130,3,101,114,166,3,78,34,46,32,749,390,149661,614]},"pktlen": {"min":46,"avg":87.5,"max":465,"stddev":99.1,"var":9815.1,"ent":4.5,"data": [64,60,52,465,52,457,52,84,53,176,55,68,84,53,52,52,54,65,52,52,68,52,84,53,54,65,68,52,52,52,52,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,0,0,1,0,0,0,0,0,0,0,1,0,1,1],"entropies": [4.421927452,5.346035480,5.077241421,7.486079693,5.156889439,7.536809444,5.038779736,5.887475491,5.154217243,6.869001865,5.192151070,5.540970802,5.945767879,5.232362270,5.038779736,5.077241421,5.268505096,5.556758881,5.077241421,5.038780212,5.612979889,5.038780212,5.673190117,5.078745365,5.080696106,5.322218418,5.522660255,5.077241421,5.156889915,5.077241421,5.233813286,3.768982887]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02172{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1231,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508364932939,"flow_src_last_pkt_time":1578508365188877,"flow_dst_last_pkt_time":1578508365309479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":490,"flow_src_tot_l4_payload_len":761,"flow_dst_tot_l4_payload_len":554,"midstream":0,"thread_ts_usec":1578508365309479,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.219.167.159","src_port":56639,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":20402.5,"max":130950,"stddev":46194.5,"var":2133934848.0,"ent":2.4,"data": [130846,130950,1277,122765,1253,122671,155,10,149,9,88,86,123,126,124,123,256,9,49,17,28,59,7,51,29,22,20,121098,33,23,22]},"pktlen": {"min":46,"avg":93.0,"max":573,"stddev":122.2,"var":14931.5,"ent":4.3,"data": [64,60,52,573,52,542,52,84,53,52,52,67,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46,46,46]},"bins": {"c_to_s": [16,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1],"entropies": [4.484427452,5.300120831,5.038779736,7.626091480,5.156889439,7.533421516,5.077241898,5.942617416,5.156890869,5.038780212,5.038780212,5.524824619,5.077241898,5.583567619,5.077241898,5.156889439,5.038780212,5.902298450,5.116480827,6.768815994,5.105699062,5.552071571,5.744618893,5.116480827,5.117732525,5.395370483,5.552071571,5.077241421,3.926020861,3.969499111,3.969499111,3.969499111]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00700{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1239,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365315790,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":192,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":192,"pkt_l4_len":158,"thread_ts_usec":1578508365315790,"pkt":"KDc3AG3IEBMx8Tl2CABFAACymwlAACMRP1cS26efwKgBuHZfdl8AnsFrVj4puAH6ZgARKbHJmno0oUTDSx6ME3WyQvgYFdLFf82IMxF0n+9n2kTCv9WKp0W5OWAeoQIHesUQlOhBZUox8XuUKjSw2r\/cLxIh6clEUwjRudwx4mptlXU2a3WMaDxBAALzy4RPFs69gun3gnZfoAez3OWZbA2U21K6mmqEcXi9Zewq23MX\/wTlxWTRncmbhF4WIGEK"} 00672{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1240,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365189369,"flow_dst_last_pkt_time":1578508365315825,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":1578508365315825,"pkt":"KDc3AG3IEBMx8Tl2CABFAACcmwpAACMRP2wS26efwKgBuHZfdl8AiLphceZOwZGufNXFAvXWI774ooc6PkwC6kxvzCm0BhiTs\/TWig3gE4P3+Y0lY\/Fll4rTUKnacLSuqKdSUAk7eTbz218E2dS8j3sLMJigll9ziTSt7jKgE6R7GxELpoJhO+ReAQHdBMuEEtunn4J2X4J2X8mETxbOvYLp94CEXhYgYQo="} -01775{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365327684,"flow_dst_last_pkt_time":1578508365329449,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":462,"flow_dst_max_l4_payload_len":442,"flow_src_tot_l4_payload_len":750,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1578508365329449,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":11280.5,"max":57129,"stddev":22219.5,"var":493705824.0,"ent":2.8,"data": [56823,56925,1602,56390,2342,57129,531,462,124,8,117,8,162,10,51,23,20,1132,926,430,2,33,26,92,56511,32,22,55939,9,1784,32]},"pktlen": {"min":66,"avg":114.4,"max":528,"stddev":109.7,"var":12030.8,"ent":4.6,"data": [78,74,66,528,66,508,66,98,66,209,67,66,66,98,67,190,69,82,82,66,98,67,114,81,82,66,98,148,66,66,96,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01775{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1264,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523182,"flow_src_last_pkt_time":1578508365078877,"flow_dst_last_pkt_time":1578508365330913,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":382,"midstream":0,"thread_ts_usec":1578508365330913,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.108.67","src_port":56622,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":43981.5,"max":300415,"stddev":100376.1,"var":10075352064.0,"ent":2.3,"data": [300373,300415,1705,253379,743,11,252408,10,126,124,122,12,120,7,112,11,115,13,362,33,90,11,17,64,29,59,24,45,44,252812,30]},"pktlen": {"min":60,"avg":102.3,"max":597,"stddev":106.2,"var":11275.5,"ent":4.6,"data": [78,74,66,597,66,384,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01778{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1282,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523185,"flow_src_last_pkt_time":1578508365096272,"flow_dst_last_pkt_time":1578508365350710,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":471,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":711,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508365350710,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.81.28","src_port":56623,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":45181.0,"max":308079,"stddev":102626.0,"var":10532101120.0,"ent":2.4,"data": [308002,308079,2079,260252,1619,259755,495,482,122,10,122,8,118,9,119,17,140,15,66,21,45,75,23,49,39,20,18,2347,1915,254515,36]},"pktlen": {"min":60,"avg":103.8,"max":537,"stddev":108.1,"var":11684.8,"ent":4.6,"data": [78,74,66,537,66,488,66,98,66,67,68,66,66,79,82,66,66,98,67,190,69,82,98,67,68,79,82,66,66,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02174{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365153718,"flow_src_last_pkt_time":1578508365327684,"flow_dst_last_pkt_time":1578508365329449,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":462,"flow_dst_max_l4_payload_len":442,"flow_src_tot_l4_payload_len":750,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1578508365329449,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.250.140","src_port":56650,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":11280.5,"max":57129,"stddev":22219.5,"var":493705824.0,"ent":2.8,"data": [56823,56925,1602,56390,2342,57129,531,462,124,8,117,8,162,10,51,23,20,1132,926,430,2,33,26,92,56511,32,22,55939,9,1784,32]},"pktlen": {"min":52,"avg":100.4,"max":514,"stddev":109.7,"var":12030.8,"ent":4.5,"data": [64,60,52,514,52,494,52,84,52,195,53,52,52,84,53,176,55,68,68,52,84,53,100,67,68,52,84,134,52,52,82,52]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,0,1,1],"entropies": [4.515677452,5.240226269,5.115703106,7.534019470,5.233812809,7.516967297,5.154164791,5.847379684,5.115703106,6.830158234,5.194627285,5.024262905,5.038780212,5.926107883,5.078744888,6.739013672,5.192151070,5.482147217,5.671802521,5.115703106,5.887475491,5.191953182,6.048761845,5.522709846,5.522660255,5.233812809,5.894998550,6.621984482,5.115703106,5.062724590,5.776439667,5.272274494]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02173{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1264,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523182,"flow_src_last_pkt_time":1578508365078877,"flow_dst_last_pkt_time":1578508365330913,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":318,"flow_src_tot_l4_payload_len":771,"flow_dst_tot_l4_payload_len":382,"midstream":0,"thread_ts_usec":1578508365330913,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.108.67","src_port":56622,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":43981.5,"max":300415,"stddev":100376.1,"var":10075352064.0,"ent":2.3,"data": [300373,300415,1705,253379,743,11,252408,10,126,124,122,12,120,7,112,11,115,13,362,33,90,11,17,64,29,59,24,45,44,252812,30]},"pktlen": {"min":46,"avg":88.3,"max":583,"stddev":106.2,"var":11275.5,"ent":4.4,"data": [64,60,52,583,52,370,84,52,52,53,52,54,65,52,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1],"entropies": [4.428027153,5.279368877,5.038780212,7.657849789,5.131024361,7.439465523,5.864164352,5.000318527,5.000318050,5.244720936,5.038779736,5.317672253,5.536067009,5.000318050,5.000318050,5.563788414,5.169486046,5.000318050,5.000318050,5.759441853,4.989030361,6.735422134,5.192151546,5.357292175,5.816047192,5.041008472,5.154769897,5.339193821,5.410754204,5.038779736,3.682026386,3.682026386]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02176{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1282,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523185,"flow_src_last_pkt_time":1578508365096272,"flow_dst_last_pkt_time":1578508365350710,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":471,"flow_dst_max_l4_payload_len":422,"flow_src_tot_l4_payload_len":711,"flow_dst_tot_l4_payload_len":486,"midstream":0,"thread_ts_usec":1578508365350710,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"18.138.81.28","src_port":56623,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":45181.0,"max":308079,"stddev":102626.0,"var":10532101120.0,"ent":2.4,"data": [308002,308079,2079,260252,1619,259755,495,482,122,10,122,8,118,9,119,17,140,15,66,21,45,75,23,49,39,20,18,2347,1915,254515,36]},"pktlen": {"min":46,"avg":89.8,"max":523,"stddev":108.1,"var":11684.8,"ent":4.4,"data": [64,60,52,523,52,474,52,84,52,53,54,52,52,65,68,52,52,84,53,176,55,68,84,53,54,65,68,52,52,52,52,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1],"entropies": [4.515677452,5.379368782,5.115703106,7.587895393,5.233812809,7.532115936,5.077241421,5.898149014,5.038779736,5.232362747,5.231468678,5.000318050,5.038779736,5.618297577,5.642390728,5.038779736,5.000318050,5.825033665,5.041009426,6.724864960,5.192151070,5.429300308,5.854679585,5.078745842,5.117733479,5.462270737,5.482147217,5.038779736,5.195351601,5.077241421,5.195351601,3.768982887]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1315,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365408726,"flow_src_last_pkt_time":1578508365408726,"flow_dst_last_pkt_time":1578508365408726,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":129,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":129,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365408726,"l3_proto":"ip4","src_ip":"183.129.242.164","dst_ip":"192.168.1.184","src_port":1024,"dst_port":30303,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00675{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1315,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365408726,"flow_dst_last_pkt_time":1578508365408726,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":171,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":171,"pkt_l4_len":137,"thread_ts_usec":1578508365408726,"pkt":"KDc3AG3IEBMx8Tl2CABFAACdhY9AAC4RWjq3gfKkwKgBuAQAdl8AiS5Y3VkKujBE9K5giYMoNotbt65xxd7ko3VSXKgTCSaupxKnp71rmT0XRsX6xoF5macEurqmdfib0\/9m0ybRIVy\/Qzz+\/\/zwyKtEHKyC9Xjjwvc8TLpzNetXjDWFS0pbC\/Z0AQHeBcuErBRsfYJ2X4J2X8uETxbOvYLp94J2X4ReFiBh"} 00988{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1315,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365408726,"flow_src_last_pkt_time":1578508365408726,"flow_dst_last_pkt_time":1578508365408726,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":129,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":129,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365408726,"l3_proto":"ip4","src_ip":"183.129.242.164","dst_ip":"192.168.1.184","src_port":1024,"dst_port":30303,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} @@ -277,7 +277,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1321,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365239758,"flow_dst_last_pkt_time":1578508365419060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365419060,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADAGUh6d5phXwKgBuHZf3VIVkuQhTk9as6AScSDAlwAAAgQFrAQCCAq827CpItiW2wEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1322,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365419127,"flow_dst_last_pkt_time":1578508365419060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365419127,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGQibAqAG4neaYV91Sdl9OT1qzFZLkIoAQECxPsAAAAQEICiLYl3u827Cp"} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1323,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365420924,"flow_dst_last_pkt_time":1578508365419060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":583,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":583,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365420924,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01776{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1325,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522826,"flow_src_last_pkt_time":1578508365153717,"flow_dst_last_pkt_time":1578508365439333,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":574,"flow_dst_max_l4_payload_len":396,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":460,"midstream":0,"thread_ts_usec":1578508365439333,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"165.22.107.33","src_port":56610,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":49916.1,"max":339297,"stddev":113624.6,"var":12910541824.0,"ent":2.4,"data": [339196,339297,1296,287250,2535,288430,1006,11,1005,14,2,8,122,6,111,4,2,12,35,118,61,115,34,101,31,26,56,616,251,285614,33]},"pktlen": {"min":60,"avg":106.1,"max":640,"stddev":119.2,"var":14212.1,"ent":4.5,"data": [78,74,66,640,66,462,66,98,67,66,66,98,67,68,79,190,66,69,66,82,82,66,98,67,68,79,82,66,66,66,60,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02174{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1325,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364522826,"flow_src_last_pkt_time":1578508365153717,"flow_dst_last_pkt_time":1578508365439333,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":574,"flow_dst_max_l4_payload_len":396,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":460,"midstream":0,"thread_ts_usec":1578508365439333,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"165.22.107.33","src_port":56610,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":49916.1,"max":339297,"stddev":113624.6,"var":12910541824.0,"ent":2.4,"data": [339196,339297,1296,287250,2535,288430,1006,11,1005,14,2,8,122,6,111,4,2,12,35,118,61,115,34,101,31,26,56,616,251,285614,33]},"pktlen": {"min":46,"avg":92.1,"max":626,"stddev":119.2,"var":14212.1,"ent":4.4,"data": [64,60,52,626,52,448,52,84,53,52,52,84,53,54,65,176,52,55,52,68,68,52,84,53,54,65,68,52,52,52,46,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,1,1],"entropies": [4.453177452,5.379368782,5.038780212,7.608707905,5.000318050,7.463840485,5.077241421,5.793924809,5.119154453,5.000318050,5.038779736,5.816047192,5.041009426,5.103753567,5.464450836,6.749572277,5.000318050,5.155787945,5.000318050,5.441635132,5.524744034,5.038779736,5.878488541,5.041008949,5.117733002,5.431501389,5.552072525,5.115703106,5.156889439,5.115703106,3.725504398,3.725504398]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1339,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365279592,"flow_dst_last_pkt_time":1578508365458807,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365458807,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAACwG2AY0CYBEwKgBuHZf3VXR7JfX7e3rXKASaN9TlwAAAgQFrAQCCAqDIEEYItiW\/gEDAwc="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1340,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365458850,"flow_dst_last_pkt_time":1578508365458807,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365458850,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGxBbAqAG4NAmARN1Vdl\/t7etc0eyX2IAQECzabQAAAQEICiLYl5+DIEEY"} 00984{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1341,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365460380,"flow_dst_last_pkt_time":1578508365458807,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":472,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365460380,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} @@ -290,7 +290,7 @@ 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1346,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365226088,"flow_dst_last_pkt_time":1578508365485758,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365485758,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAAC0GVVKKS6u+wKgBuHZf3VEGdfqIHq1FlaAS\/og\/VgAAAgQFrAQCCAqkAfsSItiW0AEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1347,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365485867,"flow_dst_last_pkt_time":1578508365485758,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365485867,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGQlrAqAG4ikurvt1Rdl8erUWVBnX6iYAQECxbjgAAAQEICiLYl7mkAfsS"} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1348,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365487180,"flow_dst_last_pkt_time":1578508365485758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":539,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365487180,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01780{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1350,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523145,"flow_src_last_pkt_time":1578508365197191,"flow_dst_last_pkt_time":1578508365510722,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":525,"flow_dst_max_l4_payload_len":451,"flow_src_tot_l4_payload_len":765,"flow_dst_tot_l4_payload_len":515,"midstream":0,"thread_ts_usec":1578508365510722,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.187.207.27","src_port":56621,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":53600.7,"max":354597,"stddev":122026.8,"var":14890529792.0,"ent":2.4,"data": [354503,354597,1517,316901,1340,316735,173,101,119,114,122,127,128,12,120,9,115,122,283,10,68,11,22,44,44,48,7,18,49,313859,305]},"pktlen": {"min":60,"avg":106.4,"max":591,"stddev":118.1,"var":13953.7,"ent":4.5,"data": [78,74,66,591,66,517,66,98,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02178{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1350,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1578508364523145,"flow_src_last_pkt_time":1578508365197191,"flow_dst_last_pkt_time":1578508365510722,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":525,"flow_dst_max_l4_payload_len":451,"flow_src_tot_l4_payload_len":765,"flow_dst_tot_l4_payload_len":515,"midstream":0,"thread_ts_usec":1578508365510722,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.187.207.27","src_port":56621,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":53600.7,"max":354597,"stddev":122026.8,"var":14890529792.0,"ent":2.4,"data": [354503,354597,1517,316901,1340,316735,173,101,119,114,122,127,128,12,120,9,115,122,283,10,68,11,22,44,44,48,7,18,49,313859,305]},"pktlen": {"min":46,"avg":92.4,"max":577,"stddev":118.1,"var":13953.7,"ent":4.4,"data": [64,60,52,577,52,503,52,84,52,53,52,54,52,65,68,52,52,52,52,84,53,176,55,68,84,53,54,65,68,52,52,46]},"bins": {"c_to_s": [17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1],"entropies": [4.515677452,5.379368782,5.077241898,7.643549442,5.207947731,7.572619438,5.077241898,5.878986835,5.077241421,5.282456875,5.077241421,5.280635357,5.077241421,5.480534077,5.670333862,5.038779736,5.077241421,5.131024361,5.038779736,5.665890694,5.034432411,6.857876301,5.113088131,5.388787270,5.793924809,5.034432888,5.037204742,5.395370483,5.418199539,4.955154419,5.131024361,3.682026386]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1373,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365567882,"flow_src_last_pkt_time":1578508365567882,"flow_dst_last_pkt_time":1578508365567882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365567882,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"106.12.39.168","src_port":30303,"dst_port":30333,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00673{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1373,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365567882,"flow_dst_last_pkt_time":1578508365567882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":1578508365567882,"pkt":"EBMx8Tl2KDc3AG3ICABFAACcHIoAAEARCbPAqAG4agwnqHZfdn0AiGszdDnl2LgHwUzwnp\/NUaAjl2\/6ukAyoGtKBC9U9NcJJ2SSjY1bIBQONPG3UmfcMXvTBTN6oZMu6GXIBxr9UadDckfonN6CsHl3H7EBI7wV8mnDuf+AbUa\/i02tPDo+DL09AAHdBMuEfwAAAYJ2X4J2X8mEagwnqIJ2fYCEXhYgYQU="} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1373,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365567882,"flow_src_last_pkt_time":1578508365567882,"flow_dst_last_pkt_time":1578508365567882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365567882,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"106.12.39.168","src_port":30303,"dst_port":30333,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} @@ -314,13 +314,13 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1463,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365300081,"flow_dst_last_pkt_time":1578508365688431,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365688431,"pkt":"KDc3AG3IEBMx8Tl2CABFCAA8AABAACwGI8Z82eu0wKgBuHZf3VfxiPe9S9oGI6AScSAoCwAAAgQFrAQCCArI+HIBItiXEAEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1464,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365688547,"flow_dst_last_pkt_time":1578508365688431,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365688547,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGD9bAqAG4fNnrtN1Xdl9L2gYj8Yj3voAQECy2XAAAAQEICiLYmHfI+HIB"} 00988{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1465,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365300081,"flow_src_last_pkt_time":1578508365690049,"flow_dst_last_pkt_time":1578508365688431,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":545,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":545,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365690049,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"124.217.235.180","src_port":56663,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01784{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1470,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365271977,"flow_src_last_pkt_time":1578508365699150,"flow_dst_last_pkt_time":1578508365699343,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":573,"flow_dst_max_l4_payload_len":421,"flow_src_tot_l4_payload_len":861,"flow_dst_tot_l4_payload_len":662,"midstream":0,"thread_ts_usec":1578508365699343,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.161.23.12","src_port":56660,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":27565.8,"max":147323,"stddev":54220.4,"var":2939852800.0,"ent":2.8,"data": [139345,139431,1667,141731,7248,147323,778,15,57,13,65,6714,5782,300,242,748,13,7,750,26,2,438,13,27,43,49,129951,188,824,130452,297]},"pktlen": {"min":66,"avg":114.2,"max":639,"stddev":122.1,"var":14898.1,"ent":4.5,"data": [78,74,66,639,66,487,66,98,67,190,69,82,98,66,67,66,216,75,82,66,66,66,98,67,114,81,82,66,66,98,66,67]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02183{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1470,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365271977,"flow_src_last_pkt_time":1578508365699150,"flow_dst_last_pkt_time":1578508365699343,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":573,"flow_dst_max_l4_payload_len":421,"flow_src_tot_l4_payload_len":861,"flow_dst_tot_l4_payload_len":662,"midstream":0,"thread_ts_usec":1578508365699343,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.161.23.12","src_port":56660,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":27565.8,"max":147323,"stddev":54220.4,"var":2939852800.0,"ent":2.8,"data": [139345,139431,1667,141731,7248,147323,778,15,57,13,65,6714,5782,300,242,748,13,7,750,26,2,438,13,27,43,49,129951,188,824,130452,297]},"pktlen": {"min":52,"avg":100.2,"max":625,"stddev":122.1,"var":14898.1,"ent":4.4,"data": [64,60,52,625,52,473,52,84,53,176,55,68,84,52,53,52,202,61,68,52,52,52,84,53,100,67,68,52,52,84,52,53]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1],"entropies": [4.453177452,5.273559570,4.976373672,7.683106422,5.094483852,7.563943863,5.053297043,5.816047192,5.055253029,6.738208294,5.205876350,5.563172817,5.912971973,5.115703106,5.307834625,5.115703106,6.880195141,5.500168800,5.701214790,5.077241421,5.077241421,5.038779736,5.830870152,5.003273487,6.124698639,5.451741219,5.522660255,5.094483376,5.132945061,5.969577789,5.000318527,5.246605873]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1484,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365701530,"flow_src_last_pkt_time":1578508365701530,"flow_dst_last_pkt_time":1578508365701530,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365701530,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"139.162.255.210","src_port":56672,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1484,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365701530,"flow_dst_last_pkt_time":1578508365701530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365701530,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG7OLAqAG4i6L\/0t1gdl\/B\/P6FAAAAALAC\/\/8ZigAAAgQFtAEDAwUBAQgKItiYggAAAAAEAgAA"} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1517,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365712625,"flow_src_last_pkt_time":1578508365712625,"flow_dst_last_pkt_time":1578508365712625,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365712625,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"78.47.147.155","src_port":56673,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1517,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365712625,"flow_dst_last_pkt_time":1578508365712625,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365712625,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGlo3AqAG4Ti+Tm91hdl8xKZuYAAAAALAC\/\/+26gAAAgQFtAEDAwUBAQgKItiYjAAAAAAEAgAA"} 00728{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1521,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365736342,"flow_dst_last_pkt_time":1578508364732443,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":213,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":213,"pkt_l4_len":179,"thread_ts_usec":1578508365736342,"pkt":"EBMx8Tl2KDc3AG3ICABFAADHpIMAAEARoqnAqAG4b+UAtHZfTtYAsxSK2l5Lj\/FNPSwNskN7KXHg69sINFX5NaCleeEwgXwmONn61xupKUye1QOfHD1DMyDw8Rv4bxSGME4AJ9XC7q+0Pwz+NqNAUtNYGL1TDF+F5wROIhyoide5OcgIFnuRD6baAQP4R7hAggEUSZWpWZm0YK3HCqZiBR7sHJ3wp8USPzyX73HGoWVqts4UjRd8TfDxZuCIPe7jI\/CXMWJB7l7pTCCyfJvg8YReFiBh"} -01775{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1532,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":62,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1578508365592330,"flow_src_last_pkt_time":1578508365741203,"flow_dst_last_pkt_time":1578508365740945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":364,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":812,"midstream":0,"thread_ts_usec":1578508365741203,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"86.107.243.62","src_port":56671,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":9596.4,"max":39189,"stddev":16023.4,"var":256750832.0,"ent":3.1,"data": [39074,39189,1465,38437,362,37288,763,13,47,10,88,39176,38284,307,256,561,11,34,20,89,30734,30582,269,187,28,20,37,34,54,6,63]},"pktlen": {"min":66,"avg":121.0,"max":606,"stddev":118.7,"var":14100.3,"ent":4.6,"data": [78,74,66,606,66,430,66,98,67,190,69,82,306,66,66,66,98,67,114,81,82,274,66,66,98,67,69,78,82,98,67,70]},"bins": {"c_to_s": [17,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02174{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1532,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":62,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1578508365592330,"flow_src_last_pkt_time":1578508365741203,"flow_dst_last_pkt_time":1578508365740945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":540,"flow_dst_max_l4_payload_len":364,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":812,"midstream":0,"thread_ts_usec":1578508365741203,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"86.107.243.62","src_port":56671,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":9596.4,"max":39189,"stddev":16023.4,"var":256750832.0,"ent":3.1,"data": [39074,39189,1465,38437,362,37288,763,13,47,10,88,39176,38284,307,256,561,11,34,20,89,30734,30582,269,187,28,20,37,34,54,6,63]},"pktlen": {"min":52,"avg":107.0,"max":592,"stddev":118.7,"var":14100.3,"ent":4.4,"data": [64,60,52,592,52,416,52,84,53,176,55,68,292,52,52,52,84,53,100,67,68,260,52,52,84,53,55,64,68,84,53,56]},"bins": {"c_to_s": [17,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0],"entropies": [4.484427452,5.346035480,5.077241421,7.656184673,5.233812809,7.517492771,5.077241898,5.839856625,5.102238178,6.715719223,5.192151070,5.552071571,7.256381512,5.038780212,5.118427753,5.195351124,5.807060242,5.116481304,6.072246075,5.481591702,5.581483841,7.116200924,5.038780212,5.233812809,5.744618893,5.154217243,5.228514671,5.419355392,5.552072048,5.863666058,5.154217243,5.264381886]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1536,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365741903,"flow_dst_last_pkt_time":1578508365741903,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365741903,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1536,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365741903,"flow_dst_last_pkt_time":1578508365741903,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365741903,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG4nHAqAG4XkQ3ot1idl9YCAHzAAAAALAC\/\/91dwAAAgQFtAEDAwUBAQgKItiYqQAAAAAEAgAA"} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1539,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365701530,"flow_dst_last_pkt_time":1578508365742943,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365742943,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADIG+uaLov\/SwKgBuHZf3WDeocLiwfz+hqAS\/ogDJwAAAgQFrAQCCArjm6OzItiYggEDAwc="} @@ -335,16 +335,16 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1582,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":66,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365777046,"flow_dst_last_pkt_time":1578508365776923,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365777046,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGLqHAqAG4I+sl2N1jdl9d8bOcqknE0YAQECyPmwAAAQEICiLYmMg1IQWk"} 00986{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1583,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":66,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365751805,"flow_src_last_pkt_time":1578508365778282,"flow_dst_last_pkt_time":1578508365776923,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":530,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365778282,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.235.37.216","src_port":56675,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00728{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1586,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365781990,"flow_dst_last_pkt_time":1578508364776411,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":213,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":213,"pkt_l4_len":179,"thread_ts_usec":1578508365781990,"pkt":"EBMx8Tl2KDc3AG3ICABFAADHjqoAAEARyLjAqAG40WGPAXZfw1AAs7BF2l5Lj\/FNPSwNskN7KXHg69sINFX5NaCleeEwgXwmONn61xupKUye1QOfHD1DMyDw8Rv4bxSGME4AJ9XC7q+0Pwz+NqNAUtNYGL1TDF+F5wROIhyoide5OcgIFnuRD6baAQP4R7hAggEUSZWpWZm0YK3HCqZiBR7sHJ3wp8USPzyX73HGoWVqts4UjRd8TfDxZuCIPe7jI\/CXMWJB7l7pTCCyfJvg8YReFiBh"} -01783{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1589,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365782730,"flow_dst_last_pkt_time":1578508365782698,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":583,"flow_dst_max_l4_payload_len":391,"flow_src_tot_l4_payload_len":871,"flow_dst_tot_l4_payload_len":648,"midstream":0,"thread_ts_usec":1578508365782730,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":35029.4,"max":184362,"stddev":71024.3,"var":5044451840.0,"ent":2.6,"data": [179302,179369,1797,184362,177,182759,106,62,111,97,367,12,367,8,114,117,157,11,64,17,19,306,10,10,14,156,176481,904,995,9,177632]},"pktlen": {"min":66,"avg":114.1,"max":649,"stddev":121.0,"var":14650.9,"ent":4.5,"data": [78,74,66,649,66,457,66,98,66,67,66,227,80,66,66,82,66,98,67,190,69,82,98,67,125,70,82,66,66,98,67,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02182{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1589,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365239758,"flow_src_last_pkt_time":1578508365782730,"flow_dst_last_pkt_time":1578508365782698,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":583,"flow_dst_max_l4_payload_len":391,"flow_src_tot_l4_payload_len":871,"flow_dst_tot_l4_payload_len":648,"midstream":0,"thread_ts_usec":1578508365782730,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"157.230.152.87","src_port":56658,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":35029.4,"max":184362,"stddev":71024.3,"var":5044451840.0,"ent":2.6,"data": [179302,179369,1797,184362,177,182759,106,62,111,97,367,12,367,8,114,117,157,11,64,17,19,306,10,10,14,156,176481,904,995,9,177632]},"pktlen": {"min":52,"avg":100.1,"max":635,"stddev":121.0,"var":14650.9,"ent":4.4,"data": [64,60,52,635,52,443,52,84,52,53,52,213,66,52,52,68,52,84,53,176,55,68,84,53,111,56,68,52,52,84,53,52]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0],"entropies": [4.515677452,5.346035480,5.038780212,7.678948879,5.233812809,7.426693916,5.115703106,5.903985023,5.115703106,5.307834625,5.115703106,7.013820648,5.585841656,5.077241421,5.077241421,5.642391205,5.038780212,5.798073769,5.116480827,6.750286102,5.119424820,5.423324585,5.821883202,5.116480827,6.247833252,5.085811138,5.423323631,5.142372608,5.156889439,5.894998550,5.270098209,5.038779736]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1645,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365741903,"flow_dst_last_pkt_time":1578508365813172,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508365813172,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADAG8nVeRDeiwKgBuHZf3WKbomHRWAgB9KAScSDEJQAAAgQFrAQCCAppF+qfItiYqQEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1646,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365813279,"flow_dst_last_pkt_time":1578508365813172,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365813279,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG4n3AqAG4XkQ3ot1idl9YCAH0m6Jh0oAQECxToAAAAQEICiLYmOdpF+qf"} 00985{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1647,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365814591,"flow_dst_last_pkt_time":1578508365813172,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":547,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365814591,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1664,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":67,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365828265,"flow_src_last_pkt_time":1578508365828265,"flow_dst_last_pkt_time":1578508365828265,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365828265,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"13.251.14.199","src_port":56678,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1664,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":67,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365828265,"flow_dst_last_pkt_time":1578508365828265,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365828265,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGW5bAqAG4DfsOx91mdl9PCwRhAAAAALAC\/\/\/02wAAAgQFtAEDAwUBAQgKItiY9AAAAAAEAgAA"} -01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1665,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365701530,"flow_src_last_pkt_time":1578508365787932,"flow_dst_last_pkt_time":1578508365828317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":356,"flow_src_tot_l4_payload_len":626,"flow_dst_tot_l4_payload_len":420,"midstream":0,"thread_ts_usec":1578508365828317,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"139.162.255.210","src_port":56672,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":6877.1,"max":42383,"stddev":15108.4,"var":228262896.0,"ent":2.6,"data": [41413,41460,1312,42383,1046,42119,204,192,363,356,369,368,205,23,58,13,64,62,24,80,8,25,33,39148,1363,11,132,116,14,104,121]},"pktlen": {"min":60,"avg":98.0,"max":452,"stddev":90.7,"var":8221.2,"ent":4.6,"data": [78,74,66,452,66,422,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02171{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1665,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":63,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1578508365701530,"flow_src_last_pkt_time":1578508365787932,"flow_dst_last_pkt_time":1578508365828317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":356,"flow_src_tot_l4_payload_len":626,"flow_dst_tot_l4_payload_len":420,"midstream":0,"thread_ts_usec":1578508365828317,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"139.162.255.210","src_port":56672,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":6877.1,"max":42383,"stddev":15108.4,"var":228262896.0,"ent":2.6,"data": [41413,41460,1312,42383,1046,42119,204,192,363,356,369,368,205,23,58,13,64,62,24,80,8,25,33,39148,1363,11,132,116,14,104,121]},"pktlen": {"min":46,"avg":84.0,"max":438,"stddev":90.7,"var":8221.2,"ent":4.5,"data": [64,60,52,438,52,408,52,84,52,68,52,68,52,84,53,176,55,68,84,53,54,65,68,52,52,46,46,46,46,46,46,46]},"bins": {"c_to_s": [14,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1],"entropies": [4.472632408,5.366787434,5.077241898,7.477252960,5.094483376,7.506056309,5.032077789,5.945768356,5.032077789,5.682903290,5.032077789,5.594669342,5.032077789,5.686549187,5.109905720,6.751657963,5.222177982,5.381002426,5.835707664,5.072169304,5.148315907,5.414526463,5.517535210,5.070539474,5.209868431,3.725504637,3.725504637,3.725504637,3.725504637,3.725504637,3.725504637,3.725504637]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1691,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":68,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365846680,"flow_src_last_pkt_time":1578508365846680,"flow_dst_last_pkt_time":1578508365846680,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365846680,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"35.228.158.52","src_port":56679,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1691,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":68,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365846680,"flow_dst_last_pkt_time":1578508365846680,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365846680,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGtj\/AqAG4I+SeNN1ndl9FuX9aAAAAALAC\/\/\/dzAAAAgQFtAEDAwUBAQgKItiZBAAAAAAEAgAA"} -01786{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1700,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365851788,"flow_dst_last_pkt_time":1578508365851734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":760,"flow_dst_tot_l4_payload_len":764,"midstream":0,"thread_ts_usec":1578508365851788,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":36914.1,"max":194120,"stddev":74421.4,"var":5538540544.0,"ent":2.7,"data": [179215,179258,1530,193512,372,17,192344,9,225,230,714,12,52,18,61,2845,2062,406,9,21,19,104,193755,151,777,194120,128,66,1119,26,1161]},"pktlen": {"min":66,"avg":114.2,"max":538,"stddev":109.0,"var":11872.9,"ent":4.6,"data": [78,74,66,538,66,494,98,66,66,198,66,98,67,190,69,82,94,66,98,67,114,81,82,66,66,98,66,147,66,97,66,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,1,0,1,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02185{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1700,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365279592,"flow_src_last_pkt_time":1578508365851788,"flow_dst_last_pkt_time":1578508365851734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":428,"flow_src_tot_l4_payload_len":760,"flow_dst_tot_l4_payload_len":764,"midstream":0,"thread_ts_usec":1578508365851788,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"52.9.128.68","src_port":56661,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":36914.1,"max":194120,"stddev":74421.4,"var":5538540544.0,"ent":2.7,"data": [179215,179258,1530,193512,372,17,192344,9,225,230,714,12,52,18,61,2845,2062,406,9,21,19,104,193755,151,777,194120,128,66,1119,26,1161]},"pktlen": {"min":52,"avg":100.2,"max":524,"stddev":109.0,"var":11872.9,"ent":4.5,"data": [64,60,52,524,52,480,84,52,52,184,52,84,53,176,55,68,80,52,84,53,100,67,68,52,52,84,52,133,52,83,52,52]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,1,0,1,1,0],"entropies": [4.453177452,5.348397732,4.961856365,7.599962234,4.933627129,7.510960579,5.832557201,4.932822704,4.932822704,6.835141659,4.894361019,5.783250809,5.064501762,6.716285229,5.069335938,5.335089684,5.759187222,4.947339535,5.789087296,5.078744888,6.152247906,5.259534836,5.434425354,4.972088337,5.025067329,5.878987312,5.038779736,6.474194050,4.961856842,5.903718472,5.154969215,4.961856842]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1710,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":69,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365852452,"flow_src_last_pkt_time":1578508365852452,"flow_dst_last_pkt_time":1578508365852452,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365852452,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.59.17.58","src_port":56680,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1710,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":69,"flow_packet_id":1,"flow_src_last_pkt_time":1578508365852452,"flow_dst_last_pkt_time":1578508365852452,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508365852452,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG3OLAqAG4ijsROt1odl\/ttHvbAAAAALAC\/\/9f7QAAAgQFtAEDAwUBAQgKItiZCQAAAAAEAgAA"} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1750,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":70,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508365885366,"flow_src_last_pkt_time":1578508365885366,"flow_dst_last_pkt_time":1578508365885366,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365885366,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"207.180.206.216","src_port":56681,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -360,10 +360,10 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1776,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":70,"flow_packet_id":3,"flow_src_last_pkt_time":1578508365926010,"flow_dst_last_pkt_time":1578508365925923,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508365926010,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG2dbAqAG4z7TO2N1pdl+dzwtnJw8AtoAQECw5oAAAAQEICiLYmUxcfI6d"} 00988{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1777,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":70,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365885366,"flow_src_last_pkt_time":1578508365927412,"flow_dst_last_pkt_time":1578508365925923,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":502,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":502,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508365927412,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"207.180.206.216","src_port":56681,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00695{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1780,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":71,"flow_packet_id":2,"flow_src_last_pkt_time":1578508365919739,"flow_dst_last_pkt_time":1578508365951357,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":189,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":189,"pkt_l4_len":155,"thread_ts_usec":1578508365951357,"pkt":"KDc3AG3IEBMx8Tl2CABFAACvrTpAADMRthqnVnoywKgBuHZfdl8AmyGXAff4avCCJKd8iLkYnGp5WBGcR5kwKjaGYfuGK7O5Pxha3PZrVargsE3sp+V969kCE0ZShXRyP212X0\/ogX+KLxU0BMrg9yur0MCSn4OC+hF8e78p1SovnEhcJv1j5UvsAALwyYSnVnoygnZfgKByZEv+wn4eYEUXuf5R8Qoku8N0GB0rNIQImrGkxu4BYoReFiBh"} -01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1796,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365961141,"flow_dst_last_pkt_time":1578508365961206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":504,"flow_src_tot_l4_payload_len":835,"flow_dst_tot_l4_payload_len":840,"midstream":0,"thread_ts_usec":1578508365961206,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":14146.5,"max":75129,"stddev":28349.9,"var":803714368.0,"ent":2.7,"data": [71269,71376,1312,75129,983,32,74778,28,135,90,486,477,192,27,65,15,66,252,9,12,16,87,69614,777,19,69699,729,15,730,7,115]},"pktlen": {"min":66,"avg":119.0,"max":613,"stddev":126.8,"var":16079.3,"ent":4.5,"data": [78,74,66,613,66,570,98,66,66,209,66,83,66,98,67,190,69,82,98,67,114,81,82,66,66,98,66,148,96,66,66,66]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02171{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1796,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":65,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1578508365741903,"flow_src_last_pkt_time":1578508365961141,"flow_dst_last_pkt_time":1578508365961206,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":547,"flow_dst_max_l4_payload_len":504,"flow_src_tot_l4_payload_len":835,"flow_dst_tot_l4_payload_len":840,"midstream":0,"thread_ts_usec":1578508365961206,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"94.68.55.162","src_port":56674,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":14146.5,"max":75129,"stddev":28349.9,"var":803714368.0,"ent":2.7,"data": [71269,71376,1312,75129,983,32,74778,28,135,90,486,477,192,27,65,15,66,252,9,12,16,87,69614,777,19,69699,729,15,730,7,115]},"pktlen": {"min":52,"avg":105.0,"max":599,"stddev":126.8,"var":16079.3,"ent":4.4,"data": [64,60,52,599,52,556,84,52,52,195,52,69,52,84,53,176,55,68,84,53,100,67,68,52,52,84,52,134,82,52,52,52]},"bins": {"c_to_s": [15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1],"entropies": [4.428027153,5.333454132,5.014835358,7.631373405,5.195351601,7.586966038,5.775951385,5.038780212,5.000318050,6.896724224,5.000318527,5.543021202,5.038780212,5.697000027,5.116480827,6.792954922,5.069334984,5.517535210,5.883326530,5.154216766,6.099795818,5.552560806,5.458711624,5.156889439,5.195351124,5.775951862,5.038780212,6.440905094,5.855588436,5.038779736,5.038779736,5.118428230]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1835,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508366005550,"flow_src_last_pkt_time":1578508366005550,"flow_dst_last_pkt_time":1578508366005550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366005550,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"51.83.237.44","src_port":56684,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1835,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":72,"flow_packet_id":1,"flow_src_last_pkt_time":1578508366005550,"flow_dst_last_pkt_time":1578508366005550,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508366005550,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGV9jAqAG4M1PtLN1sdl8dp4x2AAAAALAC\/\/+ZwwAAAgQFtAEDAwUBAQgKItiZlwAAAAAEAgAA"} -01776{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1847,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365751522,"flow_dst_last_pkt_time":1578508366012044,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":779,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508366012044,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":42302.9,"max":263115,"stddev":95827.5,"var":9182917632.0,"ent":2.4,"data": [259670,259779,1313,261414,3049,263115,462,422,253,247,161,10,63,22,41,100,13,84,18,22,24,260103,45,20,93,122,13,668,28,8,8]},"pktlen": {"min":60,"avg":105.4,"max":605,"stddev":121.5,"var":14755.2,"ent":4.5,"data": [78,74,66,605,66,525,66,98,66,98,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60]},"bins": {"c_to_s": [13,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02174{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1847,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365751522,"flow_dst_last_pkt_time":1578508366012044,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":779,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508366012044,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":42302.9,"max":263115,"stddev":95827.5,"var":9182917632.0,"ent":2.4,"data": [259670,259779,1313,261414,3049,263115,462,422,253,247,161,10,63,22,41,100,13,84,18,22,24,260103,45,20,93,122,13,668,28,8,8]},"pktlen": {"min":46,"avg":91.4,"max":591,"stddev":121.5,"var":14755.2,"ent":4.3,"data": [64,60,52,591,52,511,52,84,52,84,52,84,53,176,55,68,84,53,54,65,68,52,46,46,46,46,46,46,46,46,46,46]},"bins": {"c_to_s": [13,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1],"entropies": [4.484427452,5.266787052,5.014835358,7.622575283,5.176993370,7.537411690,4.937911987,5.836015701,4.937911987,5.821192741,4.937912464,5.839856625,5.055252075,6.730566502,5.133149624,5.533761024,5.816047192,4.979780197,5.094675064,5.473884583,5.364500046,5.014835358,3.725504398,3.725504398,3.725504398,3.725504398,3.725504398,3.725504398,3.725504398,3.725504398,3.725504398,3.725504398]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1857,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1578508366020357,"flow_src_last_pkt_time":1578508366020357,"flow_dst_last_pkt_time":1578508366020357,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366020357,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"88.99.93.219","src_port":56685,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1857,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":1,"flow_src_last_pkt_time":1578508366020357,"flow_dst_last_pkt_time":1578508366020357,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508366020357,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGwhnAqAG4WGNd291tdl+CSdQcAAAAALAC\/\/9XrgAAAgQFtAEDAwUBAQgKItiZpAAAAAAEAgAA"} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1862,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_src_last_pkt_time":1578508366029471,"flow_dst_last_pkt_time":1578508364922060,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1578508366029471,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGjuvAqAG4I+nFg909dl+ptEcpAAAAALAC\/\/+KMAAAAgQFtAEDAwUBAQgKItiZrAAAAAAEAgAA"} @@ -384,7 +384,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1968,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":2,"flow_src_last_pkt_time":1578508366073881,"flow_dst_last_pkt_time":1578508366117663,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1578508366117663,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGSnvOvWsjwKgBuHZf3W6FBUsAADkpP6AScSCofQAAAgQFrAQCCApn2sBGItiZ0wEDAwc="} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1969,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_packet_id":3,"flow_src_last_pkt_time":1578508366117769,"flow_dst_last_pkt_time":1578508366117663,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1578508366117769,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGPoPAqAG4zr1rI91udl8AOSk\/hQVLAYAQECw4DwAAAQEICiLYmfpn2sBG"} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1970,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":74,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508366073881,"flow_src_last_pkt_time":1578508366119559,"flow_dst_last_pkt_time":1578508366117663,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":407,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":407,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366119559,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"206.189.107.35","src_port":56686,"dst_port":30303,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01791{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1983,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1578508365712625,"flow_src_last_pkt_time":1578508366123630,"flow_dst_last_pkt_time":1578508366123331,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":567,"flow_dst_max_l4_payload_len":347,"flow_src_tot_l4_payload_len":951,"flow_dst_tot_l4_payload_len":859,"midstream":0,"thread_ts_usec":1578508366123630,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"78.47.147.155","src_port":56673,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":26506.8,"max":285939,"stddev":65286.3,"var":4262303488.0,"ent":2.6,"data": [40373,40438,1542,40906,246535,285939,40615,40605,699,30,144,12,23,360,16,18,29,110,39411,235,883,650,39691,157,36,21,17,63,1098,839,216]},"pktlen": {"min":66,"avg":123.6,"max":633,"stddev":120.4,"var":14503.6,"ent":4.6,"data": [78,74,66,633,66,306,78,413,66,98,67,190,69,82,98,67,114,81,82,66,66,66,130,66,98,67,69,78,82,274,66,98]},"bins": {"c_to_s": [16,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02190{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1983,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1578508365712625,"flow_src_last_pkt_time":1578508366123630,"flow_dst_last_pkt_time":1578508366123331,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":567,"flow_dst_max_l4_payload_len":347,"flow_src_tot_l4_payload_len":951,"flow_dst_tot_l4_payload_len":859,"midstream":0,"thread_ts_usec":1578508366123630,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"78.47.147.155","src_port":56673,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":26506.8,"max":285939,"stddev":65286.3,"var":4262303488.0,"ent":2.6,"data": [40373,40438,1542,40906,246535,285939,40615,40605,699,30,144,12,23,360,16,18,29,110,39411,235,883,650,39691,157,36,21,17,63,1098,839,216]},"pktlen": {"min":52,"avg":109.6,"max":619,"stddev":120.4,"var":14503.6,"ent":4.5,"data": [64,60,52,619,52,292,64,399,52,84,53,176,55,68,84,53,100,67,68,52,52,52,116,52,84,53,55,64,68,260,52,84]},"bins": {"c_to_s": [16,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,0],"entropies": [4.453177452,5.346035480,5.077241421,7.661995411,5.233812809,7.235357285,5.194910049,7.441572666,5.062724113,5.854679585,5.191952705,6.817754745,5.228514671,5.610895157,5.854679585,5.229689121,6.152247906,5.547358990,5.581482887,5.272274494,5.272274494,5.272274494,6.375947475,5.115703106,5.887475491,5.154217243,5.264878273,5.481855392,5.592584610,7.149727345,5.077241421,5.878489017]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01031{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":16,"flow_first_seen":1578508365226088,"flow_src_last_pkt_time":1578508365751522,"flow_dst_last_pkt_time":1578508366012064,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":539,"flow_dst_max_l4_payload_len":459,"flow_src_tot_l4_payload_len":779,"flow_dst_tot_l4_payload_len":523,"midstream":0,"thread_ts_usec":1578508366135917,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.75.171.190","src_port":56657,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01024{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":69,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578508365852452,"flow_src_last_pkt_time":1578508366055031,"flow_dst_last_pkt_time":1578508366053699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":447,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":447,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578508366135917,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"138.59.17.58","src_port":56680,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01031{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"ethereum.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":34,"flow_dst_packets_processed":27,"flow_first_seen":1578508365045064,"flow_src_last_pkt_time":1578508365195126,"flow_dst_last_pkt_time":1578508365241563,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":410,"flow_dst_max_l4_payload_len":382,"flow_src_tot_l4_payload_len":762,"flow_dst_tot_l4_payload_len":798,"midstream":0,"thread_ts_usec":1578508366135917,"l3_proto":"ip4","src_ip":"192.168.1.184","dst_ip":"185.219.133.62","src_port":56645,"dst_port":30303,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} @@ -471,10 +471,10 @@ ~~ total active/idle flows...: 74/74 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6220481 bytes -~~ total memory freed........: 6220481 bytes -~~ total allocations/frees...: 124221/124221 +~~ total memory allocated....: 6230545 bytes +~~ total memory freed........: 6230545 bytes +~~ total allocations/frees...: 124295/124295 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars -~~ json string max len.......: 2044 chars -~~ json string avg len.......: 1268 chars +~~ json string max len.......: 2195 chars +~~ json string avg len.......: 1344 chars diff --git a/test/results/ethernetIP.pcap.out b/test/results/ethernetIP.pcap.out index b3f60fc8a..281b365fb 100644 --- a/test/results/ethernetIP.pcap.out +++ b/test/results/ethernetIP.pcap.out @@ -33,9 +33,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6043413 bytes -~~ total memory freed........: 6043413 bytes -~~ total allocations/frees...: 121617/121617 +~~ total memory allocated....: 6043957 bytes +~~ total memory freed........: 6043957 bytes +~~ total allocations/frees...: 121621/121621 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 2134 chars diff --git a/test/results/exe_download.pcap.out b/test/results/exe_download.pcap.out index 2f9ab5516..fb13812ee 100644 --- a/test/results/exe_download.pcap.out +++ b/test/results/exe_download.pcap.out @@ -6,7 +6,7 @@ 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569434051324323,"flow_dst_last_pkt_time":1569434051324116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1569434051324323,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoALJAAIAGAJIKCRllkFtFw8ANAFC+hvgfPu\/YuVAQ+vAsqgAA"} 01243{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051324979,"flow_dst_last_pkt_time":1569434051324116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569434051324979,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"144.91.69.195","http": {"url":"144.91.69.195\/solar.php","code":0,"content_type":"","user_agent":"pwtyyEKzNtGatwnJjmCcBLbOveCVpc"}}} 01398{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051324979,"flow_dst_last_pkt_time":1569434051623372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1569434051623372,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"144.91.69.195","http": {"url":"144.91.69.195\/solar.php","code":200,"content_type":"application\/octet-stream","user_agent":"pwtyyEKzNtGatwnJjmCcBLbOveCVpc"}}} -02067{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051966172,"flow_dst_last_pkt_time":1569434051966041,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":25896,"midstream":0,"thread_ts_usec":1569434051966172,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":62020.0,"max":319527,"stddev":115050.4,"var":13236601856.0,"ent":3.0,"data": [319320,319527,656,1120,298136,10,298579,1555,147,1842,2428,2695,9,4969,246,28639,114,28917,100748,305805,34,11,94,205204,207,207,651,10,7,7,727]},"pktlen": {"min":54,"avg":868.5,"max":1514,"stddev":668.4,"var":446708.3,"ent":4.4,"data": [66,58,54,207,54,1514,1322,54,1418,1418,54,1418,1514,1302,54,1418,1418,1418,54,54,1514,1514,1226,1418,54,1418,54,1514,1514,1514,1130,54]},"bins": {"c_to_s": [10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,2,0,0,8,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,1,1,0]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +02466{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434051966172,"flow_dst_last_pkt_time":1569434051966041,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":25896,"midstream":0,"thread_ts_usec":1569434051966172,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":62020.0,"max":319527,"stddev":115050.4,"var":13236601856.0,"ent":3.0,"data": [319320,319527,656,1120,298136,10,298579,1555,147,1842,2428,2695,9,4969,246,28639,114,28917,100748,305805,34,11,94,205204,207,207,651,10,7,7,727]},"pktlen": {"min":40,"avg":854.5,"max":1500,"stddev":668.4,"var":446708.3,"ent":4.4,"data": [52,44,40,193,40,1500,1308,40,1404,1404,40,1404,1500,1288,40,1404,1404,1404,40,40,1500,1500,1212,1404,40,1404,40,1500,1500,1500,1116,40]},"bins": {"c_to_s": [10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,2,0,0,8,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,1,1,0],"entropies": [4.385625362,4.876442909,4.621928215,5.761415958,4.730640888,3.668365002,0.301540941,4.621928692,0.282004327,4.382377148,4.571928501,5.688343048,5.482964993,5.437496185,4.521928310,5.899663925,5.776542664,5.685672760,4.571928501,4.571928501,5.409879208,5.378962994,5.436534882,5.744604588,4.571928978,5.603744507,4.521928787,5.738482952,5.793150902,5.592350006,5.696241856,4.571928978]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 01266{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":703,"source":"exe_download.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":203,"flow_dst_packets_processed":500,"flow_first_seen":1569434051004796,"flow_src_last_pkt_time":1569434056186340,"flow_dst_last_pkt_time":1569434056096541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":153,"flow_dst_tot_l4_payload_len":679332,"midstream":0,"thread_ts_usec":1569434056186340,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"144.91.69.195","src_port":49165,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"11": {"risk":"HTTP Suspicious User-Agent","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 00569{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":703,"source":"exe_download.pcap","alias":"nDPId-test","packets-captured":703,"packets-processed":703,"total-skipped-flows":0,"total-l4-payload-len":679485,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1569434056186340} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -17,10 +17,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6056195 bytes -~~ total memory freed........: 6056195 bytes -~~ total allocations/frees...: 122196/122196 +~~ total memory allocated....: 6056331 bytes +~~ total memory freed........: 6056331 bytes +~~ total allocations/frees...: 122197/122197 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars -~~ json string max len.......: 2072 chars -~~ json string avg len.......: 1229 chars +~~ json string max len.......: 2471 chars +~~ json string avg len.......: 1404 chars diff --git a/test/results/exe_download_as_png.pcap.out b/test/results/exe_download_as_png.pcap.out index 2ad048210..eadde39cc 100644 --- a/test/results/exe_download_as_png.pcap.out +++ b/test/results/exe_download_as_png.pcap.out @@ -6,7 +6,7 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569434903440784,"flow_dst_last_pkt_time":1569434903440451,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1569434903440784,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoBlJAAIAGv\/QKCRlluWJXucAtAFB7PMGXLy4K1lAQ+vBJBAAA"} 01126{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434903441012,"flow_dst_last_pkt_time":1569434903440451,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569434903441012,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"185.98.87.185","http": {"url":"185.98.87.185\/tablone.png","code":0,"content_type":"","user_agent":"WinHTTP loader\/1.0"}}} 01261{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434903441012,"flow_dst_last_pkt_time":1569434904053845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1569434904053845,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"185.98.87.185","http": {"url":"185.98.87.185\/tablone.png","code":200,"content_type":"image\/png","user_agent":"WinHTTP loader\/1.0"}}} -01961{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434904481632,"flow_dst_last_pkt_time":1569434904508320,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":25916,"midstream":0,"thread_ts_usec":1569434904508320,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":93850.2,"max":613012,"stddev":192589.9,"var":37090865152.0,"ent":2.7,"data": [400153,400486,228,717,612677,12,613012,424,482,834,426,507,936,1134,423,1552,361,732,1082,417726,1390,103,419479,654,405,941,2596,154,2784,26602,344]},"pktlen": {"min":54,"avg":869.0,"max":1514,"stddev":664.6,"var":441668.3,"ent":4.4,"data": [66,58,54,203,54,1514,1322,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418]},"bins": {"c_to_s": [10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,17,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02360{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434904481632,"flow_dst_last_pkt_time":1569434904508320,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":25916,"midstream":0,"thread_ts_usec":1569434904508320,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":93850.2,"max":613012,"stddev":192589.9,"var":37090865152.0,"ent":2.7,"data": [400153,400486,228,717,612677,12,613012,424,482,834,426,507,936,1134,423,1552,361,732,1082,417726,1390,103,419479,654,405,941,2596,154,2784,26602,344]},"pktlen": {"min":40,"avg":855.0,"max":1500,"stddev":664.6,"var":441668.3,"ent":4.4,"data": [52,44,40,189,40,1500,1308,40,1404,1404,40,1404,1404,40,1404,1404,40,1404,1404,40,1404,1404,1404,40,1404,1404,40,1404,1404,40,1404,1404]},"bins": {"c_to_s": [10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,17,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,0,1,1,0,1,1,0,1,1],"entropies": [4.593450069,4.921897411,4.734183788,5.453228951,4.630641460,3.420540333,0.300011843,4.784183979,0.284853339,4.608477116,4.784183979,4.479417324,3.353007078,4.684184074,3.253508806,3.476947546,4.734183788,4.057516575,5.282192707,4.734183788,5.523138046,4.632616997,4.955163479,4.715311527,4.361701965,2.729017735,4.734184265,6.268059254,4.366500378,4.734183788,4.014078617,2.777677774]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01153{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":534,"source":"exe_download_as_png.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":163,"flow_dst_packets_processed":371,"flow_first_seen":1569434903040298,"flow_src_last_pkt_time":1569434972556095,"flow_dst_last_pkt_time":1569434912545467,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":299,"flow_dst_tot_l4_payload_len":500298,"midstream":0,"thread_ts_usec":1569434972556095,"l3_proto":"ip4","src_ip":"10.9.25.101","dst_ip":"185.98.87.185","src_port":49197,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00576{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":534,"source":"exe_download_as_png.pcap","alias":"nDPId-test","packets-captured":534,"packets-processed":534,"total-skipped-flows":0,"total-l4-payload-len":500597,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1569434972556095} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -17,10 +17,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6051225 bytes -~~ total memory freed........: 6051225 bytes -~~ total allocations/frees...: 122026/122026 +~~ total memory allocated....: 6051361 bytes +~~ total memory freed........: 6051361 bytes +~~ total allocations/frees...: 122027/122027 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 504 chars -~~ json string max len.......: 1966 chars -~~ json string avg len.......: 1180 chars +~~ json string max len.......: 2365 chars +~~ json string avg len.......: 1354 chars diff --git a/test/results/facebook.pcap.out b/test/results/facebook.pcap.out index 3eed8a9b8..b2b0caa8d 100644 --- a/test/results/facebook.pcap.out +++ b/test/results/facebook.pcap.out @@ -13,7 +13,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1472393123682902,"flow_dst_last_pkt_time":1472393123682883,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1472393123682902,"pkt":"mAyC0zx8MFLLbJwbCABFAAA0dR5AAEAGZLrAqCsSHw1WJK5GAbsvASg+cOnYd4AQAOVhEgAAAQEICgBLXUglRdDW"} 01068{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":23,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393123683095,"flow_dst_last_pkt_time":1472393123682883,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1472393123683095,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.facebook.com","tls": {"version":"TLSv1.2","ja3":"5c60e71f1b8cd40e4d40ed5b6d666e3f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,spdy\/3.1,http\/1.1"}}} 01128{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":25,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393123683095,"flow_dst_last_pkt_time":1472393123838069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":146,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":146,"midstream":0,"thread_ts_usec":1472393123838069,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.facebook.com","tls": {"version":"TLSv1.2","ja3":"5c60e71f1b8cd40e4d40ed5b6d666e3f","ja3s":"96681175a9547081bf3d417f1a572091","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,spdy\/3.1,http\/1.1"}}} -01732{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393124118414,"flow_dst_last_pkt_time":1472393124118402,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":992,"flow_dst_tot_l4_payload_len":15090,"midstream":0,"thread_ts_usec":1472393124118414,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":193,"avg":36622.1,"max":154982,"stddev":57898.8,"var":3352273664.0,"ent":3.3,"data": [132117,132136,193,154701,485,154982,244,3282,129361,125921,442,418,797,119231,4520,123730,627,605,1230,4940,621,5568,8878,7797,16680,916,530,1441,790,657,1444]},"pktlen": {"min":66,"avg":569.1,"max":1454,"stddev":613.3,"var":376153.1,"ent":4.2,"data": [74,74,66,583,66,212,66,117,452,147,104,104,108,66,1454,445,66,1454,590,66,1454,1454,66,1454,1454,66,1454,1454,66,1454,1454,66]},"bins": {"c_to_s": [10,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,1,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02128{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393124118414,"flow_dst_last_pkt_time":1472393124118402,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":992,"flow_dst_tot_l4_payload_len":15090,"midstream":0,"thread_ts_usec":1472393124118414,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":193,"avg":36622.1,"max":154982,"stddev":57898.8,"var":3352273664.0,"ent":3.3,"data": [132117,132136,193,154701,485,154982,244,3282,129361,125921,442,418,797,119231,4520,123730,627,605,1230,4940,621,5568,8878,7797,16680,916,530,1441,790,657,1444]},"pktlen": {"min":52,"avg":555.1,"max":1440,"stddev":613.3,"var":376153.1,"ent":4.1,"data": [60,60,52,569,52,198,52,103,438,133,90,90,94,52,1440,431,52,1440,576,52,1440,1440,52,1440,1440,52,1440,1440,52,1440,1440,52]},"bins": {"c_to_s": [10,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,1,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0],"entropies": [4.760014057,5.194312096,5.053297043,6.165235996,5.091758251,6.462422371,5.053297043,5.523866653,7.463335991,6.461145878,5.587870598,5.919519901,5.958845615,5.014835358,7.843218803,7.552490711,5.025067806,7.863905430,7.631061554,5.025067329,7.860723495,7.881686687,5.063529015,7.870133877,7.854965687,5.063529015,7.867281437,7.861505032,5.025067329,7.849763870,7.860621929,5.025067329]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00767{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":60,"source":"facebook.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1472393122365661,"flow_src_last_pkt_time":1472393123408152,"flow_dst_last_pkt_time":1472393123665163,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":383,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":743,"flow_dst_tot_l4_payload_len":3732,"midstream":0,"thread_ts_usec":1472393124229315,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"66.220.156.68","src_port":52066,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00922{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":60,"source":"facebook.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":22,"flow_first_seen":1472393123550766,"flow_src_last_pkt_time":1472393124218612,"flow_dst_last_pkt_time":1472393124229315,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1402,"flow_dst_tot_l4_payload_len":20642,"midstream":0,"thread_ts_usec":1472393124229315,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"31.13.86.36","src_port":44614,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":60,"source":"facebook.pcap","alias":"nDPId-test","packets-captured":60,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":26519,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":19,"global_ts_usec":1472393124229315} @@ -25,10 +25,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6054422 bytes -~~ total memory freed........: 6054422 bytes -~~ total allocations/frees...: 121580/121580 +~~ total memory allocated....: 6054694 bytes +~~ total memory freed........: 6054694 bytes +~~ total allocations/frees...: 121582/121582 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars -~~ json string max len.......: 1737 chars -~~ json string avg len.......: 1109 chars +~~ json string max len.......: 2133 chars +~~ json string avg len.......: 1295 chars diff --git a/test/results/fastcgi.pcap.out b/test/results/fastcgi.pcap.out index a21f9b2b6..9ae6930e2 100644 --- a/test/results/fastcgi.pcap.out +++ b/test/results/fastcgi.pcap.out @@ -5,7 +5,7 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1280403893598699,"flow_dst_last_pkt_time":1280403893598868,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1280403893598868,"pkt":"AAvNgo+GABzEfBq8CABFAAA8AABAAEAGJqkKAAALCgAACSMolW5v2bTavtEyUKASFqBTYwAAAgQFtAQCCAoN02\/TIuta2wEDAwc="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1280403893598925,"flow_dst_last_pkt_time":1280403893598868,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1280403893598925,"pkt":"ABzEfBq8AAvNgo+GCABFAAA0aJVAAEAGvhsKAAAJCgAAC5VuIyi+0TJQb9m024AQAFyYcwAAAQEICiLrWtsN02\/T"} 00855{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":1,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403893599034,"flow_dst_last_pkt_time":1280403893598868,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1071,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1280403893599034,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01659{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403895619664,"flow_dst_last_pkt_time":1280403895619673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":14480,"midstream":0,"thread_ts_usec":1280403895619673,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":130385.1,"max":2020143,"stddev":496240.3,"var":246254469120.0,"ent":1.0,"data": [169,226,42,67,15,217,77,12,83,12,48,16,2019881,2020143,186,63,52,55,94,90,42,33,32,28,26,27,50,53,34,34,32]},"pktlen": {"min":66,"avg":553.2,"max":1514,"stddev":672.8,"var":452637.9,"ent":3.9,"data": [74,74,66,82,1121,74,66,74,74,66,66,66,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,0,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +02058{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403895619664,"flow_dst_last_pkt_time":1280403895619673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":14480,"midstream":0,"thread_ts_usec":1280403895619673,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":130385.1,"max":2020143,"stddev":496240.3,"var":246254469120.0,"ent":1.0,"data": [169,226,42,67,15,217,77,12,83,12,48,16,2019881,2020143,186,63,52,55,94,90,42,33,32,28,26,27,50,53,34,34,32]},"pktlen": {"min":52,"avg":539.2,"max":1500,"stddev":672.8,"var":452637.9,"ent":3.9,"data": [60,60,52,68,1107,60,52,60,60,52,52,52,52,1500,52,1500,52,1500,52,1500,52,1500,52,1500,52,1500,52,1500,52,1500,52,1500]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,0,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.423614979,4.926749229,4.700937271,4.233195782,6.033331394,4.550921917,4.686420441,4.550921917,4.550921917,4.686420441,4.624014378,4.686420441,4.724881649,7.641661644,4.854783535,7.763941288,4.854784012,7.761142254,4.777860165,7.844599247,4.891996861,7.826266289,4.815073490,7.841456413,4.815073490,7.847429752,4.815073490,7.852382183,4.891996861,7.847055912,4.815073490,7.805794239]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00904{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":102,"source":"fastcgi.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":48,"flow_dst_packets_processed":54,"flow_first_seen":1280403893598699,"flow_src_last_pkt_time":1280403897015424,"flow_dst_last_pkt_time":1280403897015595,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1055,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":64400,"midstream":0,"thread_ts_usec":1280403897015595,"l3_proto":"ip4","src_ip":"10.0.0.9","dst_ip":"10.0.0.11","src_port":38254,"dst_port":9000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FastCGI","proto_id":"310","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":102,"source":"fastcgi.pcap","alias":"nDPId-test","packets-captured":102,"packets-processed":102,"total-skipped-flows":0,"total-l4-payload-len":65495,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1280403897015595} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6040686 bytes -~~ total memory freed........: 6040686 bytes -~~ total allocations/frees...: 121592/121592 +~~ total memory allocated....: 6040822 bytes +~~ total memory freed........: 6040822 bytes +~~ total allocations/frees...: 121593/121593 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1664 chars -~~ json string avg len.......: 1023 chars +~~ json string max len.......: 2063 chars +~~ json string avg len.......: 1197 chars diff --git a/test/results/firefox.pcap.out b/test/results/firefox.pcap.out index 3fa5522c2..bea54943d 100644 --- a/test/results/firefox.pcap.out +++ b/test/results/firefox.pcap.out @@ -8,7 +8,7 @@ 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927997782476,"flow_dst_last_pkt_time":1620927997814169,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1620927997814169,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"aa7744226c695c0b2e440419848cf700","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":30,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927998782772,"flow_dst_last_pkt_time":1620927998782772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927998782772,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1620927998782772,"flow_dst_last_pkt_time":1620927998782772,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620927998782772,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6Esl\/AbveSGQcAAAAALAC\/\/\/OTgAAAgQFtAEDAwUBAQgKNAyYZQAAAAAEAgAA"} -01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":33,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927998776498,"flow_dst_last_pkt_time":1620927998804931,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1348,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620927998804931,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":66861.1,"max":576607,"stddev":148076.5,"var":21926651904.0,"ent":2.8,"data": [26706,26798,1311,27344,5752,45,31822,499,455,210977,313,236002,29,1309,26,26092,3,575380,1218,576607,259,117,346,122,123,243,1357,145807,171406,2874,1353]},"pktlen": {"min":66,"avg":599.1,"max":1506,"stddev":633.0,"var":400627.7,"ent":4.2,"data": [78,74,66,583,66,1506,1506,66,772,66,146,452,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,431,66,1506,1506]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02101{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":33,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927998776498,"flow_dst_last_pkt_time":1620927998804931,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1348,"flow_dst_tot_l4_payload_len":15691,"midstream":0,"thread_ts_usec":1620927998804931,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":66861.1,"max":576607,"stddev":148076.5,"var":21926651904.0,"ent":2.8,"data": [26706,26798,1311,27344,5752,45,31822,499,455,210977,313,236002,29,1309,26,26092,3,575380,1218,576607,259,117,346,122,123,243,1357,145807,171406,2874,1353]},"pktlen": {"min":52,"avg":585.1,"max":1492,"stddev":633.0,"var":400627.7,"ent":4.1,"data": [64,60,52,569,52,1492,1492,52,758,52,132,438,52,52,355,355,52,52,1492,1492,52,1492,1492,52,1492,1471,52,52,417,52,1492,1492]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1],"entropies": [4.428027153,5.266787052,5.014835358,5.174138069,5.162476063,7.842608452,7.864985943,5.014834881,7.695538521,5.053296566,6.283938885,7.435882092,5.085552692,5.008629799,7.300004005,7.376957893,5.014835358,4.976373672,7.887156010,7.855851173,4.976373672,7.868392467,7.877747059,5.014835358,7.872129440,7.861151218,4.961856842,5.014835358,7.429141998,5.124014378,7.843397617,7.882917881]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":42,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927998806443,"flow_dst_last_pkt_time":1620927998806443,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927998806443,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":42,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1620927998806443,"flow_dst_last_pkt_time":1620927998806443,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620927998806443,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EsmEAbtCftk8AAAAALAC\/\/\/03wAAAgQFtAEDAwUBAQgKNAyYeQAAAAAEAgAA"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1620927998782772,"flow_dst_last_pkt_time":1620927998817178,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927998817178,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yX\/JSxfE3khkHaAS\/oi4VgAAAgQFrAQCCAo8IAs5NAyYZQEDAwc="} @@ -27,7 +27,7 @@ 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":86,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1620927999112216,"flow_dst_last_pkt_time":1620927999112216,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620927999112216,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EsmRAbvLRPiuAAAAALAC\/\/9LkAAAAgQFtAEDAwUBAQgKNAyZgwAAAAAEAgAA"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1620927999109976,"flow_dst_last_pkt_time":1620927999138093,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927999138093,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yY9yeaT2oLD166AS\/ogrVAAAAgQFrAQCCAo8IAx5NAyZgQEDAwc="} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":115,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1620927999111334,"flow_dst_last_pkt_time":1620927999138095,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927999138095,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yZBJLtVRAr1wcaAS\/ohHrwAAAgQFrAQCCAo8IAx6NAyZggEDAwc="} -01698{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927999138109,"flow_dst_last_pkt_time":1620927999138090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1491,"flow_dst_tot_l4_payload_len":17379,"midstream":0,"thread_ts_usec":1620927999138109,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":22924.4,"max":231008,"stddev":52648.8,"var":2771896832.0,"ent":3.0,"data": [34406,34489,3261,32258,1506,30479,4158,18595,31638,14,8894,18473,2988,120,21557,203508,231008,997,180,13,28684,187,199,924,71,1013,133,374,19,9,500]},"pktlen": {"min":66,"avg":656.3,"max":1506,"stddev":649.7,"var":422101.6,"ent":4.2,"data": [78,74,66,746,66,326,66,146,416,66,369,66,66,1506,1042,66,447,66,1506,1506,1506,66,1506,66,1506,1506,66,1506,1506,1506,1506,66]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02097{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927999138109,"flow_dst_last_pkt_time":1620927999138090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1491,"flow_dst_tot_l4_payload_len":17379,"midstream":0,"thread_ts_usec":1620927999138109,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":22924.4,"max":231008,"stddev":52648.8,"var":2771896832.0,"ent":3.0,"data": [34406,34489,3261,32258,1506,30479,4158,18595,31638,14,8894,18473,2988,120,21557,203508,231008,997,180,13,28684,187,199,924,71,1013,133,374,19,9,500]},"pktlen": {"min":52,"avg":642.3,"max":1492,"stddev":649.7,"var":422101.6,"ent":4.2,"data": [64,60,52,732,52,312,52,132,402,52,355,52,52,1492,1028,52,433,52,1492,1492,1492,52,1492,52,1492,1492,52,1492,1492,1492,1492,52]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,0,1,1,1,1,0],"entropies": [4.459277153,5.233453751,5.014835358,7.202944279,5.085553169,7.007672310,4.961856842,6.264141560,7.328972340,5.032574654,7.353322983,5.014835358,5.124014854,7.879932404,7.808946609,4.961856365,7.467625618,5.047091484,7.873059750,7.873151302,7.887775421,4.976373672,7.877523422,5.014835358,7.875070572,7.887982368,4.976373672,7.869130135,7.859514236,7.867089272,7.877560139,5.014835358]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":118,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1620927999138163,"flow_dst_last_pkt_time":1620927999138093,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620927999138163,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EsmPAbugsPXrcnmk94AQECxIWgAAAQEICjQMmZw8IAx5"} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1620927999138166,"flow_dst_last_pkt_time":1620927999138095,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620927999138166,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EsmQAbsCvXBxSS7VUoAQECxktgAAAQEICjQMmZw8IAx6"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1620927999112216,"flow_dst_last_pkt_time":1620927999140847,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620927999140847,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG7yZFyBGfZy0T4r6AS\/og7hgAAAgQFrAQCCAo8IAx9NAyZgwEDAwc="} @@ -35,16 +35,16 @@ 01078{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999141444,"flow_dst_last_pkt_time":1620927999138095,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927999141444,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01078{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":125,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999143664,"flow_dst_last_pkt_time":1620927999138093,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927999143664,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01078{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":126,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999148674,"flow_dst_last_pkt_time":1620927999140847,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620927999148674,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01575{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":154,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927999167352,"flow_dst_last_pkt_time":1620927999167300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":16303,"midstream":0,"thread_ts_usec":1620927999167352,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":23282.8,"max":221390,"stddev":50495.5,"var":2549799168.0,"ent":3.1,"data": [27372,27441,16192,42139,1225,27152,10064,34749,19,24715,195798,221390,1843,27432,3443,28677,1090,241,26560,1009,109,1111,130,120,236,127,123,253,261,233,512]},"pktlen": {"min":66,"avg":622.9,"max":1506,"stddev":649.7,"var":422127.9,"ent":4.2,"data": [78,74,66,746,66,326,66,146,66,369,66,433,66,1406,66,436,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]}} +01974{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":154,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927999167352,"flow_dst_last_pkt_time":1620927999167300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":16303,"midstream":0,"thread_ts_usec":1620927999167352,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":23282.8,"max":221390,"stddev":50495.5,"var":2549799168.0,"ent":3.1,"data": [27372,27441,16192,42139,1225,27152,10064,34749,19,24715,195798,221390,1843,27432,3443,28677,1090,241,26560,1009,109,1111,130,120,236,127,123,253,261,233,512]},"pktlen": {"min":52,"avg":608.9,"max":1492,"stddev":649.7,"var":422127.9,"ent":4.1,"data": [64,60,52,732,52,312,52,132,52,355,52,419,52,1392,52,422,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0],"entropies": [4.459277153,5.146034718,4.976373672,7.228655815,5.010550499,6.920869827,4.976373672,6.311110497,5.008629799,7.354775429,4.976373672,7.419640064,4.972088814,7.854094028,4.860989094,7.443080425,5.008629799,7.863340855,7.851551056,4.976373672,7.864044666,7.884602547,4.976373672,7.881500721,7.891372204,4.976373672,7.871342182,7.873107433,4.976373672,7.874297619,7.860782623,4.976373672]}} 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":154,"source":"firefox.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620927998806443,"flow_src_last_pkt_time":1620927999167352,"flow_dst_last_pkt_time":1620927999167300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":16303,"midstream":0,"thread_ts_usec":1620927999167352,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51588,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":156,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999141444,"flow_dst_last_pkt_time":1620927999169718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620927999169718,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":159,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999143664,"flow_dst_last_pkt_time":1620927999170826,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620927999170826,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":163,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999148674,"flow_dst_last_pkt_time":1620927999179715,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":260,"flow_src_tot_l4_payload_len":680,"flow_dst_tot_l4_payload_len":260,"midstream":0,"thread_ts_usec":1620927999179715,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01558{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999226479,"flow_dst_last_pkt_time":1620927999226567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16403,"midstream":0,"thread_ts_usec":1620927999226567,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":7431.5,"max":29597,"stddev":10227.7,"var":104605344.0,"ent":3.7,"data": [26761,26832,3278,29208,2415,28362,2863,12850,29597,2,13859,11433,1695,114,13236,128,293,994,822,122,164,127,63,168,80,256,81,263,11998,12186,128]},"pktlen": {"min":66,"avg":614.5,"max":1506,"stddev":660.2,"var":435829.6,"ent":4.1,"data": [78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,66,1506,1506,66,1506]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,0,1]}} +01957{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999226479,"flow_dst_last_pkt_time":1620927999226567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16403,"midstream":0,"thread_ts_usec":1620927999226567,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":7431.5,"max":29597,"stddev":10227.7,"var":104605344.0,"ent":3.7,"data": [26761,26832,3278,29208,2415,28362,2863,12850,29597,2,13859,11433,1695,114,13236,128,293,994,822,122,164,127,63,168,80,256,81,263,11998,12186,128]},"pktlen": {"min":52,"avg":600.5,"max":1492,"stddev":660.2,"var":435829.6,"ent":4.1,"data": [64,60,52,732,52,312,52,132,422,52,355,52,52,1492,1492,52,1492,52,1492,52,1492,52,1492,52,1492,1492,52,52,1492,1492,52,1492]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,0,1],"entropies": [4.377322197,5.220872402,5.014835358,7.213215351,5.008629799,6.968000412,5.014835358,6.313750267,7.425912857,5.085553169,7.267926216,5.014835358,5.008629799,7.858884811,7.871315002,4.976373672,7.877995014,4.931210041,7.875296116,5.053297043,7.839466572,4.931210041,7.867573261,4.976373672,7.859172344,7.851386070,5.014835358,4.892748356,7.876949787,7.858725071,4.976373672,7.891367435]}} 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":322,"source":"firefox.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999111334,"flow_src_last_pkt_time":1620927999226479,"flow_dst_last_pkt_time":1620927999226567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16403,"midstream":0,"thread_ts_usec":1620927999226567,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51600,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01559{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":348,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999243663,"flow_dst_last_pkt_time":1620927999243600,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620927999243663,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":8622.9,"max":45603,"stddev":12422.0,"var":154305440.0,"ent":3.6,"data": [28117,28187,5501,31657,1076,27239,20259,3957,45603,1275,22621,2846,3133,147,6125,104,193,162,80,94,95,129,121,148,217,366,254,1527,18636,26,17416]},"pktlen": {"min":66,"avg":592.4,"max":1506,"stddev":641.5,"var":411570.0,"ent":4.1,"data": [78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,1506,66,1506,799,66]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0]}} +01958{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":348,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999243663,"flow_dst_last_pkt_time":1620927999243600,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620927999243663,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":8622.9,"max":45603,"stddev":12422.0,"var":154305440.0,"ent":3.6,"data": [28117,28187,5501,31657,1076,27239,20259,3957,45603,1275,22621,2846,3133,147,6125,104,193,162,80,94,95,129,121,148,217,366,254,1527,18636,26,17416]},"pktlen": {"min":52,"avg":578.4,"max":1492,"stddev":641.5,"var":411570.0,"ent":4.1,"data": [64,60,52,732,52,312,52,132,422,52,355,52,52,1492,1492,52,1492,52,1492,52,1492,52,1492,52,1492,1492,52,1492,52,1492,785,52]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0],"entropies": [4.428027153,5.200119972,4.976374149,7.195712090,5.085553169,6.972116470,5.014835835,6.221041679,7.470200539,5.008629799,7.370405674,5.014835358,5.124014854,7.847041607,7.873993397,4.976373672,7.857460022,4.854287148,7.870365620,5.053297043,7.837957382,4.931210041,7.879583359,5.053297043,7.881470203,7.859474659,5.014835358,7.886620045,4.892748356,7.869515896,7.724751472,5.014835358]}} 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":348,"source":"firefox.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999109976,"flow_src_last_pkt_time":1620927999243663,"flow_dst_last_pkt_time":1620927999243600,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":15696,"midstream":0,"thread_ts_usec":1620927999243663,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51599,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01555{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":500,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999264777,"flow_dst_last_pkt_time":1620927999264937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":13869,"midstream":0,"thread_ts_usec":1620927999264937,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":9847.8,"max":37388,"stddev":13420.2,"var":180101408.0,"ent":3.6,"data": [28631,28716,7742,37388,1480,31124,2184,12981,31005,84,15910,15394,488,119,15971,252,383,635,139,236,17,375,2,151,475,36484,124,120,36112,183,377]},"pktlen": {"min":66,"avg":547.2,"max":1506,"stddev":619.5,"var":383804.7,"ent":4.1,"data": [78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,1506,66,1506,1506,412,66,66,66,445,66,1506,1506,66,66,1506]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,0,1]}} +01954{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":500,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999264777,"flow_dst_last_pkt_time":1620927999264937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":13869,"midstream":0,"thread_ts_usec":1620927999264937,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":9847.8,"max":37388,"stddev":13420.2,"var":180101408.0,"ent":3.6,"data": [28631,28716,7742,37388,1480,31124,2184,12981,31005,84,15910,15394,488,119,15971,252,383,635,139,236,17,375,2,151,475,36484,124,120,36112,183,377]},"pktlen": {"min":52,"avg":533.2,"max":1492,"stddev":619.5,"var":383804.7,"ent":4.0,"data": [64,60,52,732,52,312,52,132,422,52,355,52,52,1492,1492,52,1492,1492,52,1492,1492,398,52,52,52,431,52,1492,1492,52,52,1492]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,0,1],"entropies": [4.459277153,5.220872402,5.014835358,7.209626675,5.085553169,7.008624077,5.014835358,6.200282097,7.566779613,5.085553646,7.353106976,5.014835358,5.124014854,7.878056049,7.889544964,5.014835358,7.892714977,7.877523899,5.014835358,7.856287479,7.859073639,7.445496559,4.961856842,4.945419312,4.892748833,7.390010357,5.047091484,7.860656738,7.870811462,5.014835358,4.892748833,7.870283127]}} 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":500,"source":"firefox.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620927999112216,"flow_src_last_pkt_time":1620927999264777,"flow_dst_last_pkt_time":1620927999264937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":13869,"midstream":0,"thread_ts_usec":1620927999264937,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51601,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.3","ja3":"df208241e7f3897d4ca38cfe68eabb21","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5441,"source":"firefox.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":436,"flow_dst_packets_processed":629,"flow_first_seen":1620927997754367,"flow_src_last_pkt_time":1620927999853445,"flow_dst_last_pkt_time":1620927999852827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":4766,"flow_dst_tot_l4_payload_len":886436,"midstream":0,"thread_ts_usec":1620927999948696,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51577,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":5441,"source":"firefox.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":408,"flow_dst_packets_processed":623,"flow_first_seen":1620927998782772,"flow_src_last_pkt_time":1620927999948696,"flow_dst_last_pkt_time":1620927999948604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3687,"flow_dst_tot_l4_payload_len":865816,"midstream":0,"thread_ts_usec":1620927999948696,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":51583,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -61,10 +61,10 @@ ~~ total active/idle flows...: 6/6 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6547608 bytes -~~ total memory freed........: 6547608 bytes -~~ total allocations/frees...: 127043/127043 +~~ total memory allocated....: 6548424 bytes +~~ total memory freed........: 6548424 bytes +~~ total allocations/frees...: 127049/127049 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1707 chars -~~ json string avg len.......: 1098 chars +~~ json string max len.......: 2106 chars +~~ json string avg len.......: 1298 chars diff --git a/test/results/fix.pcap.out b/test/results/fix.pcap.out index e58932945..d49e75d06 100644 --- a/test/results/fix.pcap.out +++ b/test/results/fix.pcap.out @@ -29,7 +29,7 @@ 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"fix.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1493755109654913,"flow_dst_last_pkt_time":1493755109655079,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1493755109655079,"pkt":"ACJNe\/gxTHK5MeMlCABFAAA07JVAAEAGb0LAqAAUCBEWH7taD6B8NqfnDJ+ZSYAQhgAbHwAAAQEICho\/VIrKvigo"} 00642{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"fix.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1493755109654913,"flow_dst_last_pkt_time":1493755109655263,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":152,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":152,"pkt_l4_len":118,"thread_ts_usec":1493755109655263,"pkt":"ACJNe\/gxTHK5MeMlCABFAACK7JZAAEAGbuvAqAAUCBEWH7taD6B8NqfnDJ+ZSYAYhgDh+QAAAQEICho\/VIrKvigoOD1GSVhDT01QATk9NzEBeJwNx7ENgDAMBED9QER+x684kdwisQEtDR0N+xdw3WXtx9miEbPMQugqQ48\/iuGQlxuHyXzjXMrlCdLrvt4HtKKED90WDdY="} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":63,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1493755109941137,"flow_dst_last_pkt_time":1493755109440588,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1493755109941137,"pkt":"THK5MeMlACJNe\/gxCABFAABLyzQAADIGwMPQ9WsDwKgAFA+gshDsZRDXr0wvBlAYWgiDjAAAOD1PATk9MDAyNAEzNT1HAQCIAAAAWQxAldWZn+Q2dgAAAAE="} -01705{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"fix.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109301176,"flow_src_last_pkt_time":1493755110311293,"flow_dst_last_pkt_time":1493755110311459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":457,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":86,"midstream":1,"thread_ts_usec":1493755110311459,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45578,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":170,"avg":65174.2,"max":314954,"stddev":68088.5,"var":4636038656.0,"ent":4.4,"data": [170,209,52428,3585,93980,87569,49399,50741,50707,52796,52875,49653,49630,49737,49707,49456,49402,49750,49791,49981,50005,49926,49930,49589,49596,49797,49760,50218,50168,314891,314954]},"pktlen": {"min":54,"avg":107.1,"max":511,"stddev":87.5,"var":7658.2,"ent":4.7,"data": [93,60,140,169,54,60,511,60,230,60,233,60,143,60,110,60,185,60,112,60,81,60,106,60,81,60,89,60,108,60,81,60]},"bins": {"c_to_s": [4,6,1,1,1,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +02099{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"fix.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109301176,"flow_src_last_pkt_time":1493755110311293,"flow_dst_last_pkt_time":1493755110311459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":457,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":86,"midstream":1,"thread_ts_usec":1493755110311459,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45578,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":170,"avg":65174.2,"max":314954,"stddev":68088.5,"var":4636038656.0,"ent":4.4,"data": [170,209,52428,3585,93980,87569,49399,50741,50707,52796,52875,49653,49630,49737,49707,49456,49402,49750,49791,49981,50005,49926,49930,49589,49596,49797,49760,50218,50168,314891,314954]},"pktlen": {"min":40,"avg":93.1,"max":497,"stddev":87.5,"var":7658.2,"ent":4.6,"data": [79,46,126,155,40,46,497,46,216,46,219,46,129,46,96,46,171,46,98,46,67,46,92,46,67,46,75,46,94,46,67,46]},"bins": {"c_to_s": [4,6,1,1,1,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.154581547,4.414441109,6.395655632,5.091774940,4.780641556,4.457919598,5.201892376,4.414441109,4.962749958,4.457919598,5.236365318,4.414441109,5.106607437,4.457919598,5.098806381,4.457919598,5.104629040,4.398030281,5.136437416,4.347350597,5.144082069,4.457919598,4.962267876,4.414441109,5.073113441,4.370962620,5.166584492,4.457919598,4.922869682,4.457919598,5.102964401,4.370963097]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":87,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755110320014,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110320014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":77,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":77,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":77,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755110320014,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38652,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00613{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110320014,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":131,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":131,"pkt_l4_len":97,"thread_ts_usec":1493755110320014,"pkt":"THK5MeMlACJNe\/gxCABFAAB1U\/wAADIGN9LQ9WsDwKgAFA+glvwzTd9PWnk+l1AYb96N\/wAAOD1PATk9MDA2NgEzNT1HAQHYAAAABVkI5OEMFeFiPZCEMAATlYJyAAAABFkI5OEMFVZHfdCEMAATwIJ3AAAABlkI5OEIW+2APQJxEAQ="} 00849{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755110320014,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110320014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":77,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":77,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":77,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755110320014,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38652,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} @@ -38,14 +38,14 @@ 00846{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":88,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755110328857,"flow_dst_last_pkt_time":1493755110328857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755110328857,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":89,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1493755110328857,"flow_dst_last_pkt_time":1493755110328967,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1493755110328967,"pkt":"ACJNe\/gxTHK5MeMlCABFAAA0b9ZAAEAG7AHAqAAUCBEWH5\/WD6D+vKsbjSdUdYAQ\/\/\/knQAAAQEICtZGrHjKvirJ"} 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":92,"source":"fix.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1493755110320014,"flow_dst_last_pkt_time":1493755110362185,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1493755110362185,"pkt":"ACJNe\/gxTHK5MeMlCABFAAAouAtAAEAGhg\/AqAAU0PVrA5b8D6BaeT6XM03fnFAQ\/GxkGwAAAAAAAAAA"} -01692{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":114,"source":"fix.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109264927,"flow_src_last_pkt_time":1493755110667807,"flow_dst_last_pkt_time":1493755110668000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":69,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":553,"flow_dst_tot_l4_payload_len":87,"midstream":1,"thread_ts_usec":1493755110668000,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":47968,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":90514.6,"max":300186,"stddev":84141.6,"var":7079807488.0,"ent":4.2,"data": [147,100141,123,100163,124,100018,123,100053,25,99913,99995,100225,100166,100788,100836,300170,29,300186,26,222,17881,82390,142005,200503,158539,99966,99944,398,386,200212,200256]},"pktlen": {"min":66,"avg":86.0,"max":153,"stddev":23.6,"var":558.3,"ent":4.9,"data": [96,66,101,92,66,66,101,100,66,66,92,66,135,66,91,66,105,135,66,66,153,66,105,66,101,66,101,66,90,66,98,66]},"bins": {"c_to_s": [6,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +02084{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":114,"source":"fix.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109264927,"flow_src_last_pkt_time":1493755110667807,"flow_dst_last_pkt_time":1493755110668000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":69,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":553,"flow_dst_tot_l4_payload_len":87,"midstream":1,"thread_ts_usec":1493755110668000,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":47968,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":90514.6,"max":300186,"stddev":84141.6,"var":7079807488.0,"ent":4.2,"data": [147,100141,123,100163,124,100018,123,100053,25,99913,99995,100225,100166,100788,100836,300170,29,300186,26,222,17881,82390,142005,200503,158539,99966,99944,398,386,200212,200256]},"pktlen": {"min":52,"avg":72.0,"max":139,"stddev":23.6,"var":558.3,"ent":4.9,"data": [82,52,87,78,52,52,87,86,52,52,78,52,121,52,77,52,91,121,52,52,139,52,91,52,87,52,87,52,76,52,84,52]},"bins": {"c_to_s": [6,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1],"entropies": [5.351819992,5.248330116,5.436416626,5.363250256,5.103910923,5.156889915,5.413428307,5.384781837,5.115703106,5.168681622,5.321646214,5.132944584,5.563299656,5.209868431,5.466999531,5.248330116,5.438351631,5.219768047,5.118427753,5.132945061,6.504659653,5.091758728,5.478478432,5.209868431,5.454665184,5.171406746,5.204155445,5.209868431,5.232492447,5.209868431,5.401538372,5.132945061]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00608{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1493755111422176,"flow_dst_last_pkt_time":1493755110328967,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"thread_ts_usec":1493755111422176,"pkt":"THK5MeMlACJNe\/gxCABFAABwiaEAAPUGXPoIERYfwKgAFA+gn9aNJ1R1\/ryrG4AY\/\/+zfAAAAQEICsq+Lw\/WRqx4OD1PATk9MDA0OQEzNT1HAQFQAAAADVkI5OEMFgYg3VCIUAATiYF3AAAADFkI5OEMB9wg3RAAEAATiYAA"} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":155,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755111956116,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755111956116,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38646,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":155,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956116,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1493755111956116,"pkt":"THK5MeMlACJNe\/gxCABFAABP7\/wAADIGm\/fQ9WsDwKgAFA+glvYLJrChYuT9OVAYYmg1SgAAOD1GSVguNC4xATk9MDAwMTQBMzU9MQExMTI9ZmFybQExMD0yMTcB"} 00850{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":155,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755111956116,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755111956116,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":38646,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":156,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956292,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1493755111956292,"pkt":"ACJNe\/gxTHK5MeMlCABFAAAoPOZAAEAGATXAqAAU0PVrA5b2D6Bi5P05CyawyFAQ\/Gz0DgAAAAAAAAAA"} 00630{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":157,"source":"fix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1493755111956116,"flow_dst_last_pkt_time":1493755111956474,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":139,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":139,"pkt_l4_len":105,"thread_ts_usec":1493755111956474,"pkt":"ACJNe\/gxTHK5MeMlCABFAAB9POdAAEAGAN\/AqAAU0PVrA5b2D6Bi5P05CyawyFAY\/GyQmgAAOD1GSVhDT01QATk9NzABeJwFwTEKgEAMBEDyII\/dJIu5g7SCP7C1sbPx\/4Uz1cd5jRy02UDKQg2LbFAVafJ2cIfgG+dSraCR3s\/9vUY05fYD3SIN0A=="} -01715{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"fix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109242949,"flow_src_last_pkt_time":1493755111999185,"flow_dst_last_pkt_time":1493755111999341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":1313,"flow_dst_tot_l4_payload_len":85,"midstream":1,"thread_ts_usec":1493755111999341,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":43594,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":177826.7,"max":291268,"stddev":112931.7,"var":12753577984.0,"ent":4.5,"data": [209,293,265,250589,114,250615,24,223,18233,232135,291268,250073,208970,250691,250733,250586,250560,250658,250654,250671,250658,250632,30,250660,26,251471,251453,249735,249759,250325,250315]},"pktlen": {"min":66,"avg":109.7,"max":254,"stddev":52.0,"var":2700.5,"ent":4.8,"data": [152,66,91,66,105,152,66,66,151,66,169,66,169,66,186,66,169,66,169,66,118,66,254,113,66,66,135,66,203,66,118,66]},"bins": {"c_to_s": [2,4,3,5,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +02111{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"fix.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109242949,"flow_src_last_pkt_time":1493755111999185,"flow_dst_last_pkt_time":1493755111999341,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":1313,"flow_dst_tot_l4_payload_len":85,"midstream":1,"thread_ts_usec":1493755111999341,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":43594,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":177826.7,"max":291268,"stddev":112931.7,"var":12753577984.0,"ent":4.5,"data": [209,293,265,250589,114,250615,24,223,18233,232135,291268,250073,208970,250691,250733,250586,250560,250658,250654,250671,250658,250632,30,250660,26,251471,251453,249735,249759,250325,250315]},"pktlen": {"min":52,"avg":95.7,"max":240,"stddev":52.0,"var":2700.5,"ent":4.8,"data": [138,52,77,52,91,138,52,52,137,52,155,52,155,52,172,52,155,52,155,52,104,52,240,99,52,52,121,52,189,52,104,52]},"bins": {"c_to_s": [2,4,3,5,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1],"entropies": [5.494600296,5.156889439,5.286477566,5.118427753,5.354906082,5.367415428,5.156889915,5.118428230,6.408948421,5.130219936,5.439220428,5.209867954,5.526780605,5.248329639,5.560081959,5.171406746,5.428024292,5.209867954,5.492540359,5.209868431,5.433600426,5.171406746,5.581422329,5.564811230,5.171406746,5.209867954,5.463109970,5.209867954,5.382565022,5.209867954,5.537013054,5.209868431]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":209,"source":"fix.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755113353296,"flow_src_last_pkt_time":1493755113353296,"flow_dst_last_pkt_time":1493755113353296,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755113353296,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":39094,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":209,"source":"fix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1493755113353296,"flow_dst_last_pkt_time":1493755113353296,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":93,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":93,"pkt_l4_len":59,"thread_ts_usec":1493755113353296,"pkt":"THK5MeMlACJNe\/gxCABFAABP8tQAADIGmR\/Q9WsDwKgAFA+gmLZKUJEYQJIHD1AYWpQ0OgAAOD1GSVguNC4xATk9MDAwMTQBMzU9MQExMTI9ZmFybQExMD0yMTcB"} 00851{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":209,"source":"fix.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755113353296,"flow_src_last_pkt_time":1493755113353296,"flow_dst_last_pkt_time":1493755113353296,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755113353296,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":39094,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} @@ -63,8 +63,8 @@ 00848{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":419,"source":"fix.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1493755117668152,"flow_src_last_pkt_time":1493755117668152,"flow_dst_last_pkt_time":1493755117668152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1493755117668152,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40928,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00647{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":420,"source":"fix.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1493755117668152,"flow_dst_last_pkt_time":1493755117668466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":152,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":152,"pkt_l4_len":118,"thread_ts_usec":1493755117668466,"pkt":"ACJNe\/gxTHK5MeMlCABFAACK1yxAAEAGhFXAqAAUCBEWH5\/gD6Bu8UTiG402I4AY\/+CkEwAAAQEICnIP3\/PKvkd1OD1GSVhDT01QATk9NzEBeJwFwbENgDAMBEB5IKJ\/Ow5OpG+R2ICWho6G\/QvuSsd5td5oU0BPixQsusCsLEuXgzsSvnGurBXDSNdzf68R4gj7Ad5tDd0="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":425,"source":"fix.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1493755117687593,"flow_dst_last_pkt_time":1493755117668466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1493755117687593,"pkt":"THK5MeMlACJNe\/gxCABFAAA09L8AAPUG8hcIERYfwKgAFA+gn+AbjTYjbvFFOIAQ\/\/9+KwAAAQEICsq+R4lyD9\/z"} -01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":554,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109440420,"flow_src_last_pkt_time":1493755120254899,"flow_dst_last_pkt_time":1493755120295550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":498,"flow_dst_tot_l4_payload_len":173,"midstream":1,"thread_ts_usec":1493755120295550,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45584,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":168,"avg":699019.6,"max":5507323,"stddev":1280900.8,"var":1640706605056.0,"ent":3.7,"data": [168,500717,500699,200419,200471,184,89723,210661,340264,500679,460548,5507291,5507323,600979,600971,400442,400455,700964,700990,400404,400386,600557,600559,400806,400807,600830,600822,215,54314,45693,140268]},"pktlen": {"min":54,"avg":77.6,"max":141,"stddev":21.9,"var":481.2,"ent":4.9,"data": [89,60,89,60,93,60,141,54,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,93,60,140,54,89,60]},"bins": {"c_to_s": [2,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} -01756{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1180,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755130974521,"flow_dst_last_pkt_time":1493755130974683,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":651,"flow_dst_tot_l4_payload_len":170,"midstream":1,"thread_ts_usec":1493755130974683,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":110,"avg":1331983.5,"max":4175061,"stddev":1132458.4,"var":1282462056448.0,"ent":4.4,"data": [110,1093319,1093395,599016,598995,1546128,1546141,239,22763,2072709,2137804,913298,870712,442005,442027,3366066,3366054,1195438,1195405,437653,437695,1550229,1550211,211,22417,1711389,1774342,1498173,1457475,4175061,4175010]},"pktlen": {"min":66,"avg":91.7,"max":151,"stddev":28.5,"var":811.2,"ent":4.9,"data": [105,66,126,66,105,66,105,66,151,66,105,66,105,66,126,66,105,66,126,66,105,66,105,66,151,66,105,66,147,66,105,66]},"bins": {"c_to_s": [2,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +02125{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":554,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755109440420,"flow_src_last_pkt_time":1493755120254899,"flow_dst_last_pkt_time":1493755120295550,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":498,"flow_dst_tot_l4_payload_len":173,"midstream":1,"thread_ts_usec":1493755120295550,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45584,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":168,"avg":699019.6,"max":5507323,"stddev":1280900.8,"var":1640706605056.0,"ent":3.7,"data": [168,500717,500699,200419,200471,184,89723,210661,340264,500679,460548,5507291,5507323,600979,600971,400442,400455,700964,700990,400404,400386,600557,600559,400806,400807,600830,600822,215,54314,45693,140268]},"pktlen": {"min":40,"avg":63.6,"max":127,"stddev":21.9,"var":481.2,"ent":4.9,"data": [75,46,75,46,79,46,127,40,75,46,75,46,75,46,75,46,75,46,75,46,75,46,75,46,75,46,79,46,126,40,75,46]},"bins": {"c_to_s": [2,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1],"entropies": [4.945594788,4.398030758,5.188046455,4.398030758,5.199008465,4.457919598,6.476713657,4.730641365,4.962196827,4.457919598,5.241379738,4.501398087,5.161379337,4.501398087,5.025595188,4.457919598,5.052261829,4.457919598,5.214713573,4.457919598,5.224778175,4.501398087,5.241379738,4.457919598,5.025595188,4.501398087,5.249641418,4.501398087,6.379781723,4.730641365,4.998929024,4.457919598]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +02145{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1180,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755130974521,"flow_dst_last_pkt_time":1493755130974683,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":651,"flow_dst_tot_l4_payload_len":170,"midstream":1,"thread_ts_usec":1493755130974683,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":110,"avg":1331983.5,"max":4175061,"stddev":1132458.4,"var":1282462056448.0,"ent":4.4,"data": [110,1093319,1093395,599016,598995,1546128,1546141,239,22763,2072709,2137804,913298,870712,442005,442027,3366066,3366054,1195438,1195405,437653,437695,1550229,1550211,211,22417,1711389,1774342,1498173,1457475,4175061,4175010]},"pktlen": {"min":52,"avg":77.7,"max":137,"stddev":28.5,"var":811.2,"ent":4.9,"data": [91,52,112,52,91,52,91,52,137,52,91,52,91,52,112,52,91,52,112,52,91,52,91,52,137,52,91,52,133,52,91,52]},"bins": {"c_to_s": [2,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1],"entropies": [5.567693233,5.103910923,5.539355278,5.053297043,5.492160797,5.118427753,5.446647644,5.118427753,6.341468334,5.115703106,5.351537228,5.171406269,5.539231300,5.171406746,5.445882797,5.171406746,5.442563534,5.118428230,5.588550091,5.209868431,5.417931080,5.209867954,5.425766945,5.132945061,6.498472691,5.168681622,5.496372223,5.094483376,5.470992565,5.171406269,5.501759529,5.171406746]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00900{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1261,"source":"fix.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":228,"flow_dst_packets_processed":228,"flow_first_seen":1493755109301176,"flow_src_last_pkt_time":1493755132102784,"flow_dst_last_pkt_time":1493755132102954,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":457,"flow_dst_max_l4_payload_len":86,"flow_src_tot_l4_payload_len":14021,"flow_dst_tot_l4_payload_len":258,"midstream":1,"thread_ts_usec":1493755132120045,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45578,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00896{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1261,"source":"fix.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":35,"flow_dst_packets_processed":35,"flow_first_seen":1493755109440420,"flow_src_last_pkt_time":1493755131869860,"flow_dst_last_pkt_time":1493755131870022,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":1132,"flow_dst_tot_l4_payload_len":260,"midstream":1,"thread_ts_usec":1493755132120045,"l3_proto":"ip4","src_ip":"208.245.107.3","dst_ip":"192.168.0.20","src_port":4000,"dst_port":45584,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00892{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1261,"source":"fix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":18,"flow_first_seen":1493755110328857,"flow_src_last_pkt_time":1493755132019095,"flow_dst_last_pkt_time":1493755132019254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":85,"flow_src_tot_l4_payload_len":750,"flow_dst_tot_l4_payload_len":170,"midstream":1,"thread_ts_usec":1493755132120045,"l3_proto":"ip4","src_ip":"8.17.22.31","dst_ip":"192.168.0.20","src_port":4000,"dst_port":40918,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} @@ -86,10 +86,10 @@ ~~ total active/idle flows...: 12/12 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6114650 bytes -~~ total memory freed........: 6114650 bytes -~~ total allocations/frees...: 122870/122870 +~~ total memory allocated....: 6116282 bytes +~~ total memory freed........: 6116282 bytes +~~ total allocations/frees...: 122882/122882 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1761 chars -~~ json string avg len.......: 1123 chars +~~ json string max len.......: 2150 chars +~~ json string avg len.......: 1318 chars diff --git a/test/results/fix2.pcap.out b/test/results/fix2.pcap.out index 9863e4d62..1d0835295 100644 --- a/test/results/fix2.pcap.out +++ b/test/results/fix2.pcap.out @@ -10,8 +10,8 @@ 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1614758889589020,"flow_dst_last_pkt_time":1614758889589588,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1614758889589588,"pkt":"WgXZu6TVApXG95WRCABFAAAweT8AAIAGrLMKZgAJCmUAAgQAiJMt1EWWLdRCK3ASgAF\/OwAAAgQFtAMDAQA="} 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1614758889589590,"flow_dst_last_pkt_time":1614758889589588,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1614758889589590,"pkt":"5kBKB+riApXG95NLCABFAAAoeUAAAIAGAAAKZQACCmYACYiTBAAt1EIrLdRFl1AQgAEU8AAAAAAAAAAA"} 00844{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889589592,"flow_dst_last_pkt_time":1614758889589588,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":85,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1614758889589592,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} -01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":56,"source":"fix2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889588862,"flow_src_last_pkt_time":1614758889589960,"flow_dst_last_pkt_time":1614758889589962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":669,"flow_dst_tot_l4_payload_len":911,"midstream":0,"thread_ts_usec":1614758889589962,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":34962,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":73.3,"max":652,"stddev":161.3,"var":26006.9,"ent":3.1,"data": [641,652,12,92,71,9,33,29,203,208,31,32,5,2,23,28,2,2,8,8,11,13,25,23,5,4,9,5,7,5]},"pktlen": {"min":60,"avg":106.6,"max":174,"stddev":46.7,"var":2179.9,"ent":4.9,"data": [62,62,60,139,62,60,147,144,60,152,144,152,146,60,60,147,60,60,60,152,60,174,157,174,60,60,60,60,157,147,160,152]},"bins": {"c_to_s": [7,0,4,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,3,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,1,0,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} -01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889590049,"flow_dst_last_pkt_time":1614758889590048,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":762,"flow_dst_tot_l4_payload_len":801,"midstream":0,"thread_ts_usec":1614758889590049,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":70.9,"max":570,"stddev":141.3,"var":19970.8,"ent":3.3,"data": [568,570,2,146,145,106,1,105,2,16,6,26,48,7,14,19,2,2,18,19,48,49,27,12,37,4,6,27,25]},"pktlen": {"min":60,"avg":106.0,"max":174,"stddev":46.1,"var":2122.5,"ent":4.9,"data": [62,62,60,139,147,144,152,62,60,144,60,60,152,146,60,147,60,152,60,174,157,147,160,60,60,60,160,162,144,60,60,60]},"bins": {"c_to_s": [6,0,5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,3,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,1,1,1,0,1,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +01987{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":56,"source":"fix2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889588862,"flow_src_last_pkt_time":1614758889589960,"flow_dst_last_pkt_time":1614758889589962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":669,"flow_dst_tot_l4_payload_len":911,"midstream":0,"thread_ts_usec":1614758889589962,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":34962,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":73.3,"max":652,"stddev":161.3,"var":26006.9,"ent":3.1,"data": [641,652,12,92,71,9,33,29,203,208,31,32,5,2,23,28,2,2,8,8,11,13,25,23,5,4,9,5,7,5]},"pktlen": {"min":46,"avg":92.6,"max":160,"stddev":46.7,"var":2179.9,"ent":4.8,"data": [48,48,46,125,48,46,133,130,46,138,130,138,132,46,46,133,46,46,46,138,46,160,143,160,46,46,46,46,143,133,146,138]},"bins": {"c_to_s": [7,0,4,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,3,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,1,0,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1],"entropies": [3.876627445,4.502165794,3.795586109,5.147858620,4.543832302,3.752108097,5.214525223,5.327383041,4.032184124,5.397408485,5.326416016,5.390491009,5.234700680,4.032184124,4.032184124,5.214525223,3.795585871,4.032184601,3.795585871,5.411900997,3.795585871,5.292957783,5.260262489,5.336493969,3.795586109,4.032184124,3.988706112,4.032184124,5.260262489,5.196290016,5.370437145,5.404983521]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} +01991{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889590049,"flow_dst_last_pkt_time":1614758889590048,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":762,"flow_dst_tot_l4_payload_len":801,"midstream":0,"thread_ts_usec":1614758889590049,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":70.9,"max":570,"stddev":141.3,"var":19970.8,"ent":3.3,"data": [568,570,2,146,145,106,1,105,2,16,6,26,48,7,14,19,2,2,18,19,48,49,27,12,37,4,6,27,25]},"pktlen": {"min":46,"avg":92.0,"max":160,"stddev":46.1,"var":2122.5,"ent":4.8,"data": [48,48,46,125,133,130,138,48,46,130,46,46,138,132,46,133,46,138,46,160,143,133,146,46,46,46,146,148,130,46,46,46]},"bins": {"c_to_s": [6,0,5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,3,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,1,1,1,0,1,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1,1,0],"entropies": [3.944233894,4.517892838,3.795586348,5.115859032,5.169412613,5.333189964,5.351288795,4.517892838,3.795586109,5.341800690,4.032184601,4.032184124,5.369617462,5.205471516,4.075662613,5.190125942,3.839064360,5.365781307,3.839064360,5.331775665,5.255437374,5.190015793,5.411532879,4.075662613,4.075662613,4.075662613,5.397834301,5.453368664,5.342391014,4.075662136,4.075662613,3.839064121]},"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00899{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3049,"source":"fix2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":683,"flow_dst_packets_processed":1304,"flow_first_seen":1614758889588862,"flow_src_last_pkt_time":1614758889595345,"flow_dst_last_pkt_time":1614758889595344,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":13395,"flow_dst_tot_l4_payload_len":26148,"midstream":0,"thread_ts_usec":1614758889595345,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.2","src_port":34962,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00898{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3049,"source":"fix2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":411,"flow_dst_packets_processed":648,"flow_first_seen":1614758889589020,"flow_src_last_pkt_time":1614758889595307,"flow_dst_last_pkt_time":1614758889595305,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":106,"flow_dst_max_l4_payload_len":120,"flow_src_tot_l4_payload_len":10864,"flow_dst_tot_l4_payload_len":17549,"midstream":0,"thread_ts_usec":1614758889595345,"l3_proto":"ip4","src_ip":"10.101.0.2","dst_ip":"10.102.0.9","src_port":34963,"dst_port":1024,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"FIX","proto_id":"230","encrypted":0,"breed":"Safe","category_id":16,"category":"RPC"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":3049,"source":"fix2.pcap","alias":"nDPId-test","packets-captured":3049,"packets-processed":3046,"total-skipped-flows":0,"total-l4-payload-len":67956,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1614758889595345} @@ -23,10 +23,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6129695 bytes -~~ total memory freed........: 6129695 bytes -~~ total allocations/frees...: 124545/124545 +~~ total memory allocated....: 6129967 bytes +~~ total memory freed........: 6129967 bytes +~~ total allocations/frees...: 124547/124547 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1598 chars -~~ json string avg len.......: 1031 chars +~~ json string max len.......: 1996 chars +~~ json string avg len.......: 1223 chars diff --git a/test/results/flow-info/1kxun.pcap.out b/test/results/flow-info/1kxun.pcap.out index 17e357fae..1d62bb6e7 100644 --- a/test/results/flow-info/1kxun.pcap.out +++ b/test/results/flow-info/1kxun.pcap.out @@ -70,50 +70,55 @@ detected: [....30] [ip4][..tcp] [..192.168.115.8][49602] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] detected: [....31] [ip4][..tcp] [..192.168.115.8][49603] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] analyse: [....29] [ip4][..tcp] [..192.168.115.8][49601] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.056| 0.011| 0.020| 413.706| 0.000] - [PKTLEN......: 54.000| 1314.000| 835.900| 585.300|342554.800| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.056| 0.011| 0.020| 413.706| 3.100] + [PKTLEN......: 40.000| 1300.000| 821.900| 585.300| 342554.800| 4.500] [BINS(c->s)..: 8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1] [IATS(ms)....: 0.0,52.1,52.2,0.0,5.5,0.0,48.2,11.6,0.8,0.1,0.1,0.0,0.3,0.0,0.0,0.0,0.5,56.2,0.0,50.5,3.5,0.1,0.1,53.9,0.0,17.7,0.1,0.1,0.1,0.0,0.1] - [PKTLENS.....: 66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314] + [PKTLENS.....: 52,52,52,40,40,400,400,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300] + [ENTROPIES...: 4.5,4.5,5.0,4.8,4.8,5.8,5.8,4.2,5.6,7.5,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,4.7,4.7,7.8,7.8,7.8,7.8,4.7,4.7,7.8,7.8,7.8,7.8,7.9,7.8] analyse: [....30] [ip4][..tcp] [..192.168.115.8][49602] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.066| 0.012| 0.024| 579.055| 0.000] - [PKTLEN......: 54.000| 1314.000| 757.100| 600.300|360321.400| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.066| 0.012| 0.024| 579.055| 2.800] + [PKTLEN......: 40.000| 1300.000| 743.100| 600.300| 360321.400| 4.400] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,0,0,1,1,1,1,1,1,0,0] [IATS(ms)....: 0.0,54.6,54.7,0.0,4.2,0.1,64.5,0.1,0.0,0.0,0.1,0.0,0.7,0.1,0.1,0.1,61.7,0.0,0.9,65.4,0.1,66.2,0.1,0.5,2.9,0.6,0.1,0.1,0.1,3.9,0.0] - [PKTLENS.....: 66,66,66,54,54,413,413,60,373,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54] + [PKTLENS.....: 52,52,52,40,40,399,399,46,359,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300,40,40] + [ENTROPIES...: 4.5,4.5,5.0,4.7,4.7,5.8,5.8,4.4,5.6,7.5,7.8,7.8,7.8,7.8,7.8,7.8,7.8,4.8,4.8,7.8,7.8,7.8,4.8,4.8,7.8,7.8,7.8,7.8,7.8,7.8,4.8,4.8] analyse: [....27] [ip4][..tcp] [..192.168.115.8][49599] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.067| 0.012| 0.023| 544.113| 0.000] - [PKTLEN......: 54.000| 1314.000| 757.200| 600.200|360235.600| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.067| 0.012| 0.023| 544.113| 2.900] + [PKTLEN......: 40.000| 1300.000| 743.200| 600.200| 360235.600| 4.400] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1] [IATS(ms)....: 0.0,53.2,53.3,0.0,4.6,0.1,61.5,0.0,0.3,0.1,57.3,0.0,5.1,0.1,0.3,0.0,0.3,0.1,5.9,0.0,1.4,65.1,0.1,0.1,0.1,66.8,0.0,3.8,0.1,0.8,0.1] - [PKTLENS.....: 66,66,66,54,54,415,415,60,373,1314,1314,54,54,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314] + [PKTLENS.....: 52,52,52,40,40,401,401,46,359,1300,1300,40,40,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300] + [ENTROPIES...: 4.5,4.5,5.0,4.8,4.8,5.8,5.8,4.3,5.6,7.5,7.8,4.7,4.7,7.8,7.8,7.8,7.8,7.8,7.8,4.7,4.7,7.8,7.8,7.8,7.8,7.8,4.8,4.8,7.8,7.8,7.8,7.8] analyse: [....32] [ip4][..tcp] [..192.168.115.8][49604] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.096| 0.013| 0.026| 693.255| 0.000] - [PKTLEN......: 54.000| 1314.000| 847.000| 555.000|308021.300| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.096| 0.013| 0.026| 693.255| 2.700] + [PKTLEN......: 40.000| 1300.000| 833.000| 555.000| 308021.300| 4.600] [BINS(c->s)..: 6,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0] [IATS(ms)....: 0.0,50.7,50.8,0.0,5.7,0.0,60.3,0.1,0.1,0.1,0.0,0.1,0.7,0.0,0.0,0.1,0.3,56.3,0.0,72.3,0.1,0.0,0.1,0.2,0.1,0.1,0.1,0.3,0.0,96.5,0.1] - [PKTLENS.....: 66,66,66,54,54,414,414,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1314,932,423,423] + [PKTLENS.....: 52,52,52,40,40,400,400,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300,1300,1300,1300,918,409,409] + [ENTROPIES...: 4.5,4.5,5.0,4.9,4.9,5.8,5.8,4.4,5.7,7.5,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,4.8,4.8,7.8,7.8,7.8,7.8,7.8,7.9,7.8,7.9,7.8,7.7,5.8,5.8] analyse: [....28] [ip4][..tcp] [..192.168.115.8][49600] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.142| 0.016| 0.032| 1046.271| 0.000] - [PKTLEN......: 54.000| 1314.000| 836.000| 585.200|342449.500| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.142| 0.016| 0.032| 1046.271| 2.800] + [PKTLEN......: 40.000| 1300.000| 822.000| 585.200| 342449.500| 4.500] [BINS(c->s)..: 8,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1] [IATS(ms)....: 0.1,51.9,52.1,0.0,5.2,0.1,60.5,0.9,0.0,0.0,0.1,0.0,0.4,0.1,0.0,0.1,0.2,85.1,142.0,0.0,40.8,2.5,0.1,0.1,0.1,43.6,0.1,0.4,0.1,0.1,0.0] - [PKTLENS.....: 66,66,66,54,54,416,416,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314] + [PKTLENS.....: 52,52,52,40,40,402,402,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300] + [ENTROPIES...: 4.5,4.5,5.0,4.8,4.8,5.8,5.8,4.3,5.6,6.7,7.7,7.8,7.7,7.7,7.7,7.7,7.6,4.1,6.3,4.8,4.8,7.7,7.8,7.7,7.7,7.7,4.8,4.8,7.7,7.7,5.6,3.0] new: [....35] [ip4][..udp] [...192.168.5.67][..138] -> [192.168.255.255][..138] detected: [....35] [ip4][..udp] [...192.168.5.67][..138] -> [192.168.255.255][..138] [NetBIOS.SMBv1][System][Dangerous] RISK: Unsafe Protocol @@ -122,14 +127,15 @@ detected: [....36] [ip4][..tcp] [..192.168.115.8][49605] -> [.106.185.35.110][...80] [HTTP.1kxun][Streaming][Fun] detected: [....37] [ip4][..tcp] [..192.168.115.8][49606] -> [.106.185.35.110][...80] [HTTP.1kxun][Streaming][Fun] analyse: [....37] [ip4][..tcp] [..192.168.115.8][49606] -> [.106.185.35.110][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.147| 0.015| 0.033| 1100.854| 0.000] - [PKTLEN......: 54.000| 1314.000| 707.600| 612.000|374554.600| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.147| 0.015| 0.033| 1100.854| 2.600] + [PKTLEN......: 40.000| 1300.000| 693.600| 612.000| 374554.600| 4.300] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,0,1,1,1,1,1] [IATS(ms)....: 0.1,37.8,38.0,0.1,1.8,0.1,39.0,109.8,0.2,146.8,0.0,0.3,0.1,0.1,0.1,0.5,0.0,0.2,0.1,0.1,0.4,0.0,0.2,36.3,36.5,0.0,0.4,0.1,0.5,0.1,0.1] - [PKTLENS.....: 66,66,66,54,54,411,411,60,1314,1314,54,54,1314,1314,1314,1314,54,54,1314,1314,1314,54,54,1314,1314,54,54,1314,1314,1314,1314,1314] + [PKTLENS.....: 52,52,52,40,40,397,397,46,1300,1300,40,40,1300,1300,1300,1300,40,40,1300,1300,1300,40,40,1300,1300,40,40,1300,1300,1300,1300,1300] + [ENTROPIES...: 4.5,4.5,5.0,4.8,4.8,5.8,5.8,4.3,5.6,5.0,4.8,4.8,4.8,5.3,5.2,5.1,4.7,4.7,6.0,5.1,5.2,4.8,4.8,5.8,5.1,4.7,4.7,4.5,4.7,4.7,5.6,5.2] new: [....38] [ip4][..tcp] [..192.168.115.8][49607] -> [218.244.135.170][.9099] detected: [....38] [ip4][..tcp] [..192.168.115.8][49607] -> [218.244.135.170][.9099] [HTTP][Web][Acceptable] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address @@ -160,14 +166,15 @@ RISK: HTTP Numeric IP Address new: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] analyse: [....41] [ip4][..tcp] [..192.168.115.8][49609] -> [..42.120.51.152][.8080] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.399| 0.070| 0.104|10878.943| 0.000] - [PKTLEN......: 54.000| 1314.000| 364.600| 410.300|168364.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.399| 0.070| 0.104| 10878.943| 3.600] + [PKTLEN......: 40.000| 1300.000| 350.600| 410.300| 168364.100| 4.100] [BINS(c->s)..: 9,0,0,0,0,0,0,4,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0] [IATS(ms)....: 0.1,76.5,76.6,0.0,1.1,0.0,62.3,0.1,61.8,0.0,298.9,0.1,399.0,66.5,0.2,166.1,0.0,60.3,0.5,0.1,60.8,0.0,117.1,0.0,178.1,0.5,62.0,0.0,102.3,44.3,349.7] - [PKTLENS.....: 66,66,62,54,54,306,306,60,79,499,499,499,499,60,1314,1314,54,54,1314,1314,542,54,54,281,281,60,79,491,491,60,747,54] + [PKTLENS.....: 52,52,48,40,40,292,292,46,65,485,485,485,485,46,1300,1300,40,40,1300,1300,528,40,40,267,267,46,65,477,477,46,733,40] + [ENTROPIES...: 4.6,4.6,5.0,5.0,5.0,5.8,5.8,4.7,5.4,6.1,6.1,6.1,6.1,4.6,5.3,4.7,4.9,4.9,4.7,5.2,4.9,4.9,4.9,5.8,5.8,4.6,5.4,6.1,6.1,4.7,5.7,4.9] detected: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] [HTTP][Web][Acceptable] RISK: HTTP Numeric IP Address detection-update: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] [HTTP][Media][Acceptable] @@ -185,14 +192,15 @@ new: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] detected: [....55] [ip4][..udp] [...192.168.5.16][...68] -> [..192.168.119.1][...67] [DHCP][Network][Acceptable] analyse: [....49] [ip4][..tcp] [..192.168.115.8][49613] -> [.183.131.48.144][...80] [HTTP][Media][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.863| 0.183| 0.253|63925.490| 0.000] - [PKTLEN......: 54.000| 1078.000| 383.300| 452.500|204736.500| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.863| 0.183| 0.253| 63925.490| 3.600] + [PKTLEN......: 40.000| 1064.000| 369.300| 452.500| 204736.500| 3.900] [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0] [IATS(ms)....: 0.0,69.3,69.4,0.0,1.9,0.0,67.9,1.4,6.1,0.3,74.0,0.0,665.9,862.8,0.0,408.6,411.0,0.0,251.4,251.8,0.0,336.8,336.0,0.1,329.9,0.2,130.8,0.1,599.5,799.2,0.1] - [PKTLENS.....: 66,66,60,54,54,557,557,60,335,1078,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,54,54,1078,1078,54,54,1078,54,54] + [PKTLENS.....: 52,52,46,40,40,543,543,46,321,1064,1064,40,40,1064,40,40,1064,40,40,1064,40,40,1064,40,40,1064,1064,40,40,1064,40,40] + [ENTROPIES...: 4.5,4.5,4.6,4.8,4.8,5.5,5.5,4.5,5.6,3.4,2.3,4.8,4.8,2.2,4.8,4.8,2.3,4.8,4.8,2.2,4.8,4.8,2.3,4.8,4.8,2.3,2.2,4.8,4.8,2.2,4.8,4.8] new: [....56] [ip4][..udp] [.59.120.208.218][50151] -> [255.255.255.255][.1947] new: [....57] [ip4][..tcp] [..192.168.115.8][49596] -> [..203.66.182.87][..443] [MIDSTREAM] new: [....58] [ip4][..tcp] [...192.168.5.16][53613] -> [.68.233.253.133][...80] [MIDSTREAM] @@ -332,14 +340,15 @@ update: [....10] [ip6][..udp] [..............fe80::edf5:240a:c8c0:8312][61603] -> [..............................ff02::1:3][.5355] [LLMNR][Network][Acceptable] update: [....13] [ip4][..udp] [..192.168.115.8][51458] -> [....224.0.0.252][.5355] [LLMNR][Network][Acceptable] analyse: [....31] [ip4][..tcp] [..192.168.115.8][49603] -> [.106.187.35.246][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 45.001| 1.464| 7.949|63183326.806| 0.000] - [PKTLEN......: 54.000| 1314.000| 795.600| 593.200|351838.700| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 45.001| 1.464| 7.949| 63183326.806| 0.100] + [PKTLEN......: 40.000| 1300.000| 781.600| 593.200| 351838.700| 4.400] [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,17,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0] [IATS(ms)....: 0.0,54.5,54.6,0.0,4.9,0.0,65.5,0.1,0.1,0.4,0.1,0.1,0.2,0.0,0.0,0.0,0.0,61.5,0.0,69.0,0.1,0.1,0.0,0.7,0.1,0.1,0.1,0.5,70.7,0.0,45001.1] - [PKTLENS.....: 66,66,66,54,54,415,415,60,373,1314,1314,1314,1314,1314,1314,1314,1314,1314,54,54,1314,1314,1314,1314,1314,1314,1314,1314,1281,54,54,55] + [PKTLENS.....: 52,52,52,40,40,401,401,46,359,1300,1300,1300,1300,1300,1300,1300,1300,1300,40,40,1300,1300,1300,1300,1300,1300,1300,1300,1267,40,40,41] + [ENTROPIES...: 4.6,4.6,5.0,4.9,4.9,5.8,5.8,4.4,5.7,7.5,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,4.8,4.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,4.9,4.9,4.8] new: [...118] [ip4][..udp] [..192.168.0.104][..137] -> [192.168.255.255][..137] detected: [...118] [ip4][..udp] [..192.168.0.104][..137] -> [192.168.255.255][..137] [NetBIOS][System][Acceptable] new: [...119] [ip4][..udp] [...192.168.5.16][..123] -> [..17.253.26.125][..123] @@ -580,32 +589,35 @@ new: [...144] [ip4][..tcp] [..192.168.2.126][46212] -> [.172.105.121.82][...80] [MIDSTREAM] detected: [...144] [ip4][..tcp] [..192.168.2.126][46212] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] analyse: [...142] [ip4][..tcp] [..192.168.2.126][46170] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.895| 0.074| 0.190|35982.832| 0.000] - [PKTLEN......: 274.000|21666.000| 4548.200| 5608.100|31450230.000| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.895| 0.074| 0.190| 35982.832| 2.200] + [PKTLEN......: 260.000|21652.000| 4534.200| 5608.100| 31450232.000| 4.200] [BINS(c->s)..: 0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,16] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1] [IATS(ms)....: 356.2,0.1,308.1,0.1,2.4,3.2,0.1,200.2,0.1,0.0,0.0,0.0,0.0,0.0,1.6,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,895.3,372.0,0.0,1.3,0.1,1.9] - [PKTLENS.....: 278,387,13026,14466,2946,2946,1506,7266,2946,1506,2946,2946,1506,1506,1506,1506,1506,4386,6338,2946,2946,1506,1506,1506,802,274,387,17346,21666,1506,4386,17346] + [PKTLENS.....: 264,373,13012,14452,2932,2932,1492,7252,2932,1492,2932,2932,1492,1492,1492,1492,1492,4372,6324,2932,2932,1492,1492,1492,788,260,373,17332,21652,1492,4372,17332] + [ENTROPIES...: 5.9,5.7,8.0,8.0,7.9,7.9,7.9,8.0,7.9,7.8,7.9,7.9,7.9,7.8,7.8,7.9,7.8,7.9,7.9,7.9,7.9,7.9,7.8,7.8,7.7,5.8,5.8,8.0,8.0,7.9,7.9,8.0] analyse: [...139] [ip4][..tcp] [..192.168.2.126][60148] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.661| 0.481| 1.215|1476638.409| 0.000] - [PKTLEN......: 268.000|21666.000| 4999.800| 6236.200|38890032.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.661| 0.481| 1.215| 1476638.409| 2.400] + [PKTLEN......: 254.000|21652.000| 4985.800| 6236.200| 38890032.000| 4.100] [BINS(c->s)..: 0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,17] [DIRECTIONS..: 0,1,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,0,1,1,1] [IATS(ms)....: 306.1,4.8,325.8,248.8,4660.9,4604.2,0.4,0.6,0.8,1.0,367.7,0.1,0.1,2.5,311.4,0.1,1.7,0.1,878.3,204.5,1.6,1.1,216.5,375.5,0.0,1.5] - [PKTLENS.....: 268,384,6298,268,384,5682,278,386,1506,1506,7266,2946,5826,2946,10146,2946,1506,5826,2946,1506,8706,1506,5768,277,386,20226,21666,15363,278,387,2946,21666] + [PKTLENS.....: 254,370,6284,254,370,5668,264,372,1492,1492,7252,2932,5812,2932,10132,2932,1492,5812,2932,1492,8692,1492,5754,263,372,20212,21652,15349,264,373,2932,21652] + [ENTROPIES...: 5.9,5.7,7.9,5.8,5.7,7.9,5.9,5.8,7.5,7.9,8.0,7.9,7.9,7.9,8.0,7.9,7.9,7.9,7.9,7.9,8.0,7.9,7.9,5.9,5.7,8.0,8.0,8.0,5.9,5.7,7.8,8.0] analyse: [...143] [ip4][..tcp] [..192.168.2.126][46200] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.892| 0.092| 0.200|39932.170| 0.000] - [PKTLEN......: 278.000|21666.000| 6946.200| 6776.100|45915728.000| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.892| 0.092| 0.200| 39932.170| 2.500] + [PKTLEN......: 264.000|21652.000| 6932.200| 6776.100| 45915728.000| 4.300] [BINS(c->s)..: 0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,20] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 348.4,0.1,2.6,311.3,0.1,1.9,0.1,0.1,200.2,0.0,0.7,0.1,0.1,0.0,891.6,375.9,1.6,0.1,2.2,1.5,332.8,0.1,0.0,1.9,0.0,1.6,1.6] - [PKTLENS.....: 278,386,1506,11586,1506,4386,2946,13026,7266,1506,1506,1506,1506,2946,2946,1506,4605,278,388,21666,2946,10146,11586,17346,7266,18786,5826,20226,1506,10146,11586,21666] + [PKTLENS.....: 264,372,1492,11572,1492,4372,2932,13012,7252,1492,1492,1492,1492,2932,2932,1492,4591,264,374,21652,2932,10132,11572,17332,7252,18772,5812,20212,1492,10132,11572,21652] + [ENTROPIES...: 5.9,5.7,7.4,8.0,7.8,7.9,7.9,8.0,7.9,7.8,7.8,7.8,7.9,7.9,7.9,7.8,7.9,5.9,5.7,7.2,7.8,8.0,8.0,8.0,7.9,8.0,7.9,8.0,7.8,8.0,8.0,8.0] new: [...145] [ip4][..tcp] [..192.168.2.126][35200] -> [...103.29.71.30][...80] [MIDSTREAM] detected: [...145] [ip4][..tcp] [..192.168.2.126][35200] -> [...103.29.71.30][...80] [HTTP.1kxun][Streaming][Fun] new: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [MIDSTREAM] @@ -626,14 +638,15 @@ new: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [MIDSTREAM] detected: [...153] [ip4][..tcp] [..192.168.2.126][41390] -> [....18.64.79.37][...80] [HTTP.Google][Web][Acceptable] analyse: [...146] [ip4][..tcp] [..192.168.2.126][45380] -> [..161.117.13.29][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.409| 0.085| 0.132|17528.007| 0.000] - [PKTLEN......: 490.000| 8706.000| 2615.900| 2200.300|4841425.000| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.409| 0.085| 0.132| 17528.007| 3.300] + [PKTLEN......: 476.000| 8692.000| 2601.900| 2200.300| 4841425.000| 4.600] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,16,0,12] [DIRECTIONS..: 0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 380.4,4.6,408.6,215.7,0.5,1.0,1.0,178.5,0.3,0.5,379.6,185.4,1.4,0.7,331.7,5.7,174.2,6.1,0.3,0.9,170.5,0.4,6.0,1.1,0.3,0.7,169.5,0.5,0.6,5.3,0.4] - [PKTLENS.....: 831,1506,1267,502,1506,1506,7266,4386,1506,1506,2518,490,2946,8706,1506,2946,8706,2946,1506,1506,7266,1506,1506,2946,1506,1506,2946,1506,1506,2946,1506,1506] + [PKTLENS.....: 817,1492,1253,488,1492,1492,7252,4372,1492,1492,2504,476,2932,8692,1492,2932,8692,2932,1492,1492,7252,1492,1492,2932,1492,1492,2932,1492,1492,2932,1492,1492] + [ENTROPIES...: 5.9,7.7,7.8,5.9,7.6,7.9,8.0,8.0,7.9,7.9,7.9,5.9,7.8,8.0,7.9,7.9,8.0,7.9,7.9,7.9,8.0,7.9,7.8,7.9,7.8,7.8,7.9,7.9,7.9,7.9,7.9,7.9] new: [...154] [ip4][..tcp] [..192.168.2.126][51888] -> [.119.28.164.143][...80] [MIDSTREAM] detected: [...154] [ip4][..tcp] [..192.168.2.126][51888] -> [.119.28.164.143][...80] [HTTP.Tencent][SocialNetwork][Acceptable] new: [...155] [ip4][..tcp] [..192.168.2.126][38354] -> [.142.250.186.34][...80] [MIDSTREAM] @@ -654,43 +667,47 @@ new: [...162] [ip4][..tcp] [..192.168.2.126][49396] -> [.14.136.136.108][...80] [MIDSTREAM] detected: [...162] [ip4][..tcp] [..192.168.2.126][49396] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] analyse: [...157] [ip4][..tcp] [..192.168.2.126][49354] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.832| 0.077| 0.179|32207.956| 0.000] - [PKTLEN......: 351.000|10146.000| 3118.200| 2492.500|6212617.000| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.832| 0.077| 0.179| 32207.956| 2.400] + [PKTLEN......: 337.000|10132.000| 3104.200| 2492.500| 6212617.000| 4.600] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,16] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 207.0,0.4,1.1,0.7,203.5,0.4,0.5,0.8,0.4,1.2,0.6,204.0,0.5,1.9,0.8,831.8,413.6,1.5,1.6,0.4,0.9,201.6,0.4,0.6,1.0,0.9,0.4] - [PKTLENS.....: 592,351,1506,8706,2946,1506,1506,2946,1506,1506,5826,4386,1506,1506,1506,5826,2946,2946,3956,592,351,1506,8706,10146,5826,2946,1506,1506,2946,4386,4386,1506] + [PKTLENS.....: 578,337,1492,8692,2932,1492,1492,2932,1492,1492,5812,4372,1492,1492,1492,5812,2932,2932,3942,578,337,1492,8692,10132,5812,2932,1492,1492,2932,4372,4372,1492] + [ENTROPIES...: 5.8,5.8,7.8,8.0,7.9,7.8,7.9,7.9,7.9,7.9,8.0,8.0,7.9,7.9,7.9,8.0,7.9,7.9,8.0,5.9,5.8,7.8,8.0,8.0,8.0,7.9,7.9,7.9,7.9,8.0,8.0,7.9] detection-update: [...161] [ip4][..tcp] [..192.168.2.126][49412] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] detection-update: [...160] [ip4][..tcp] [..192.168.2.126][49380] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] analyse: [...159] [ip4][..tcp] [..192.168.2.126][49370] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.877| 0.084| 0.182|33133.681| 0.000] - [PKTLEN......: 351.000|15906.000| 2761.900| 3042.000|9253906.000| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.877| 0.084| 0.182| 33133.681| 2.600] + [PKTLEN......: 337.000|15892.000| 2747.900| 3042.000| 9253907.000| 4.400] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,17,0,10] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1] [IATS(ms)....: 216.8,1.3,1.2,217.6,0.4,0.8,0.7,0.8,206.4,3.2,0.7,1.4,202.1,0.5,2.9,0.4,0.4,0.6,0.7,876.5,236.5,0.0,2.1,0.9,206.1,0.4] - [PKTLENS.....: 580,351,1506,4386,1506,5826,1506,1506,1506,1506,1506,2946,1506,4386,2946,2946,8706,1506,1506,1506,1506,1506,1506,1506,1204,592,351,7266,15906,4386,1506,1506] + [PKTLENS.....: 566,337,1492,4372,1492,5812,1492,1492,1492,1492,1492,2932,1492,4372,2932,2932,8692,1492,1492,1492,1492,1492,1492,1492,1190,578,337,7252,15892,4372,1492,1492] + [ENTROPIES...: 5.9,5.8,7.8,7.9,7.7,7.9,7.8,7.8,7.8,7.8,7.8,7.9,7.9,7.9,7.9,7.8,8.0,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,5.9,5.8,8.0,8.0,8.0,7.9,7.8] analyse: [...160] [ip4][..tcp] [..192.168.2.126][49380] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.887| 0.081| 0.181|32801.006| 0.000] - [PKTLEN......: 351.000|18786.000| 3157.800| 3724.000|13867893.000| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.887| 0.081| 0.181| 32801.006| 2.600] + [PKTLEN......: 337.000|18772.000| 3143.800| 3724.000| 13867894.000| 4.300] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,17,0,11] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 223.7,209.6,1.7,207.2,0.4,1.3,0.7,0.5,0.5,1.2,204.0,0.4,1.4,0.7,0.6,3.5,886.9,237.6,0.5,1.0,2.5,0.8,206.7,0.9,0.4,0.9,0.7] - [PKTLENS.....: 580,2946,1506,1506,11586,1506,1506,2946,1506,1506,1506,7266,1506,1506,1506,1506,4386,1506,2946,4253,592,351,1506,8706,18786,1506,2946,1506,1506,5826,1506,1330] + [PKTLENS.....: 566,2932,1492,1492,11572,1492,1492,2932,1492,1492,1492,7252,1492,1492,1492,1492,4372,1492,2932,4239,578,337,1492,8692,18772,1492,2932,1492,1492,5812,1492,1316] + [ENTROPIES...: 5.9,7.9,7.8,7.8,8.0,7.8,7.9,7.9,7.9,7.9,7.8,8.0,7.8,7.8,7.8,7.9,7.9,7.8,7.9,7.9,5.9,5.8,7.8,8.0,8.0,7.9,7.9,7.9,7.9,8.0,7.9,7.9] analyse: [...158] [ip4][..tcp] [..192.168.2.126][49372] -> [.14.136.136.108][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.900| 0.119| 0.204|41414.242| 0.000] - [PKTLEN......: 351.000|18786.000| 3665.900| 4182.900|17496908.000| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.900| 0.119| 0.204| 41414.242| 3.000] + [PKTLEN......: 337.000|18772.000| 3651.900| 4182.900| 17496908.000| 4.300] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,14] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,0,1,1,1] [IATS(ms)....: 205.6,2.1,0.0,224.8,0.4,0.3,1.4,193.7,0.4,0.4,1.7,1.3,1.9,226.0,899.7,238.0,0.0,2.4,199.2,0.5,1.0,1.3,407.3,371.5,1.5] - [PKTLENS.....: 580,351,1506,4386,2946,4386,1506,1506,1506,1506,5826,1506,1506,1506,2946,4386,5826,3732,592,351,7266,15906,1506,1506,7266,1506,5826,654,580,351,7801,18786] + [PKTLENS.....: 566,337,1492,4372,2932,4372,1492,1492,1492,1492,5812,1492,1492,1492,2932,4372,5812,3718,578,337,7252,15892,1492,1492,7252,1492,5812,640,566,337,7787,18772] + [ENTROPIES...: 5.9,5.9,7.3,7.9,7.9,7.9,7.8,7.8,7.8,7.9,8.0,7.8,7.8,7.8,7.9,7.9,7.9,7.9,5.9,5.8,8.0,8.0,7.9,7.9,8.0,7.9,8.0,7.7,5.9,5.9,7.9,8.0] new: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [MIDSTREAM] detected: [...163] [ip4][..tcp] [..192.168.2.126][44368] -> [..172.217.18.98][...80] [HTTP.GoogleServices][Web][Acceptable] new: [...164] [ip4][..tcp] [..192.168.2.126][50140] -> [..161.117.13.29][...80] [MIDSTREAM] @@ -704,14 +721,15 @@ new: [...168] [ip4][..tcp] [..192.168.2.126][50176] -> [..161.117.13.29][...80] [MIDSTREAM] detected: [...168] [ip4][..tcp] [..192.168.2.126][50176] -> [..161.117.13.29][...80] [HTTP.1kxun][Streaming][Fun] analyse: [...150] [ip4][..tcp] [..192.168.2.126][45416] -> [..161.117.13.29][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 6.045| 1.119| 2.029|4116996.948| 0.000] - [PKTLEN......: 500.000|14466.000| 2827.500| 2993.900|8963654.000| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 6.045| 1.119| 2.029| 4116996.948| 3.000] + [PKTLEN......: 486.000|14452.000| 2813.500| 2993.900| 8963654.000| 4.400] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,0,0,7,0,13] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,1,0,1] [IATS(ms)....: 188.5,0.0,1.4,179.4,1.4,0.7,0.4,2.4,0.7,270.1,0.1,0.6,3892.8,3428.9,186.1,186.3,192.6,209.0,367.2,352.3,5253.8,5339.0,3.6,6045.0,5959.1,0.4,0.5,194.9,189.4] - [PKTLENS.....: 500,2946,2946,8706,2946,7266,1506,1506,14466,1506,2946,2946,7266,7266,4092,817,709,819,1525,821,1415,817,1530,1079,2946,1144,1169,1506,1506,1589,1180,1097] + [PKTLENS.....: 486,2932,2932,8692,2932,7252,1492,1492,14452,1492,2932,2932,7252,7252,4078,803,695,805,1511,807,1401,803,1516,1065,2932,1130,1155,1492,1492,1575,1166,1083] + [ENTROPIES...: 5.9,7.8,7.9,8.0,7.9,8.0,7.9,7.9,8.0,7.9,7.9,7.9,8.0,8.0,8.0,5.9,6.4,5.9,7.5,5.9,6.2,5.9,6.5,5.8,6.5,6.8,5.8,6.4,7.8,7.9,5.8,6.9] new: [...169] [ip4][..tcp] [..192.168.2.126][38326] -> [.172.105.121.82][...80] [MIDSTREAM] detected: [...169] [ip4][..tcp] [..192.168.2.126][38326] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] new: [...170] [ip4][..tcp] [..192.168.2.126][38314] -> [.172.105.121.82][...80] [MIDSTREAM] @@ -719,23 +737,25 @@ new: [...171] [ip4][..tcp] [..192.168.2.126][38316] -> [.172.105.121.82][...80] [MIDSTREAM] detected: [...171] [ip4][..tcp] [..192.168.2.126][38316] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] analyse: [...141] [ip4][..tcp] [..192.168.2.126][46184] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 39.120| 3.011| 10.152|103072311.280| 0.000] - [PKTLEN......: 273.000|23106.000| 5201.300| 6479.700|41986288.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 39.120| 3.011| 10.152| 103072311.280| 1.300] + [PKTLEN......: 259.000|23092.000| 5187.300| 6479.700| 41986280.000| 4.100] [BINS(c->s)..: 0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,7,0,16] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1] [IATS(ms)....: 353.7,3.8,0.1,303.7,4.3,0.1,205.8,0.1,881.0,368.9,0.0,5.1,392.9,352.2,1.6,0.1,2.3,0.1,1.5,285.7,2.1,39119.7,38675.2,0.0,2.9,335.4,3.7] - [PKTLENS.....: 278,386,1506,1506,10146,2946,2946,23106,1506,1506,1172,273,386,18786,7757,278,387,1506,21666,4386,17346,4386,10146,5826,1506,5159,273,388,1506,11586,2946,2946] + [PKTLENS.....: 264,372,1492,1492,10132,2932,2932,23092,1492,1492,1158,259,372,18772,7743,264,373,1492,21652,4372,17332,4372,10132,5812,1492,5145,259,374,1492,11572,2932,2932] + [ENTROPIES...: 5.8,5.8,7.2,7.6,7.9,7.9,7.9,8.0,7.8,7.8,7.8,5.9,5.7,8.0,8.0,5.9,5.7,7.0,8.0,7.9,8.0,7.9,8.0,7.9,7.9,7.9,5.8,5.8,7.5,7.9,7.9,7.9] analyse: [...170] [ip4][..tcp] [..192.168.2.126][38314] -> [.172.105.121.82][...80] [HTTP.1kxun][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.361| 0.129| 0.285|81120.911| 0.000] - [PKTLEN......: 273.000|15906.000| 6044.500| 5319.900|28301384.000| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.361| 0.129| 0.285| 81120.911| 2.500] + [PKTLEN......: 259.000|15892.000| 6030.500| 5319.900| 28301380.000| 4.400] [BINS(c->s)..: 0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,21] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 326.1,0.2,328.8,0.2,2.7,177.6,0.5,1.3,2.9,0.1,0.2,0.8,2.3,401.3,1361.5,293.5,0.0,1.1,2.1,2.8,0.1,0.2,2.8,309.6,1.5] - [PKTLENS.....: 273,388,1506,1506,2946,7266,1506,8706,2946,15906,1506,1506,4386,13026,8706,2946,1506,15906,13200,273,388,1506,5826,15906,11586,10146,4386,14466,2946,2946,13026,4386] + [PKTLENS.....: 259,374,1492,1492,2932,7252,1492,8692,2932,15892,1492,1492,4372,13012,8692,2932,1492,15892,13186,259,374,1492,5812,15892,11572,10132,4372,14452,2932,2932,13012,4372] + [ENTROPIES...: 5.9,5.7,7.5,7.9,7.9,7.9,7.8,8.0,7.9,8.0,7.8,7.8,7.9,7.9,7.9,7.9,7.8,8.0,8.0,5.8,5.7,7.5,7.9,8.0,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9] new: [...172] [ip4][..tcp] [..192.168.2.126][59324] -> [.104.117.221.10][...80] [MIDSTREAM] detected: [...172] [ip4][..tcp] [..192.168.2.126][59324] -> [.104.117.221.10][...80] [HTTP][Web][Acceptable] new: [...173] [ip4][..tcp] [..192.168.2.126][56094] -> [....3.72.69.158][...80] [MIDSTREAM] @@ -772,24 +792,26 @@ new: [...187] [ip4][..tcp] [..192.168.2.126][36660] -> [...18.64.103.30][...80] [MIDSTREAM] detected: [...187] [ip4][..tcp] [..192.168.2.126][36660] -> [...18.64.103.30][...80] [HTTP.AmazonAWS][Cloud][Acceptable] analyse: [...182] [ip4][..tcp] [..192.168.2.126][35664] -> [.....18.66.2.90][...80] [HTTP.AmazonAWS][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.015| 0.003| 0.003| 10.814| 0.000] - [PKTLEN......: 249.000| 7206.000| 4110.800| 1776.800|3156934.000| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.015| 0.003| 0.003| 10.814| 3.800] + [PKTLEN......: 235.000| 7192.000| 4096.800| 1776.800| 3156934.000| 4.800] [BINS(c->s)..: 0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,27] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 14.9,0.6,0.6,2.5,3.6,0.1,0.9,2.5,9.2,0.0,0.1,6.5,0.1,1.6,3.0,1.6,0.1,1.5,0.1,0.1,2.8,6.5,3.1,2.4,1.8,2.8,0.1] - [PKTLENS.....: 249,797,1494,2922,4350,4350,4350,4350,2922,1494,4350,4350,2922,4350,4350,2922,4350,5778,5778,5778,5778,4350,5778,1494,5778,4350,2922,7206,4350,7206,7206,2922] + [PKTLENS.....: 235,783,1480,2908,4336,4336,4336,4336,2908,1480,4336,4336,2908,4336,4336,2908,4336,5764,5764,5764,5764,4336,5764,1480,5764,4336,2908,7192,4336,7192,7192,2908] + [ENTROPIES...: 6.0,5.8,7.2,7.3,7.2,7.5,7.7,7.9,7.8,7.9,7.8,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.8,7.8,7.9,7.9,7.9,7.8,7.9,7.8,7.8] detection-update: [...187] [ip4][..tcp] [..192.168.2.126][36660] -> [...18.64.103.30][...80] [HTTP.AmazonAWS][Cloud][Acceptable] analyse: [...185] [ip4][..tcp] [..192.168.2.126][36640] -> [...18.64.103.30][...80] [HTTP.AmazonAWS][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.021| 0.003| 0.005| 24.604| 0.000] - [PKTLEN......: 563.000| 5778.000| 3473.000| 1697.900|2882863.000| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.021| 0.003| 0.005| 24.604| 3.600] + [PKTLEN......: 549.000| 5764.000| 3459.000| 1697.900| 2882863.000| 4.800] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,1,21] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 21.0,0.2,0.1,3.1,1.7,3.1,15.8,2.2,2.0,2.7,0.1,1.5,0.6,2.9,1.6,1.5,0.1,0.1,3.5,1.6,2.8,10.5,1.4,0.1,1.6] - [PKTLENS.....: 563,1494,1494,2922,1494,2922,1494,4350,4350,4350,2922,1494,4350,1494,4350,4350,4350,5778,5778,4350,1494,1494,1494,4350,5778,5778,3214,4202,5590,1538,5778,5778] + [PKTLENS.....: 549,1480,1480,2908,1480,2908,1480,4336,4336,4336,2908,1480,4336,1480,4336,4336,4336,5764,5764,4336,1480,1480,1480,4336,5764,5764,3200,4188,5576,1524,5764,5764] + [ENTROPIES...: 5.8,7.8,7.8,7.9,7.8,7.9,7.9,7.9,8.0,8.0,7.9,7.9,7.9,7.8,7.9,8.0,7.9,8.0,8.0,7.9,7.8,7.8,7.8,7.9,8.0,8.0,7.9,7.9,8.0,7.9,8.0,8.0] new: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [MIDSTREAM] detected: [...188] [ip4][..tcp] [..192.168.2.126][37100] -> [..52.29.177.177][...80] [HTTP.AmazonAWS][Cloud][Acceptable] new: [...189] [ip4][..tcp] [..192.168.2.126][42554] -> [...35.156.44.13][...80] [MIDSTREAM] diff --git a/test/results/flow-info/443-curl.pcap.out b/test/results/flow-info/443-curl.pcap.out index bd98c00f4..c8ce20105 100644 --- a/test/results/flow-info/443-curl.pcap.out +++ b/test/results/flow-info/443-curl.pcap.out @@ -6,13 +6,14 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.784| 0.063| 0.190|36203.258| 0.000] - [PKTLEN......: 66.000| 1506.000| 411.200| 558.700|312115.000| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.784| 0.063| 0.190| 36203.258| 2.200] + [PKTLEN......: 52.000| 1492.000| 397.200| 558.700| 312115.000| 3.800] [BINS(c->s)..: 10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,3,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,1,0,1] [IATS(ms)....: 38.7,38.8,9.6,47.6,2.8,1.1,0.0,41.9,0.0,11.8,50.9,0.0,39.1,0.0,0.7,0.0,0.0,0.1,0.1,38.5,8.9,46.6,784.1,784.0,0.4,0.1,0.5,0.1,0.1,0.2,0.2] - [PKTLENS.....: 78,74,66,583,66,1506,1506,197,66,66,192,117,123,66,66,119,122,108,133,104,66,104,66,281,66,1506,1506,66,1506,1062,66,1506] + [PKTLENS.....: 64,60,52,569,52,1492,1492,183,52,52,178,103,109,52,52,105,108,94,119,90,52,90,52,267,52,1492,1492,52,1492,1048,52,1492] + [ENTROPIES...: 4.4,5.3,4.9,4.3,5.1,7.4,7.5,6.8,4.9,4.9,6.3,6.0,6.2,5.0,4.9,5.8,5.8,5.5,6.0,5.5,5.2,5.9,5.1,7.2,5.1,7.9,7.9,5.1,7.9,7.8,5.1,7.9] end: [.....1] [ip4][..tcp] [...192.168.1.13][55523] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/443-firefox.pcap.out b/test/results/flow-info/443-firefox.pcap.out index 95be754d9..c006bc12b 100644 --- a/test/results/flow-info/443-firefox.pcap.out +++ b/test/results/flow-info/443-firefox.pcap.out @@ -6,13 +6,14 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.656| 0.130| 0.404|163175.268| 0.000] - [PKTLEN......: 66.000| 1506.000| 532.700| 610.400|372566.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.656| 0.130| 0.404| 163175.268| 2.000] + [PKTLEN......: 52.000| 1492.000| 518.700| 610.400| 372566.000| 4.000] [BINS(c->s)..: 11,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1] [IATS(ms)....: 38.5,38.6,1.8,40.0,4.1,0.1,0.0,42.3,0.0,2.1,40.7,0.0,38.7,0.0,193.8,0.1,0.2,231.1,10.0,47.0,1655.7,0.1,1655.7,0.2,0.0,0.2,0.2,0.1,0.3,0.1,0.2] - [PKTLENS.....: 78,74,66,583,66,1506,1506,140,66,66,151,332,115,66,66,235,312,96,66,96,66,1506,1506,66,1506,1030,66,1506,1506,66,1506,1030] + [PKTLENS.....: 64,60,52,569,52,1492,1492,126,52,52,137,318,101,52,52,221,298,82,52,82,52,1492,1492,52,1492,1016,52,1492,1492,52,1492,1016] + [ENTROPIES...: 4.4,5.4,4.9,5.2,5.1,7.4,7.5,6.3,5.0,5.0,6.1,7.2,6.2,5.1,5.1,6.9,7.2,5.7,5.2,5.8,4.9,7.9,7.9,5.0,7.9,7.8,5.0,7.9,7.9,4.9,7.9,7.8] end: [.....1] [ip4][..tcp] [...192.168.1.13][53096] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/443-git.pcap.out b/test/results/flow-info/443-git.pcap.out index 618ef736f..9857ef1f2 100644 --- a/test/results/flow-info/443-git.pcap.out +++ b/test/results/flow-info/443-git.pcap.out @@ -6,13 +6,14 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Collaborative][Acceptable] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Collaborative][Acceptable] analyse: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Collaborative][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.144| 0.033| 0.053| 2832.982| 0.000] - [PKTLEN......: 66.000| 1490.000| 351.800| 464.400|215710.400| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.144| 0.033| 0.053| 2832.982| 3.200] + [PKTLEN......: 52.000| 1476.000| 337.800| 464.400| 215710.400| 4.000] [BINS(c->s)..: 14,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,3,1,1,0,0,0,0,0,1,0,1,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,0,0,1,1,0] [IATS(ms)....: 110.5,110.6,6.6,119.4,0.0,0.0,112.8,0.0,11.1,124.0,112.9,0.6,143.5,0.0,142.9,0.0,6.5,0.0,0.0,6.5,0.0,0.0,0.1,0.1,1.2,0.0,1.3,0.0,0.2,0.0,0.2] - [PKTLENS.....: 78,74,66,583,1490,1490,768,66,66,192,117,66,273,437,140,66,66,100,358,99,66,66,66,164,66,1465,622,66,66,1465,486,66] + [PKTLENS.....: 64,60,52,569,1476,1476,754,52,52,178,103,52,259,423,126,52,52,86,344,85,52,52,52,150,52,1451,608,52,52,1451,472,52] + [ENTROPIES...: 4.3,5.2,4.8,4.2,7.0,7.4,7.6,5.0,5.0,6.4,5.9,4.9,7.0,7.4,6.2,4.9,5.0,5.6,7.4,5.7,4.9,4.9,4.9,6.4,5.0,7.9,7.6,5.0,5.0,7.9,7.5,5.0] end: [.....1] [ip4][..tcp] [...192.168.1.13][55744] -> [...140.82.114.4][..443] [TLS.Github][Collaborative][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/443-opvn.pcap.out b/test/results/flow-info/443-opvn.pcap.out index 7522dc10e..c19215273 100644 --- a/test/results/flow-info/443-opvn.pcap.out +++ b/test/results/flow-info/443-opvn.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [...192.168.1.84][52973] -> [.192.12.192.103][.1194] detected: [.....1] [ip4][..tcp] [...192.168.1.84][52973] -> [.192.12.192.103][.1194] [OpenVPN][VPN][Acceptable] analyse: [.....1] [ip4][..tcp] [...192.168.1.84][52973] -> [.192.12.192.103][.1194] [OpenVPN][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.161| 0.158| 0.364|132701.856| 0.000] - [PKTLEN......: 66.000| 1506.000| 274.300| 407.400|166005.600| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.161| 0.158| 0.364| 132701.856| 2.700] + [PKTLEN......: 52.000| 1492.000| 260.300| 407.400| 166005.600| 3.800] [BINS(c->s)..: 7,5,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 8,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,1,1] [IATS(ms)....: 21.6,21.7,1053.8,1075.1,1.0,22.2,0.3,57.4,57.1,21.2,11.8,33.0,0.2,0.2,20.6,20.5,9.1,0.0,20.0,11.3,22.2,20.0,20.0,0.2,21.4,21.2,0.1,58.6,1160.7,1122.5,1.3] - [PKTLENS.....: 78,74,66,110,66,122,66,118,66,387,66,1236,66,1506,118,69,118,1506,863,66,118,66,173,66,619,382,66,118,66,152,66,118] + [PKTLENS.....: 64,60,52,96,52,108,52,104,52,373,52,1222,52,1492,104,55,104,1492,849,52,104,52,159,52,605,368,52,104,52,138,52,104] + [ENTROPIES...: 4.4,5.1,4.8,5.5,5.1,5.6,5.0,5.8,5.1,6.1,5.1,6.9,4.9,7.3,5.7,5.0,5.8,6.8,7.4,5.2,5.8,4.9,6.3,5.0,7.6,7.2,5.0,5.7,5.1,6.2,5.2,5.8] end: [.....1] [ip4][..tcp] [...192.168.1.84][52973] -> [.192.12.192.103][.1194] [OpenVPN][VPN][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/443-safari.pcap.out b/test/results/flow-info/443-safari.pcap.out index 064487eaf..4223a04a8 100644 --- a/test/results/flow-info/443-safari.pcap.out +++ b/test/results/flow-info/443-safari.pcap.out @@ -6,13 +6,14 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] detection-update: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] analyse: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.696| 0.070| 0.175|30530.335| 0.000] - [PKTLEN......: 66.000| 1506.000| 398.700| 559.600|313139.800| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.696| 0.070| 0.175| 30530.335| 2.600] + [PKTLEN......: 52.000| 1492.000| 384.700| 559.600| 313139.800| 3.800] [BINS(c->s)..: 11,3,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1] [IATS(ms)....: 38.2,38.3,1.1,39.8,4.1,0.1,0.0,42.8,0.0,225.7,264.3,0.0,38.7,0.0,1.6,0.0,0.0,0.0,0.1,40.0,0.0,9.9,48.2,695.6,0.1,695.6,0.1,0.1,0.1,0.1,0.1] - [PKTLENS.....: 78,74,66,299,66,1506,1506,168,66,66,151,109,115,66,66,111,108,100,394,96,66,66,96,66,1506,1506,66,1506,66,1030,66,1506] + [PKTLENS.....: 64,60,52,285,52,1492,1492,154,52,52,137,95,101,52,52,97,94,86,380,82,52,52,82,52,1492,1492,52,1492,52,1016,52,1492] + [ENTROPIES...: 4.3,5.3,4.9,5.7,5.2,7.4,7.4,6.4,4.9,4.9,6.0,5.8,6.1,4.9,5.0,5.9,5.8,5.8,7.4,5.6,5.0,5.1,5.8,5.0,7.9,7.9,4.9,7.9,4.8,7.8,4.9,7.9] idle: [.....1] [ip4][..tcp] [...192.168.1.13][53031] -> [.178.62.197.130][..443] [TLS.ntop][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/6in4tunnel.pcap.out b/test/results/flow-info/6in4tunnel.pcap.out index c43599320..0b1ea816d 100644 --- a/test/results/flow-info/6in4tunnel.pcap.out +++ b/test/results/flow-info/6in4tunnel.pcap.out @@ -3,14 +3,15 @@ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....1] [ip4][...41] [....174.3.73.24] -> [.184.105.255.26] analyse: [.....1] [ip4][...41] [....174.3.73.24] -> [.184.105.255.26] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.005| 0.495| 0.455|206990.442| 0.000] - [PKTLEN......: 106.000| 1911.000| 250.400| 383.000|146712.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.005| 0.495| 0.455| 206990.442| 4.200] + [PKTLEN......: 92.000| 1897.000| 236.400| 383.000| 146712.700| 4.100] [BINS(c->s)..: 0,0,4,11,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,2,8,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1] [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,1,0,0,0,0] [IATS(ms)....: 104.8,780.1,221.1,1000.5,1001.7,1001.1,1001.7,1005.1,1001.1,1000.8,1001.1,1001.1,1001.4,999.9,1001.9,1003.1,365.4,1.1,349.0,4.1,96.7,99.1,95.7,0.8,97.9,1.0,0.1,98.1,0.1,8.8,0.5] - [PKTLENS.....: 138,138,200,138,138,138,138,138,138,138,138,138,138,138,138,138,138,133,133,273,261,114,114,106,310,106,1504,1911,106,106,268,159] + [PKTLENS.....: 124,124,186,124,124,124,124,124,124,124,124,124,124,124,124,124,124,119,119,259,247,100,100,92,296,92,1490,1897,92,92,254,145] + [ENTROPIES...: 5.7,5.7,5.6,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.8,5.6,5.7,5.7,5.7,5.7,5.7,4.7,4.7,4.8,4.9,5.2,5.8,5.5,5.8,5.6,6.9,7.0,5.5,5.5,6.7,6.0] not-detected: [.....1] [ip4][...41] [....174.3.73.24] -> [.184.105.255.26] [Unknown][Unrated] idle: [.....1] [ip4][...41] [....174.3.73.24] -> [.184.105.255.26] [Unknown][Unrated] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out b/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out index 769222cd2..c5cc54154 100644 --- a/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out +++ b/test/results/flow-info/FAX-Call-t38-CA-TDM-SIP-FB-1.pcap.out @@ -10,35 +10,38 @@ new: [.....4] [ip4][..udp] [138.132.169.101][.5060] -> [192.168.100.219][.5060] detected: [.....4] [ip4][..udp] [138.132.169.101][.5060] -> [192.168.100.219][.5060] [SIP][VoIP][Acceptable] analyse: [.....1] [ip4][..udp] [....10.35.40.22][.2944] -> [.....10.23.1.42][.2944] [Megaco][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.370| 1.692| 2.031|4125948.903| 0.000] - [PKTLEN......: 87.000| 414.000| 168.800| 98.900| 9786.300| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.370| 1.692| 2.031| 4125948.903| 3.700] + [PKTLEN......: 73.000| 400.000| 154.800| 98.900| 9786.300| 4.700] [BINS(c->s)..: 0,15,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,0,7,0,0,0,7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1] [IATS(ms)....: 0.1,2.6,0.1,4369.7,0.2,4369.4,0.1,4370.2,0.1,4370.2,0.1,4369.9,0.1,4370.1,0.3,4370.0,0.1,4369.4,0.1,3508.4,3524.3,204.4,193.0,657.5,0.0,652.5,0.2,4369.7,0.1,4370.2,0.6] - [PKTLENS.....: 87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,87,87,292,164,376,414,94,101,88,88,293,165,88,88,293,165] + [PKTLENS.....: 73,73,278,150,73,73,278,150,73,73,278,150,73,73,278,150,73,73,278,150,362,400,80,87,74,74,279,151,74,74,279,151] + [ENTROPIES...: 5.2,5.1,5.4,5.4,5.2,5.2,5.4,5.4,5.2,5.2,5.4,5.4,5.2,5.2,5.4,5.4,5.2,5.1,5.4,5.4,5.8,5.2,5.3,5.1,5.2,5.2,5.4,5.5,5.2,5.2,5.4,5.4] new: [.....5] [ip4][..udp] [...10.35.60.100][15580] -> [.....10.23.1.52][16756] detected: [.....5] [ip4][..udp] [...10.35.60.100][15580] -> [.....10.23.1.52][16756] [RTP][Media][Acceptable] analyse: [.....5] [ip4][..udp] [...10.35.60.100][15580] -> [.....10.23.1.52][16756] [RTP][Media][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 0.040| 0.020| 0.005| 23.656| 0.000] - [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 0.040| 0.020| 0.005| 23.656| 4.900] + [PKTLEN......: 200.000| 200.000| 200.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 20.8,19.1,39.5,1.4,20.0,20.0,19.3,20.5,19.6,19.9,21.0,20.3,18.5,20.4,19.7,19.9,20.4,20.2,19.7,20.4,19.3,20.5,20.1,20.0,19.6,20.0,19.9,20.3,20.2,19.8,20.0] - [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] + [PKTLENS.....: 200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200] + [ENTROPIES...: 1.7,1.7,1.7,1.7,1.7,1.7,1.7,1.7,1.7,1.7,1.7,2.4,2.4,2.4,2.5,2.4,2.5,2.5,2.5,2.5,2.5,2.4,2.4,2.4,2.4,2.5,2.5,2.5,2.5,2.4,2.4,2.5] update: [.....1] [ip4][..udp] [....10.35.40.22][.2944] -> [.....10.23.1.42][.2944] [Megaco][VoIP][Acceptable] analyse: [.....3] [ip4][..udp] [....10.35.40.25][.5060] -> [...10.35.40.200][.5060] [SIP][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 27.628| 2.809| 6.896|47549159.309| 0.000] - [PKTLEN......: 304.000| 923.000| 605.300| 211.900|44888.200| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 27.628| 2.809| 6.896| 47549159.309| 2.500] + [PKTLEN......: 290.000| 909.000| 591.300| 211.900| 44888.200| 4.900] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,2,4,2,0,0,0,0,0,0,0,0,0,2,0,2,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,2,0,2,0,0,4,2,0,2,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,1,1,1,1,0,0,1,1,0,0,0,0,1,1,0,0,1,1,0,0,1,1,1,1,0,0,0,0] [IATS(ms)....: 1.4,6.0,0.3,162.7,0.4,6673.1,0.7,6843.3,0.4,2041.5,0.8,2040.7,0.3,12.4,0.7,131.8,0.4,27628.4,0.4,27585.5,0.5,6913.8,0.7,6841.3,0.3,84.0,0.4,88.1,0.4,19.8,1.0] - [PKTLENS.....: 919,919,304,304,488,488,825,825,452,452,894,894,425,425,793,793,493,493,460,460,572,572,846,846,364,364,475,475,452,452,923,923] + [PKTLENS.....: 905,905,290,290,474,474,811,811,438,438,880,880,411,411,779,779,479,479,446,446,558,558,832,832,350,350,461,461,438,438,909,909] + [ENTROPIES...: 5.7,5.7,5.6,5.6,5.6,5.6,5.7,5.7,5.6,5.6,5.7,5.7,5.6,5.6,5.8,5.8,5.6,5.6,5.6,5.6,5.7,5.7,5.7,5.7,5.6,5.6,5.6,5.6,5.6,5.6,5.7,5.7] update: [.....4] [ip4][..udp] [138.132.169.101][.5060] -> [192.168.100.219][.5060] [SIP][VoIP][Acceptable] update: [.....2] [ip4][..udp] [....10.35.60.72][.5060] -> [...10.35.60.100][.5060] [SIP][VoIP][Acceptable] update: [.....3] [ip4][..udp] [....10.35.40.25][.5060] -> [...10.35.40.200][.5060] [SIP][VoIP][Acceptable] diff --git a/test/results/flow-info/KakaoTalk_chat.pcap.out b/test/results/flow-info/KakaoTalk_chat.pcap.out index 516ed1dbd..ffe984843 100644 --- a/test/results/flow-info/KakaoTalk_chat.pcap.out +++ b/test/results/flow-info/KakaoTalk_chat.pcap.out @@ -103,14 +103,15 @@ detected: [....30] [ip4][..tcp] [...10.24.82.188][58927] -> [.54.255.253.199][.5223] [TLS.AmazonAWS][Cloud][Acceptable] RISK: Known Proto on Non Std Port analyse: [....26] [ip4][..tcp] [...10.24.82.188][43581] -> [....31.13.68.70][..443] [TLS.Facebook][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.174| 0.038| 0.043| 1891.518| 0.000] - [PKTLEN......: 56.000| 1336.000| 272.100| 386.900|149674.200| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.174| 0.038| 0.043| 1891.518| 4.000] + [PKTLEN......: 40.000| 1320.000| 256.100| 386.900| 149674.200| 3.800] [BINS(c->s)..: 10,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,3,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1] [IATS(ms)....: 37.0,40.3,0.3,47.7,4.0,72.1,0.7,124.0,0.2,15.9,0.7,16.6,0.2,12.2,67.2,36.0,15.8,0.7,105.9,38.1,60.4,4.5,0.1,3.9,174.3,67.7,16.8,17.0,108.5,0.7,81.1] - [PKTLENS.....: 76,60,56,621,60,56,1336,174,56,56,1336,949,56,56,1053,56,314,113,101,56,56,109,846,103,93,101,56,477,56,56,56,56] + [PKTLENS.....: 60,44,40,605,44,40,1320,158,40,40,1320,933,40,40,1037,40,298,97,85,40,40,93,830,87,77,85,40,461,40,40,40,40] + [ENTROPIES...: 4.7,5.2,4.9,6.7,4.6,5.0,6.4,5.9,4.8,4.7,7.0,7.0,4.7,4.7,7.8,4.9,7.0,6.1,6.0,4.8,4.8,6.0,7.7,5.9,5.8,6.0,4.8,7.5,4.8,5.0,4.9,5.0] new: [....31] [ip4][..tcp] [...10.24.82.188][42332] -> [.210.103.240.15][..443] [MIDSTREAM] new: [....32] [ip4][..tcp] [...10.24.82.188][37557] -> [....31.13.68.84][...80] detected: [....32] [ip4][..tcp] [...10.24.82.188][37557] -> [....31.13.68.84][...80] [HTTP.Facebook][SocialNetwork][Fun] @@ -118,14 +119,15 @@ detected: [....33] [ip4][..tcp] [...10.24.82.188][45213] -> [....31.13.68.84][..443] [TLS.Facebook][SocialNetwork][Fun] RISK: Obsolete TLS (v1.1 or older) analyse: [....15] [ip4][..tcp] [...10.24.82.188][35503] -> [...173.252.97.2][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.004| 3.803| 0.501| 0.832|692202.045| 0.000] - [PKTLEN......: 56.000| 1336.000| 225.000| 352.300|124085.100| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.004| 3.803| 0.501| 0.832| 692202.045| 3.700] + [PKTLEN......: 40.000| 1320.000| 209.000| 352.300| 124085.100| 3.700] [BINS(c->s)..: 11,0,1,1,1,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,0] [IATS(ms)....: 995.9,1037.9,49.3,6.7,695.5,683.6,56.0,2329.9,2320.4,251.6,299.0,4.5,4.4,4.1,3.7,105.5,239.4,242.2,376.5,82.6,125.8,244.5,287.3,18.1,164.6,239.0,428.1,146.0,274.1,3803.0,24.7] - [PKTLENS.....: 76,76,60,56,240,60,56,60,240,56,1336,56,1336,56,1043,56,178,56,103,56,710,56,85,56,358,56,99,56,196,56,83,132] + [PKTLENS.....: 60,60,44,40,224,44,40,44,224,40,1320,40,1320,40,1027,40,162,40,87,40,694,40,69,40,342,40,83,40,180,40,67,116] + [ENTROPIES...: 4.7,4.7,5.0,4.9,5.2,5.1,5.0,4.7,5.2,4.9,6.5,4.7,7.1,4.8,6.7,4.9,6.6,4.9,5.7,4.8,7.7,4.9,5.5,4.9,7.4,5.0,5.9,4.8,6.8,5.0,5.6,6.4] detection-update: [....15] [ip4][..tcp] [...10.24.82.188][35503] -> [...173.252.97.2][..443] [TLS.Facebook][SocialNetwork][Fun] RISK: Obsolete TLS (v1.1 or older) new: [....34] [ip4][..tcp] [...10.24.82.188][35511] -> [...173.252.97.2][..443] @@ -146,14 +148,15 @@ new: [....37] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [MIDSTREAM] detected: [....37] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [TLS.Google][Web][Acceptable] analyse: [....34] [ip4][..tcp] [...10.24.82.188][35511] -> [...173.252.97.2][..443] [TLS.Facebook][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 27.031| 1.853| 6.601|43576507.498| 0.000] - [PKTLEN......: 56.000| 1336.000| 214.800| 348.100|121165.000| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 27.031| 1.853| 6.601| 43576507.498| 1.500] + [PKTLEN......: 40.000| 1320.000| 198.800| 348.100| 121165.000| 3.700] [BINS(c->s)..: 10,0,1,1,1,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,0,1,1] [IATS(ms)....: 41.7,45.8,2.2,39.5,11.3,448.4,0.2,2.9,498.7,0.2,0.1,36.9,124.2,229.9,322.0,23.0,161.8,229.9,405.3,0.2,57.4,108.2,76.0,156.0,245.1,68.0,69.5,26937.8,56.9,27030.7,8.1] - [PKTLENS.....: 76,60,56,240,60,56,1336,1336,1043,56,56,56,178,56,103,56,578,56,85,56,215,328,56,56,94,56,85,56,83,132,56,56] + [PKTLENS.....: 60,44,40,224,44,40,1320,1320,1027,40,40,40,162,40,87,40,562,40,69,40,199,312,40,40,78,40,69,40,67,116,40,40] + [ENTROPIES...: 4.7,5.0,4.9,5.2,4.7,5.0,6.5,7.1,6.7,4.8,4.9,4.9,6.5,4.9,5.9,4.8,7.7,5.0,5.6,4.8,6.9,7.1,5.0,5.0,5.8,4.9,5.5,4.9,5.6,6.3,5.0,5.0] update: [....19] [ip4][.icmp] [...10.24.82.188] -> [...10.188.191.1] [ICMP][Network][Acceptable] new: [....38] [ip4][..tcp] [...10.24.82.188][58964] -> [.54.255.253.199][.5223] detected: [....38] [ip4][..tcp] [...10.24.82.188][58964] -> [.54.255.253.199][.5223] [TLS.AmazonAWS][Cloud][Acceptable] diff --git a/test/results/flow-info/KakaoTalk_talk.pcap.out b/test/results/flow-info/KakaoTalk_talk.pcap.out index 2115cde19..7d21bba55 100644 --- a/test/results/flow-info/KakaoTalk_talk.pcap.out +++ b/test/results/flow-info/KakaoTalk_talk.pcap.out @@ -33,45 +33,49 @@ new: [....13] [ip4][..udp] [...10.24.82.188][10268] -> [....1.201.1.174][23046] detected: [....13] [ip4][..udp] [...10.24.82.188][10268] -> [....1.201.1.174][23046] [RTP][Media][Acceptable] analyse: [....12] [ip4][..udp] [...10.24.82.188][11320] -> [....1.201.1.174][23044] [RTP][Media][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.389| 0.067| 0.073| 5302.569| 0.000] - [PKTLEN......: 99.000| 192.000| 103.200| 16.700| 278.800| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.389| 0.067| 0.073| 5302.569| 4.200] + [PKTLEN......: 83.000| 176.000| 87.200| 16.700| 278.800| 5.000] [BINS(c->s)..: 0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,9,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1] [IATS(ms)....: 2.1,0.1,91.3,0.2,98.3,0.1,103.5,389.0,99.4,0.2,41.7,34.1,94.1,1.2,99.9,98.5,32.0,72.3,100.1,1.0,27.9,87.8,99.7,0.0,76.1,16.1,99.2,84.2,99.9,1.1,113.1] - [PKTLENS.....: 100,99,99,99,99,99,99,99,123,99,99,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99] + [PKTLENS.....: 84,83,83,83,83,83,83,83,107,83,83,176,99,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83] + [ENTROPIES...: 6.0,5.9,5.8,5.8,5.9,5.8,5.9,5.9,6.2,6.0,5.8,6.7,6.2,5.9,5.9,5.9,5.8,6.0,5.9,5.9,5.9,5.9,6.0,5.9,5.8,6.0,6.0,5.9,6.0,5.9,5.9,6.0] analyse: [....13] [ip4][..udp] [...10.24.82.188][10268] -> [....1.201.1.174][23046] [RTP][Media][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.004| 0.144| 0.063| 0.038| 1440.325| 0.000] - [PKTLEN......: 99.000| 192.000| 106.600| 20.800| 434.500| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.004| 0.144| 0.063| 0.038| 1440.325| 4.700] + [PKTLEN......: 83.000| 176.000| 90.600| 20.800| 434.500| 5.000] [BINS(c->s)..: 0,13,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,1,0,0,0,1] [IATS(ms)....: 36.1,39.2,140.3,102.0,35.2,98.1,7.9,55.8,42.0,93.4,6.8,89.9,91.8,48.2,40.2,100.1,12.0,81.5,89.4,7.0,84.1,40.7,87.7,54.9,38.8,107.9,4.2,87.6,68.5,32.3,143.9] - [PKTLENS.....: 123,192,115,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,99,166,141,99] + [PKTLENS.....: 107,176,99,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,83,150,125,83] + [ENTROPIES...: 6.2,6.7,6.2,5.8,5.8,5.9,6.0,5.9,5.9,5.9,5.9,6.0,5.9,5.8,5.9,5.9,6.0,6.0,6.0,6.0,5.8,5.9,5.9,5.9,6.0,6.0,5.9,6.0,5.8,6.7,6.3,6.0] new: [....14] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [MIDSTREAM] detected: [....14] [ip4][..tcp] [...10.24.82.188][49217] -> [.216.58.220.174][..443] [TLS.Google][Web][Acceptable] new: [....15] [ip4][..tcp] [..173.252.122.1][..443] -> [...10.24.82.188][52123] [MIDSTREAM] new: [....16] [ip4][..tcp] [...10.24.82.188][53974] -> [203.205.151.233][.8080] [MIDSTREAM] analyse: [.....6] [ip4][..tcp] [...10.24.82.188][32968] -> [..110.76.143.50][.8080] [TLS.KakaoTalk][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.002| 20.337| 1.801| 4.155|17264411.673| 0.000] - [PKTLEN......: 68.000| 920.000| 241.500| 230.000|52885.800| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.002| 20.337| 1.801| 4.155| 17264411.673| 2.900] + [PKTLEN......: 52.000| 904.000| 225.500| 230.000| 52885.800| 4.400] [BINS(c->s)..: 8,0,0,0,1,7,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,1,0,1,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,0,0,1,1,0,0] [IATS(ms)....: 141.6,151.9,11.8,244.9,5.7,231.7,5.3,268.9,267.9,260.5,295.7,6066.9,6069.5,2.3,183.7,177.4,76.0,36.6,148.1,8359.6,8676.0,4.5,469.8,147.4,147.1,2.6,694.9,724.2,479.8,20336.8,1138.4] - [PKTLENS.....: 76,76,68,210,68,920,68,394,302,814,574,68,782,68,238,366,68,68,238,68,254,68,238,68,366,68,238,238,68,80,254,254] + [PKTLENS.....: 60,60,52,194,52,904,52,378,286,798,558,52,766,52,222,350,52,52,222,52,238,52,222,52,350,52,222,222,52,64,238,238] + [ENTROPIES...: 4.7,5.2,5.2,5.3,5.1,7.4,5.1,7.2,7.1,7.7,7.6,5.1,7.7,5.1,7.0,7.3,5.2,5.1,7.0,5.2,7.0,5.1,6.9,5.1,7.3,5.2,6.9,6.9,5.1,5.1,7.1,7.1] analyse: [.....8] [ip4][..tcp] [...10.24.82.188][58857] -> [..110.76.143.50][.9001] [TLS.KakaoTalk][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 21.237| 2.444| 5.342|28541506.814| 0.000] - [PKTLEN......: 68.000| 920.000| 267.100| 266.400|70953.500| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 21.237| 2.444| 5.342| 28541506.814| 2.900] + [PKTLEN......: 52.000| 904.000| 251.100| 266.400| 70953.500| 4.300] [BINS(c->s)..: 9,0,0,0,1,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,0,1,1,0,0,0,1,1,0,0,1,0,1,0,1] [IATS(ms)....: 148.0,148.3,14.4,196.3,3.7,185.6,22.2,228.4,215.7,291.7,316.8,4536.4,4872.6,301.5,147.9,147.9,122.3,336.2,8596.6,8810.7,73.7,557.6,700.9,602.5,20472.0,917.8,21237.1,519.3,0.3,0.2,1054.3] - [PKTLENS.....: 76,76,68,210,68,920,68,394,302,766,734,68,862,846,68,366,68,238,68,366,68,238,238,68,80,254,254,430,68,68,68,80] + [PKTLENS.....: 60,60,52,194,52,904,52,378,286,750,718,52,846,830,52,350,52,222,52,350,52,222,222,52,64,238,238,414,52,52,52,64] + [ENTROPIES...: 4.7,5.2,5.2,5.3,5.2,7.4,5.2,7.4,7.0,7.7,7.7,5.2,7.8,7.8,5.2,7.3,5.1,7.0,5.2,7.2,5.2,6.8,6.8,5.1,5.1,7.1,7.0,7.4,5.2,5.2,5.2,5.2] new: [....17] [ip4][..tcp] [173.194.117.229][..443] -> [...10.24.82.188][38380] [MIDSTREAM] new: [....18] [ip4][..tcp] [.173.252.88.128][..443] -> [...10.24.82.188][59912] [MIDSTREAM] new: [....19] [ip4][..tcp] [...10.24.82.188][59954] -> [.173.252.88.128][..443] diff --git a/test/results/flow-info/Oscar.pcap.out b/test/results/flow-info/Oscar.pcap.out index 60a7e57ae..b366df01b 100644 --- a/test/results/flow-info/Oscar.pcap.out +++ b/test/results/flow-info/Oscar.pcap.out @@ -3,14 +3,15 @@ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] analyse: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 58.215| 3.883| 14.268|203566836.875| 0.000] - [PKTLEN......: 54.000| 1414.000| 186.500| 263.300|69345.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 58.215| 3.883| 14.268| 203566836.875| 1.300] + [PKTLEN......: 40.000| 1400.000| 172.500| 263.300| 69345.600| 4.000] [BINS(c->s)..: 11,4,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,1,0,0,0,0,1,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0] [IATS(ms)....: 28.7,28.8,8.9,42.4,33.5,0.5,0.5,0.1,33.5,33.4,0.3,33.6,0.8,34.1,0.2,44.6,44.3,32.8,32.8,0.2,0.1,0.3,31.3,31.1,58175.5,58215.2,0.0,39.6,1457.4,1490.1,502.6] - [PKTLENS.....: 78,60,54,369,64,54,619,54,106,144,54,70,1414,351,54,80,60,166,511,54,284,54,266,60,349,90,60,92,54,92,60,90] + [PKTLENS.....: 64,46,40,355,50,40,605,40,92,130,40,56,1400,337,40,66,46,152,497,40,270,40,252,46,335,76,46,78,40,78,46,76] + [ENTROPIES...: 4.4,4.9,4.7,7.1,4.7,4.7,5.2,4.7,4.0,4.3,4.6,4.3,3.8,3.9,4.6,4.3,4.5,3.5,4.2,4.6,3.7,4.6,5.5,4.5,3.4,4.8,4.5,5.0,4.6,4.5,4.5,4.8] guessed: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] [TLS][Web][Safe] detected: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] [TLS][Web][Safe] idle: [.....1] [ip4][..tcp] [.....10.30.29.3][63357] -> [.178.237.24.249][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/WebattackXSS.pcap.out b/test/results/flow-info/WebattackXSS.pcap.out index a891c05a6..f3a126fe8 100644 --- a/test/results/flow-info/WebattackXSS.pcap.out +++ b/test/results/flow-info/WebattackXSS.pcap.out @@ -14,14 +14,15 @@ new: [.....7] [ip4][..tcp] [.....172.16.0.1][52220] -> [..192.168.10.50][...80] new: [.....8] [ip4][..tcp] [.....172.16.0.1][52222] -> [..192.168.10.50][...80] analyse: [.....5] [ip4][..tcp] [.....172.16.0.1][52200] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.805| 0.259| 0.699|488344.093| 0.000] - [PKTLEN......: 66.000| 7992.000| 586.000| 1374.100|1888110.100| 3.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.805| 0.259| 0.699| 488344.093| 2.400] + [PKTLEN......: 52.000| 7978.000| 572.000| 1374.100| 1888110.000| 3.400] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1] [IATS(ms)....: 0.1,0.9,0.0,0.9,1.5,2.3,23.6,26.5,34.2,32.2,1.1,1.0,0.2,0.9,0.2,0.4,39.8,69.9,111.2,1.1,61.6,62.7,1.1,842.7,846.6,3.8,131.7,132.7,1.1,2804.2,2805.2] - [PKTLENS.....: 74,74,66,375,66,578,66,408,1198,431,807,454,1514,7992,66,66,66,66,377,571,66,407,571,66,625,429,66,423,587,66,66,66] + [PKTLENS.....: 60,60,52,361,52,564,52,394,1184,417,793,440,1500,7978,52,52,52,52,363,557,52,393,557,52,611,415,52,409,573,52,52,52] + [ENTROPIES...: 4.6,5.1,4.9,5.9,4.9,5.8,4.9,6.0,7.5,6.0,7.3,5.9,7.6,8.0,4.9,4.9,4.9,4.9,6.0,5.8,5.0,6.0,5.8,4.9,5.9,5.7,4.9,6.0,5.8,5.0,5.1,4.9] new: [.....9] [ip4][..tcp] [.....172.16.0.1][52298] -> [..192.168.10.50][...80] detected: [.....9] [ip4][..tcp] [.....172.16.0.1][52298] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] RISK: HTTP Numeric IP Address @@ -29,14 +30,15 @@ new: [....11] [ip4][..tcp] [.....172.16.0.1][52318] -> [..192.168.10.50][...80] new: [....12] [ip4][..tcp] [.....172.16.0.1][52320] -> [..192.168.10.50][...80] analyse: [.....9] [ip4][..tcp] [.....172.16.0.1][52298] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.856| 0.080| 0.207|42651.251| 0.000] - [PKTLEN......: 66.000| 4410.000| 627.000| 1050.300|1103191.500| 3.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.856| 0.080| 0.207| 42651.251| 2.700] + [PKTLEN......: 52.000| 4396.000| 613.000| 1050.300| 1103191.500| 3.700] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,2,2,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,3] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,1,0,0,0,0,1,0,0,1,0,0,1,0,0,1,0] [IATS(ms)....: 0.2,0.9,0.0,0.9,1.5,2.1,20.7,25.9,42.5,6.0,44.4,1.3,0.2,1.3,0.1,0.1,1.2,0.3,0.4,68.6,70.5,37.8,60.4,98.3,1.1,851.7,856.3,4.6,109.7,139.3,29.5] - [PKTLENS.....: 74,74,66,375,66,578,66,408,1200,66,431,807,66,454,4410,4410,752,66,66,66,377,571,66,407,571,66,625,429,66,449,1870,66] + [PKTLENS.....: 60,60,52,361,52,564,52,394,1186,52,417,793,52,440,4396,4396,738,52,52,52,363,557,52,393,557,52,611,415,52,435,1856,52] + [ENTROPIES...: 4.6,5.1,4.9,5.9,4.8,5.7,4.9,5.9,7.4,4.9,5.9,7.2,4.9,5.9,7.9,7.9,7.7,4.9,4.9,4.8,5.9,5.8,4.8,5.9,5.8,4.8,5.9,5.7,4.9,5.9,7.8,5.0] detected: [....10] [ip4][..tcp] [.....172.16.0.1][52300] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] RISK: HTTP Numeric IP Address detected: [....11] [ip4][..tcp] [.....172.16.0.1][52318] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] @@ -78,14 +80,15 @@ new: [....45] [ip4][..tcp] [.....172.16.0.1][52978] -> [..192.168.10.50][...80] new: [....46] [ip4][..tcp] [.....172.16.0.1][53004] -> [..192.168.10.50][...80] analyse: [....41] [ip4][..tcp] [.....172.16.0.1][52910] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.809| 0.610| 0.941|885441.823| 0.000] - [PKTLEN......: 66.000| 1935.000| 730.800| 755.700|571022.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.809| 0.610| 0.941| 885441.823| 3.700] + [PKTLEN......: 52.000| 1921.000| 716.800| 755.700| 571022.900| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.8,3808.1,3808.9,3.1,3.9,1010.4,1014.2,3.8,247.0,250.6,3.6,1037.9,1041.6,3.8,265.4,269.2,3.7,1020.1,1024.5,4.4,240.9,244.6,3.7,1033.1,1036.8,3.7,252.8,256.5,3.7,1006.2] - [PKTLENS.....: 74,74,66,651,66,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449] + [PKTLENS.....: 60,60,52,637,52,1919,52,435,1822,52,637,1920,52,435,1822,52,637,1921,52,435,1822,52,637,1920,52,435,1822,52,637,1918,52,435] + [ENTROPIES...: 4.5,5.0,4.8,6.0,4.9,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.7,6.0,7.8,4.7,5.9,7.7,4.8,6.0,7.8,4.9,5.9] new: [....47] [ip4][..tcp] [.....172.16.0.1][53018] -> [..192.168.10.50][...80] new: [....48] [ip4][..tcp] [.....172.16.0.1][53032] -> [..192.168.10.50][...80] new: [....49] [ip4][..tcp] [.....172.16.0.1][53058] -> [..192.168.10.50][...80] @@ -143,14 +146,15 @@ new: [....83] [ip4][..tcp] [.....172.16.0.1][53678] -> [..192.168.10.50][...80] new: [....84] [ip4][..tcp] [.....172.16.0.1][53692] -> [..192.168.10.50][...80] analyse: [....78] [ip4][..tcp] [.....172.16.0.1][53584] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.899| 0.653| 1.186|1406566.662| 0.000] - [PKTLEN......: 66.000| 1934.000| 727.700| 750.900|563862.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.899| 0.653| 1.186| 1406566.662| 3.500] + [PKTLEN......: 52.000| 1920.000| 713.700| 750.900| 563862.500| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.7,4897.8,4898.5,8.6,9.4,243.2,246.7,3.6,1041.2,1044.8,3.8,241.2,245.3,4.0,1005.5,1009.5,4.0,241.0,244.6,3.6,1008.9,1012.5,3.7,268.3,273.7,5.3,1005.6,1009.6,4.1,266.0] - [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651] + [PKTLENS.....: 60,60,52,435,52,1823,52,637,1919,52,435,1822,52,637,1920,52,435,1822,52,637,1918,52,435,1822,52,637,1919,52,435,1822,52,637] + [ENTROPIES...: 4.6,5.1,4.9,5.9,4.9,7.7,4.9,6.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.9,6.0] end: [....10] [ip4][..tcp] [.....172.16.0.1][52300] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] RISK: HTTP Numeric IP Address end: [....11] [ip4][..tcp] [.....172.16.0.1][52318] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] @@ -267,14 +271,15 @@ end: [....48] [ip4][..tcp] [.....172.16.0.1][53032] -> [..192.168.10.50][...80] new: [...119] [ip4][..tcp] [.....172.16.0.1][54362] -> [..192.168.10.50][...80] analyse: [...114] [ip4][..tcp] [.....172.16.0.1][54268] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.827| 0.609| 0.943|889903.972| 0.000] - [PKTLEN......: 66.000| 1935.000| 730.800| 755.600|570947.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.827| 0.609| 0.943| 889903.972| 3.700] + [PKTLEN......: 52.000| 1921.000| 716.800| 755.600| 570947.800| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.9,3826.3,3827.2,3.1,3.9,1023.0,1026.9,3.9,268.2,273.7,5.4,1005.2,1009.2,4.0,256.2,259.9,3.6,1006.9,1010.6,3.7,250.1,253.8,3.8,1011.3,1016.1,4.8,241.0,244.7,3.6,1020.5] - [PKTLENS.....: 74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1931,66,449] + [PKTLENS.....: 60,60,52,637,52,1921,52,435,1822,52,637,1920,52,435,1822,52,637,1920,52,435,1822,52,637,1919,52,435,1822,52,637,1917,52,435] + [ENTROPIES...: 4.6,5.0,4.9,6.0,4.9,7.8,5.0,5.9,7.7,4.9,6.1,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,5.0,6.1,7.8,5.0,5.9,7.7,4.9,6.1,7.8,4.9,5.9] new: [...120] [ip4][..tcp] [.....172.16.0.1][54376] -> [..192.168.10.50][...80] new: [...121] [ip4][..tcp] [.....172.16.0.1][54390] -> [..192.168.10.50][...80] new: [...122] [ip4][..tcp] [.....172.16.0.1][54416] -> [..192.168.10.50][...80] @@ -386,14 +391,15 @@ new: [...156] [ip4][..tcp] [.....172.16.0.1][55024] -> [..192.168.10.50][...80] new: [...157] [ip4][..tcp] [.....172.16.0.1][55038] -> [..192.168.10.50][...80] analyse: [...152] [ip4][..tcp] [.....172.16.0.1][54956] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.643| 0.568| 0.904|816455.025| 0.000] - [PKTLEN......: 66.000| 1935.000| 727.700| 750.800|563712.500| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.643| 0.568| 0.904| 816455.025| 3.600] + [PKTLEN......: 52.000| 1921.000| 713.700| 750.800| 563712.500| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.7,3641.9,3642.6,3.1,4.1,234.1,238.5,4.2,1006.1,1011.0,4.9,233.1,236.8,3.8,1005.6,1010.7,5.0,236.2,239.8,3.6,1006.8,1010.5,3.7,232.6,236.3,3.6,1034.9,1038.9,4.1,256.3] - [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1929,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651] + [PKTLENS.....: 60,60,52,435,52,1823,52,637,1919,52,435,1822,52,637,1915,52,435,1822,52,637,1921,52,435,1822,52,637,1919,52,435,1822,52,637] + [ENTROPIES...: 4.6,5.1,4.9,5.9,4.9,7.7,4.8,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,5.0,6.0,7.8,4.9,5.9,7.7,4.9,6.1] new: [...158] [ip4][..tcp] [.....172.16.0.1][55064] -> [..192.168.10.50][...80] new: [...159] [ip4][..tcp] [.....172.16.0.1][55078] -> [..192.168.10.50][...80] new: [...160] [ip4][..tcp] [.....172.16.0.1][55092] -> [..192.168.10.50][...80] @@ -501,14 +507,15 @@ new: [...194] [ip4][..tcp] [.....172.16.0.1][55700] -> [..192.168.10.50][...80] new: [...195] [ip4][..tcp] [.....172.16.0.1][55726] -> [..192.168.10.50][...80] analyse: [...190] [ip4][..tcp] [.....172.16.0.1][55632] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.785| 0.602| 0.936|875951.489| 0.000] - [PKTLEN......: 66.000| 1935.000| 730.900| 755.900|571323.500| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.785| 0.602| 0.936| 875951.489| 3.700] + [PKTLEN......: 52.000| 1921.000| 716.900| 755.900| 571323.500| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.9,3784.1,3784.9,3.1,3.8,1004.0,1007.6,3.7,223.7,227.4,3.7,1007.8,1011.6,3.8,255.8,259.5,3.6,1007.9,1012.0,4.2,230.4,234.8,4.3,1037.5,1041.9,4.5,238.3,242.0,3.7,1009.9] - [PKTLENS.....: 74,74,66,651,66,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1935,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449] + [PKTLENS.....: 60,60,52,637,52,1921,52,435,1822,52,637,1920,52,435,1822,52,637,1921,52,435,1822,52,637,1920,52,435,1822,52,637,1920,52,435] + [ENTROPIES...: 4.6,5.0,4.9,6.0,4.9,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,5.0,6.1,7.8,5.0,5.9,7.7,4.8,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9] new: [...196] [ip4][..tcp] [.....172.16.0.1][55740] -> [..192.168.10.50][...80] guessed: [...117] [ip4][..tcp] [.....172.16.0.1][54322] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] end: [...117] [ip4][..tcp] [.....172.16.0.1][54322] -> [..192.168.10.50][...80] @@ -633,14 +640,15 @@ guessed: [...158] [ip4][..tcp] [.....172.16.0.1][55064] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] end: [...158] [ip4][..tcp] [.....172.16.0.1][55064] -> [..192.168.10.50][...80] analyse: [...227] [ip4][..tcp] [.....172.16.0.1][56306] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.805| 0.635| 1.170|1368332.173| 0.000] - [PKTLEN......: 66.000| 1934.000| 709.600| 708.000|501313.900| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.805| 0.635| 1.170| 1368332.173| 3.400] + [PKTLEN......: 52.000| 1920.000| 695.600| 708.000| 501313.900| 4.200] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,7] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,0,1] [IATS(ms)....: 0.1,0.7,4804.7,4805.4,3.1,3.8,248.6,252.2,3.7,1022.4,1026.2,3.8,225.2,229.2,0.0,4.0,1026.8,1030.9,4.2,232.5,236.2,0.1,3.6,1006.0,1010.7,4.8,233.2,236.8,3.6,1008.0,1011.7] - [PKTLENS.....: 74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1514,486,66,449,1836,66,651,1514,486,66,449,1836,66,651,1934,66,449,1836] + [PKTLENS.....: 60,60,52,435,52,1823,52,637,1920,52,435,1822,52,637,1500,472,52,435,1822,52,637,1500,472,52,435,1822,52,637,1920,52,435,1822] + [ENTROPIES...: 4.6,5.1,5.0,5.9,4.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.7,7.5,4.8,5.9,7.7,5.0,6.0,7.7,7.6,5.0,5.9,7.7,5.0,6.0,7.7,4.9,5.9,7.7] new: [...233] [ip4][..tcp] [.....172.16.0.1][56414] -> [..192.168.10.50][...80] new: [...234] [ip4][..tcp] [.....172.16.0.1][56428] -> [..192.168.10.50][...80] new: [...235] [ip4][..tcp] [.....172.16.0.1][56454] -> [..192.168.10.50][...80] @@ -755,14 +763,15 @@ new: [...270] [ip4][..tcp] [.....172.16.0.1][57076] -> [..192.168.10.50][...80] new: [...271] [ip4][..tcp] [.....172.16.0.1][57090] -> [..192.168.10.50][...80] analyse: [...265] [ip4][..tcp] [.....172.16.0.1][56994] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.819| 0.606| 0.944|891595.915| 0.000] - [PKTLEN......: 66.000| 1934.000| 730.700| 755.500|570797.200| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.819| 0.606| 0.944| 891595.915| 3.700] + [PKTLEN......: 52.000| 1920.000| 716.700| 755.500| 570797.200| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.9,3818.1,3819.0,2.9,3.6,1026.8,1031.2,4.4,231.9,235.6,3.8,1007.0,1010.7,3.8,236.2,239.9,3.6,1008.9,1012.8,4.2,228.6,232.8,4.0,1040.9,1048.3,7.4,251.6,255.2,3.6,1017.7] - [PKTLENS.....: 74,74,66,651,66,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1932,66,449] + [PKTLENS.....: 60,60,52,637,52,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1920,52,435,1822,52,637,1918,52,435] + [ENTROPIES...: 4.6,5.0,4.9,6.0,4.9,7.8,5.0,5.9,7.7,4.9,6.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,5.0,6.0,7.8,4.9,5.9] new: [...272] [ip4][..tcp] [.....172.16.0.1][57116] -> [..192.168.10.50][...80] new: [...273] [ip4][..tcp] [.....172.16.0.1][57130] -> [..192.168.10.50][...80] new: [...274] [ip4][..tcp] [.....172.16.0.1][57144] -> [..192.168.10.50][...80] @@ -876,14 +885,15 @@ new: [...308] [ip4][..tcp] [.....172.16.0.1][57752] -> [..192.168.10.50][...80] new: [...309] [ip4][..tcp] [.....172.16.0.1][57778] -> [..192.168.10.50][...80] analyse: [...304] [ip4][..tcp] [.....172.16.0.1][57684] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.536| 0.567| 0.877|769788.412| 0.000] - [PKTLEN......: 66.000| 1934.000| 727.700| 750.900|563862.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.536| 0.567| 0.877| 769788.412| 3.700] + [PKTLEN......: 52.000| 1920.000| 713.700| 750.900| 563862.500| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.9,3535.3,3536.2,3.0,3.9,353.5,357.6,4.1,1009.5,1013.5,4.1,235.9,239.6,3.7,1007.5,1011.2,3.7,236.1,239.8,3.7,1007.6,1011.4,3.8,240.9,244.7,3.7,1011.7,1015.5,3.8,232.1] - [PKTLENS.....: 74,74,66,449,66,1837,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651] + [PKTLENS.....: 60,60,52,435,52,1823,52,637,1918,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1920,52,435,1822,52,637] + [ENTROPIES...: 4.6,5.0,4.8,5.9,4.8,7.7,4.6,6.0,7.8,4.8,5.9,7.7,4.8,6.0,7.8,4.9,5.9,7.7,4.8,6.0,7.8,4.8,5.9,7.7,4.8,6.0,7.8,4.8,5.9,7.7,4.8,6.0] new: [...310] [ip4][..tcp] [.....172.16.0.1][57792] -> [..192.168.10.50][...80] new: [...311] [ip4][..tcp] [.....172.16.0.1][57806] -> [..192.168.10.50][...80] guessed: [...231] [ip4][..tcp] [.....172.16.0.1][56374] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] @@ -1011,14 +1021,15 @@ guessed: [...272] [ip4][..tcp] [.....172.16.0.1][57116] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] end: [...272] [ip4][..tcp] [.....172.16.0.1][57116] -> [..192.168.10.50][...80] analyse: [...342] [ip4][..tcp] [.....172.16.0.1][58360] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.810| 0.603| 0.941|884966.883| 0.000] - [PKTLEN......: 66.000| 1935.000| 730.800| 755.700|571097.900| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.810| 0.603| 0.941| 884966.883| 3.700] + [PKTLEN......: 52.000| 1921.000| 716.800| 755.700| 571097.900| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.7,3808.9,3809.5,3.4,4.1,1007.1,1011.3,4.3,225.9,229.5,3.8,1021.8,1025.8,4.1,234.0,238.5,4.5,1006.3,1010.7,4.3,238.5,243.2,4.5,1006.7,1011.2,4.5,253.5,257.1,3.6,1008.0] - [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449] + [PKTLENS.....: 60,60,52,637,52,1920,52,435,1822,52,637,1920,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1921,52,435] + [ENTROPIES...: 4.6,5.1,5.0,6.0,5.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,5.0,6.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.8,5.9] new: [...348] [ip4][..tcp] [.....172.16.0.1][58468] -> [..192.168.10.50][...80] new: [...349] [ip4][..tcp] [.....172.16.0.1][58482] -> [..192.168.10.50][...80] new: [...350] [ip4][..tcp] [.....172.16.0.1][58496] -> [..192.168.10.50][...80] @@ -1132,14 +1143,15 @@ end: [...308] [ip4][..tcp] [.....172.16.0.1][57752] -> [..192.168.10.50][...80] new: [...385] [ip4][..tcp] [.....172.16.0.1][59124] -> [..192.168.10.50][...80] analyse: [...380] [ip4][..tcp] [.....172.16.0.1][59042] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.823| 0.637| 1.173|1374936.236| 0.000] - [PKTLEN......: 66.000| 1935.000| 709.600| 759.800|577334.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.823| 0.637| 1.173| 1374936.236| 3.400] + [PKTLEN......: 52.000| 1921.000| 695.600| 759.800| 577334.100| 4.100] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0] [IATS(ms)....: 0.1,1.1,4821.8,4822.9,2.9,6.0,222.0,227.9,5.0,1.0,1005.0,1011.2,4.1,265.5,269.3,3.6,1019.9,1023.5,4.0,238.2,242.3,4.8,1006.0,1010.7,4.0,237.9,242.4,5.0,1011.0,1016.0,5.0] - [PKTLENS.....: 74,74,66,449,66,1837,66,651,1935,66,66,449,1836,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66] + [PKTLENS.....: 60,60,52,435,52,1823,52,637,1921,52,52,435,1822,52,637,1919,52,435,1822,52,637,1921,52,435,1822,52,637,1919,52,435,1822,52] + [ENTROPIES...: 4.6,5.1,4.9,5.9,4.8,7.7,4.9,6.0,7.8,4.9,4.9,5.8,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.8,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.7,5.0,5.9,7.7,5.0] new: [...386] [ip4][..tcp] [.....172.16.0.1][59150] -> [..192.168.10.50][...80] new: [...387] [ip4][..tcp] [.....172.16.0.1][59164] -> [..192.168.10.50][...80] new: [...388] [ip4][..tcp] [.....172.16.0.1][59178] -> [..192.168.10.50][...80] @@ -1256,14 +1268,15 @@ new: [...423] [ip4][..tcp] [.....172.16.0.1][59812] -> [..192.168.10.50][...80] new: [...424] [ip4][..tcp] [.....172.16.0.1][59826] -> [..192.168.10.50][...80] analyse: [...419] [ip4][..tcp] [.....172.16.0.1][59732] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.767| 0.604| 0.933|871184.138| 0.000] - [PKTLEN......: 66.000| 1935.000| 730.800| 755.700|571022.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.767| 0.604| 0.933| 871184.138| 3.700] + [PKTLEN......: 52.000| 1921.000| 716.800| 755.700| 571022.900| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.7,3766.4,3767.0,3.5,4.2,1039.9,1045.4,5.5,227.3,230.9,3.6,1037.1,1040.9,3.8,252.9,256.6,3.8,1024.0,1027.8,3.7,237.3,241.0,3.6,1007.8,1011.5,3.7,235.0,238.7,3.7,1007.2] - [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1935,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449] + [PKTLENS.....: 60,60,52,637,52,1920,52,435,1822,52,637,1918,52,435,1822,52,637,1921,52,435,1822,52,637,1919,52,435,1822,52,637,1920,52,435] + [ENTROPIES...: 4.6,5.1,4.9,6.0,4.9,7.8,4.9,5.9,7.7,5.0,6.0,7.8,4.8,5.9,7.7,4.9,6.0,7.8,4.8,5.9,7.7,4.9,6.0,7.8,4.8,5.9,7.7,4.9,6.0,7.8,4.9,5.9] new: [...425] [ip4][..tcp] [.....172.16.0.1][59852] -> [..192.168.10.50][...80] new: [...426] [ip4][..tcp] [.....172.16.0.1][59866] -> [..192.168.10.50][...80] guessed: [...346] [ip4][..tcp] [.....172.16.0.1][58440] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] @@ -1394,14 +1407,15 @@ end: [...389] [ip4][..tcp] [.....172.16.0.1][59192] -> [..192.168.10.50][...80] new: [...463] [ip4][..tcp] [.....172.16.0.1][60558] -> [..192.168.10.50][...80] analyse: [...458] [ip4][..tcp] [.....172.16.0.1][60464] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.582| 0.571| 0.887|786468.045| 0.000] - [PKTLEN......: 66.000| 1934.000| 727.700| 750.900|563862.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.582| 0.571| 0.887| 786468.045| 3.700] + [PKTLEN......: 52.000| 1920.000| 713.700| 750.900| 563862.600| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.9,3581.2,3582.1,3.3,4.1,271.0,275.6,4.6,1007.5,1011.3,3.8,268.9,273.0,4.1,1007.5,1011.6,4.2,263.6,267.5,3.9,1019.8,1023.7,4.0,253.2,261.2,7.9,1002.9,1011.8,8.9,255.9] - [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651,1931,66,449,1836,66,651,1934,66,449,1836,66,651] + [PKTLENS.....: 60,60,52,435,52,1823,52,637,1919,52,435,1822,52,637,1920,52,435,1822,52,637,1917,52,435,1822,52,637,1920,52,435,1822,52,637] + [ENTROPIES...: 4.6,5.1,4.9,5.9,4.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,5.0,5.8,7.7,4.9,6.0] new: [...464] [ip4][..tcp] [.....172.16.0.1][60572] -> [..192.168.10.50][...80] new: [...465] [ip4][..tcp] [.....172.16.0.1][60598] -> [..192.168.10.50][...80] new: [...466] [ip4][..tcp] [.....172.16.0.1][60612] -> [..192.168.10.50][...80] @@ -1513,14 +1527,15 @@ new: [...500] [ip4][..tcp] [.....172.16.0.1][32988] -> [..192.168.10.50][...80] new: [...501] [ip4][..tcp] [.....172.16.0.1][33002] -> [..192.168.10.50][...80] analyse: [...495] [ip4][..tcp] [.....172.16.0.1][32906] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.862| 0.614| 0.953|908128.223| 0.000] - [PKTLEN......: 66.000| 1935.000| 730.800| 755.600|570948.000| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.862| 0.614| 0.953| 908128.223| 3.700] + [PKTLEN......: 52.000| 1921.000| 716.800| 755.600| 570948.000| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.2,0.9,3861.2,3862.0,3.2,4.0,1007.4,1011.0,3.7,256.9,260.5,3.6,1018.3,1022.0,3.6,243.4,247.0,3.6,1033.5,1037.2,3.7,244.2,248.3,4.1,1037.5,1041.7,4.2,261.5,265.1,3.6,1039.0] - [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1934,66,449,1836,66,651,1930,66,449,1836,66,651,1935,66,449] + [PKTLENS.....: 60,60,52,637,52,1920,52,435,1822,52,637,1920,52,435,1822,52,637,1920,52,435,1822,52,637,1916,52,435,1822,52,637,1921,52,435] + [ENTROPIES...: 4.5,5.1,4.9,6.0,4.9,7.8,4.9,5.9,7.7,4.8,6.0,7.8,4.9,5.9,7.7,4.8,6.0,7.8,4.9,5.9,7.7,4.9,6.1,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9] new: [...502] [ip4][..tcp] [.....172.16.0.1][33028] -> [..192.168.10.50][...80] new: [...503] [ip4][..tcp] [.....172.16.0.1][33042] -> [..192.168.10.50][...80] new: [...504] [ip4][..tcp] [.....172.16.0.1][33068] -> [..192.168.10.50][...80] @@ -1636,14 +1651,15 @@ new: [...536] [ip4][..tcp] [.....172.16.0.1][33648] -> [..192.168.10.50][...80] new: [...537] [ip4][..tcp] [.....172.16.0.1][33674] -> [..192.168.10.50][...80] analyse: [...532] [ip4][..tcp] [.....172.16.0.1][33580] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.841| 0.651| 1.171|1372280.717| 0.000] - [PKTLEN......: 66.000| 1935.000| 727.800| 751.000|564013.300| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.841| 0.651| 1.171| 1372280.717| 3.500] + [PKTLEN......: 52.000| 1921.000| 713.800| 751.000| 564013.300| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.9,4839.8,4840.6,3.7,4.5,263.2,266.8,3.7,1005.3,1009.1,3.8,260.6,264.4,3.8,1025.0,1028.7,3.7,266.1,269.7,3.7,1007.6,1011.9,4.3,260.9,265.1,4.2,1006.7,1010.8,4.2,244.8] - [PKTLENS.....: 74,74,66,449,66,1837,66,651,1933,66,449,1836,66,651,1935,66,449,1836,66,651,1932,66,449,1836,66,651,1934,66,449,1836,66,651] + [PKTLENS.....: 60,60,52,435,52,1823,52,637,1919,52,435,1822,52,637,1921,52,435,1822,52,637,1918,52,435,1822,52,637,1920,52,435,1822,52,637] + [ENTROPIES...: 4.6,5.1,4.9,5.9,4.9,7.7,4.9,6.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,5.0,6.0] new: [...538] [ip4][..tcp] [.....172.16.0.1][33688] -> [..192.168.10.50][...80] new: [...539] [ip4][..tcp] [.....172.16.0.1][33702] -> [..192.168.10.50][...80] guessed: [...463] [ip4][..tcp] [.....172.16.0.1][60558] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] @@ -1753,14 +1769,15 @@ new: [...572] [ip4][..tcp] [.....172.16.0.1][34332] -> [..192.168.10.50][...80] new: [...573] [ip4][..tcp] [.....172.16.0.1][34346] -> [..192.168.10.50][...80] analyse: [...569] [ip4][..tcp] [.....172.16.0.1][34278] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.588| 0.498| 0.689|474371.129| 0.000] - [PKTLEN......: 66.000| 1934.000| 718.700| 762.800|581830.000| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.588| 0.498| 0.689| 474371.129| 3.700] + [PKTLEN......: 52.000| 1920.000| 704.700| 762.800| 581830.000| 4.100] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,1,0] [IATS(ms)....: 0.2,0.7,2587.7,2588.4,3.7,4.5,1020.5,1024.9,4.4,244.7,248.4,3.7,1042.3,1047.0,4.6,242.3,246.0,3.7,1031.2,1034.9,3.7,241.4,245.1,3.6,0.5,1025.2,1029.3,3.8,251.3,255.5,4.2] - [PKTLENS.....: 74,74,66,651,66,1932,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,66,449,1836,66,651,1932,66] + [PKTLENS.....: 60,60,52,637,52,1918,52,435,1822,52,637,1918,52,435,1822,52,637,1919,52,435,1822,52,637,1920,52,52,435,1822,52,637,1918,52] + [ENTROPIES...: 4.6,5.0,5.0,6.0,4.9,7.8,4.9,5.9,7.7,4.9,6.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,4.9,6.0,7.8,4.9,4.9,5.9,7.7,4.8,6.0,7.7,4.9] guessed: [...498] [ip4][..tcp] [.....172.16.0.1][32960] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] end: [...498] [ip4][..tcp] [.....172.16.0.1][32960] -> [..192.168.10.50][...80] guessed: [...499] [ip4][..tcp] [.....172.16.0.1][32974] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] @@ -1887,14 +1904,15 @@ new: [...611] [ip4][..tcp] [.....172.16.0.1][35034] -> [..192.168.10.50][...80] new: [...612] [ip4][..tcp] [.....172.16.0.1][35048] -> [..192.168.10.50][...80] analyse: [...606] [ip4][..tcp] [.....172.16.0.1][34940] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.897| 0.655| 1.187|1408178.323| 0.000] - [PKTLEN......: 66.000| 1934.000| 727.800| 751.000|564013.200| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.897| 0.655| 1.187| 1408178.323| 3.500] + [PKTLEN......: 52.000| 1920.000| 713.800| 751.000| 564013.200| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.2,0.9,4896.4,4897.2,3.1,3.9,250.4,254.5,4.1,1006.9,1011.0,4.1,267.3,271.2,3.9,1008.0,1012.0,4.0,246.8,250.4,3.6,1038.7,1042.4,3.7,241.6,245.2,3.6,1046.3,1049.9,3.8,242.0] - [PKTLENS.....: 74,74,66,449,66,1837,66,651,1934,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1934,66,449,1836,66,651] + [PKTLENS.....: 60,60,52,435,52,1823,52,637,1920,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1920,52,435,1822,52,637] + [ENTROPIES...: 4.6,5.1,5.0,5.9,4.9,7.7,4.9,6.0,7.8,4.9,5.9,7.7,5.0,6.0,7.8,5.0,5.9,7.7,5.0,6.0,7.8,5.0,5.9,7.7,5.0,6.0,7.8,4.9,5.9,7.7,5.0,6.0] new: [...613] [ip4][..tcp] [.....172.16.0.1][35074] -> [..192.168.10.50][...80] new: [...614] [ip4][..tcp] [.....172.16.0.1][35088] -> [..192.168.10.50][...80] new: [...615] [ip4][..tcp] [.....172.16.0.1][35114] -> [..192.168.10.50][...80] @@ -2003,14 +2021,15 @@ new: [...648] [ip4][..tcp] [.....172.16.0.1][35696] -> [..192.168.10.50][...80] new: [...649] [ip4][..tcp] [.....172.16.0.1][35722] -> [..192.168.10.50][...80] analyse: [...643] [ip4][..tcp] [.....172.16.0.1][35626] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.954| 0.620| 0.972|945707.024| 0.000] - [PKTLEN......: 66.000| 1934.000| 730.700| 755.500|570797.200| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.954| 0.620| 0.972| 945707.024| 3.700] + [PKTLEN......: 52.000| 1920.000| 716.700| 755.500| 570797.200| 4.200] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.1,0.7,3953.2,3953.8,3.0,3.8,1020.6,1024.3,3.7,248.2,252.3,4.2,1041.7,1046.0,4.3,255.1,258.8,3.6,1007.1,1010.8,3.7,252.7,256.2,3.6,1010.5,1014.2,3.8,262.9,266.7,3.8,1039.9] - [PKTLENS.....: 74,74,66,651,66,1934,66,449,1836,66,651,1932,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449,1836,66,651,1933,66,449] + [PKTLENS.....: 60,60,52,637,52,1920,52,435,1822,52,637,1918,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435,1822,52,637,1919,52,435] + [ENTROPIES...: 4.6,5.1,5.0,6.0,4.9,7.8,5.0,5.9,7.7,5.0,6.0,7.8,5.0,5.9,7.7,5.0,6.0,7.8,5.0,5.9,7.7,5.0,6.0,7.8,5.0,5.9,7.7,4.9,6.0,7.8,4.9,5.9] new: [...650] [ip4][..tcp] [.....172.16.0.1][35736] -> [..192.168.10.50][...80] new: [...651] [ip4][..tcp] [.....172.16.0.1][35762] -> [..192.168.10.50][...80] guessed: [...574] [ip4][..tcp] [.....172.16.0.1][34372] -> [..192.168.10.50][...80] [HTTP][Web][Acceptable] diff --git a/test/results/flow-info/aimini-http.pcap.out b/test/results/flow-info/aimini-http.pcap.out index 663e4f32b..f5db44c4c 100644 --- a/test/results/flow-info/aimini-http.pcap.out +++ b/test/results/flow-info/aimini-http.pcap.out @@ -6,14 +6,15 @@ new: [.....2] [ip4][..tcp] [.....10.101.0.2][28502] -> [.....10.102.0.2][...80] detected: [.....2] [ip4][..tcp] [.....10.101.0.2][28502] -> [.....10.102.0.2][...80] [HTTP.Aimini][Download][Fun] analyse: [.....1] [ip4][..tcp] [.....10.101.0.2][28501] -> [.....10.102.0.2][...80] [HTTP.Aimini][Download][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.001| 0.000| 0.000| 0.129| 0.000] - [PKTLEN......: 60.000| 1514.000| 838.400| 690.000|476082.300| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.001| 0.000| 0.000| 0.129| 3.400] + [PKTLEN......: 46.000| 1500.000| 824.400| 690.000| 476082.300| 4.400] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] [DIRECTIONS..: 0,0,1,1,0,0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,0,0,0,0] [IATS(ms)....: 0.5,1.1,0.4,1.0,0.0,0.7,0.1,0.9,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.2,0.0,0.3,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.2,0.0,0.1,1.1,0.0] - [PKTLENS.....: 62,62,62,62,60,649,60,649,1514,1514,1514,1514,1514,1514,1514,290,1514,1514,60,1514,1514,60,1514,1514,60,1514,290,60,60,60,1514,1514] + [PKTLENS.....: 48,48,48,48,46,635,46,635,1500,1500,1500,1500,1500,1500,1500,276,1500,1500,46,1500,1500,46,1500,1500,46,1500,276,46,46,46,1500,1500] + [ENTROPIES...: 3.9,4.1,4.3,4.5,3.8,6.0,4.0,6.0,7.7,7.9,7.7,7.9,7.8,7.8,7.9,7.0,7.7,7.9,3.8,7.7,7.9,3.8,7.8,7.8,3.8,7.9,7.0,4.0,4.0,4.0,5.8,4.5] new: [.....3] [ip4][..tcp] [.....10.101.0.2][28503] -> [.....10.102.0.2][...80] detected: [.....3] [ip4][..tcp] [.....10.101.0.2][28503] -> [.....10.102.0.2][...80] [HTTP.Aimini][Download][Fun] new: [.....4] [ip4][..tcp] [.....10.101.0.2][28504] -> [.....10.102.0.2][...80] diff --git a/test/results/flow-info/alexa-app.pcapng.out b/test/results/flow-info/alexa-app.pcapng.out index f8b26e5b5..07c93a4c3 100644 --- a/test/results/flow-info/alexa-app.pcapng.out +++ b/test/results/flow-info/alexa-app.pcapng.out @@ -122,14 +122,15 @@ detection-update: [....38] [ip4][..tcp] [..172.16.42.216][54412] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....38] [ip4][..tcp] [..172.16.42.216][54412] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable] analyse: [....37] [ip4][..tcp] [..172.16.42.216][54411] -> [..52.85.209.216][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.091| 0.022| 0.031| 964.249| 0.000] - [PKTLEN......: 66.000| 1514.000| 594.300| 637.000|405792.100| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.091| 0.022| 0.031| 964.249| 3.600] + [PKTLEN......: 52.000| 1500.000| 580.300| 637.000| 405792.100| 4.100] [BINS(c->s)..: 11,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,9,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,1,1,1,1,1,1,1,0,0,0] [IATS(ms)....: 47.0,53.0,0.3,73.2,0.1,18.9,0.4,0.3,0.4,88.2,0.3,0.7,0.2,8.1,32.8,75.3,63.7,49.4,70.9,0.8,90.5,2.0,0.4,0.5,0.4,0.5,0.7,0.0,5.3,0.3,1.1] - [PKTLENS.....: 74,74,66,268,66,66,1514,1514,1514,833,66,66,66,66,192,1096,308,66,66,1514,1514,66,1514,1514,1514,464,1514,1126,100,66,66,66] + [PKTLENS.....: 60,60,52,254,52,52,1500,1500,1500,819,52,52,52,52,178,1082,294,52,52,1500,1500,52,1500,1500,1500,450,1500,1112,86,52,52,52] + [ENTROPIES...: 4.6,5.3,5.1,5.6,5.0,5.0,6.9,7.2,7.5,7.6,5.0,5.0,5.0,5.0,6.3,7.8,7.0,5.1,5.0,7.9,7.9,5.0,7.9,7.9,7.9,7.5,7.9,7.8,5.8,5.0,5.0,4.9] detection-update: [....37] [ip4][..tcp] [..172.16.42.216][54411] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....36] [ip4][..tcp] [..172.16.42.216][34019] -> [..54.239.24.186][..443] [TLS.AmazonAWS][Cloud][Acceptable] detection-update: [....36] [ip4][..tcp] [..172.16.42.216][34019] -> [..54.239.24.186][..443] [TLS.AmazonAWS][Cloud][Acceptable] @@ -137,14 +138,15 @@ detected: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] ERROR-EVENT: Unknown packet type analyse: [....28] [ip4][..tcp] [..172.16.42.216][45661] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.016| 0.161| 0.286|81844.249| 0.000] - [PKTLEN......: 54.000| 1514.000| 380.200| 485.100|235358.500| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.016| 0.161| 0.286| 81844.249| 3.400] + [PKTLEN......: 40.000| 1500.000| 366.200| 485.100| 235358.500| 3.900] [BINS(c->s)..: 12,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0] [IATS(ms)....: 55.7,59.3,1.4,66.6,0.4,0.1,64.1,4.8,0.3,2.7,66.9,3.1,100.8,8.3,108.4,5.9,66.9,500.8,354.1,941.1,3.0,88.7,111.8,176.5,0.2,64.7,9.2,104.2,1015.9,966.5,45.6] - [PKTLENS.....: 74,62,54,261,1514,1514,399,54,54,54,380,60,113,54,1136,60,955,54,1120,1120,60,507,54,1168,60,891,54,54,60,54,60,54] + [PKTLENS.....: 60,48,40,247,1500,1500,385,40,40,40,366,46,99,40,1122,46,941,40,1106,1106,46,493,40,1154,46,877,40,40,46,40,46,40] + [ENTROPIES...: 4.6,5.1,4.8,5.5,6.8,7.3,7.4,4.8,4.8,4.7,7.3,4.7,6.0,4.9,7.8,4.5,7.8,4.8,7.8,7.8,4.6,7.6,4.8,7.8,4.6,7.7,4.9,4.9,4.5,4.8,4.5,4.8] detection-update: [....40] [ip4][..udp] [..172.16.42.216][43350] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] new: [....41] [ip4][..tcp] [..172.16.42.216][42129] -> [..72.21.206.135][..443] new: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] @@ -181,14 +183,15 @@ detection-update: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] analyse: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.836| 0.167| 0.244|59552.047| 0.000] - [PKTLEN......: 54.000| 1514.000| 401.000| 534.600|285800.000| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.836| 0.167| 0.244| 59552.047| 3.700] + [PKTLEN......: 40.000| 1500.000| 387.000| 534.600| 285800.000| 3.900] [BINS(c->s)..: 10,0,0,1,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,0,1,1,1,0,0,0,1,1,0,0,1,0] [IATS(ms)....: 54.2,55.4,0.5,50.3,258.9,520.1,785.3,3.8,0.2,0.1,0.0,60.8,0.3,0.1,0.1,52.1,11.0,287.0,223.9,2.7,139.2,0.2,171.9,179.9,0.1,402.7,22.4,216.5,783.8,835.9,50.5] - [PKTLENS.....: 74,62,54,259,60,259,259,60,1514,1514,1514,688,54,54,54,54,180,1514,105,482,60,60,480,54,1514,1210,60,357,54,54,60,54] + [PKTLENS.....: 60,48,40,245,46,245,245,46,1500,1500,1500,674,40,40,40,40,166,1500,91,468,46,46,466,40,1500,1196,46,343,40,40,46,40] + [ENTROPIES...: 4.6,5.1,4.9,5.6,4.5,5.6,5.6,4.6,7.1,7.3,7.4,7.6,4.8,4.9,4.8,4.8,6.3,7.9,5.9,7.5,4.6,4.6,7.5,4.8,7.9,7.8,4.6,7.4,4.9,4.9,4.6,4.9] detection-update: [....42] [ip4][..tcp] [..172.16.42.216][42130] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] new: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] detected: [....50] [ip4][..tcp] [..172.16.42.216][45680] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] @@ -211,14 +214,15 @@ detection-update: [....54] [ip4][..tcp] [..172.16.42.216][54427] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....55] [ip4][..tcp] [..172.16.42.216][42143] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] analyse: [....52] [ip4][..tcp] [..172.16.42.216][34034] -> [..54.239.24.186][..443] [TLS.AmazonAWS][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.352| 0.044| 0.079| 6215.196| 0.000] - [PKTLEN......: 54.000| 1514.000| 657.200| 676.900|458225.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.352| 0.044| 0.079| 6215.196| 3.500] + [PKTLEN......: 40.000| 1500.000| 643.200| 676.900| 458225.800| 4.100] [BINS(c->s)..: 4,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,11,0,0] [BINS(s->c)..: 11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,0] [IATS(ms)....: 57.0,58.6,1.8,56.8,4.8,0.1,59.3,0.3,22.9,80.0,5.9,71.8,0.3,0.1,0.6,0.3,0.2,1.4,0.3,0.1,67.8,34.8,23.9,352.1,295.3,0.1,57.7,0.7,60.6,0.1,59.8] - [PKTLENS.....: 74,62,54,313,60,60,210,54,105,820,60,564,1514,1439,1514,1514,1514,1514,1514,1514,83,60,60,60,1514,60,60,1514,1514,60,60,1514] + [PKTLENS.....: 60,48,40,299,46,46,196,40,91,806,46,550,1500,1425,1500,1500,1500,1500,1500,1500,69,46,46,46,1500,46,46,1500,1500,46,46,1500] + [ENTROPIES...: 4.7,5.1,4.8,6.0,4.6,4.5,6.4,4.8,5.3,7.7,4.6,7.6,7.9,7.9,7.8,7.9,7.9,7.9,7.9,7.9,5.7,4.5,4.5,4.5,7.9,4.6,4.6,7.9,7.9,4.6,4.6,7.9] new: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] detected: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....56] [ip4][..tcp] [..172.16.42.216][42144] -> [..72.21.206.135][..443] [TLS.Amazon][Web][Acceptable] @@ -260,23 +264,25 @@ detection-update: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] [TLS.Amazon][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS analyse: [....63] [ip4][..tcp] [..172.16.42.216][54434] -> [..52.85.209.216][..443] [TLS.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.897| 0.237| 0.560|313730.662| 0.000] - [PKTLEN......: 66.000| 1514.000| 617.100| 665.400|442821.700| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.897| 0.237| 0.560| 313730.662| 2.800] + [PKTLEN......: 52.000| 1500.000| 603.100| 665.400| 442821.700| 4.100] [BINS(c->s)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0] [BINS(s->c)..: 7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,5,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,1] [IATS(ms)....: 52.9,67.2,1.0,63.2,9.6,59.8,0.3,20.9,0.5,0.2,0.2,1.1,0.2,97.5,0.1,7.3,15.9,484.6,0.2,0.2,116.0,306.3,538.3,1116.6,2896.8,0.3,0.2,0.1,0.1,583.2,913.8] - [PKTLENS.....: 74,74,66,583,66,222,66,117,1514,1514,139,1514,1514,1495,66,66,66,66,1514,1514,1223,1223,1514,1514,1514,66,78,78,78,78,66,66] + [PKTLENS.....: 60,60,52,569,52,208,52,103,1500,1500,125,1500,1500,1481,52,52,52,52,1500,1500,1209,1209,1500,1500,1500,52,64,64,64,64,52,52] + [ENTROPIES...: 4.7,5.3,5.0,6.1,5.0,6.6,5.1,5.6,7.9,7.9,6.4,7.9,7.9,7.9,5.0,5.0,5.0,4.9,7.9,7.9,7.8,7.8,7.9,7.9,7.9,4.9,5.0,5.1,5.1,5.1,5.1,5.0] analyse: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.486| 0.102| 0.138|19130.661| 0.000] - [PKTLEN......: 54.000| 1514.000| 700.300| 682.000|465082.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.486| 0.102| 0.138| 19130.661| 3.700] + [PKTLEN......: 40.000| 1500.000| 686.300| 682.000| 465082.800| 4.200] [BINS(c->s)..: 6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 6,1,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 92.4,95.4,2.4,97.4,1.9,14.1,0.3,0.1,113.4,0.3,0.2,49.6,132.6,83.3,183.9,0.3,326.1,293.1,272.4,0.1,443.7,0.4,0.5,0.0,276.5,199.2,0.5,0.0,0.7,486.1,0.4] - [PKTLENS.....: 74,62,54,275,60,60,1514,1514,464,54,54,54,180,105,54,1514,547,60,1514,60,60,1514,1514,1514,225,1514,1514,1514,225,1514,1514,1514] + [PKTLENS.....: 60,48,40,261,46,46,1500,1500,450,40,40,40,166,91,40,1500,533,46,1500,46,46,1500,1500,1500,211,1500,1500,1500,211,1500,1500,1500] + [ENTROPIES...: 4.7,5.1,4.7,5.4,4.6,4.6,7.2,7.3,7.4,4.8,4.8,4.8,6.6,5.8,4.7,7.9,7.6,4.7,7.9,4.5,4.5,7.8,7.9,7.9,7.0,7.8,7.9,7.9,7.0,7.8,7.8,7.9] detection-update: [....65] [ip4][..tcp] [..172.16.42.216][41691] -> [..54.239.29.146][..443] [TLS.Amazon][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS new: [....66] [ip4][..tcp] [..172.16.42.216][49606] -> [..52.94.232.134][...80] @@ -376,14 +382,15 @@ detected: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] detected: [....93] [ip4][..tcp] [..172.16.42.216][49630] -> [..52.94.232.134][...80] [HTTP.AmazonAlexa][VirtAssistant][Acceptable] analyse: [....80] [ip4][..tcp] [..172.16.42.216][45703] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.570| 0.289| 0.417|173871.694| 0.000] - [PKTLEN......: 54.000| 1514.000| 385.100| 516.000|266233.000| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.570| 0.289| 0.417| 173871.694| 3.700] + [PKTLEN......: 40.000| 1500.000| 371.100| 516.000| 266233.000| 3.900] [BINS(c->s)..: 8,1,0,0,2,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [BINS(s->c)..: 7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,0,0] [IATS(ms)....: 325.4,332.9,0.3,247.7,0.2,241.3,0.3,0.3,23.8,0.3,429.9,0.1,1569.5,1485.9,353.0,706.9,73.8,0.3,358.8,0.4,256.6,3.7,0.2,956.2,948.6,95.3,235.6,1.1,0.1,275.4,23.7] - [PKTLENS.....: 74,62,54,293,139,107,54,54,113,1514,188,60,60,188,60,731,54,1514,252,60,539,54,1514,220,539,54,1514,60,571,60,54,1514] + [PKTLENS.....: 60,48,40,279,125,93,40,40,99,1500,174,46,46,174,46,717,40,1500,238,46,525,40,1500,206,525,40,1500,46,557,46,40,1500] + [ENTROPIES...: 4.7,5.2,4.8,5.8,6.1,6.1,4.8,4.8,5.9,7.9,6.9,4.6,4.5,6.9,4.6,7.7,4.8,7.9,7.1,4.7,7.6,4.8,7.9,7.0,7.6,4.8,7.9,4.7,7.6,4.7,4.7,7.9] detection-update: [....92] [ip4][..tcp] [..172.16.42.216][45715] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] RISK: Weak TLS Cipher detection-update: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] @@ -400,25 +407,27 @@ new: [....97] [ip4][..tcp] [..172.16.42.216][41821] -> [...54.231.72.88][..443] detected: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][Cloud][Acceptable] analyse: [....87] [ip4][..tcp] [..172.16.42.216][45710] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.192| 0.160| 0.282|79548.359| 0.000] - [PKTLEN......: 54.000| 1514.000| 357.000| 486.700|236894.100| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.192| 0.160| 0.282| 79548.359| 3.500] + [PKTLEN......: 40.000| 1500.000| 343.000| 486.700| 236894.100| 3.900] [BINS(c->s)..: 4,1,0,1,1,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [BINS(s->c)..: 10,1,1,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,1,0,0,0,1,0,1,1,1,0,0,1,1,0,0,0,1,1,1,0,0,1] [IATS(ms)....: 214.4,219.1,3.7,1161.8,1191.6,0.1,0.0,75.9,170.4,0.4,119.0,9.7,7.9,105.5,90.0,79.1,135.4,22.4,255.4,0.3,202.3,1.2,199.7,0.1,0.1,204.8,0.0,11.4,221.9,0.1,253.2] - [PKTLENS.....: 74,62,54,293,293,60,139,107,54,60,192,54,113,1514,60,220,60,60,1147,1514,268,60,555,1514,284,176,60,60,539,1514,204,60] + [PKTLENS.....: 60,48,40,279,279,46,125,93,40,46,178,40,99,1500,46,206,46,46,1133,1500,254,46,541,1500,270,162,46,46,525,1500,190,46] + [ENTROPIES...: 4.7,5.1,4.8,5.9,5.9,4.6,6.1,6.0,4.7,4.6,6.5,4.7,5.9,7.9,4.6,6.9,4.6,4.6,7.8,7.9,7.1,4.6,7.5,7.9,7.2,6.6,4.5,4.6,7.6,7.9,6.8,4.6] detection-update: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][Cloud][Acceptable] detection-update: [....96] [ip4][..tcp] [..172.16.42.216][41820] -> [...54.231.72.88][..443] [TLS.AmazonAWS][Cloud][Acceptable] analyse: [....89] [ip4][..tcp] [..172.16.42.216][45712] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.080| 0.209| 0.303|92031.574| 0.000] - [PKTLEN......: 54.000| 1514.000| 374.500| 516.500|266795.300| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.080| 0.209| 0.303| 92031.574| 3.700] + [PKTLEN......: 40.000| 1500.000| 360.500| 516.500| 266795.300| 3.800] [BINS(c->s)..: 7,1,0,0,0,2,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1] [IATS(ms)....: 1005.7,1080.3,210.2,18.7,169.7,18.0,105.0,0.1,107.2,0.3,11.7,34.8,0.1,215.2,0.3,0.1,21.7,195.6,0.3,202.8,0.7,212.9,0.3,205.8,11.0,236.3,754.7,0.3,888.9,405.4,377.3] - [PKTLENS.....: 74,74,62,54,293,62,54,139,107,54,54,113,1514,268,60,60,60,555,1514,220,60,715,1514,252,60,571,54,1514,220,60,1514,60] + [PKTLENS.....: 60,60,48,40,279,48,40,125,93,40,40,99,1500,254,46,46,46,541,1500,206,46,701,1500,238,46,557,40,1500,206,46,1500,46] + [ENTROPIES...: 4.7,4.6,5.1,4.8,5.9,5.1,4.9,6.0,6.1,4.8,4.9,5.8,7.9,7.2,4.7,4.6,4.6,7.6,7.9,7.0,4.7,7.7,7.9,7.1,4.6,7.6,4.9,7.9,6.9,4.5,7.9,4.5] new: [....98] [ip4][..udp] [..172.16.42.216][41639] -> [....172.16.42.1][...53] detected: [....98] [ip4][..udp] [..172.16.42.216][41639] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] detection-update: [....98] [ip4][..udp] [..172.16.42.216][41639] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] @@ -464,41 +473,45 @@ detection-update: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] RISK: Weak TLS Cipher analyse: [...107] [ip4][..tcp] [..172.16.42.216][40856] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.326| 0.037| 0.075| 5555.152| 0.000] - [PKTLEN......: 54.000| 1514.000| 559.400| 489.800|239933.900| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.326| 0.037| 0.075| 5555.152| 3.000] + [PKTLEN......: 40.000| 1500.000| 545.400| 489.800| 239933.900| 4.400] [BINS(c->s)..: 7,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,0,1] [IATS(ms)....: 55.9,57.4,1.4,113.3,0.4,112.3,0.1,3.2,65.7,1.4,70.0,0.2,85.3,246.6,0.1,0.0,0.1,325.6,0.3,3.8,0.8,0.2,0.3,0.1,0.3,0.3,0.6,0.4,1.1,6.7,1.2] - [PKTLENS.....: 74,62,54,265,1514,1289,54,54,380,60,113,1514,284,60,1035,603,603,603,54,54,1514,1514,755,1115,603,603,603,603,603,603,54,603] + [PKTLENS.....: 60,48,40,251,1500,1275,40,40,366,46,99,1500,270,46,1021,589,589,589,40,40,1500,1500,741,1101,589,589,589,589,589,589,40,589] + [ENTROPIES...: 4.6,5.2,4.8,5.6,7.3,7.3,4.9,4.9,7.3,4.6,6.1,7.9,7.2,4.6,7.8,7.7,7.6,7.6,4.9,4.8,7.9,7.9,7.7,7.8,7.6,7.6,7.7,7.6,7.6,7.6,4.9,7.7] analyse: [...105] [ip4][..tcp] [..172.16.42.216][40854] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.933| 0.089| 0.198|39194.591| 0.000] - [PKTLEN......: 54.000| 1514.000| 464.100| 541.500|293230.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.933| 0.089| 0.198| 39194.591| 3.000] + [PKTLEN......: 40.000| 1500.000| 450.100| 541.500| 293230.800| 4.000] [BINS(c->s)..: 11,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [BINS(s->c)..: 4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0] [IATS(ms)....: 109.9,111.6,1.6,102.0,0.2,101.6,0.3,1.9,56.2,0.1,87.5,19.1,7.6,147.9,304.1,639.4,932.7,32.7,0.1,0.0,0.7,0.1,0.0,0.3,0.6,110.7,0.2,1.8,0.2,0.1,0.1] - [PKTLENS.....: 74,62,54,265,1514,1289,54,54,380,60,113,54,1514,268,60,1514,1514,60,1035,603,603,603,603,603,1483,91,54,54,54,54,54,54] + [PKTLENS.....: 60,48,40,251,1500,1275,40,40,366,46,99,40,1500,254,46,1500,1500,46,1021,589,589,589,589,589,1469,77,40,40,40,40,40,40] + [ENTROPIES...: 4.7,5.2,4.8,5.6,7.2,7.3,4.8,4.8,7.3,4.7,6.1,4.9,7.9,7.2,4.5,7.9,7.9,4.7,7.8,7.6,7.7,7.7,7.6,7.6,7.9,5.7,4.8,4.8,4.9,4.8,4.9,4.9] analyse: [....88] [ip4][..tcp] [..172.16.42.216][45711] -> [..52.94.232.134][..443] [TLS.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 9.247| 1.357| 2.197|4827473.510| 0.000] - [PKTLEN......: 54.000| 1514.000| 439.800| 556.200|309356.400| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 9.247| 1.357| 2.197| 4827473.510| 3.500] + [PKTLEN......: 40.000| 1500.000| 425.800| 556.200| 309356.400| 3.900] [BINS(c->s)..: 9,1,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [BINS(s->c)..: 7,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,1,0,1,1,0,0,0,1,1,0,0,1] [IATS(ms)....: 992.4,1100.5,1.1,243.6,0.8,17.2,3008.6,6019.8,9247.0,0.1,67.2,0.3,0.3,66.7,669.5,0.3,275.2,528.0,1079.9,2835.2,350.0,114.6,72.1,219.3,5051.1,0.3,5193.9,65.0,174.2,2275.4,2411.2] - [PKTLENS.....: 74,74,62,62,54,54,293,293,293,139,107,54,54,113,60,1514,1132,1514,1514,1514,60,1132,60,955,54,1514,236,60,859,54,54,60] + [PKTLENS.....: 60,60,48,48,40,40,279,279,279,125,93,40,40,99,46,1500,1118,1500,1500,1500,46,1118,46,941,40,1500,222,46,845,40,40,46] + [ENTROPIES...: 4.7,4.7,5.2,5.1,4.9,4.9,5.8,5.8,5.8,6.0,5.9,4.7,4.8,6.0,4.6,7.9,7.8,7.9,7.9,7.9,4.6,7.8,4.6,7.8,4.7,7.9,6.9,4.7,7.7,4.9,4.9,4.5] analyse: [....99] [ip4][..tcp] [..172.16.42.216][44001] -> [..176.32.101.52][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 19.096| 0.770| 3.358|11273140.961| 0.000] - [PKTLEN......: 54.000| 1514.000| 281.500| 412.900|170449.200| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 19.096| 0.770| 3.358| 11273140.961| 1.400] + [PKTLEN......: 40.000| 1500.000| 267.500| 412.900| 170449.200| 3.900] [BINS(c->s)..: 7,0,1,1,0,0,5,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 8,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,0,0,1,1,1,0,0] [IATS(ms)....: 123.6,128.0,5.4,470.5,0.6,0.6,0.0,1232.5,1.5,5.0,0.7,0.7,10.0,973.2,0.5,0.1,0.0,190.9,73.2,0.3,171.9,0.1,117.0,408.2,413.7,66.7,140.9,83.3,0.1,166.3,19096.2] - [PKTLENS.....: 74,62,54,246,60,1514,1514,536,246,246,54,54,54,180,60,60,60,99,54,1514,290,60,212,118,292,247,246,60,60,272,54,356] + [PKTLENS.....: 60,48,40,232,46,1500,1500,522,232,232,40,40,40,166,46,46,46,85,40,1500,276,46,198,104,278,233,232,46,46,258,40,342] + [ENTROPIES...: 4.7,5.1,4.8,5.5,4.6,7.2,7.3,7.6,5.5,5.5,4.8,4.9,4.7,6.3,4.5,4.5,4.8,5.6,4.8,7.9,7.2,4.5,6.8,6.0,7.1,7.0,6.9,4.5,4.6,7.0,4.8,7.3] detection-update: [....99] [ip4][..tcp] [..172.16.42.216][44001] -> [..176.32.101.52][..443] [TLS.Amazon][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS new: [...108] [ip4][..udp] [..172.16.42.216][20922] -> [....172.16.42.1][...53] @@ -561,27 +574,29 @@ detected: [...121] [ip4][..tcp] [..172.16.42.216][51987] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] detected: [...124] [ip4][..tcp] [..172.16.42.216][51990] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] analyse: [...120] [ip4][..tcp] [..172.16.42.216][51986] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.295| 0.052| 0.098| 9533.209| 0.000] - [PKTLEN......: 66.000| 1514.000| 611.000| 635.800|404189.900| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.295| 0.052| 0.098| 9533.209| 3.000] + [PKTLEN......: 52.000| 1500.000| 597.000| 635.800| 404189.900| 4.100] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,1,1,0,0] [IATS(ms)....: 58.0,60.3,1.6,154.7,0.4,0.4,0.4,0.5,0.5,0.2,0.4,156.7,0.3,4.1,0.1,3.4,0.2,0.1,0.2,0.1,0.1,0.1,7.0,268.3,295.2,18.3,286.3,0.5,0.4,286.6,4.3] - [PKTLENS.....: 74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,66,66,1514,441,66,66,66,66,66,66,66,613,613,441,78,606,1514,1514,66,66] + [PKTLENS.....: 60,60,52,599,52,1500,1500,1500,1500,1500,1500,1500,52,52,1500,427,52,52,52,52,52,52,52,599,599,427,64,592,1500,1500,52,52] + [ENTROPIES...: 4.7,5.2,5.0,6.0,5.1,7.1,7.8,7.8,7.9,7.8,7.8,7.8,5.0,5.0,7.8,6.5,5.0,5.0,5.0,5.0,5.0,5.0,5.0,6.0,6.0,6.5,5.0,5.9,7.5,7.8,5.0,5.0] new: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] detected: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] detection-update: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] RISK: Weak TLS Cipher analyse: [...125] [ip4][..tcp] [..172.16.42.216][40871] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.107| 0.141| 0.257|65864.266| 0.000] - [PKTLEN......: 54.000| 1514.000| 444.000| 555.400|308431.600| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.107| 0.141| 0.257| 65864.266| 3.200] + [PKTLEN......: 40.000| 1500.000| 430.000| 555.400| 308431.600| 4.000] [BINS(c->s)..: 7,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [BINS(s->c)..: 6,2,2,1,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1] [IATS(ms)....: 111.1,112.4,0.8,179.9,0.1,0.0,179.9,2.9,0.3,3.3,0.5,135.1,0.2,170.2,502.2,1107.1,16.8,0.2,0.2,0.0,0.0,0.0,706.6,0.4,9.7,355.9,0.3,629.2,147.8,0.1,0.1] - [PKTLENS.....: 74,62,54,297,60,139,107,54,54,113,1514,300,60,60,1514,1514,60,1514,135,1514,167,443,91,54,54,54,1514,332,60,1035,603,603] + [PKTLENS.....: 60,48,40,283,46,125,93,40,40,99,1500,286,46,46,1500,1500,46,1500,121,1500,153,429,77,40,40,40,1500,318,46,1021,589,589] + [ENTROPIES...: 4.7,5.1,4.8,5.9,4.5,6.2,6.0,4.8,4.9,6.0,7.9,7.1,4.5,4.6,7.9,7.9,4.6,7.9,6.4,7.9,6.6,7.5,5.8,4.8,4.8,4.7,7.9,7.3,4.6,7.8,7.6,7.7] new: [...126] [ip4][..tcp] [..172.16.42.216][51992] -> [....52.84.63.56][...80] new: [...127] [ip4][..tcp] [..172.16.42.216][51993] -> [....52.84.63.56][...80] new: [...128] [ip4][..tcp] [..172.16.42.216][51994] -> [....52.84.63.56][...80] @@ -595,14 +610,15 @@ detected: [...130] [ip4][..tcp] [..172.16.42.216][51996] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] detected: [...131] [ip4][..tcp] [..172.16.42.216][51997] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] analyse: [...129] [ip4][..tcp] [..172.16.42.216][51995] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.179| 0.023| 0.044| 1924.322| 0.000] - [PKTLEN......: 66.000| 1514.000| 757.400| 681.300|464196.800| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.179| 0.023| 0.044| 1924.322| 3.100] + [PKTLEN......: 52.000| 1500.000| 743.400| 681.300| 464196.800| 4.300] [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,12,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,0] [IATS(ms)....: 31.3,34.1,0.6,113.4,46.4,0.0,0.0,0.1,0.0,0.0,11.2,1.6,7.2,179.1,0.1,0.1,0.1,0.1,0.1,3.4,0.3,0.4,4.5,99.2,0.3,120.8,46.9,0.2,0.3,0.8,17.5] - [PKTLENS.....: 74,74,66,613,66,1514,1514,1514,1514,1514,1514,1514,1237,1237,66,66,66,66,66,66,66,66,78,613,1514,1514,66,1514,1350,1514,1514,66] + [PKTLENS.....: 60,60,52,599,52,1500,1500,1500,1500,1500,1500,1500,1223,1223,52,52,52,52,52,52,52,52,64,599,1500,1500,52,1500,1336,1500,1500,52] + [ENTROPIES...: 4.7,5.3,4.8,6.0,5.0,7.1,7.7,7.6,7.6,7.7,7.7,7.7,7.5,7.5,5.1,5.0,5.1,5.1,5.1,5.1,5.1,5.1,5.2,6.0,7.1,7.8,5.1,7.8,7.8,7.8,7.8,5.0] update: [....27] [ip4][..udp] [..172.16.42.216][54886] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] update: [....14] [ip4][.icmp] [....172.16.42.1] -> [..172.16.42.216] [ICMP][Network][Acceptable] update: [....21] [ip4][..udp] [..172.16.42.216][41030] -> [....172.16.42.1][...53] [DNS.AmazonAlexa][VirtAssistant][Acceptable] @@ -620,14 +636,15 @@ update: [....19] [ip4][..udp] [..172.16.42.216][.7358] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] update: [....17] [ip4][..udp] [..172.16.42.216][19967] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] analyse: [...126] [ip4][..tcp] [..172.16.42.216][51992] -> [....52.84.63.56][...80] [HTTP.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.511| 0.042| 0.110|12114.281| 0.000] - [PKTLEN......: 66.000| 1514.000| 693.600| 671.900|451493.000| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.511| 0.042| 0.110| 12114.281| 2.500] + [PKTLEN......: 52.000| 1500.000| 679.600| 671.900| 451493.000| 4.200] [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,1,1] [IATS(ms)....: 25.0,26.3,0.4,110.2,0.1,0.2,0.3,0.4,0.4,1.1,0.5,0.4,0.4,114.9,0.2,0.1,0.1,3.5,0.1,26.3,0.3,0.1,0.1,0.1,0.2,4.7,62.5,45.1,368.8,510.9,0.4] - [PKTLENS.....: 74,74,66,613,66,66,1514,1514,1514,1514,1514,1514,1514,1514,66,66,66,66,1514,1309,66,66,66,66,66,66,613,1309,78,613,1514,1514] + [PKTLENS.....: 60,60,52,599,52,52,1500,1500,1500,1500,1500,1500,1500,1500,52,52,52,52,1500,1295,52,52,52,52,52,52,599,1295,64,599,1500,1500] + [ENTROPIES...: 4.7,5.2,5.1,6.0,5.0,5.0,7.1,7.8,7.8,7.8,7.8,7.8,7.8,7.8,5.0,5.0,4.9,5.0,7.8,7.6,5.0,5.0,5.0,5.0,5.0,5.0,6.0,7.6,5.2,6.0,7.1,7.8] new: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] detected: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] detection-update: [...132] [ip4][..tcp] [..172.16.42.216][40878] -> [..54.239.29.253][..443] [TLS.Amazon][Web][Acceptable] @@ -639,14 +656,15 @@ idle: [.....2] [ip6][icmp6] [.....................................::] -> [...............................ff02::16] [ICMPV6][Network][Acceptable] idle: [.....1] [ip6][icmp6] [.....................................::] -> [......................ff02::1:ffd3:fbc2] [ICMPV6][Network][Acceptable] analyse: [....16] [ip4][..tcp] [..172.16.42.216][55242] -> [..52.85.209.197][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 120.003| 3.968| 21.185|448816230.695| 0.000] - [PKTLEN......: 66.000| 1514.000| 450.500| 570.000|324877.800| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 120.003| 3.968| 21.185| 448816230.695| 0.300] + [PKTLEN......: 52.000| 1500.000| 436.500| 570.000| 324877.800| 3.900] [BINS(c->s)..: 9,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1,0,0] [BINS(s->c)..: 7,3,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,1,1,1,1,1,0,0,0,0,1,1,1,1,0,1,1] [IATS(ms)....: 77.1,79.5,13.2,60.9,0.4,0.6,0.1,48.6,1.8,3.6,177.8,227.4,44.5,20.0,267.2,445.6,122.6,0.1,0.0,0.0,282.5,8.7,270.5,1.6,407.0,0.1,164.1,0.1,290.0,120002.8,0.1] - [PKTLENS.....: 74,74,66,287,66,1514,1514,640,66,66,66,192,308,66,1430,1430,66,1514,314,110,100,66,66,1514,1017,66,66,1329,100,66,97,66] + [PKTLENS.....: 60,60,52,273,52,1500,1500,626,52,52,52,178,294,52,1416,1416,52,1500,300,96,86,52,52,1500,1003,52,52,1315,86,52,83,52] + [ENTROPIES...: 4.7,5.3,5.0,5.4,5.1,7.0,7.2,7.6,5.0,5.1,5.0,6.6,7.2,5.0,7.9,7.9,5.1,7.9,7.3,6.1,5.8,5.1,5.1,7.9,7.8,5.1,5.1,7.9,5.9,5.1,5.6,5.1] detection-update: [....16] [ip4][..tcp] [..172.16.42.216][55242] -> [..52.85.209.197][..443] [TLS.Amazon][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS new: [...134] [ip4][..tcp] [..172.16.42.216][45751] -> [..52.94.232.134][..443] @@ -759,14 +777,15 @@ detection-update: [...146] [ip4][..udp] [..172.16.42.216][59908] -> [....172.16.42.1][...53] [DNS.AmazonAlexa][VirtAssistant][Acceptable] new: [...147] [ip4][..tcp] [..172.16.42.216][38757] -> [..54.239.28.178][..443] analyse: [...142] [ip4][..tcp] [..172.16.42.216][50799] -> [..54.239.28.178][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 8.001| 0.664| 1.905|3629965.115| 0.000] - [PKTLEN......: 54.000| 1514.000| 438.700| 584.700|341856.600| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 8.001| 0.664| 1.905| 3629965.115| 2.500] + [PKTLEN......: 40.000| 1500.000| 424.700| 584.700| 341856.600| 3.800] [BINS(c->s)..: 9,0,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [BINS(s->c)..: 8,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,1,1,0,0,1,0,1,0,0,1,1,0,0,0,1,0,1,0,1,1,0] [IATS(ms)....: 133.8,140.4,3.2,141.6,1.3,0.1,137.2,0.3,0.1,2.7,82.2,0.2,95.7,0.4,359.1,405.4,633.6,688.6,100.8,373.1,50.8,202.6,7767.1,1.6,8001.1,353.8,410.1,314.8,108.3,0.2,84.0] - [PKTLENS.....: 74,62,54,261,1514,1514,399,54,54,54,380,60,113,1514,204,60,1514,113,54,1514,60,683,54,1514,300,60,54,60,1514,60,60,54] + [PKTLENS.....: 60,48,40,247,1500,1500,385,40,40,40,366,46,99,1500,190,46,1500,99,40,1500,46,669,40,1500,286,46,40,46,1500,46,46,40] + [ENTROPIES...: 4.7,5.2,4.8,5.6,6.8,7.3,7.4,4.7,4.8,4.9,7.4,4.6,6.0,7.9,6.9,4.6,7.9,6.0,4.8,7.9,4.7,7.7,4.8,7.9,7.3,4.5,4.8,4.5,7.9,4.6,4.6,4.9] detection-update: [...142] [ip4][..tcp] [..172.16.42.216][50799] -> [..54.239.28.178][..443] [TLS.Amazon][Web][Acceptable] RISK: Weak TLS Cipher detected: [...147] [ip4][..tcp] [..172.16.42.216][38757] -> [..54.239.28.178][..443] [TLS.AmazonAWS][Cloud][Acceptable] @@ -791,14 +810,15 @@ detection-update: [...151] [ip4][..tcp] [..172.16.42.216][49067] -> [..216.58.194.78][..443] [TLS.PlayStore][SoftwareUpdate][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [...149] [ip4][..tcp] [..172.16.42.216][41828] -> [..52.85.209.143][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.106| 0.022| 0.031| 964.869| 0.000] - [PKTLEN......: 66.000| 1514.000| 539.800| 600.400|360465.600| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.106| 0.022| 0.031| 964.869| 3.600] + [PKTLEN......: 52.000| 1500.000| 525.800| 600.400| 360465.600| 4.100] [BINS(c->s)..: 9,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 5,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,1,1,1,0,1,1,1,1,1,1,0,1,0] [IATS(ms)....: 42.7,43.7,0.7,45.0,4.0,0.5,0.6,0.3,50.6,0.8,0.3,1.1,7.3,12.7,0.3,65.6,42.6,4.2,48.9,0.4,25.2,76.4,106.0,0.2,0.6,0.6,0.3,0.0,102.0,2.9,1.9] - [PKTLENS.....: 74,74,66,268,66,1514,1514,1514,833,66,66,66,66,192,1514,781,78,192,1514,78,320,66,66,1514,1514,1514,697,608,143,66,163,66] + [PKTLENS.....: 60,60,52,254,52,1500,1500,1500,819,52,52,52,52,178,1500,767,64,178,1500,64,306,52,52,1500,1500,1500,683,594,129,52,149,52] + [ENTROPIES...: 4.7,5.2,5.0,5.6,5.0,6.9,7.2,7.5,7.6,5.1,4.9,5.0,4.9,6.3,7.9,7.7,5.2,6.3,7.9,5.1,7.1,5.0,5.0,7.9,7.9,7.9,7.7,7.6,6.3,5.0,6.5,4.8] detection-update: [...149] [ip4][..tcp] [..172.16.42.216][41828] -> [..52.85.209.143][..443] [TLS.Amazon][Web][Acceptable] new: [...152] [ip4][..udp] [..172.16.42.216][.4612] -> [....172.16.42.1][...53] detected: [...152] [ip4][..udp] [..172.16.42.216][.4612] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] @@ -853,49 +873,53 @@ detection-update: [...157] [ip4][..tcp] [..172.16.42.216][38483] -> [..52.85.209.143][..443] [TLS.Amazon][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn analyse: [...154] [ip4][..tcp] [..172.16.42.216][41913] -> [...52.84.62.115][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.262| 0.033| 0.059| 3460.134| 0.000] - [PKTLEN......: 66.000| 1514.000| 631.000| 624.900|390532.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.262| 0.033| 0.059| 3460.134| 3.500] + [PKTLEN......: 52.000| 1500.000| 617.000| 624.900| 390532.600| 4.200] [BINS(c->s)..: 10,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,2,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,0,0,0,0,1,1,0,0,1,0,1,1] [IATS(ms)....: 16.7,17.9,1.6,27.3,5.3,0.5,0.5,0.3,32.5,0.3,12.9,0.3,0.1,39.0,52.8,61.9,0.5,0.3,0.1,35.1,0.7,5.1,216.8,261.8,0.2,39.4,7.5,74.2,66.6,42.1,0.4] - [PKTLENS.....: 74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1343,1514,1514,770,100,66,66,1308,1308,862,100,66,1319,100,78,1514,1514] + [PKTLENS.....: 60,60,52,271,52,1500,1500,1500,750,52,52,52,52,178,310,1329,1500,1500,756,86,52,52,1294,1294,848,86,52,1305,86,64,1500,1500] + [ENTROPIES...: 4.7,5.2,5.0,5.7,5.0,7.1,7.3,7.5,7.6,5.1,5.1,5.1,5.0,6.3,7.2,7.8,7.9,7.9,7.7,5.8,4.9,4.9,7.8,7.8,7.7,5.8,4.9,7.8,5.8,4.9,7.9,7.9] detection-update: [...154] [ip4][..tcp] [..172.16.42.216][41913] -> [...52.84.62.115][..443] [TLS.Amazon][Web][Acceptable] analyse: [...157] [ip4][..tcp] [..172.16.42.216][38483] -> [..52.85.209.143][..443] [TLS.Amazon][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.241| 0.031| 0.057| 3274.655| 0.000] - [PKTLEN......: 66.000| 1514.000| 634.400| 578.400|334504.200| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.241| 0.031| 0.057| 3274.655| 3.400] + [PKTLEN......: 52.000| 1500.000| 620.400| 578.400| 334504.200| 4.300] [BINS(c->s)..: 6,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,2,0,1,0,0,1,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 34.0,35.1,2.2,37.9,5.1,0.5,0.2,42.9,0.3,0.1,30.8,68.8,38.4,227.1,241.4,50.1,58.4,55.5,3.8,2.0,4.4,1.6,0.7,7.8,0.1,0.1,9.0,0.3,3.1,0.8,10.2] - [PKTLENS.....: 74,74,66,260,66,1514,1514,632,66,66,66,192,117,732,732,117,78,66,1110,441,270,829,919,455,1514,191,571,1514,1514,1514,1514,1514] + [PKTLENS.....: 60,60,52,246,52,1500,1500,618,52,52,52,178,103,718,718,103,64,52,1096,427,256,815,905,441,1500,177,557,1500,1500,1500,1500,1500] + [ENTROPIES...: 4.7,5.2,5.1,5.4,5.2,7.0,7.3,7.7,5.0,5.1,5.1,6.6,6.1,7.7,7.7,6.1,5.1,5.2,7.8,7.4,7.1,7.7,7.8,7.5,7.9,6.8,7.6,7.9,7.9,7.9,7.9,7.9] new: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] detected: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] analyse: [...155] [ip4][..tcp] [..172.16.42.216][41914] -> [...52.84.62.115][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.264| 0.057| 0.086| 7393.244| 0.000] - [PKTLEN......: 66.000| 1514.000| 546.200| 595.200|354289.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.264| 0.057| 0.086| 7393.244| 3.600] + [PKTLEN......: 52.000| 1500.000| 532.200| 595.200| 354289.100| 4.100] [BINS(c->s)..: 12,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,0,0,0,0,0,0,0] [BINS(s->c)..: 2,2,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,0,0,1,1,1,0,0,0,0,1,1,1,0,0] [IATS(ms)....: 22.8,24.0,0.9,22.8,6.6,0.6,0.6,0.3,39.7,0.1,0.1,0.2,6.8,37.6,46.2,226.7,213.1,3.9,222.3,264.1,0.1,55.3,103.4,0.1,10.4,183.9,242.5,1.0,0.1,38.6,0.1] - [PKTLENS.....: 74,74,66,285,66,1514,1514,1514,764,66,66,66,66,192,324,1351,324,78,1351,1351,944,100,100,66,66,78,1336,1514,1514,522,66,66] + [PKTLENS.....: 60,60,52,271,52,1500,1500,1500,750,52,52,52,52,178,310,1337,310,64,1337,1337,930,86,86,52,52,64,1322,1500,1500,508,52,52] + [ENTROPIES...: 4.7,5.3,5.1,5.7,5.1,7.1,7.3,7.5,7.6,5.1,5.0,5.1,5.0,6.4,7.2,7.9,7.2,5.0,7.9,7.9,7.8,5.8,5.8,5.1,5.1,5.1,7.8,7.9,7.9,7.5,5.1,5.1] detection-update: [...155] [ip4][..tcp] [..172.16.42.216][41914] -> [...52.84.62.115][..443] [TLS.Amazon][Web][Acceptable] detection-update: [...158] [ip4][..udp] [..172.16.42.216][.2707] -> [....172.16.42.1][...53] [DNS.Amazon][Web][Acceptable] new: [...159] [ip4][..tcp] [..172.16.42.216][47605] -> [..72.21.206.121][..443] detected: [...159] [ip4][..tcp] [..172.16.42.216][47605] -> [..72.21.206.121][..443] [TLS.Amazon][Web][Acceptable] new: [...160] [ip4][..tcp] [..172.16.42.216][47606] -> [..72.21.206.121][..443] analyse: [...145] [ip4][..tcp] [..172.16.42.216][44912] -> [...54.239.23.94][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 7.471| 0.614| 1.478|2183643.136| 0.000] - [PKTLEN......: 54.000| 1514.000| 540.200| 637.500|406420.100| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 7.471| 0.614| 1.478| 2183643.136| 2.800] + [PKTLEN......: 40.000| 1500.000| 526.200| 637.500| 406420.100| 3.900] [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,1,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,1,1] [IATS(ms)....: 168.5,171.2,1.5,108.9,4.4,1.7,0.7,112.7,0.3,4.1,0.2,6.2,0.1,10.4,13.1,1.1,0.3,290.4,0.0,0.0,0.1,299.4,0.7,529.3,1065.9,2114.2,3665.4,7470.6,595.2,595.1,1817.1] - [PKTLENS.....: 74,62,54,281,60,60,1514,1514,54,54,1514,669,54,54,180,1514,1438,374,60,60,105,60,54,1438,1438,1438,1438,54,60,1438,60,60] + [PKTLENS.....: 60,48,40,267,46,46,1500,1500,40,40,1500,655,40,40,166,1500,1424,360,46,46,91,46,40,1424,1424,1424,1424,40,46,1424,46,46] + [ENTROPIES...: 4.6,5.1,4.8,5.7,4.6,4.5,7.1,7.3,4.8,4.8,7.4,7.6,4.9,4.8,6.3,7.9,7.9,7.3,4.4,4.3,5.9,4.4,4.7,7.9,7.9,7.9,7.9,4.8,4.3,7.9,4.5,4.5] detection-update: [...145] [ip4][..tcp] [..172.16.42.216][44912] -> [...54.239.23.94][..443] [TLS.AmazonAWS][Cloud][Acceptable] detected: [...160] [ip4][..tcp] [..172.16.42.216][47606] -> [..72.21.206.121][..443] [TLS.Amazon][Web][Acceptable] detection-update: [...159] [ip4][..tcp] [..172.16.42.216][47605] -> [..72.21.206.121][..443] [TLS.Amazon][Web][Acceptable] diff --git a/test/results/flow-info/amqp.pcap.out b/test/results/flow-info/amqp.pcap.out index edb1a7ec5..eda7b5bb7 100644 --- a/test/results/flow-info/amqp.pcap.out +++ b/test/results/flow-info/amqp.pcap.out @@ -8,14 +8,15 @@ detected: [.....3] [ip4][..tcp] [......127.0.0.1][44206] -> [......127.0.1.1][.5672] [AMQP][RPC][Acceptable] detected: [.....2] [ip4][..tcp] [......127.0.1.1][.5672] -> [......127.0.0.1][44204] [AMQP][RPC][Acceptable] analyse: [.....1] [ip4][..tcp] [......127.0.0.1][44205] -> [......127.0.1.1][.5672] [AMQP][RPC][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.002| 0.224| 0.537|287986.745| 0.000] - [PKTLEN......: 66.000| 395.000| 132.000| 99.500| 9895.700| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.002| 0.224| 0.537| 287986.745| 2.400] + [PKTLEN......: 52.000| 381.000| 118.000| 99.500| 9895.700| 4.600] [BINS(c->s)..: 0,6,0,5,0,0,1,0,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 0.0,0.2,0.2,0.1,0.1,2001.7,2001.7,0.2,0.2,0.1,0.1,1032.6,1032.6,0.1,0.1,0.1,0.1,11.0,11.0,0.1,0.1,0.1,0.1,17.7,17.7,0.1,0.1,0.1,0.1,412.7,412.7] - [PKTLENS.....: 107,66,162,66,369,66,107,66,162,66,369,66,104,66,162,66,395,66,103,66,162,66,271,66,105,66,162,66,325,66,104,66] + [PKTLENS.....: 93,52,148,52,355,52,93,52,148,52,355,52,90,52,148,52,381,52,89,52,148,52,257,52,91,52,148,52,311,52,90,52] + [ENTROPIES...: 4.9,4.6,5.1,4.6,5.4,4.6,4.9,4.6,5.2,4.6,5.4,4.6,4.9,4.6,5.1,4.5,5.4,4.6,4.9,4.6,5.1,4.6,5.5,4.5,4.8,4.5,5.1,4.6,5.5,4.6,4.9,4.6] idle: [.....2] [ip4][..tcp] [......127.0.1.1][.5672] -> [......127.0.0.1][44204] [AMQP][RPC][Acceptable] idle: [.....1] [ip4][..tcp] [......127.0.0.1][44205] -> [......127.0.1.1][.5672] [AMQP][RPC][Acceptable] idle: [.....3] [ip4][..tcp] [......127.0.0.1][44206] -> [......127.0.1.1][.5672] [AMQP][RPC][Acceptable] diff --git a/test/results/flow-info/android.pcap.out b/test/results/flow-info/android.pcap.out index c7dda0700..f6be9c78d 100644 --- a/test/results/flow-info/android.pcap.out +++ b/test/results/flow-info/android.pcap.out @@ -168,14 +168,15 @@ detected: [....60] [ip4][..udp] [...192.168.2.16][39760] -> [....192.168.2.1][...53] [DNS.GoogleServices][Web][Acceptable] detected: [....58] [ip4][..tcp] [...192.168.2.16][43646] -> [..172.217.20.76][..443] [TLS.DataSaver][Web][Fun] analyse: [....42] [ip4][..tcp] [...192.168.2.16][32996] -> [.216.239.38.120][..443] [TLS.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.405| 0.048| 0.104|10866.215| 0.000] - [PKTLEN......: 66.000| 1484.000| 430.500| 552.700|305506.200| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.405| 0.048| 0.104| 10866.215| 3.000] + [PKTLEN......: 52.000| 1470.000| 416.500| 552.700| 305506.200| 3.900] [BINS(c->s)..: 13,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,5,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,0,0,0,0,0,0] [IATS(ms)....: 13.7,15.0,32.7,47.5,16.6,0.0,34.5,0.3,386.5,404.6,19.7,197.6,221.1,19.2,15.0,27.7,41.8,1.7,0.0,0.0,1.0,1.6,0.1,0.0,0.0,1.2,0.0,1.2,2.7,0.0,0.0] - [PKTLENS.....: 74,74,66,246,66,1484,1202,66,66,159,358,66,578,66,100,66,655,66,1484,1484,1421,1484,66,1484,396,102,66,66,66,66,66,66] + [PKTLENS.....: 60,60,52,232,52,1470,1188,52,52,145,344,52,564,52,86,52,641,52,1470,1470,1407,1470,52,1470,382,88,52,52,52,52,52,52] + [ENTROPIES...: 4.7,5.3,5.1,5.5,5.1,7.2,7.4,5.1,5.1,6.1,7.1,5.0,7.5,4.9,5.4,5.0,7.6,5.0,7.9,7.8,7.9,7.8,5.1,7.8,7.4,5.6,5.1,5.1,5.1,5.1,5.0,5.0] detection-update: [....59] [ip4][..tcp] [...192.168.2.16][33014] -> [.216.239.38.120][..443] [TLS.Google][Web][Acceptable] detection-update: [....55] [ip4][..tcp] [...192.168.2.16][51944] -> [.172.217.21.202][..443] [TLS.DataSaver][Web][Fun] detection-update: [....60] [ip4][..udp] [...192.168.2.16][39760] -> [....192.168.2.1][...53] [DNS.GoogleServices][Web][Acceptable] diff --git a/test/results/flow-info/anyconnect-vpn.pcap.out b/test/results/flow-info/anyconnect-vpn.pcap.out index 308495666..ac9c398c1 100644 --- a/test/results/flow-info/anyconnect-vpn.pcap.out +++ b/test/results/flow-info/anyconnect-vpn.pcap.out @@ -44,14 +44,15 @@ detection-update: [....15] [ip4][..tcp] [.....10.0.0.227][56919] -> [....8.37.102.91][..443] [TLS][Web][Safe] RISK: Weak TLS Cipher, Missing SNI TLS Extn analyse: [....15] [ip4][..tcp] [.....10.0.0.227][56919] -> [....8.37.102.91][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.072| 0.022| 0.022| 465.545| 0.000] - [PKTLEN......: 66.000| 1514.000| 504.700| 597.200|356597.600| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.072| 0.022| 0.022| 465.545| 4.000] + [PKTLEN......: 52.000| 1500.000| 490.700| 597.200| 356597.600| 4.000] [BINS(c->s)..: 11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,2,0,0] [BINS(s->c)..: 6,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,0,0,0] [IATS(ms)....: 39.5,39.5,0.4,43.7,1.2,44.5,40.9,0.0,40.9,0.0,38.2,0.0,38.3,0.0,33.2,0.0,71.5,0.0,38.3,6.1,35.1,41.2,0.2,42.3,2.9,0.0,0.0,44.9,0.1] - [PKTLENS.....: 78,70,66,233,66,1514,66,1514,1514,66,66,1514,1181,66,66,1514,1514,1333,66,66,677,66,141,66,1175,66,359,711,119,66,66,66] + [PKTLENS.....: 64,56,52,219,52,1500,52,1500,1500,52,52,1500,1167,52,52,1500,1500,1319,52,52,663,52,127,52,1161,52,345,697,105,52,52,52] + [ENTROPIES...: 4.3,5.1,4.8,5.5,4.8,7.3,4.8,7.1,7.2,4.9,4.8,7.4,5.9,4.8,4.8,6.8,7.2,7.5,4.7,4.8,7.6,4.7,6.2,4.8,7.8,4.9,7.3,7.7,5.8,4.9,4.8,4.8] detection-update: [....15] [ip4][..tcp] [.....10.0.0.227][56919] -> [....8.37.102.91][..443] [TLS][Web][Safe] RISK: Weak TLS Cipher, Missing SNI TLS Extn new: [....16] [ip4][..udp] [.....10.0.0.227][63107] -> [....75.75.76.76][...53] @@ -110,14 +111,15 @@ detection-update: [....35] [ip4][..udp] [.....10.0.0.227][59222] -> [....75.75.75.75][...53] [DNS][Network][Acceptable] detection-update: [....36] [ip4][..udp] [.....10.0.0.227][57017] -> [....75.75.75.75][...53] [DNS][Network][Acceptable] analyse: [....30] [ip4][..tcp] [.....10.0.0.227][56921] -> [....8.37.96.194][.4287] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.385| 0.079| 0.122|14784.686| 0.000] - [PKTLEN......: 66.000| 1434.000| 299.000| 416.200|173206.900| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.385| 0.079| 0.122| 14784.686| 3.700] + [PKTLEN......: 52.000| 1420.000| 285.000| 416.200| 173206.900| 3.900] [BINS(c->s)..: 9,2,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,1,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1] [IATS(ms)....: 28.5,28.6,0.3,35.2,11.6,46.5,4.2,33.1,3.0,31.9,1.5,30.5,1.7,30.8,254.9,281.1,5.1,31.3,315.0,342.2,26.3,53.5,25.8,25.8,4.8,30.5,2.7,28.4,358.2,384.8,2.1] - [PKTLENS.....: 78,78,66,214,66,1374,66,1261,66,117,66,510,66,477,66,377,66,181,66,791,66,1434,66,1174,66,128,66,136,66,124,66,124] + [PKTLENS.....: 64,64,52,200,52,1360,52,1247,52,103,52,496,52,463,52,363,52,167,52,777,52,1420,52,1160,52,114,52,122,52,110,52,110] + [ENTROPIES...: 4.3,5.0,4.8,5.4,5.1,7.4,4.9,7.6,4.9,5.9,4.8,7.5,5.0,7.5,4.9,7.3,5.0,6.5,5.0,7.7,5.0,7.9,4.9,7.8,4.9,6.1,5.0,6.2,4.9,6.0,5.1,6.1] new: [....37] [ip4][..tcp] [.....10.0.0.227][56881] -> [.162.222.43.153][..443] [MIDSTREAM] new: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] detected: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] [TLS][Web][Safe] @@ -127,14 +129,15 @@ detection-update: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] [TLS][Web][Safe] RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn analyse: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.138| 0.027| 0.033| 1098.419| 0.000] - [PKTLEN......: 66.000| 1514.000| 531.300| 619.300|383541.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.138| 0.027| 0.033| 1098.419| 3.600] + [PKTLEN......: 52.000| 1500.000| 517.300| 619.300| 383541.000| 4.000] [BINS(c->s)..: 12,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,8,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,0,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0] [IATS(ms)....: 42.4,42.4,2.0,46.9,1.2,46.1,40.3,0.0,40.3,0.0,37.2,0.0,37.2,0.0,97.2,138.0,40.9,1.2,43.3,9.0,0.0,0.0,0.0,0.0,0.0,0.0,51.2] - [PKTLENS.....: 78,70,66,218,66,1514,66,1514,1514,66,66,1514,1181,66,66,420,141,66,1031,66,1514,223,1514,223,1514,223,1514,223,66,66,66,66] + [PKTLENS.....: 64,56,52,204,52,1500,52,1500,1500,52,52,1500,1167,52,52,406,127,52,1017,52,1500,209,1500,209,1500,209,1500,209,52,52,52,52] + [ENTROPIES...: 4.2,5.0,4.7,5.5,4.7,7.3,4.7,7.1,7.2,4.8,4.8,7.4,5.9,4.8,4.8,7.4,6.2,4.8,7.8,4.9,7.9,6.9,7.9,6.9,7.9,6.7,7.8,6.8,4.8,4.8,4.8,4.8] detection-update: [....38] [ip4][..tcp] [.....10.0.0.227][56929] -> [....8.37.102.91][..443] [TLS][Web][Safe] RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn new: [....39] [ip4][..tcp] [.....10.0.0.227][56865] -> [.....10.0.0.149][.8008] [MIDSTREAM] @@ -191,14 +194,15 @@ detection-update: [....58] [ip4][..udp] [.....10.0.0.227][54107] -> [....8.37.102.91][..443] [DTLS][Web][Safe] RISK: Obsolete TLS (v1.1 or older) analyse: [....58] [ip4][..udp] [.....10.0.0.227][54107] -> [....8.37.102.91][..443] [DTLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.047| 0.016| 0.019| 352.973| 0.000] - [PKTLEN......: 90.000| 407.000| 213.100| 70.700| 5001.800| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.047| 0.016| 0.019| 352.973| 3.900] + [PKTLEN......: 76.000| 393.000| 199.100| 70.700| 5001.800| 4.900] [BINS(c->s)..: 0,0,1,11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,0,0,2,5,1,2,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,0,0,1,1,1,1,1,0,0,1,1,1,1,0,0,1,0,1,0,1,0,1,0,0,0,1] [IATS(ms)....: 43.5,43.9,46.6,47.0,13.8,22.4,0.1,45.4,0.0,0.0,0.2,0.0,8.9,0.2,3.2,0.0,34.6,0.0,41.1,0.5,5.7,3.7,11.8,10.0,4.2,4.6,47.0,47.1,0.2,0.4,3.8] - [PKTLENS.....: 141,90,161,230,135,167,167,167,263,215,215,215,199,151,167,359,311,183,231,167,167,311,167,279,199,407,199,279,167,183,183,343] + [PKTLENS.....: 127,76,147,216,121,153,153,153,249,201,201,201,185,137,153,345,297,169,217,153,153,297,153,265,185,393,185,265,153,169,169,329] + [ENTROPIES...: 5.5,4.4,5.9,6.0,5.5,6.4,6.3,6.4,7.0,6.7,6.7,6.7,6.5,6.2,6.4,7.3,7.1,6.5,6.8,6.4,6.3,7.1,6.4,7.1,6.6,7.3,6.7,7.1,6.5,6.6,6.5,7.3] new: [....60] [ip4][..udp] [.....10.0.0.227][52595] -> [.......10.0.0.1][..192] new: [....61] [ip4][..udp] [.....10.0.0.151][.1900] -> [.....10.0.0.227][57547] detected: [....61] [ip4][..udp] [.....10.0.0.151][.1900] -> [.....10.0.0.227][57547] [SSDP][System][Acceptable] diff --git a/test/results/flow-info/anydesk.pcapng.out b/test/results/flow-info/anydesk.pcapng.out index a58329ffe..f20038436 100644 --- a/test/results/flow-info/anydesk.pcapng.out +++ b/test/results/flow-info/anydesk.pcapng.out @@ -12,14 +12,15 @@ detection-update: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS.AnyDesk][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing analyse: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.603| 0.177| 0.394|155451.113| 0.000] - [PKTLEN......: 54.000| 1514.000| 406.700| 555.200|308238.000| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.603| 0.177| 0.394| 155451.113| 2.800] + [PKTLEN......: 40.000| 1500.000| 392.700| 555.200| 308238.000| 3.800] [BINS(c->s)..: 8,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 9,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,2,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,1] [IATS(ms)....: 164.8,164.9,0.6,1.1,165.0,165.4,0.5,0.5,0.3,0.3,1.8,2.0,164.9,165.2,0.2,0.2,0.2,0.3,218.6,218.7,0.6,0.9,1215.5,1216.3,0.0,0.1,0.9,0.0,0.0,1602.9,0.1] - [PKTLENS.....: 74,60,54,317,60,1354,54,1354,54,60,54,1148,60,105,54,94,54,200,60,200,54,125,60,133,1514,1514,1256,60,60,60,1514,1194] + [PKTLENS.....: 60,46,40,303,46,1340,40,1340,40,46,40,1134,46,91,40,80,40,186,46,186,40,111,46,119,1500,1500,1242,46,46,46,1500,1180] + [ENTROPIES...: 4.8,4.9,4.8,5.4,4.4,7.5,4.8,7.8,4.8,4.6,4.7,7.6,4.4,5.8,4.8,5.8,4.8,6.7,4.4,6.8,4.8,6.3,4.4,6.4,7.9,7.9,7.8,4.4,4.4,4.4,7.9,7.8] detection-update: [.....2] [ip4][..tcp] [192.168.149.129][43535] -> [..51.83.238.219][...80] [TLS.AnyDesk][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing DAEMON-EVENT: [Processed: 6963 pkts][ZLib][compressions: 0|diff: 0 / 0] @@ -45,14 +46,15 @@ detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][52039] -> [..192.168.1.187][.7070] [TLS.AnyDesk][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing analyse: [.....5] [ip4][..tcp] [..192.168.1.187][54164] -> [..192.168.1.178][.7070] [TLS.AnyDesk][RemoteAccess][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.022| 0.471| 0.869|754614.927| 0.000] - [PKTLEN......: 54.000| 3980.000| 320.300| 747.400|558552.100| 3.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.022| 0.471| 0.869| 754614.927| 2.900] + [PKTLEN......: 40.000| 3966.000| 306.300| 747.400| 558552.100| 3.100] [BINS(c->s)..: 6,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1] [BINS(s->c)..: 11,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,1,0,0,1,1,0,1,1,0,0,1,1,1,0,1,1,0,0,1,0] [IATS(ms)....: 0.5,0.5,0.3,0.4,0.3,10.5,10.9,39.6,40.3,8.7,9.5,516.9,517.5,1.6,27.8,26.2,2.4,56.3,902.9,957.3,1754.2,1753.7,16.4,71.2,2966.8,3021.8,4.0] - [PKTLENS.....: 66,66,54,299,60,60,1514,197,54,1340,60,968,94,54,101,60,89,88,60,88,54,3980,60,60,60,93,60,155,54,113,60,130] + [PKTLENS.....: 52,52,40,285,46,46,1500,183,40,1326,46,954,80,40,87,46,75,74,46,74,40,3966,46,46,46,79,46,141,40,99,46,116] + [ENTROPIES...: 4.5,4.7,4.7,5.4,4.2,4.3,7.7,6.2,4.7,7.7,4.3,7.8,5.6,4.6,5.7,4.2,5.5,5.6,4.3,5.6,4.7,8.0,4.2,4.3,4.2,5.7,4.3,6.5,4.6,6.0,4.3,6.2] DAEMON-EVENT: [Processed: 9484 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 7|updates: 0] new: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] @@ -63,14 +65,15 @@ detection-update: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][RemoteAccess][Acceptable] RISK: Missing SNI TLS Extn, Desktop/File Sharing analyse: [.....7] [ip4][..tcp] [..192.168.1.128][48260] -> [195.181.174.176][..443] [TLS.AnyDesk][RemoteAccess][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 8.445| 0.583| 2.064|4258557.067| 0.000] - [PKTLEN......: 66.000| 1514.000| 342.900| 495.500|245485.500| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 8.445| 0.583| 2.064| 4258557.067| 1.500] + [PKTLEN......: 52.000| 1500.000| 328.900| 495.500| 245485.500| 3.800] [BINS(c->s)..: 8,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 7,4,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,1,0,0,1,1] [IATS(ms)....: 17.7,17.8,0.9,17.8,3.4,20.3,0.1,0.0,3.8,21.9,18.1,0.1,0.0,0.9,64.2,13.4,76.8,1.5,18.4,206.6,224.8,0.0,0.0,18.7,0.0,62.8,0.0,80.2,8427.9,8444.6,314.0] - [PKTLENS.....: 74,74,66,355,66,1514,66,1146,66,1160,117,66,106,66,213,66,212,66,151,66,159,1514,1514,1287,66,66,106,104,66,151,66,159] + [PKTLENS.....: 60,60,52,341,52,1500,52,1132,52,1146,103,52,92,52,199,52,198,52,137,52,145,1500,1500,1273,52,52,92,90,52,137,52,145] + [ENTROPIES...: 4.8,5.3,5.1,5.6,5.1,7.5,5.1,7.7,5.1,7.7,6.0,5.1,6.1,5.1,6.9,5.2,6.9,5.2,6.6,5.2,6.6,7.9,7.9,7.8,5.2,5.2,6.1,5.9,5.1,6.5,5.2,6.6] end: [.....6] [ip4][..tcp] [..192.168.1.178][52039] -> [..192.168.1.187][.7070] idle: [.....5] [ip4][..tcp] [..192.168.1.187][54164] -> [..192.168.1.178][.7070] [TLS.AnyDesk][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn, Desktop/File Sharing diff --git a/test/results/flow-info/bad-dns-traffic.pcap.out b/test/results/flow-info/bad-dns-traffic.pcap.out index 22c646290..f17ace4dc 100644 --- a/test/results/flow-info/bad-dns-traffic.pcap.out +++ b/test/results/flow-info/bad-dns-traffic.pcap.out @@ -22,14 +22,15 @@ detection-update: [.....2] [ip4][..udp] [..192.168.43.91][56354] -> [........4.2.2.4][...53] [DNS][Network][Acceptable] RISK: Suspicious DGA Domain name, Risky Domain Name analyse: [.....2] [ip4][..udp] [..192.168.43.91][56354] -> [........4.2.2.4][...53] [DNS][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.063| 4.102| 1.074| 0.689|474850.951| 0.000] - [PKTLEN......: 95.000| 323.000| 129.200| 50.600| 2560.600| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.063| 4.102| 1.074| 0.689| 474850.951| 4.700] + [PKTLEN......: 81.000| 309.000| 115.200| 50.600| 2560.600| 4.900] [BINS(c->s)..: 0,13,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1] [IATS(ms)....: 1006.5,1005.8,1008.1,1008.5,4101.9,73.2,63.1,1023.9,1006.7,2080.9,1018.8,962.5,1014.1,1012.6,1013.6,1040.3,1038.2,1060.2,1011.7,991.1,1041.5,1066.6,1017.8,982.3,1029.5,1026.2,1027.8,1007.4,2080.4,166.4,305.9] - [PKTLENS.....: 133,133,133,133,133,164,95,130,95,95,126,95,128,95,130,95,128,95,128,95,126,95,128,95,130,95,128,95,95,174,290,323] + [PKTLENS.....: 119,119,119,119,119,150,81,116,81,81,112,81,114,81,116,81,114,81,114,81,112,81,114,81,116,81,114,81,81,160,276,309] + [ENTROPIES...: 4.9,5.0,5.0,5.0,5.0,4.9,5.0,5.0,5.0,5.1,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,4.9,5.0,4.9,5.0,5.0,5.0,5.0,5.0,4.9,4.2,4.3] update: [.....1] [ip4][..udp] [..192.168.43.91][35966] -> [........4.2.2.4][...53] [DNS][Network][Acceptable] RISK: Suspicious DGA Domain name, Risky Domain Name update: [.....2] [ip4][..udp] [..192.168.43.91][56354] -> [........4.2.2.4][...53] [DNS][Network][Acceptable] diff --git a/test/results/flow-info/bitcoin.pcap.out b/test/results/flow-info/bitcoin.pcap.out index bf92f591d..152e13e76 100644 --- a/test/results/flow-info/bitcoin.pcap.out +++ b/test/results/flow-info/bitcoin.pcap.out @@ -8,52 +8,56 @@ detected: [.....2] [ip4][..tcp] [..192.168.1.142][55328] -> [..69.118.54.122][.8333] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [.....2] [ip4][..tcp] [..192.168.1.142][55328] -> [..69.118.54.122][.8333] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 141.657| 9.231| 28.185|794377756.606| 0.000] - [PKTLEN......: 86.000| 1514.000| 1196.700| 570.200|325114.200| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 141.657| 9.231| 28.185| 794377756.606| 1.900] + [PKTLEN......: 72.000| 1500.000| 1182.700| 570.200| 325114.200| 4.800] [BINS(c->s)..: 0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0] [DIRECTIONS..: 0,1,1,1,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 52.7,59.2,36072.7,6972.6,71059.7,141657.3,28238.3,0.1,33.0,0.0,0.0,1933.1,0.0,0.0,0.0,0.0,4.5,16.8,0.3,4.1,0.5,12.1,1.1,0.3,10.6,15.7,2.7,0.0,3.1,4.1,7.9] - [PKTLENS.....: 171,171,86,127,121,127,110,1514,1514,1514,1514,1045,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] + [PKTLENS.....: 157,157,72,113,107,113,96,1500,1500,1500,1500,1031,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500] + [ENTROPIES...: 4.3,4.4,4.9,5.2,4.7,5.6,4.9,7.4,7.5,7.5,7.5,7.4,3.6,3.4,3.5,3.5,3.5,3.4,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5] new: [.....3] [ip4][..tcp] [..192.168.1.142][55348] -> [..74.89.181.229][.8333] [MIDSTREAM] detected: [.....3] [ip4][..tcp] [..192.168.1.142][55348] -> [..74.89.181.229][.8333] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [.....3] [ip4][..tcp] [..192.168.1.142][55348] -> [..74.89.181.229][.8333] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 100.111| 6.495| 19.445|378100231.700| 0.000] - [PKTLEN......: 86.000| 1514.000| 1169.300| 597.200|356626.800| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 100.111| 6.495| 19.445| 378100231.700| 2.000] + [PKTLEN......: 72.000| 1500.000| 1155.300| 597.200| 356626.800| 4.700] [BINS(c->s)..: 0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0] [DIRECTIONS..: 0,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 59.2,103.2,9823.2,39766.1,21773.2,100110.7,311.6,29237.0,0.0,63.5,0.0,0.1,1.8,36.3,0.1,10.1,0.0,2.2,0.0,22.5,0.0,0.0,5.4,1.9,16.7,0.1,3.3,3.2,0.1,2.6,1.0] - [PKTLENS.....: 171,171,86,182,121,121,110,121,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] + [PKTLENS.....: 157,157,72,168,107,107,96,107,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500] + [ENTROPIES...: 4.5,4.5,5.1,5.3,4.9,4.9,5.1,4.8,3.6,3.5,3.6,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5,3.5] new: [.....4] [ip4][..tcp] [..192.168.1.142][55383] -> [....66.68.83.22][.8333] [MIDSTREAM] detected: [.....4] [ip4][..tcp] [..192.168.1.142][55383] -> [....66.68.83.22][.8333] [Mining][Mining][Unsafe] RISK: Unsafe Protocol DAEMON-EVENT: [Processed: 214 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] analyse: [.....4] [ip4][..tcp] [..192.168.1.142][55383] -> [....66.68.83.22][.8333] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 134.322| 8.966| 25.482|649325705.167| 0.000] - [PKTLEN......: 86.000| 1514.000| 1089.600| 630.500|397582.100| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 134.322| 8.966| 25.482| 649325705.167| 2.200] + [PKTLEN......: 72.000| 1500.000| 1075.600| 630.500| 397582.100| 4.700] [BINS(c->s)..: 0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] [BINS(s->c)..: 1,4,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0] [DIRECTIONS..: 0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 62.3,90.5,14042.4,39643.2,11452.0,9238.6,22700.4,134322.5,190.5,216.5,0.1,56.8,0.0,0.0,0.0,45582.9,5.5,2.9,79.7,2.4,56.4,14.9,38.3,1.1,29.4,10.2,41.4,0.0,29.6,11.8,15.8] - [PKTLENS.....: 171,171,86,127,127,127,182,127,110,1514,1514,1514,1514,1514,1514,331,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] + [PKTLENS.....: 157,157,72,113,113,113,168,113,96,1500,1500,1500,1500,1500,1500,317,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500] + [ENTROPIES...: 4.3,4.5,5.2,5.6,5.6,5.4,5.2,5.5,5.0,6.6,6.6,6.6,6.6,6.7,6.7,6.2,3.5,3.4,3.5,3.5,3.5,3.5,3.5,3.5,3.4,3.4,3.5,3.5,3.5,3.5,3.5,3.5] new: [.....5] [ip4][..tcp] [..192.168.1.142][55400] -> [.195.218.16.178][.8333] [MIDSTREAM] detected: [.....5] [ip4][..tcp] [..192.168.1.142][55400] -> [.195.218.16.178][.8333] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [.....5] [ip4][..tcp] [..192.168.1.142][55400] -> [.195.218.16.178][.8333] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 41.186| 2.780| 7.976|63609669.419| 0.000] - [PKTLEN......: 86.000| 1514.000| 1120.500| 621.500|386298.000| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 41.186| 2.780| 7.976| 63609669.419| 2.200] + [PKTLEN......: 72.000| 1500.000| 1106.500| 621.500| 386298.000| 4.700] [BINS(c->s)..: 0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,3,0,0] [BINS(s->c)..: 1,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0] [DIRECTIONS..: 0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 128.2,113.3,17195.1,11450.8,3438.7,6.8,2755.3,41186.4,319.9,321.8,0.0,347.4,8283.5,31.9,35.0,52.7,19.0,36.6,49.3,41.1,63.9,2.3,29.1,27.7,37.4,32.7,49.2,24.6,33.7,41.1,34.1] - [PKTLENS.....: 171,171,86,121,121,121,121,127,110,1514,1514,1514,1399,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] + [PKTLENS.....: 157,157,72,107,107,107,107,113,96,1500,1500,1500,1385,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500] + [ENTROPIES...: 4.4,4.4,5.0,4.7,4.7,4.8,4.8,5.6,5.0,6.6,6.6,6.6,6.6,3.4,3.4,3.3,3.3,3.4,3.4,3.3,3.3,3.3,3.3,3.3,3.3,3.3,3.3,3.3,3.3,3.4,3.4,3.3] DAEMON-EVENT: [Processed: 494 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 5 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....6] [ip4][..tcp] [..192.168.1.142][55487] -> [.184.58.165.119][.8333] [MIDSTREAM] diff --git a/test/results/flow-info/bittorrent.pcap.out b/test/results/flow-info/bittorrent.pcap.out index de6e221d6..fb97d0f29 100644 --- a/test/results/flow-info/bittorrent.pcap.out +++ b/test/results/flow-info/bittorrent.pcap.out @@ -64,14 +64,15 @@ detected: [....21] [ip4][..tcp] [....192.168.1.3][52922] -> [..95.237.193.34][11321] [BitTorrent][Download][Acceptable] RISK: Known Proto on Non Std Port analyse: [....17] [ip4][..tcp] [....192.168.1.3][52915] -> [..198.100.146.9][60163] [BitTorrent][Download][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.012| 0.920| 0.247| 0.229|52345.696| 0.000] - [PKTLEN......: 80.000| 1506.000| 736.400| 635.200|403438.900| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.012| 0.920| 0.247| 0.229| 52345.696| 4.400] + [PKTLEN......: 66.000| 1492.000| 722.400| 635.200| 403438.900| 4.400] [BINS(c->s)..: 5,1,1,1,3,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,12,0,0] [DIRECTIONS..: 0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,0,1,1,1,1,0,1,1] [IATS(ms)....: 176.8,184.0,361.0,337.3,477.6,920.0,779.8,619.5,619.4,156.9,158.1,151.0,161.2,12.0,185.6,163.5,148.9,165.8,153.5,19.2,148.7,12.8,146.1,495.9,130.3,32.1,133.8,27.3,421.5,129.5,27.4] - [PKTLENS.....: 134,146,625,242,80,190,104,100,1506,83,1180,83,623,95,83,403,83,202,623,1506,1506,1506,1506,1506,202,1506,1506,1506,1506,211,1506,1506] + [PKTLENS.....: 120,132,611,228,66,176,90,86,1492,69,1166,69,609,81,69,389,69,188,609,1492,1492,1492,1492,1492,188,1492,1492,1492,1492,197,1492,1492] + [ENTROPIES...: 6.0,6.1,4.9,5.5,4.8,3.9,5.4,4.3,7.8,4.5,7.7,4.6,7.6,4.7,4.6,7.4,4.6,2.9,7.6,4.9,7.7,7.7,7.8,7.8,3.1,7.7,7.8,7.8,7.8,3.1,7.8,7.9] new: [....22] [ip4][..tcp] [....192.168.1.3][52927] -> [.83.216.184.241][51413] [MIDSTREAM] detected: [....22] [ip4][..tcp] [....192.168.1.3][52927] -> [.83.216.184.241][51413] [BitTorrent][Download][Acceptable] new: [....23] [ip4][..tcp] [....192.168.1.3][52926] -> [..93.65.249.100][31336] [MIDSTREAM] diff --git a/test/results/flow-info/bittorrent_utp.pcap.out b/test/results/flow-info/bittorrent_utp.pcap.out index 918c55c72..e94e66ec3 100644 --- a/test/results/flow-info/bittorrent_utp.pcap.out +++ b/test/results/flow-info/bittorrent_utp.pcap.out @@ -5,14 +5,15 @@ detected: [.....1] [ip4][..udp] [..82.243.113.43][64969] -> [....192.168.1.5][40959] [BitTorrent][Download][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....1] [ip4][..udp] [..82.243.113.43][64969] -> [....192.168.1.5][40959] [BitTorrent][Download][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 5.430| 0.412| 1.202|1445669.503| 0.000] - [PKTLEN......: 62.000| 1514.000| 511.200| 600.800|360942.700| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 5.430| 0.412| 1.202| 1445669.503| 2.400] + [PKTLEN......: 48.000| 1500.000| 497.200| 600.800| 360942.700| 4.000] [BINS(c->s)..: 3,0,0,3,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0] [BINS(s->c)..: 11,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0] [IATS(ms)....: 4392.2,1037.9,5430.3,116.8,116.9,100.5,240.4,139.9,4.5,110.6,115.0,1.0,58.6,60.6,88.2,88.1,37.5,37.7,24.5,24.4,43.7,55.5,11.6,11.8,11.9,53.7,52.8,104.1,173.3,8.3,17.5] - [PKTLENS.....: 146,146,62,72,252,519,62,62,117,271,62,62,146,1514,68,1514,68,1514,68,1514,68,96,1514,68,1514,68,1514,62,62,1051,1051,1051] + [PKTLENS.....: 132,132,48,58,238,505,48,48,103,257,48,48,132,1500,54,1500,54,1500,54,1500,54,82,1500,54,1500,54,1500,48,48,1037,1037,1037] + [ENTROPIES...: 5.8,5.9,4.5,4.2,4.4,5.3,4.7,5.3,3.9,5.4,5.3,4.8,5.8,7.8,4.5,7.8,4.6,7.8,4.6,7.8,4.6,4.1,7.8,4.7,7.6,4.7,7.8,4.9,4.8,7.8,7.8,7.7] idle: [.....1] [ip4][..udp] [..82.243.113.43][64969] -> [....192.168.1.5][40959] [BitTorrent][Download][Acceptable] RISK: Known Proto on Non Std Port DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/bot.pcap.out b/test/results/flow-info/bot.pcap.out index 60bbf1353..c450bcc22 100644 --- a/test/results/flow-info/bot.pcap.out +++ b/test/results/flow-info/bot.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] detected: [.....1] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] [HTTP.Azure][Cloud][Acceptable] analyse: [.....1] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] [HTTP.Azure][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.114| 0.014| 0.036| 1309.010| 0.000] - [PKTLEN......: 64.000| 1498.000| 1104.500| 631.200|398369.000| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.114| 0.014| 0.036| 1309.010| 2.200] + [PKTLEN......: 46.000| 1480.000| 1086.500| 631.200| 398369.000| 4.600] [BINS(c->s)..: 6,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1] [IATS(ms)....: 0.4,106.5,0.0,106.7,7.6,0.1,0.1,0.1,0.0,0.0,0.8,0.0,0.0,0.0,114.2,0.3,105.4,0.1,0.0,0.0,0.1,0.0,0.0,0.0,0.2,0.0,0.1,0.0,0.8,0.1,0.5] - [PKTLENS.....: 66,66,64,374,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,1498,64,64,1498] + [PKTLENS.....: 48,48,46,356,46,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,46,46,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,1480,46,46,1480] + [ENTROPIES...: 4.7,4.8,4.7,5.6,4.7,6.4,7.5,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.1,4.7,4.6,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.4,5.9,7.9,5.5,4.9,4.7,4.7,5.1] end: [.....1] [ip4][..tcp] [...40.77.167.36][64768] -> [...89.31.72.220][...80] [HTTP.Azure][Cloud][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/capwap.pcap.out b/test/results/flow-info/capwap.pcap.out index 75c06e6cd..2f61aca04 100644 --- a/test/results/flow-info/capwap.pcap.out +++ b/test/results/flow-info/capwap.pcap.out @@ -17,27 +17,29 @@ detected: [.....4] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12380] [CAPWAP][Network][Acceptable] update: [.....1] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12379] [CAPWAP][Network][Acceptable] analyse: [.....4] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12380] [CAPWAP][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 10.093| 0.751| 2.532|6409154.986| 0.000] - [PKTLEN......: 106.000| 1499.000| 512.200| 485.400|235625.000| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 10.093| 0.751| 2.532| 6409154.986| 1.600] + [PKTLEN......: 92.000| 1485.000| 498.200| 485.400| 235625.000| 4.400] [BINS(c->s)..: 0,0,5,3,0,0,0,0,0,1,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0] [BINS(s->c)..: 0,0,1,6,1,0,0,0,1,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0] [DIRECTIONS..: 0,0,1,0,1,0,0,0,1,1,1,1,1,0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,1,0,1,0] [IATS(ms)....: 0.8,9998.4,10093.4,96.4,2.6,0.0,0.1,182.4,0.0,0.1,314.1,135.3,2.7,0.2,111.8,0.0,157.3,0.0,325.7,280.1,0.0,39.5,0.0,39.5,0.3,2.1,1.0,0.5,0.5] - [PKTLENS.....: 156,156,115,106,147,590,590,360,590,590,179,329,420,137,1499,1499,1499,1451,1035,1451,475,155,123,139,155,139,123,891,155,123,139,875] + [PKTLENS.....: 142,142,101,92,133,576,576,346,576,576,165,315,406,123,1485,1485,1485,1437,1021,1437,461,141,109,125,141,125,109,877,141,109,125,861] + [ENTROPIES...: 3.9,3.9,4.8,4.6,5.4,6.6,6.9,6.4,6.9,6.8,6.4,7.1,7.1,5.5,7.9,7.9,7.9,7.9,7.8,7.8,7.5,6.3,5.8,6.0,6.3,6.0,5.8,7.8,6.3,5.8,6.1,7.7] new: [.....5] [ip4][..udp] [..192.168.10.10][12380] -> [...192.168.10.9][.5247] detected: [.....5] [ip4][..udp] [..192.168.10.10][12380] -> [...192.168.10.9][.5247] [CAPWAP][Network][Acceptable] update: [.....2] [ip4][..udp] [..192.168.10.10][49259] -> [255.255.255.255][...53] ERROR-EVENT: Unknown packet type analyse: [.....5] [ip4][..udp] [..192.168.10.10][12380] -> [...192.168.10.9][.5247] [CAPWAP][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.500| 4.000| 1.016| 0.875|765810.835| 0.000] - [PKTLEN......: 122.000| 325.000| 195.400| 58.400| 3415.700| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.500| 4.000| 1.016| 0.875| 765810.835| 4.600] + [PKTLEN......: 108.000| 311.000| 181.400| 58.400| 3415.700| 4.900] [BINS(c->s)..: 0,0,6,7,2,9,2,5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 500.0,500.0,499.9,3000.0,500.0,500.0,500.0,500.0,499.9,500.0,500.0,500.0,500.0,1000.0,1000.0,500.0,2999.8,1000.0,1000.0,500.0,1999.8,500.0,500.0,1000.0,500.0,1500.0,499.9,2000.0,1000.0,1000.0,3999.8] - [PKTLENS.....: 122,209,296,151,238,151,122,209,325,151,122,122,151,296,151,209,209,296,151,209,122,267,180,209,209,209,267,151,122,209,238,180] + [PKTLENS.....: 108,195,282,137,224,137,108,195,311,137,108,108,137,282,137,195,195,282,137,195,108,253,166,195,195,195,253,137,108,195,224,166] + [ENTROPIES...: 4.3,4.8,5.2,4.7,4.9,4.8,4.4,5.0,5.1,4.6,4.4,4.4,4.8,5.0,4.6,4.9,4.9,5.0,4.6,4.9,4.4,4.9,4.8,5.1,4.9,4.8,5.0,4.7,4.3,4.9,4.9,4.7] update: [.....3] [ip4][..udp] [..192.168.10.10][12380] -> [255.255.255.255][.5246] [CAPWAP][Network][Acceptable] update: [.....1] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12379] [CAPWAP][Network][Acceptable] update: [.....4] [ip4][..udp] [...192.168.10.9][.5246] -> [..192.168.10.10][12380] [CAPWAP][Network][Acceptable] diff --git a/test/results/flow-info/cassandra.pcap.out b/test/results/flow-info/cassandra.pcap.out index c151b6cc6..e109eb7e9 100644 --- a/test/results/flow-info/cassandra.pcap.out +++ b/test/results/flow-info/cassandra.pcap.out @@ -6,23 +6,25 @@ new: [.....2] [ip4][..tcp] [......127.0.0.1][46537] -> [......127.0.0.1][.9042] detected: [.....2] [ip4][..tcp] [......127.0.0.1][46537] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable] analyse: [.....1] [ip4][..tcp] [......127.0.0.1][46536] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 26.002| 1.755| 6.369|40566842.720| 0.000] - [PKTLEN......: 66.000|25214.000| 1951.600| 5902.900|34844344.000| 2.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 26.002| 1.755| 6.369| 40566842.720| 1.300] + [PKTLEN......: 52.000|25200.000| 1937.600| 5902.900| 34844348.000| 2.000] [BINS(c->s)..: 9,2,3,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,2,2,1,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,0] [IATS(ms)....: 0.0,0.0,0.2,0.3,5.7,5.7,0.2,0.6,1.5,1.6,1.6,2.3,1.1,3.5,3.5,2.8,4.8,1.9,1.8,0.7,2.5,2.0,1.4,3.4,25963.2,26002.2,1164.0,1204.4,1.3,2.3,5.7] - [PKTLENS.....: 74,74,66,75,66,127,66,97,75,124,75,167,182,193,11145,66,119,557,387,380,257,66,21816,25214,66,124,66,140,147,139,144,157] + [PKTLENS.....: 60,60,52,61,52,113,52,83,61,110,61,153,168,179,11131,52,105,543,373,366,243,52,21802,25200,52,110,52,126,133,125,130,143] + [ENTROPIES...: 4.4,4.8,4.6,4.4,4.6,5.2,4.6,4.9,4.5,5.2,4.5,5.4,4.9,5.4,3.8,4.6,5.3,5.0,5.2,4.8,4.9,4.7,5.2,4.6,4.7,5.4,4.7,5.4,4.9,5.5,5.1,5.3] analyse: [.....2] [ip4][..tcp] [......127.0.0.1][46537] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 25.937| 2.293| 6.507|42345709.961| 0.000] - [PKTLEN......: 66.000|11512.000| 466.300| 1984.700|3939065.000| 1.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 25.937| 2.293| 6.507| 42345709.961| 2.000] + [PKTLEN......: 52.000|11498.000| 452.300| 1984.700| 3939065.000| 1.700] [BINS(c->s)..: 10,2,4,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.0,0.0,0.7,0.7,5.3,5.3,0.3,0.7,1.7,4.5,3.4,25897.1,25937.1,6.0,46.6,0.7,0.0,0.0,1.2,1.1,2.3,1.2,3.3,41.7,7689.9,7730.3,0.8,0.2,0.6,40.1,3670.2] - [PKTLENS.....: 74,74,66,75,66,127,66,97,75,140,11512,66,201,66,113,140,66,139,66,147,144,66,157,289,66,113,94,66,101,94,66,291] + [PKTLENS.....: 60,60,52,61,52,113,52,83,61,126,11498,52,187,52,99,126,52,125,52,133,130,52,143,275,52,99,80,52,87,80,52,277] + [ENTROPIES...: 4.4,4.8,4.7,4.5,4.7,5.2,4.7,4.9,4.6,5.3,3.9,4.8,5.7,4.7,5.2,5.4,4.7,5.5,4.7,4.9,5.1,4.8,5.3,5.1,4.7,5.2,4.9,4.6,5.0,4.8,4.6,5.7] end: [.....1] [ip4][..tcp] [......127.0.0.1][46536] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable] end: [.....2] [ip4][..tcp] [......127.0.0.1][46537] -> [......127.0.0.1][.9042] [Cassandra][Database][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/check_mk_new.pcap.out b/test/results/flow-info/check_mk_new.pcap.out index 0e8139d09..88493f8b8 100644 --- a/test/results/flow-info/check_mk_new.pcap.out +++ b/test/results/flow-info/check_mk_new.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [.192.168.100.22][58998] -> [.192.168.100.50][.6556] detected: [.....1] [ip4][..tcp] [.192.168.100.22][58998] -> [.192.168.100.50][.6556] [CHECKMK][DataTransfer][Acceptable] analyse: [.....1] [ip4][..tcp] [.192.168.100.22][58998] -> [.192.168.100.50][.6556] [CHECKMK][DataTransfer][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.002| 0.001| 0.001| 0.660| 0.000] - [PKTLEN......: 66.000| 568.000| 109.500| 116.800|13650.400| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.002| 0.001| 0.001| 0.660| 4.300] + [PKTLEN......: 52.000| 554.000| 95.500| 116.800| 13650.400| 4.400] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 0.0,0.2,2.1,2.1,0.1,0.1,0.1,0.1,1.9,1.8,0.1,0.1,1.3,1.2,0.1,0.2,0.1,0.1,1.2,1.2,0.2,0.2,2.0,2.0,1.8,1.8,1.9,1.9,0.7,0.7,0.1] - [PKTLENS.....: 74,74,66,81,66,331,66,76,66,67,66,75,66,568,66,75,66,84,66,477,66,82,66,82,66,83,66,79,66,131,66,75] + [PKTLENS.....: 60,60,52,67,52,317,52,62,52,53,52,61,52,554,52,61,52,70,52,463,52,68,52,68,52,69,52,65,52,117,52,61] + [ENTROPIES...: 4.8,5.3,5.1,5.4,5.0,5.4,5.1,5.4,5.0,5.1,5.0,5.2,5.0,3.8,5.1,5.2,5.0,5.4,5.1,4.4,5.1,5.4,5.1,5.4,5.1,5.5,5.1,5.3,5.0,5.4,5.1,5.2] end: [.....1] [ip4][..tcp] [.192.168.100.22][58998] -> [.192.168.100.50][.6556] [CHECKMK][DataTransfer][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/chrome.pcap.out b/test/results/flow-info/chrome.pcap.out index 3da7f70df..b56fdf619 100644 --- a/test/results/flow-info/chrome.pcap.out +++ b/test/results/flow-info/chrome.pcap.out @@ -7,14 +7,15 @@ new: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] detected: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....1] [ip4][..tcp] [..192.168.1.178][64393] -> [...146.48.58.18][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.629| 0.057| 0.154|23802.585| 0.000] - [PKTLEN......: 66.000| 1506.000| 619.400| 632.900|400560.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.629| 0.057| 0.154| 23802.585| 2.400] + [PKTLEN......: 52.000| 1492.000| 605.400| 632.900| 400560.700| 4.200] [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1] [IATS(ms)....: 28.8,28.9,0.3,29.8,7.0,0.2,36.6,0.5,0.5,13.6,0.3,42.3,0.0,0.2,0.0,28.6,0.0,627.9,1.2,629.0,0.1,0.2,0.3,0.1,0.3,0.3,1.1,131.1,160.1,5.6,0.1] - [PKTLENS.....: 78,74,66,583,66,1506,1506,66,772,66,146,816,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,717,66,1506,1506] + [PKTLENS.....: 64,60,52,569,52,1492,1492,52,758,52,132,802,52,52,355,355,52,52,1492,1492,52,1492,1492,52,1492,1471,52,52,703,52,1492,1492] + [ENTROPIES...: 4.4,5.2,4.9,4.4,5.0,7.8,7.9,5.0,7.7,5.1,6.2,7.7,5.1,5.1,7.4,7.4,5.0,5.1,7.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,5.0,5.0,7.7,5.1,7.9,7.9] detection-update: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] [TLS][Web][Safe] new: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] new: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] @@ -25,58 +26,63 @@ detected: [.....5] [ip4][..tcp] [..192.168.1.178][64410] -> [...146.48.58.18][..443] [TLS][Web][Safe] detected: [.....6] [ip4][..tcp] [..192.168.1.178][64411] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.469| 0.038| 0.110|12173.627| 0.000] - [PKTLEN......: 66.000| 1506.000| 631.100| 638.000|407026.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.469| 0.038| 0.110| 12173.627| 2.300] + [PKTLEN......: 52.000| 1492.000| 617.100| 638.000| 407026.800| 4.200] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,0,1,0,0] [IATS(ms)....: 28.5,28.6,0.6,28.4,2.8,30.5,2.0,28.4,0.1,26.4,441.8,468.8,1.7,1.4,30.2,0.1,0.1,0.2,0.1,0.1,0.2,0.1,0.1,0.3,0.2,0.3,0.5,0.8,26.0,25.3,1.8] - [PKTLENS.....: 78,74,66,701,66,326,66,146,66,369,66,783,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,66,1029,66,770] + [PKTLENS.....: 64,60,52,687,52,312,52,132,52,355,52,769,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,52,1015,52,756] + [ENTROPIES...: 4.4,5.3,4.9,7.1,5.1,6.9,5.0,6.3,5.2,7.4,5.1,7.7,5.1,7.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,4.9,7.9,7.9,5.0,7.9,7.9,5.0,4.9,7.8,5.0,7.7] detection-update: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][64411] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][64410] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....6] [ip4][..tcp] [..192.168.1.178][64411] -> [...146.48.58.18][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.035| 0.006| 0.011| 126.441| 0.000] - [PKTLEN......: 66.000| 1506.000| 542.700| 598.400|358096.100| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.035| 0.006| 0.011| 126.441| 3.100] + [PKTLEN......: 52.000| 1492.000| 528.700| 598.400| 358096.100| 4.100] [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,1,0,0,0,0] [IATS(ms)....: 26.8,26.8,1.3,28.2,6.8,1.3,0.0,35.0,0.0,0.4,0.3,27.6,0.0,26.9,1.4,1.4,1.1,0.0,1.1,0.1,0.2,0.2,0.4,0.1,0.1,0.0,0.3,0.0,0.7,1.7] - [PKTLENS.....: 78,74,66,583,66,1506,1506,772,66,66,146,772,66,369,66,66,369,66,1506,1506,66,66,1506,1506,66,1506,1506,412,66,66,66,820] + [PKTLENS.....: 64,60,52,569,52,1492,1492,758,52,52,132,758,52,355,52,52,355,52,1492,1492,52,52,1492,1492,52,1492,1492,398,52,52,52,806] + [ENTROPIES...: 4.4,5.3,5.0,4.4,5.1,7.9,7.9,7.7,5.0,5.0,6.2,7.7,5.0,7.4,5.1,5.0,7.3,5.0,7.9,7.9,5.0,4.9,7.9,7.9,5.0,7.9,7.9,7.5,4.9,5.0,4.9,7.8] detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][64411] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.031| 0.008| 0.012| 146.160| 0.000] - [PKTLEN......: 66.000| 1506.000| 713.600| 675.500|456346.800| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.031| 0.008| 0.012| 146.160| 3.400] + [PKTLEN......: 52.000| 1492.000| 699.600| 675.500| 456346.800| 4.200] [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1] [IATS(ms)....: 29.3,29.3,0.9,29.0,2.5,30.7,0.6,0.3,26.2,1.1,2.3,28.7,1.8,0.2,2.0,0.4,0.5,0.9,0.1,0.1,0.2,0.1,0.1,0.3,0.1,0.9,26.9,0.1,26.2,1.5,0.1] - [PKTLENS.....: 78,74,66,701,66,326,66,146,772,66,66,369,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,1506,66,1506,1506] + [PKTLENS.....: 64,60,52,687,52,312,52,132,758,52,52,355,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,52,1492,1492,52,1492,1492] + [ENTROPIES...: 4.5,5.3,5.1,7.1,5.1,7.0,5.0,6.3,7.7,5.1,5.1,7.4,5.1,7.9,7.9,5.1,7.9,7.9,5.1,7.9,7.9,5.1,7.9,7.9,5.1,7.9,4.9,7.9,7.9,5.0,7.9,7.9] detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][64409] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....5] [ip4][..tcp] [..192.168.1.178][64410] -> [...146.48.58.18][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.038| 0.007| 0.012| 150.077| 0.000] - [PKTLEN......: 66.000| 1506.000| 643.300| 651.900|424923.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.038| 0.007| 0.012| 150.077| 3.200] + [PKTLEN......: 52.000| 1492.000| 629.300| 651.900| 424923.800| 4.200] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1,0,1] [IATS(ms)....: 28.7,28.7,1.3,29.9,9.6,0.1,0.0,38.3,0.0,0.5,0.2,28.0,0.1,0.1,0.0,27.5,0.0,1.2,1.3,2.5,0.1,0.1,0.2,0.1,0.1,0.2,0.2,0.2,0.4,0.4,25.3] - [PKTLENS.....: 78,74,66,583,66,1506,1506,772,66,66,146,772,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,66,1506] + [PKTLENS.....: 64,60,52,569,52,1492,1492,758,52,52,132,758,52,52,355,355,52,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,52,1492,52,1492] + [ENTROPIES...: 4.5,5.2,5.1,4.4,5.1,7.8,7.9,7.7,5.0,5.0,6.2,7.7,5.0,5.1,7.4,7.4,5.0,5.0,7.9,7.9,5.1,7.9,7.9,5.1,7.9,7.9,5.1,7.9,4.9,7.9,5.1,7.9] detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][64410] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.032| 0.008| 0.013| 163.814| 0.000] - [PKTLEN......: 66.000| 1506.000| 623.700| 634.700|402848.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.032| 0.008| 0.013| 163.814| 3.300] + [PKTLEN......: 52.000| 1492.000| 609.700| 634.700| 402848.700| 4.200] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0] [IATS(ms)....: 29.8,29.8,1.1,30.0,2.5,31.5,0.4,0.2,32.0,0.0,0.0,31.5,1.0,0.1,1.1,0.1,0.2,0.1,0.1,0.1,0.1,0.2,0.5,0.1,0.6,0.1,1.5,27.3,0.1,26.1,4.6] - [PKTLENS.....: 78,74,66,701,66,326,66,146,772,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,1506,66,1506,1506,66,1506,66,1506,799,66,775] + [PKTLENS.....: 64,60,52,687,52,312,52,132,758,52,355,52,52,1492,1492,52,1492,52,1492,52,1492,1492,52,1492,1492,52,1492,52,1492,785,52,761] + [ENTROPIES...: 4.4,5.3,5.0,7.1,5.1,6.9,5.0,6.2,7.7,5.0,7.4,5.1,4.9,7.9,7.9,5.0,7.8,4.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,5.0,7.9,4.9,7.9,7.7,5.0,7.7] detection-update: [.....3] [ip4][..tcp] [..192.168.1.178][64408] -> [...146.48.58.18][..443] [TLS][Web][Safe] end: [.....1] [ip4][..tcp] [..192.168.1.178][64393] -> [...146.48.58.18][..443] [TLS][Web][Safe] end: [.....2] [ip4][..tcp] [..192.168.1.178][64394] -> [...146.48.58.18][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/citrix.pcap.out b/test/results/flow-info/citrix.pcap.out index fec2906b5..22befc11e 100644 --- a/test/results/flow-info/citrix.pcap.out +++ b/test/results/flow-info/citrix.pcap.out @@ -2,13 +2,14 @@ new: [.....1] [ip4][..tcp] [.......21.0.0.8][45225] -> [.......22.0.0.7][.1494] detected: [.....1] [ip4][..tcp] [.......21.0.0.8][45225] -> [.......22.0.0.7][.1494] [Citrix][Network][Acceptable] analyse: [.....1] [ip4][..tcp] [.......21.0.0.8][45225] -> [.......22.0.0.7][.1494] [Citrix][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.056| 0.005| 0.012| 154.959| 0.000] - [PKTLEN......: 64.000| 401.000| 114.300| 63.600| 4041.600| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.056| 0.005| 0.012| 154.959| 2.600] + [PKTLEN......: 50.000| 387.000| 100.300| 63.600| 4041.600| 4.800] [BINS(c->s)..: 5,18,1,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0] [IATS(ms)....: 2.1,2.1,6.1,6.1,4.1,7.1,1.0,0.0,0.0,0.0,0.0,1.0,1.0,0.0,0.0,0.0,0.0,1.0,0.0,0.0,2.0,0.0,0.0,0.0,0.0,1.0,0.0,56.3,46.1,4.1,4.1] - [PKTLENS.....: 64,64,64,64,64,76,212,121,101,102,105,401,97,225,109,147,117,111,109,117,112,97,97,97,114,117,111,109,142,64,64,64] + [PKTLENS.....: 50,50,50,50,50,62,198,107,87,88,91,387,83,211,95,133,103,97,95,103,98,83,83,83,100,103,97,95,128,50,50,50] + [ENTROPIES...: 4.1,4.5,4.0,4.6,4.5,4.2,5.2,4.6,4.8,4.8,4.3,4.8,4.5,3.3,4.1,4.2,4.1,4.4,4.1,4.2,4.3,4.5,4.4,4.4,4.2,4.1,4.2,4.3,4.0,4.2,4.3,4.3] idle: [.....1] [ip4][..tcp] [.......21.0.0.8][45225] -> [.......22.0.0.7][.1494] [Citrix][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/coap_mqtt.pcap.out b/test/results/flow-info/coap_mqtt.pcap.out index 9e991ac3c..420bc9b38 100644 --- a/test/results/flow-info/coap_mqtt.pcap.out +++ b/test/results/flow-info/coap_mqtt.pcap.out @@ -46,83 +46,91 @@ detected: [....13] [ip4][..tcp] [.192.168.56.101][17501] -> [...192.168.56.1][53524] [MQTT][RPC][Acceptable] RISK: Known Proto on Non Std Port analyse: [....11] [ip4][..tcp] [...192.168.56.1][53528] -> [.192.168.56.101][17501] [MQTT][RPC][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.439| 0.304| 1.061|1125807.423| 0.000] - [PKTLEN......: 54.000| 140.000| 76.300| 30.100| 907.000| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.439| 0.304| 1.061| 1125807.423| 1.600] + [PKTLEN......: 40.000| 126.000| 62.300| 30.100| 907.000| 4.900] [BINS(c->s)..: 11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1] [IATS(ms)....: 0.1,0.2,4.6,4.9,1.0,9.3,9.1,2.8,3.5,0.5,2.4,21.8,23.4,198.7,4438.9,4242.4,38.5,37.9,0.5,2.3,62.5,65.0,1.2,38.7,37.8,0.5,2.8,66.7,69.7,1.1,39.4] - [PKTLENS.....: 66,66,60,73,54,58,114,58,69,59,138,60,114,58,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54] + [PKTLENS.....: 52,52,46,59,40,44,100,44,55,45,124,46,100,44,46,126,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40] + [ENTROPIES...: 4.5,4.8,4.4,5.1,4.6,4.5,5.5,4.6,5.0,4.7,5.7,4.4,5.5,4.6,4.3,5.6,4.5,4.6,5.5,4.7,4.7,5.6,4.4,4.6,4.6,5.5,4.6,4.6,5.6,4.3,4.6,4.7] analyse: [.....9] [ip4][..tcp] [...192.168.56.1][53522] -> [.192.168.56.101][17501] [MQTT][RPC][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 27.506| 1.802| 6.725|45219399.598| 0.000] - [PKTLEN......: 54.000| 140.000| 77.400| 32.800| 1072.600| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 27.506| 1.802| 6.725| 45219399.598| 1.200] + [PKTLEN......: 40.000| 126.000| 63.400| 32.800| 1072.600| 4.800] [BINS(c->s)..: 10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0] [IATS(ms)....: 0.7,199.1,27505.9,27310.4,42.7,40.0,0.1,0.5,60.4,61.2,1.6,38.9,37.7,0.6,2.9,66.3,69.5,1.2,39.6,39.1,1.0,2.4,62.7,65.3,1.8,40.5,38.7,0.2,6.2,66.7,73.1] - [PKTLENS.....: 60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60] + [PKTLENS.....: 46,42,46,126,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46] + [ENTROPIES...: 4.5,4.6,4.3,5.6,4.7,4.6,5.5,4.6,4.7,5.6,4.4,4.7,4.5,5.6,4.6,4.8,5.6,4.4,4.7,4.6,5.5,4.6,4.7,5.6,4.4,4.7,4.6,5.5,4.7,4.8,5.6,4.4] analyse: [....10] [ip4][..tcp] [...192.168.56.1][53523] -> [.192.168.56.101][17501] [MQTT][RPC][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 13.151| 0.876| 3.198|10225378.656| 0.000] - [PKTLEN......: 54.000| 140.000| 77.400| 32.800| 1072.600| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 13.151| 0.876| 3.198| 10225378.656| 1.400] + [PKTLEN......: 40.000| 126.000| 63.400| 32.800| 1072.600| 4.800] [BINS(c->s)..: 10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,0] [IATS(ms)....: 0.4,199.9,13150.8,12952.3,38.6,38.0,0.5,2.1,62.6,65.0,1.0,38.8,38.1,0.5,2.6,66.8,69.6,1.2,39.5,39.1,1.0,2.4,62.9,65.5,0.8,40.2,39.5,0.2,5.6,67.5,73.2] - [PKTLENS.....: 60,56,60,140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60] + [PKTLENS.....: 46,42,46,126,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46] + [ENTROPIES...: 4.4,4.7,4.3,5.6,4.7,4.6,5.5,4.6,4.7,5.6,4.4,4.7,4.6,5.5,4.7,4.8,5.6,4.4,4.7,4.7,5.5,4.7,4.7,5.6,4.4,4.7,4.7,5.5,4.7,4.8,5.6,4.4] analyse: [....13] [ip4][..tcp] [.192.168.56.101][17501] -> [...192.168.56.1][53524] [MQTT][RPC][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.074| 0.031| 0.027| 714.536| 0.000] - [PKTLEN......: 54.000| 140.000| 79.000| 33.200| 1105.200| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.074| 0.031| 0.027| 714.536| 4.300] + [PKTLEN......: 40.000| 126.000| 65.000| 33.200| 1105.200| 4.800] [BINS(c->s)..: 13,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1] [IATS(ms)....: 2.0,38.6,37.1,0.5,2.4,62.3,64.9,0.8,38.7,38.1,0.5,2.3,67.3,69.7,0.7,39.4,39.5,0.9,2.3,63.2,65.6,1.6,40.3,38.7,0.2,6.1,67.2,73.5,2.5,42.4,39.9] - [PKTLENS.....: 140,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114,54,58,140,60,60,54,114] + [PKTLENS.....: 126,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100,40,44,126,46,46,40,100] + [ENTROPIES...: 5.6,4.6,4.6,5.5,4.6,4.7,5.6,4.3,4.6,4.6,5.5,4.5,4.6,5.6,4.3,4.6,4.7,5.5,4.6,4.6,5.6,4.4,4.7,4.6,5.5,4.7,4.8,5.6,4.4,4.6,4.7,5.5] new: [....14] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] detected: [....14] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [....12] [ip4][..udp] [...192.168.56.1][50311] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.002| 0.118| 0.106| 0.019| 373.406| 0.000] - [PKTLEN......: 59.000| 143.000| 99.600| 38.600| 1486.700| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.002| 0.118| 0.106| 0.019| 373.406| 4.900] + [PKTLEN......: 45.000| 129.000| 85.600| 38.600| 1486.700| 4.800] [BINS(c->s)..: 0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 1.8,103.9,104.0,109.0,108.5,105.4,105.9,113.8,113.7,106.8,107.1,109.4,109.0,108.9,116.0,117.8,112.3,110.6,110.8,109.9,107.9,108.0,108.0,113.1,114.0,110.8,110.4,107.4,111.2,109.5,105.1] - [PKTLENS.....: 138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59] + [PKTLENS.....: 124,47,123,46,122,45,129,52,125,48,122,45,124,47,124,47,126,49,123,46,124,47,123,46,123,46,123,46,129,52,122,45] + [ENTROPIES...: 5.5,5.0,5.5,5.1,5.5,5.0,5.7,5.2,5.6,5.1,5.5,5.0,5.6,5.0,5.5,5.0,5.6,5.1,5.5,5.0,5.5,5.0,5.5,5.0,5.5,5.1,5.5,5.1,5.7,5.3,5.6,5.0] new: [....15] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] detected: [....15] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [....14] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.002| 0.128| 0.112| 0.021| 434.412| 0.000] - [PKTLEN......: 60.000| 142.000| 100.500| 38.500| 1485.600| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.002| 0.128| 0.112| 0.021| 434.412| 4.900] + [PKTLEN......: 46.000| 128.000| 86.500| 38.500| 1485.600| 4.900] [BINS(c->s)..: 0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 2.4,112.9,114.3,107.8,108.1,108.0,108.0,109.5,111.4,119.1,118.3,117.0,117.0,127.7,125.1,114.0,113.0,120.2,120.9,111.5,111.3,105.6,107.8,113.8,112.0,122.6,125.5,113.0,110.0,123.5,125.7] - [PKTLENS.....: 137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64] + [PKTLENS.....: 123,46,127,50,126,49,128,51,123,46,125,48,126,49,125,48,123,46,124,47,128,51,126,49,123,46,123,46,123,46,127,50] + [ENTROPIES...: 5.5,5.0,5.6,5.1,5.6,5.0,5.7,5.2,5.5,5.0,5.5,5.0,5.6,5.1,5.6,5.1,5.5,5.1,5.6,5.1,5.6,5.1,5.5,4.9,5.5,5.1,5.5,5.0,5.5,5.1,5.7,5.2] new: [....16] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] detected: [....16] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [....15] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 0.131| 0.117| 0.022| 500.202| 0.000] - [PKTLEN......: 60.000| 143.000| 101.200| 38.500| 1485.300| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 0.131| 0.117| 0.022| 500.202| 4.900] + [PKTLEN......: 46.000| 129.000| 87.200| 38.500| 1485.300| 4.900] [BINS(c->s)..: 0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 1.3,105.0,107.1,122.6,124.6,114.9,120.4,119.7,111.5,123.9,123.0,105.4,109.4,122.9,120.1,118.0,119.4,130.1,131.4,131.3,129.0,120.1,121.3,112.3,114.8,128.9,125.5,128.0,127.0,125.1,128.5] - [PKTLENS.....: 139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63] + [PKTLENS.....: 125,48,129,52,125,48,126,49,126,49,123,46,123,46,123,46,128,51,126,49,127,50,125,48,125,48,128,51,127,50,126,49] + [ENTROPIES...: 5.5,5.1,5.6,5.2,5.6,5.0,5.6,5.1,5.7,5.1,5.5,5.0,5.5,5.0,5.6,5.1,5.6,5.2,5.6,5.0,5.7,5.2,5.6,5.1,5.6,5.1,5.6,5.2,5.6,5.1,5.6,5.0] analyse: [....16] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.005| 0.172| 0.127| 0.026| 689.813| 0.000] - [PKTLEN......: 59.000| 143.000| 101.100| 38.600| 1487.100| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.005| 0.172| 0.127| 0.026| 689.813| 4.900] + [PKTLEN......: 45.000| 129.000| 87.100| 38.600| 1487.100| 4.900] [BINS(c->s)..: 0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 5.1,140.5,139.4,127.3,129.3,138.0,134.5,137.7,141.2,137.9,138.6,132.6,133.3,132.1,136.8,172.3,164.6,137.8,136.7,122.3,121.6,117.1,118.7,128.8,133.2,115.5,110.1,123.6,124.5,106.7,105.6] - [PKTLENS.....: 141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65] + [PKTLENS.....: 127,50,128,51,123,46,123,46,126,49,123,46,122,45,127,50,125,48,129,52,126,49,124,47,125,48,129,52,124,47,128,51] + [ENTROPIES...: 5.6,5.1,5.6,5.1,5.5,5.1,5.5,5.1,5.6,5.1,5.5,5.1,5.5,5.0,5.6,5.2,5.6,5.1,5.7,5.3,5.6,5.1,5.6,5.1,5.5,5.1,5.6,5.2,5.5,5.0,5.6,5.2] idle: [....12] [ip4][..udp] [...192.168.56.1][50311] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] idle: [....15] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] idle: [....14] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] diff --git a/test/results/flow-info/collectd.pcap.out b/test/results/flow-info/collectd.pcap.out index 87a17d965..1deed6e9f 100644 --- a/test/results/flow-info/collectd.pcap.out +++ b/test/results/flow-info/collectd.pcap.out @@ -34,14 +34,15 @@ update: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable] update: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable] analyse: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 10.000| 8.710| 3.352|11236716.577| 0.000] - [PKTLEN......: 1353.000| 1388.000| 1371.600| 10.800| 116.600| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 10.000| 8.710| 3.352| 11236716.577| 4.800] + [PKTLEN......: 1339.000| 1374.000| 1357.600| 10.800| 116.600| 5.000] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,26,4,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 9999.0,10000.5,9999.5,9999.9,9999.9,0.5,10000.0,10000.1,9999.7,10000.0,9999.9,10000.0,0.4,9999.8,9999.9,10000.1,9999.9,9999.8,10000.1,0.8,9999.6,9999.6,10000.2,10000.1,9999.9,9999.7,0.6,10000.1,9999.2,10000.4,9999.9] - [PKTLENS.....: 1385,1365,1371,1361,1365,1355,1369,1388,1379,1385,1386,1380,1386,1368,1375,1376,1353,1371,1368,1353,1365,1364,1367,1370,1384,1361,1381,1383,1388,1355,1359,1376] + [PKTLENS.....: 1371,1351,1357,1347,1351,1341,1355,1374,1365,1371,1372,1366,1372,1354,1361,1362,1339,1357,1354,1339,1351,1350,1353,1356,1370,1347,1367,1369,1374,1341,1345,1362] + [ENTROPIES...: 4.5,4.6,4.6,4.7,4.5,4.5,4.4,4.6,4.6,4.6,4.6,4.5,4.5,4.5,4.6,4.6,4.6,4.6,4.5,4.5,4.4,4.6,4.5,4.6,4.6,4.6,4.6,4.5,4.6,4.6,4.6,4.6] update: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable] update: [.....7] [ip4][..udp] [......127.0.0.1][35988] -> [......127.0.0.1][25826] [collectd][System][Acceptable] new: [.....8] [ip4][..udp] [......127.0.0.1][36832] -> [......127.0.0.1][25826] diff --git a/test/results/flow-info/dnp3.pcap.out b/test/results/flow-info/dnp3.pcap.out index 0f717b2f7..4b99ebe46 100644 --- a/test/results/flow-info/dnp3.pcap.out +++ b/test/results/flow-info/dnp3.pcap.out @@ -4,68 +4,73 @@ new: [.....1] [ip4][..tcp] [.......10.0.0.8][.2789] -> [.......10.0.0.3][20000] detected: [.....1] [ip4][..tcp] [.......10.0.0.8][.2789] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....1] [ip4][..tcp] [.......10.0.0.8][.2789] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 120.146| 12.647| 35.851|1285324797.903| 0.000] - [PKTLEN......: 60.000| 79.000| 66.200| 6.800| 46.800| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 120.146| 12.647| 35.851| 1285324797.903| 0.400] + [PKTLEN......: 46.000| 65.000| 52.200| 6.800| 46.800| 5.000] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0] [IATS(ms)....: 0.2,0.4,1.6,151.6,2891.9,0.8,3043.1,21.2,212.0,120145.7] - [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78] + [PKTLENS.....: 48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,55,55,55,65,65,65,46,46,46,57,57,57,46,46,46,64,64] + [ENTROPIES...: 4.3,4.3,4.3,4.7,4.7,4.7,4.1,4.1,4.1,4.9,4.9,4.9,4.1,4.1,4.1,4.8,4.8,4.8,5.1,5.1,5.1,4.1,4.1,4.1,4.8,4.8,4.8,4.1,4.1,4.1,4.9,4.9] DAEMON-EVENT: [Processed: 39 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....2] [ip4][..tcp] [.......10.0.0.8][.2803] -> [.......10.0.0.3][20000] detected: [.....2] [ip4][..tcp] [.......10.0.0.8][.2803] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....2] [ip4][..tcp] [.......10.0.0.8][.2803] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 17.487| 5.095| 6.400|40966232.736| 0.000] - [PKTLEN......: 60.000| 78.000| 64.800| 7.100| 50.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 17.487| 5.095| 6.400| 40966232.736| 2.200] + [PKTLEN......: 46.000| 64.000| 50.800| 7.100| 50.000| 5.000] [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1] [IATS(ms)....: 0.2,0.4,1.5,181.2,17203.3,17487.3,4814.1,4907.0,3276.8,3079.9] - [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60] + [PKTLENS.....: 48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,64,64,64,46,46,46,64,64,64,46,46,46,46,46,46,46,46] + [ENTROPIES...: 4.3,4.3,4.3,4.6,4.6,4.6,4.0,4.0,4.0,4.6,4.6,4.6,4.1,4.1,4.1,4.8,4.8,4.8,4.1,4.1,4.1,4.9,4.9,4.9,4.1,4.1,4.1,4.1,4.1,4.1,4.1,4.1] DAEMON-EVENT: [Processed: 78 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....3] [ip4][..tcp] [.......10.0.0.8][.2828] -> [.......10.0.0.3][20000] detected: [.....3] [ip4][..tcp] [.......10.0.0.8][.2828] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] end: [.....2] [ip4][..tcp] [.......10.0.0.8][.2803] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....3] [ip4][..tcp] [.......10.0.0.8][.2828] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 82.989| 8.549| 24.817|615875493.233| 0.000] - [PKTLEN......: 60.000| 79.000| 66.200| 6.800| 46.800| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 82.989| 8.549| 24.817| 615875493.233| 0.200] + [PKTLEN......: 46.000| 65.000| 52.200| 6.800| 46.800| 5.000] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0] [IATS(ms)....: 0.2,0.4,1.5,145.0,996.9,0.8,1141.4,10.3,204.1,82989.4] - [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,79,79,79,60,60,60,71,71,71,60,60,60,78,78] + [PKTLENS.....: 48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,55,55,55,65,65,65,46,46,46,57,57,57,46,46,46,64,64] + [ENTROPIES...: 4.2,4.2,4.2,4.7,4.7,4.7,4.1,4.1,4.1,4.9,4.9,4.9,4.1,4.1,4.1,4.8,4.8,4.8,5.1,5.1,5.1,4.2,4.2,4.2,4.8,4.8,4.8,4.1,4.1,4.1,4.9,4.9] DAEMON-EVENT: [Processed: 216 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....4] [ip4][..tcp] [.......10.0.0.9][.1080] -> [.......10.0.0.3][20000] idle: [.....1] [ip4][..tcp] [.......10.0.0.8][.2789] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] detected: [.....4] [ip4][..tcp] [.......10.0.0.9][.1080] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....4] [ip4][..tcp] [.......10.0.0.9][.1080] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 75.076| 22.122| 29.810|888614640.681| 0.000] - [PKTLEN......: 60.000| 77.000| 66.700| 5.900| 34.500| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 75.076| 22.122| 29.810| 888614640.681| 1.900] + [PKTLEN......: 46.000| 63.000| 52.700| 5.900| 34.500| 5.000] [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1] [IATS(ms)....: 0.2,0.4,75028.6,75076.4,0.5,48.2,0.6,153.0,35338.8,35569.8] - [PKTLENS.....: 62,62,62,62,62,62,60,60,60,69,69,69,71,71,71,71,71,71,60,60,60,77,77,77,60,60,60,72,72,72,71,71] + [PKTLENS.....: 48,48,48,48,48,48,46,46,46,55,55,55,57,57,57,57,57,57,46,46,46,63,63,63,46,46,46,58,58,58,57,57] + [ENTROPIES...: 4.2,4.2,4.2,4.7,4.7,4.7,4.2,4.2,4.2,4.9,4.9,4.9,4.7,4.7,4.7,4.8,4.8,4.8,4.2,4.2,4.2,4.9,4.9,4.9,4.2,4.2,4.2,4.9,4.9,4.9,4.7,4.7] DAEMON-EVENT: [Processed: 351 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....5] [ip4][..tcp] [.......10.0.0.8][.1086] -> [.......10.0.0.3][20000] detected: [.....5] [ip4][..tcp] [.......10.0.0.8][.1086] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....5] [ip4][..tcp] [.......10.0.0.8][.1086] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.639| 0.563| 1.000|999705.674| 0.000] - [PKTLEN......: 60.000| 79.000| 66.200| 6.800| 46.100| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.639| 0.563| 1.000| 999705.674| 1.500] + [PKTLEN......: 46.000| 65.000| 52.200| 6.800| 46.100| 5.000] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0] [IATS(ms)....: 0.1,0.3,1.3,168.6,2471.1,0.8,2639.4,99.8,232.2,15.3] - [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,69,69,69,78,78,78,60,60,60,71,71,71,60,60,60,79,79] + [PKTLENS.....: 48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,55,55,55,64,64,64,46,46,46,57,57,57,46,46,46,65,65] + [ENTROPIES...: 4.2,4.2,4.2,4.7,4.7,4.7,4.1,4.1,4.1,4.9,4.9,4.9,4.2,4.2,4.2,4.8,4.8,4.8,4.9,4.9,4.9,4.1,4.1,4.1,4.8,4.8,4.8,4.2,4.2,4.2,5.1,5.1] idle: [.....3] [ip4][..tcp] [.......10.0.0.8][.2828] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] DAEMON-EVENT: [Processed: 444 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] @@ -79,27 +84,29 @@ detected: [.....7] [ip4][..tcp] [.......10.0.0.8][.1184] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] idle: [.....5] [ip4][..tcp] [.......10.0.0.8][.1086] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....7] [ip4][..tcp] [.......10.0.0.8][.1184] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 9.488| 2.471| 3.592|12904304.738| 0.000] - [PKTLEN......: 60.000| 78.000| 66.800| 7.000| 48.700| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 9.488| 2.471| 3.592| 12904304.738| 1.900] + [PKTLEN......: 46.000| 64.000| 52.800| 7.000| 48.700| 5.000] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0] [IATS(ms)....: 0.2,0.4,1.4,192.8,9227.0,9487.8,187.1,2636.4,2814.1,167.8] - [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,71,71,71,60,60,60,78,78,78,71,71,71,60,60] + [PKTLENS.....: 48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,64,64,64,57,57,57,46,46,46,64,64,64,57,57,57,46,46] + [ENTROPIES...: 4.2,4.2,4.2,4.6,4.6,4.6,4.0,4.0,4.0,4.8,4.8,4.8,4.1,4.1,4.1,4.9,4.9,4.9,4.9,4.9,4.9,4.1,4.1,4.1,4.9,4.9,4.9,4.9,4.9,4.9,4.1,4.1] DAEMON-EVENT: [Processed: 504 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 7|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 1] new: [.....8] [ip4][..tcp] [.......10.0.0.9][.1084] -> [.......10.0.0.3][20000] detected: [.....8] [ip4][..tcp] [.......10.0.0.9][.1084] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] analyse: [.....8] [ip4][..tcp] [.......10.0.0.9][.1084] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.963| 1.541| 1.422|2023320.715| 0.000] - [PKTLEN......: 60.000| 78.000| 64.800| 7.100| 50.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.963| 1.541| 1.422| 2023320.715| 2.500] + [PKTLEN......: 46.000| 64.000| 50.800| 7.100| 50.000| 5.000] [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1] [IATS(ms)....: 0.2,0.4,1.5,125.3,3672.1,3963.2,1744.3,1702.4,2163.8,2038.6] - [PKTLENS.....: 62,62,62,62,62,62,60,60,60,71,71,71,60,60,60,78,78,78,60,60,60,78,78,78,60,60,60,60,60,60,60,60] + [PKTLENS.....: 48,48,48,48,48,48,46,46,46,57,57,57,46,46,46,64,64,64,46,46,46,64,64,64,46,46,46,46,46,46,46,46] + [ENTROPIES...: 4.2,4.2,4.2,4.6,4.6,4.6,4.1,4.1,4.1,4.9,4.9,4.9,4.1,4.1,4.1,4.9,4.9,4.9,4.2,4.2,4.2,5.0,5.0,5.0,4.1,4.1,4.1,4.1,4.1,4.1,4.2,4.2] end: [.....8] [ip4][..tcp] [.......10.0.0.9][.1084] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] idle: [.....6] [ip4][..tcp] [.......10.0.0.8][.1159] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] idle: [.....7] [ip4][..tcp] [.......10.0.0.8][.1184] -> [.......10.0.0.3][20000] [DNP3][IoT-Scada][Acceptable] diff --git a/test/results/flow-info/dns-tunnel-iodine.pcap.out b/test/results/flow-info/dns-tunnel-iodine.pcap.out index 618d7b867..96f2b3993 100644 --- a/test/results/flow-info/dns-tunnel-iodine.pcap.out +++ b/test/results/flow-info/dns-tunnel-iodine.pcap.out @@ -6,14 +6,15 @@ detection-update: [.....1] [ip4][..udp] [......10.0.2.30][44639] -> [......10.0.2.20][...53] [DNS][Network][Acceptable] RISK: Suspicious DNS Traffic analyse: [.....1] [ip4][..udp] [......10.0.2.30][44639] -> [......10.0.2.20][...53] [DNS][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.003| 0.162| 0.368|135658.824| 0.000] - [PKTLEN......: 82.000| 1476.000| 246.600| 286.600|82112.700| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.003| 0.162| 0.368| 135658.824| 2.400] + [PKTLEN......: 68.000| 1462.000| 232.600| 286.600| 82112.700| 4.400] [BINS(c->s)..: 0,6,4,1,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,4,1,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,0,0,0] [IATS(ms)....: 0.1,0.9,1.1,5.8,5.7,0.4,0.3,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.2,0.3,0.6,0.4,0.2,0.3,0.5,0.4,0.2,0.2,1001.7,1002.3,1001.5,1003.0,1002.5] - [PKTLENS.....: 82,103,103,144,88,137,123,166,132,184,138,196,118,156,134,188,88,96,88,95,88,93,323,1092,323,1476,323,323,323,323,323,323] + [PKTLENS.....: 68,89,89,130,74,123,109,152,118,170,124,182,104,142,120,174,74,82,74,81,74,79,309,1078,309,1462,309,309,309,309,309,309] + [ENTROPIES...: 4.2,4.5,4.8,4.9,4.0,5.1,4.6,4.8,4.7,4.8,5.5,5.9,5.1,5.4,5.6,5.9,4.1,4.4,4.1,4.3,4.0,4.3,4.1,7.5,3.3,7.6,4.1,4.1,4.1,4.1,4.1,4.1] idle: [.....1] [ip4][..udp] [......10.0.2.30][44639] -> [......10.0.2.20][...53] [DNS][Network][Acceptable] RISK: Suspicious DNS Traffic DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/dns_doh.pcap.out b/test/results/flow-info/dns_doh.pcap.out index 293c91776..1de92abe0 100644 --- a/test/results/flow-info/dns_doh.pcap.out +++ b/test/results/flow-info/dns_doh.pcap.out @@ -5,13 +5,14 @@ detected: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Network][Fun] detection-update: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Network][Fun] analyse: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Network][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.535| 0.064| 0.132|17379.013| 0.000] - [PKTLEN......: 54.000| 1354.000| 230.900| 327.300|107137.200| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.535| 0.064| 0.132| 17379.013| 3.000] + [PKTLEN......: 40.000| 1340.000| 216.900| 327.300| 107137.200| 3.900] [BINS(c->s)..: 9,2,3,1,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1] [IATS(ms)....: 87.1,87.2,1.8,92.2,0.0,0.0,90.4,0.5,1.5,0.9,26.1,0.9,0.1,0.1,102.7,7.8,0.0,0.0,83.4,0.0,17.9,147.6,535.3,0.7,88.8,0.1,525.4,0.0,10.7,0.0] - [PKTLENS.....: 78,66,54,571,54,1354,1354,54,54,503,54,118,224,297,133,54,591,404,85,54,54,54,85,54,116,147,116,157,54,54,258,85] + [PKTLENS.....: 64,52,40,557,40,1340,1340,40,40,489,40,104,210,283,119,40,577,390,71,40,40,40,71,40,102,133,102,143,40,40,244,71] + [ENTROPIES...: 4.4,4.8,4.5,5.4,4.7,7.8,7.9,4.6,4.5,7.5,4.6,5.7,6.9,7.2,6.3,4.7,7.6,7.4,5.7,4.7,4.7,4.7,5.7,4.8,6.1,6.4,6.0,6.4,4.8,4.7,7.1,5.6] idle: [.....1] [ip4][..tcp] [....172.20.10.4][49877] -> [.104.16.248.249][..443] [TLS.DoH_DoT][Network][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/dns_exfiltration.pcap.out b/test/results/flow-info/dns_exfiltration.pcap.out index b0b49f6f9..8332eb8b6 100644 --- a/test/results/flow-info/dns_exfiltration.pcap.out +++ b/test/results/flow-info/dns_exfiltration.pcap.out @@ -7,14 +7,15 @@ detection-update: [.....1] [ip4][..udp] [.192.168.220.56][56373] -> [192.168.203.167][...53] [DNS][Network][Acceptable] RISK: Suspicious DGA Domain name, Risky Domain Name analyse: [.....1] [ip4][..udp] [.192.168.220.56][56373] -> [192.168.203.167][...53] [DNS][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.004| 1.036| 0.914| 0.282|79410.348| 0.000] - [PKTLEN......: 101.000| 386.000| 146.400| 59.100| 3497.900| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.004| 1.036| 0.914| 0.282| 79410.348| 4.800] + [PKTLEN......: 87.000| 372.000| 132.400| 59.100| 3497.900| 4.900] [BINS(c->s)..: 0,13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,13,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 170.6,1035.5,866.5,1015.3,1015.6,4.6,4.0,1010.0,1010.4,1009.2,1009.1,1008.5,1008.4,1009.5,1009.4,1008.0,1008.1,1008.7,1008.6,1009.8,1009.8,1010.0,1010.1,1009.0,1008.9,1008.5,1008.4,1007.7,1007.8,1008.8,1008.7] - [PKTLENS.....: 215,386,166,286,136,193,101,148,101,148,101,156,101,148,101,158,101,158,101,156,101,148,101,158,101,158,101,158,101,148,101,148] + [PKTLENS.....: 201,372,152,272,122,179,87,134,87,134,87,142,87,134,87,144,87,144,87,142,87,134,87,144,87,144,87,144,87,134,87,134] + [ENTROPIES...: 4.7,4.7,4.8,4.8,4.7,4.9,4.7,4.9,4.6,4.8,4.6,4.9,4.6,4.8,4.6,4.9,4.6,4.8,4.6,4.8,4.6,4.8,4.7,4.9,4.6,4.9,4.6,4.9,4.7,4.8,4.5,4.9] update: [.....1] [ip4][..udp] [.192.168.220.56][56373] -> [192.168.203.167][...53] [DNS][Network][Acceptable] RISK: Suspicious DGA Domain name, Risky Domain Name idle: [.....1] [ip4][..udp] [.192.168.220.56][56373] -> [192.168.203.167][...53] [DNS][Network][Acceptable] diff --git a/test/results/flow-info/doq_adguard.pcapng.out b/test/results/flow-info/doq_adguard.pcapng.out index cc2b34a0c..1bbbdf5d1 100644 --- a/test/results/flow-info/doq_adguard.pcapng.out +++ b/test/results/flow-info/doq_adguard.pcapng.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..udp] [.192.168.12.169][41070] -> [...94.140.14.14][..784] detected: [.....1] [ip4][..udp] [.192.168.12.169][41070] -> [...94.140.14.14][..784] [QUIC.DoH_DoT][Network][Fun] analyse: [.....1] [ip4][..udp] [.192.168.12.169][41070] -> [...94.140.14.14][..784] [QUIC.DoH_DoT][Network][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.885| 0.161| 0.453|205274.628| 0.000] - [PKTLEN......: 73.000| 1294.000| 456.800| 522.900|273444.500| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.885| 0.161| 0.453| 205274.628| 2.400] + [PKTLEN......: 59.000| 1280.000| 442.800| 522.900| 273444.500| 4.100] [BINS(c->s)..: 4,8,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,5,0,0,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,2,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,1,1,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1] [IATS(ms)....: 36.5,41.7,43.2,0.1,0.0,41.9,6.7,38.4,6.6,58.7,0.0,206.5,0.0,419.1,0.1,0.7,29.2,153.2,0.1,8.2,0.1,10.5,39.6,0.1,37.0,45.0,51.5,1830.4,0.1,0.0,1885.3] - [PKTLENS.....: 1274,182,1274,1294,1294,1284,97,98,198,95,1284,1284,1284,1284,269,73,97,98,83,306,154,100,73,83,437,73,84,73,101,103,103,83] + [PKTLENS.....: 1260,168,1260,1280,1280,1270,83,84,184,81,1270,1270,1270,1270,255,59,83,84,69,292,140,86,59,69,423,59,70,59,87,89,89,69] + [ENTROPIES...: 7.8,6.7,7.9,7.8,7.8,7.8,5.8,5.7,6.8,5.8,7.8,7.8,7.8,7.8,7.2,5.6,5.8,5.8,5.7,7.2,6.7,6.0,5.6,5.7,7.4,5.5,5.7,5.4,6.0,6.1,6.1,5.6] idle: [.....1] [ip4][..udp] [.192.168.12.169][41070] -> [...94.140.14.14][..784] [QUIC.DoH_DoT][Network][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/dos_win98_smb_netbeui.pcap.out b/test/results/flow-info/dos_win98_smb_netbeui.pcap.out index 47c71d3da..470c9cb9a 100644 --- a/test/results/flow-info/dos_win98_smb_netbeui.pcap.out +++ b/test/results/flow-info/dos_win98_smb_netbeui.pcap.out @@ -179,14 +179,15 @@ ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type analyse: [.....3] [ip4][..udp] [192.168.239.129][..137] -> [192.168.239.255][..137] [NetBIOS][System][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 96.434| 4.235| 17.262|297969697.948| 0.000] - [PKTLEN......: 110.000| 110.000| 110.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 96.434| 4.235| 17.262| 297969697.948| 1.500] + [PKTLEN......: 96.000| 96.000| 96.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 0.5,0.1,39.0,710.2,0.1,0.0,39.5,709.8,0.1,0.0,40.3,710.1,0.1,0.1,40.0,760.7,749.9,749.1,750.1,96434.4,763.9,760.0,756.0,755.2,752.2,756.6,760.0,22000.9,749.9,749.9,755.0] - [PKTLENS.....: 110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110,110] + [PKTLENS.....: 96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96,96] + [ENTROPIES...: 4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.3,4.3,4.3,4.3,4.3,4.3,4.3,4.2,4.4,4.4,4.4,4.4,4.3,4.3,4.3,4.3] idle: [.....2] [ip4][.icmp] [192.168.239.129] -> [......224.0.0.2] [ICMP][Network][Acceptable] idle: [.....3] [ip4][..udp] [192.168.239.129][..137] -> [192.168.239.255][..137] [NetBIOS][System][Acceptable] idle: [.....1] [ip4][..udp] [192.168.239.129][..137] -> [..192.168.239.2][..137] [NetBIOS][System][Acceptable] diff --git a/test/results/flow-info/drda_db2.pcap.out b/test/results/flow-info/drda_db2.pcap.out index 5dd8b4b7c..25f6eef0d 100644 --- a/test/results/flow-info/drda_db2.pcap.out +++ b/test/results/flow-info/drda_db2.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [..192.168.106.1][.4847] -> [192.168.106.128][50000] detected: [.....1] [ip4][..tcp] [..192.168.106.1][.4847] -> [192.168.106.128][50000] [DRDA][Database][Acceptable] analyse: [.....1] [ip4][..tcp] [..192.168.106.1][.4847] -> [192.168.106.128][50000] [DRDA][Database][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 17.986| 1.315| 4.366|19063346.561| 0.000] - [PKTLEN......: 54.000| 717.000| 197.000| 190.600|36335.200| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 17.986| 1.315| 4.366| 19063346.561| 1.800] + [PKTLEN......: 40.000| 703.000| 183.000| 190.600| 36335.200| 4.300] [BINS(c->s)..: 10,0,1,0,0,1,0,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,4,0,1,0,0,0,1,0,0,0,0,2,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0] [IATS(ms)....: 0.5,0.5,117.3,117.7,0.7,9.1,43.4,966.1,1129.7,349.3,477.6,7.5,71.6,64.4,182.7,413.2,622.4,30.3,5.5,2.6,0.5,1.6,2.0,1.6,1.1,154.3,17828.3,17986.1,9.9,7.0,168.4] - [PKTLENS.....: 62,62,54,229,54,161,318,54,295,54,717,54,524,64,108,54,296,684,144,65,64,108,322,455,64,108,54,383,466,64,108,54] + [PKTLENS.....: 48,48,40,215,40,147,304,40,281,40,703,40,510,50,94,40,282,670,130,51,50,94,308,441,50,94,40,369,452,50,94,40] + [ENTROPIES...: 4.4,4.7,4.7,5.6,4.7,5.5,5.5,4.6,5.4,4.7,5.5,4.7,4.4,4.8,5.0,4.8,5.6,5.1,4.7,4.9,4.8,5.0,5.4,4.3,4.8,5.0,4.7,5.0,4.3,4.8,5.1,4.6] end: [.....1] [ip4][..tcp] [..192.168.106.1][.4847] -> [192.168.106.128][50000] [DRDA][Database][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/dropbox.pcap.out b/test/results/flow-info/dropbox.pcap.out index 33bb4d167..ebfc6bf20 100644 --- a/test/results/flow-info/dropbox.pcap.out +++ b/test/results/flow-info/dropbox.pcap.out @@ -6,45 +6,49 @@ new: [.....2] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] detected: [.....2] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [.....1] [ip4][..udp] [...192.168.56.1][50311] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.002| 0.118| 0.106| 0.019| 373.406| 0.000] - [PKTLEN......: 59.000| 143.000| 99.600| 38.600| 1486.700| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.002| 0.118| 0.106| 0.019| 373.406| 4.900] + [PKTLEN......: 45.000| 129.000| 85.600| 38.600| 1486.700| 4.800] [BINS(c->s)..: 0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 1.8,103.9,104.0,109.0,108.5,105.4,105.9,113.8,113.7,106.8,107.1,109.4,109.0,108.9,116.0,117.8,112.3,110.6,110.8,109.9,107.9,108.0,108.0,113.1,114.0,110.8,110.4,107.4,111.2,109.5,105.1] - [PKTLENS.....: 138,61,137,60,136,59,143,66,139,62,136,59,138,61,138,61,140,63,137,60,138,61,137,60,137,60,137,60,143,66,136,59] + [PKTLENS.....: 124,47,123,46,122,45,129,52,125,48,122,45,124,47,124,47,126,49,123,46,124,47,123,46,123,46,123,46,129,52,122,45] + [ENTROPIES...: 5.5,5.0,5.5,5.1,5.5,5.0,5.7,5.2,5.6,5.1,5.5,5.0,5.6,5.0,5.5,5.0,5.6,5.1,5.5,5.0,5.5,5.0,5.5,5.0,5.5,5.1,5.5,5.1,5.7,5.3,5.6,5.0] new: [.....3] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] detected: [.....3] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [.....2] [ip4][..udp] [...192.168.56.1][50318] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.002| 0.128| 0.112| 0.021| 434.412| 0.000] - [PKTLEN......: 60.000| 142.000| 100.500| 38.500| 1485.600| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.002| 0.128| 0.112| 0.021| 434.412| 4.900] + [PKTLEN......: 46.000| 128.000| 86.500| 38.500| 1485.600| 4.900] [BINS(c->s)..: 0,0,6,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 2.4,112.9,114.3,107.8,108.1,108.0,108.0,109.5,111.4,119.1,118.3,117.0,117.0,127.7,125.1,114.0,113.0,120.2,120.9,111.5,111.3,105.6,107.8,113.8,112.0,122.6,125.5,113.0,110.0,123.5,125.7] - [PKTLENS.....: 137,60,141,64,140,63,142,65,137,60,139,62,140,63,139,62,137,60,138,61,142,65,140,63,137,60,137,60,137,60,141,64] + [PKTLENS.....: 123,46,127,50,126,49,128,51,123,46,125,48,126,49,125,48,123,46,124,47,128,51,126,49,123,46,123,46,123,46,127,50] + [ENTROPIES...: 5.5,5.0,5.6,5.1,5.6,5.0,5.7,5.2,5.5,5.0,5.5,5.0,5.6,5.1,5.6,5.1,5.5,5.1,5.6,5.1,5.6,5.1,5.5,4.9,5.5,5.1,5.5,5.0,5.5,5.1,5.7,5.2] new: [.....4] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] detected: [.....4] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] analyse: [.....3] [ip4][..udp] [...192.168.56.1][50312] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 0.131| 0.117| 0.022| 500.202| 0.000] - [PKTLEN......: 60.000| 143.000| 101.200| 38.500| 1485.300| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 0.131| 0.117| 0.022| 500.202| 4.900] + [PKTLEN......: 46.000| 129.000| 87.200| 38.500| 1485.300| 4.900] [BINS(c->s)..: 0,0,3,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 1.3,105.0,107.1,122.6,124.6,114.9,120.4,119.7,111.5,123.9,123.0,105.4,109.4,122.9,120.1,118.0,119.4,130.1,131.4,131.3,129.0,120.1,121.3,112.3,114.8,128.9,125.5,128.0,127.0,125.1,128.5] - [PKTLENS.....: 139,62,143,66,139,62,140,63,140,63,137,60,137,60,137,60,142,65,140,63,141,64,139,62,139,62,142,65,141,64,140,63] + [PKTLENS.....: 125,48,129,52,125,48,126,49,126,49,123,46,123,46,123,46,128,51,126,49,127,50,125,48,125,48,128,51,127,50,126,49] + [ENTROPIES...: 5.5,5.1,5.6,5.2,5.6,5.0,5.6,5.1,5.7,5.1,5.5,5.0,5.5,5.0,5.6,5.1,5.6,5.2,5.6,5.0,5.7,5.2,5.6,5.1,5.6,5.1,5.6,5.2,5.6,5.1,5.6,5.0] analyse: [.....4] [ip4][..udp] [...192.168.56.1][50319] -> [.192.168.56.101][17500] [Dropbox][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.005| 0.172| 0.127| 0.026| 689.813| 0.000] - [PKTLEN......: 59.000| 143.000| 101.100| 38.600| 1487.100| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.005| 0.172| 0.127| 0.026| 689.813| 4.900] + [PKTLEN......: 45.000| 129.000| 87.100| 38.600| 1487.100| 4.900] [BINS(c->s)..: 0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 5.1,140.5,139.4,127.3,129.3,138.0,134.5,137.7,141.2,137.9,138.6,132.6,133.3,132.1,136.8,172.3,164.6,137.8,136.7,122.3,121.6,117.1,118.7,128.8,133.2,115.5,110.1,123.6,124.5,106.7,105.6] - [PKTLENS.....: 141,64,142,65,137,60,137,60,140,63,137,60,136,59,141,64,139,62,143,66,140,63,138,61,139,62,143,66,138,61,142,65] + [PKTLENS.....: 127,50,128,51,123,46,123,46,126,49,123,46,122,45,127,50,125,48,129,52,126,49,124,47,125,48,129,52,124,47,128,51] + [ENTROPIES...: 5.6,5.1,5.6,5.1,5.5,5.1,5.5,5.1,5.6,5.1,5.5,5.1,5.5,5.0,5.6,5.2,5.6,5.1,5.7,5.3,5.6,5.1,5.6,5.1,5.5,5.1,5.6,5.2,5.5,5.0,5.6,5.2] DAEMON-EVENT: [Processed: 800 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....5] [ip4][..udp] [..192.168.1.105][55407] -> [..192.168.1.254][...53] diff --git a/test/results/flow-info/emotet.pcap.out b/test/results/flow-info/emotet.pcap.out index 251633348..0af7f09a8 100644 --- a/test/results/flow-info/emotet.pcap.out +++ b/test/results/flow-info/emotet.pcap.out @@ -4,27 +4,29 @@ new: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] detected: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable] analyse: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.056| 0.539| 0.774|599161.176| 0.000] - [PKTLEN......: 54.000| 752.000| 94.800| 121.900|14849.500| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.056| 0.539| 0.774| 599161.176| 3.700] + [PKTLEN......: 40.000| 738.000| 80.800| 121.900| 14849.500| 4.300] [BINS(c->s)..: 8,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0] [IATS(ms)....: 749.5,749.7,1106.3,1106.8,0.8,369.8,370.6,0.9,325.6,326.2,0.5,0.3,0.7,841.2,842.4,0.9,0.4,0.4,3054.7,3056.4,1.6,247.2,247.8,0.5,1205.1,1205.6,0.4,443.0,443.6,0.7,0.3] - [PKTLENS.....: 66,58,54,108,75,54,214,66,54,72,86,54,56,54,72,70,54,56,54,94,91,54,100,87,54,101,60,54,62,93,54,752] + [PKTLENS.....: 52,44,40,94,61,40,200,52,40,58,72,40,42,40,58,56,40,42,40,80,77,40,86,73,40,87,46,40,48,79,40,738] + [ENTROPIES...: 4.6,5.0,5.0,5.5,5.4,4.8,5.7,5.4,4.8,5.5,5.7,4.8,5.0,4.7,5.3,5.4,4.8,4.9,4.8,5.3,5.6,4.8,5.4,5.6,4.8,5.5,5.1,4.8,5.1,5.3,4.8,5.6] DAEMON-EVENT: [Processed: 626 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] detected: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable] analyse: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.204| 0.029| 0.060| 3581.477| 0.000] - [PKTLEN......: 54.000| 1415.000| 834.000| 663.100|439751.800| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.204| 0.029| 0.060| 3581.477| 2.700] + [PKTLEN......: 40.000| 1401.000| 820.000| 663.100| 439751.800| 4.400] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0] [IATS(ms)....: 115.8,115.9,0.3,0.5,204.2,0.1,204.4,0.4,0.2,0.6,0.2,0.2,0.4,0.2,0.5,0.7,0.2,0.2,0.5,115.0,0.2,115.3,0.3,0.3,0.6,9.2,0.2,9.5,0.5,0.2,0.7] - [PKTLENS.....: 66,58,54,500,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54,1415,1415,54] + [PKTLENS.....: 52,44,40,486,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40,1401,1401,40] + [ENTROPIES...: 4.7,4.9,4.7,5.8,4.6,7.4,7.7,4.7,7.8,7.8,4.7,7.8,7.9,4.7,7.8,7.9,4.8,7.8,7.9,4.7,7.9,7.8,4.8,7.9,7.9,4.8,7.9,7.8,4.7,7.8,7.8,4.8] end: [.....1] [ip4][..tcp] [....10.2.25.102][57309] -> [..193.252.22.84][..587] [SMTP][Email][Acceptable] DAEMON-EVENT: [Processed: 834 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] @@ -33,14 +35,15 @@ detection-update: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable] RISK: Binary App Transfer analyse: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.261| 0.031| 0.066| 4320.020| 0.000] - [PKTLEN......: 60.000| 1442.000| 671.700| 680.400|462891.900| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.261| 0.031| 0.066| 4320.020| 3.000] + [PKTLEN......: 46.000| 1428.000| 657.700| 680.400| 462891.900| 4.100] [BINS(c->s)..: 16,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 97.3,97.5,0.4,260.9,260.4,3.2,3.2,9.5,9.5,6.2,0.1,6.3,0.1,0.1,0.1,0.2,0.1,0.1,0.2,0.2,0.0,2.6,2.7,60.6,60.7,9.9,9.8,15.1,15.1,12.9,12.9] - [PKTLENS.....: 66,62,60,279,1442,60,1442,60,1442,60,1442,1442,60,1442,60,1442,60,1442,60,1442,60,60,1442,60,1442,60,1442,60,1442,60,1442,60] + [PKTLENS.....: 52,48,46,265,1428,46,1428,46,1428,46,1428,1428,46,1428,46,1428,46,1428,46,1428,46,46,1428,46,1428,46,1428,46,1428,46,1428,46] + [ENTROPIES...: 4.6,5.0,4.3,5.7,4.8,4.4,5.5,4.3,6.0,4.3,6.0,6.2,4.3,5.9,4.4,4.4,4.4,4.5,4.3,4.5,4.4,4.4,4.6,4.4,4.5,4.4,4.5,4.3,4.6,4.3,4.6,4.4] end: [.....2] [ip4][..tcp] [....10.3.29.101][56309] -> [.104.161.127.22][...80] [HTTP][Web][Acceptable] DAEMON-EVENT: [Processed: 1663 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 3|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] @@ -50,14 +53,15 @@ detection-update: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Download][Acceptable] RISK: Binary App Transfer, HTTP Suspicious User-Agent analyse: [.....4] [ip4][..tcp] [....10.4.25.101][49797] -> [..77.105.36.156][...80] [HTTP][Download][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.292| 0.042| 0.080| 6342.811| 0.000] - [PKTLEN......: 60.000| 1442.000| 892.900| 652.600|425943.000| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.292| 0.042| 0.080| 6342.811| 2.900] + [PKTLEN......: 46.000| 1428.000| 878.900| 652.600| 425943.000| 4.500] [BINS(c->s)..: 9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,18,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0] [IATS(ms)....: 184.2,184.5,0.2,171.8,120.6,0.1,0.1,292.2,2.7,0.1,0.1,0.1,2.9,2.7,0.1,0.1,3.0,164.7,0.1,0.1,164.8,2.8,0.1,0.1,3.0,2.9,0.1,0.1,0.2,3.2,0.1] - [PKTLENS.....: 66,66,60,206,60,626,1442,1442,60,1442,1442,1442,1114,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,60,1442,1442,1442,1442,60,60] + [PKTLENS.....: 52,52,46,192,46,612,1428,1428,46,1428,1428,1428,1100,46,1428,1428,1428,46,1428,1428,1428,46,1428,1428,1428,46,1428,1428,1428,1428,46,46] + [ENTROPIES...: 4.7,4.8,4.5,5.7,4.4,5.6,4.0,5.1,4.5,5.1,5.0,5.3,5.5,4.5,5.1,5.2,5.5,4.5,5.2,5.1,5.3,4.5,5.4,5.1,5.1,4.4,5.2,5.4,5.4,4.9,4.5,4.4] end: [.....3] [ip4][..tcp] [....10.4.20.102][54319] -> [107.161.178.210][...80] [HTTP][Web][Acceptable] RISK: Binary App Transfer new: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] @@ -66,14 +70,15 @@ detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe] RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn analyse: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.263| 0.117| 0.292|85184.340| 0.000] - [PKTLEN......: 60.000| 1442.000| 696.000| 663.200|439900.200| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.263| 0.117| 0.292| 85184.340| 2.700] + [PKTLEN......: 46.000| 1428.000| 682.000| 663.200| 439900.200| 4.200] [BINS(c->s)..: 11,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,1,1,0,0,0,1,1] [IATS(ms)....: 109.4,109.6,14.1,123.8,13.2,122.9,52.7,132.9,80.3,6.5,151.9,1117.1,0.1,0.2,1262.5,0.1,2.9,0.1,3.1,96.9,0.1,96.9,3.1,0.1,0.2,0.1,3.3,0.1,2.9,0.1] - [PKTLENS.....: 66,66,60,203,60,1432,60,147,296,60,534,60,1442,1442,1442,60,60,1442,1442,66,1442,1442,74,1442,1442,1442,1442,74,74,74,1442,1442] + [PKTLENS.....: 52,52,46,189,46,1418,46,133,282,46,520,46,1428,1428,1428,46,46,1428,1428,52,1428,1428,60,1428,1428,1428,1428,60,60,60,1428,1428] + [ENTROPIES...: 4.7,4.9,4.5,5.4,4.6,7.5,4.6,5.9,7.1,4.5,7.5,4.5,7.9,7.9,7.9,4.5,4.5,7.9,7.9,5.0,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,5.1,5.1,7.8,7.9] detection-update: [.....5] [ip4][..tcp] [....10.4.25.101][49803] -> [138.197.147.101][..443] [TLS][Web][Safe] RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn new: [.....6] [ip4][..tcp] [....10.4.25.101][49804] -> [138.197.147.101][..443] diff --git a/test/results/flow-info/ethereum.pcap.out b/test/results/flow-info/ethereum.pcap.out index 6fd239ca7..6db558b01 100644 --- a/test/results/flow-info/ethereum.pcap.out +++ b/test/results/flow-info/ethereum.pcap.out @@ -56,26 +56,28 @@ detected: [....26] [ip4][..udp] [..192.168.1.184][30303] -> [...128.0.51.140][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....13] [ip4][..tcp] [..192.168.1.184][56615] -> [.35.158.244.151][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.063| 0.008| 0.018| 335.828| 0.000] - [PKTLEN......: 60.000| 561.000| 105.200| 114.100|13011.400| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.063| 0.008| 0.018| 335.828| 2.400] + [PKTLEN......: 46.000| 547.000| 91.200| 114.100| 13011.400| 4.400] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 42.9,43.0,2.2,63.5,0.8,0.0,62.1,0.0,0.4,0.3,0.4,0.4,0.1,0.0,0.1,0.0,0.1,0.2,0.3,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,27.6,0.0] - [PKTLENS.....: 78,74,66,561,66,514,98,66,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60] + [PKTLENS.....: 64,60,52,547,52,500,84,52,52,53,52,54,52,65,68,52,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46] + [ENTROPIES...: 4.5,5.3,5.0,7.6,5.2,7.6,5.9,5.1,5.1,5.3,5.1,5.3,5.1,5.5,5.7,5.1,5.1,5.2,5.1,5.8,5.2,6.7,5.2,5.5,5.9,5.2,5.2,5.5,5.5,5.1,3.7,3.7] new: [....27] [ip4][..tcp] [..192.168.1.184][56630] -> [..40.67.144.128][30303] detected: [....24] [ip4][..tcp] [..192.168.1.184][56628] -> [....3.209.45.79][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....22] [ip4][..tcp] [..192.168.1.184][56626] -> [178.128.195.220][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.063| 0.009| 0.019| 355.411| 0.000] - [PKTLEN......: 66.000| 612.000| 121.800| 122.800|15078.800| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.063| 0.009| 0.019| 355.411| 2.700] + [PKTLEN......: 52.000| 598.000| 107.800| 122.800| 15078.800| 4.400] [BINS(c->s)..: 14,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1] [IATS(ms)....: 42.9,43.0,1.9,62.9,2.0,0.0,0.0,0.0,0.0,63.0,0.0,0.0,0.0,0.1,0.1,0.0,1.3,0.0,0.1,0.0,0.1,0.4,0.0,0.0,0.0,0.1,32.2,0.0,0.0,30.2,0.8] - [PKTLENS.....: 78,74,66,612,66,470,98,67,222,69,66,66,66,66,82,66,66,98,67,190,69,82,98,67,114,81,82,78,78,78,338,78] + [PKTLENS.....: 64,60,52,598,52,456,84,53,208,55,52,52,52,52,68,52,52,84,53,176,55,68,84,53,100,67,68,64,64,64,324,64] + [ENTROPIES...: 4.4,5.4,5.1,7.7,5.2,7.5,6.0,5.2,6.9,5.3,5.1,5.0,5.0,5.0,5.5,5.0,5.0,5.9,5.0,6.8,5.2,5.4,5.9,5.0,6.0,5.4,5.4,5.2,5.2,5.2,7.3,5.2] detected: [.....9] [ip4][..tcp] [..192.168.1.184][56612] -> [...66.42.82.246][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol detected: [....25] [ip4][..tcp] [..192.168.1.184][56629] -> [....51.38.60.79][30303] [Mining][Mining][Unsafe] @@ -88,14 +90,15 @@ detected: [....11] [ip4][..tcp] [..192.168.1.184][56611] -> [..104.42.217.25][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....23] [ip4][..tcp] [..192.168.1.184][56627] -> [..34.255.23.113][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.070| 0.011| 0.024| 583.849| 0.000] - [PKTLEN......: 60.000| 578.000| 104.300| 111.300|12394.700| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.070| 0.011| 0.024| 583.849| 2.400] + [PKTLEN......: 46.000| 564.000| 90.300| 111.300| 12394.700| 4.400] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 70.0,70.2,1.4,62.1,2.1,0.0,0.0,0.0,0.0,0.0,62.7,0.0,0.0,0.0,0.0,0.0,0.1,0.1,0.6,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.1,0.0,63.7,0.0] - [PKTLENS.....: 78,74,66,578,66,468,98,67,68,79,82,66,66,66,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60] + [PKTLENS.....: 64,60,52,564,52,454,84,53,54,65,68,52,52,52,52,52,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46] + [ENTROPIES...: 4.4,5.3,5.0,7.6,5.2,7.6,5.9,5.3,5.3,5.5,5.6,5.1,5.0,5.0,5.0,5.1,5.1,5.3,5.1,6.0,5.2,6.7,5.2,5.5,5.8,5.1,5.2,5.5,5.6,5.1,3.6,3.6] new: [....31] [ip4][..udp] [..192.168.1.184][30303] -> [..111.229.0.180][20182] detected: [....31] [ip4][..udp] [..192.168.1.184][30303] -> [..111.229.0.180][20182] [Mining][Mining][Unsafe] RISK: Unsafe Protocol @@ -107,14 +110,15 @@ detected: [....15] [ip4][..tcp] [..192.168.1.184][56618] -> [.52.231.165.108][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....25] [ip4][..tcp] [..192.168.1.184][56629] -> [....51.38.60.79][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.073| 0.008| 0.018| 321.083| 0.000] - [PKTLEN......: 60.000| 487.000| 99.000| 93.300| 8701.200| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.073| 0.008| 0.018| 321.083| 2.400] + [PKTLEN......: 46.000| 473.000| 85.000| 93.300| 8701.200| 4.500] [BINS(c->s)..: 15,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1] [IATS(ms)....: 36.4,36.5,1.5,44.0,0.5,0.0,0.1,0.0,0.0,43.1,0.0,0.0,0.0,0.0,0.7,0.0,0.1,0.0,0.0,0.1,0.1,0.1,0.0,0.0,0.0,72.9,0.0,0.0,0.7,0.0,0.0] - [PKTLENS.....: 78,74,66,487,66,406,98,67,68,95,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60] + [PKTLENS.....: 64,60,52,473,52,392,84,53,54,81,52,52,52,52,52,84,53,176,55,68,84,53,54,65,68,52,52,46,46,46,46,46] + [ENTROPIES...: 4.4,5.4,5.1,7.5,5.3,7.4,6.0,5.2,5.3,5.9,5.1,5.1,5.1,5.0,5.1,5.9,5.1,6.7,5.2,5.6,5.9,5.2,5.2,5.5,5.6,5.1,5.3,4.0,3.9,4.0,4.0,4.0] detected: [....16] [ip4][..tcp] [..192.168.1.184][56620] -> [191.234.162.198][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol detected: [....30] [ip4][..tcp] [..192.168.1.184][56633] -> [.82.145.220.249][30303] [Mining][Mining][Unsafe] @@ -134,23 +138,25 @@ detected: [....17] [ip4][..tcp] [..192.168.1.184][56621] -> [..52.187.207.27][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....28] [ip4][..tcp] [..192.168.1.184][56632] -> [...51.38.81.180][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.079| 0.012| 0.027| 705.641| 0.000] - [PKTLEN......: 60.000| 545.000| 104.400| 111.100|12335.600| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.079| 0.012| 0.027| 705.641| 2.400] + [PKTLEN......: 46.000| 531.000| 90.400| 111.100| 12335.600| 4.400] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 68.5,68.6,1.4,78.1,1.9,0.1,78.6,0.0,0.2,0.0,0.0,0.2,0.0,0.0,0.1,0.0,0.1,0.0,0.4,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,67.2,0.0] - [PKTLENS.....: 78,74,66,545,66,505,98,66,66,67,68,79,66,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60] + [PKTLENS.....: 64,60,52,531,52,491,84,52,52,53,54,65,52,52,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46] + [ENTROPIES...: 4.4,5.3,5.0,7.6,5.2,7.6,6.0,5.2,5.1,5.3,5.3,5.6,5.1,5.1,5.1,5.6,5.3,5.1,5.1,5.9,5.2,6.8,5.3,5.6,5.9,5.1,5.2,5.5,5.6,5.1,3.9,3.9] analyse: [....30] [ip4][..tcp] [..192.168.1.184][56633] -> [.82.145.220.249][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.077| 0.012| 0.026| 688.970| 0.000] - [PKTLEN......: 60.000| 508.000| 101.100| 105.300|11090.000| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.077| 0.012| 0.026| 688.970| 2.400] + [PKTLEN......: 46.000| 494.000| 87.100| 105.300| 11090.000| 4.400] [BINS(c->s)..: 13,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 74.2,74.3,1.2,77.3,76.1,0.7,0.0,0.6,0.0,0.2,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,52.0,0.0,0.2,0.0,0.0,0.0,0.1,0.0,0.0,0.0,0.1] - [PKTLENS.....: 78,74,66,508,488,66,98,98,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60,60] + [PKTLENS.....: 64,60,52,494,474,52,84,84,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46,46,46,46,46,46,46,46,46,46] + [ENTROPIES...: 4.4,5.4,5.1,7.6,7.5,5.1,5.9,6.0,5.1,5.1,6.0,5.2,6.8,5.3,5.6,5.7,5.0,5.2,5.5,5.6,5.1,3.7,3.7,3.7,3.7,3.7,3.7,3.7,3.7,3.7,3.7,3.7] new: [....35] [ip4][..tcp] [..192.168.1.184][56637] -> [.35.233.197.131][30303] new: [....36] [ip4][..tcp] [..192.168.1.184][56638] -> [209.250.240.205][30303] new: [....37] [ip4][..udp] [..192.168.1.184][30303] -> [.35.180.246.169][30301] @@ -160,14 +166,15 @@ detected: [....33] [ip4][..tcp] [..192.168.1.184][56634] -> [..159.203.84.31][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....24] [ip4][..tcp] [..192.168.1.184][56628] -> [....3.209.45.79][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.164| 0.023| 0.053| 2778.035| 0.000] - [PKTLEN......: 60.000| 536.000| 103.000| 105.000|11031.500| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.164| 0.023| 0.053| 2778.035| 2.400] + [PKTLEN......: 46.000| 522.000| 89.000| 105.000| 11031.500| 4.500] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 134.4,134.5,2.0,164.5,0.7,163.1,0.2,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.2,0.2,0.4,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,112.9,0.0] - [PKTLENS.....: 78,74,66,461,66,536,66,98,67,66,66,68,79,82,66,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60] + [PKTLENS.....: 64,60,52,447,52,522,52,84,53,52,52,54,65,68,52,52,52,52,52,84,53,176,55,68,84,53,54,65,68,52,52,46] + [ENTROPIES...: 4.4,5.3,5.0,7.5,5.1,7.6,4.9,6.0,5.2,5.0,5.0,5.3,5.6,5.6,5.0,5.0,4.9,5.1,5.0,5.9,5.1,6.8,5.2,5.5,5.9,5.1,5.1,5.5,5.5,5.0,5.1,3.7] detected: [....36] [ip4][..tcp] [..192.168.1.184][56638] -> [209.250.240.205][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol detected: [....34] [ip4][..tcp] [..192.168.1.184][56635] -> [.162.228.29.160][30303] [Mining][Mining][Unsafe] @@ -176,26 +183,28 @@ new: [....40] [ip4][..tcp] [..192.168.1.184][56642] -> [..178.62.10.218][30303] new: [....41] [ip4][..tcp] [..192.168.1.184][56643] -> [..178.62.29.183][30303] analyse: [....36] [ip4][..tcp] [..192.168.1.184][56638] -> [209.250.240.205][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.043| 0.007| 0.014| 203.606| 0.000] - [PKTLEN......: 66.000| 560.000| 120.000| 112.400|12624.200| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.043| 0.007| 0.014| 203.606| 2.800] + [PKTLEN......: 52.000| 546.000| 106.000| 112.400| 12624.200| 4.500] [BINS(c->s)..: 13,3,0,2,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1] [IATS(ms)....: 32.6,32.7,1.1,41.2,3.0,43.1,1.1,0.0,0.1,0.0,0.0,2.2,0.0,0.0,1.1,0.0,0.0,0.1,0.1,0.4,0.0,0.0,0.0,0.1,33.8,0.0,0.0,0.0,33.3,0.0,0.1] - [PKTLENS.....: 78,74,66,481,66,560,66,98,67,190,69,82,98,67,209,66,66,66,82,66,98,67,114,81,82,78,78,78,78,226,178,66] + [PKTLENS.....: 64,60,52,467,52,546,52,84,53,176,55,68,84,53,195,52,52,52,68,52,84,53,100,67,68,64,64,64,64,212,164,52] + [ENTROPIES...: 4.5,5.4,5.1,7.6,5.2,7.6,5.0,5.9,5.0,6.7,5.2,5.5,6.1,5.2,6.8,5.0,5.1,5.1,5.6,5.1,5.9,5.2,6.1,5.6,5.5,5.1,5.1,5.2,5.1,6.9,6.7,5.2] new: [....42] [ip4][..tcp] [..192.168.1.184][56644] -> [..13.230.108.42][30303] detected: [....39] [ip4][..tcp] [..192.168.1.184][56641] -> [.144.91.120.135][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....27] [ip4][..tcp] [..192.168.1.184][56630] -> [..40.67.144.128][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.158| 0.021| 0.049| 2374.200| 0.000] - [PKTLEN......: 60.000| 497.000| 101.300| 103.800|10779.300| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.158| 0.021| 0.049| 2374.200| 2.400] + [PKTLEN......: 46.000| 483.000| 87.300| 103.800| 10779.300| 4.400] [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] [IATS(ms)....: 158.1,158.1,1.9,112.7,1.0,0.0,111.8,0.0,0.1,0.0,0.1,0.0,0.9,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,111.1,0.0,0.8,0.0,0.0,0.0,0.0,0.0] - [PKTLENS.....: 78,74,66,497,66,489,98,66,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60] + [PKTLENS.....: 64,60,52,483,52,475,84,52,52,68,68,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46,46,46,46,46,46,46] + [ENTROPIES...: 4.5,5.3,5.1,7.6,5.2,7.5,5.9,5.1,5.2,5.7,5.6,5.1,5.2,5.8,5.1,6.7,5.1,5.4,5.8,5.1,5.1,5.4,5.5,5.0,3.6,3.6,3.6,3.6,3.6,3.6,3.6,3.6] new: [....43] [ip4][..tcp] [..192.168.1.184][56645] -> [.185.219.133.62][30303] detected: [....38] [ip4][..tcp] [..192.168.1.184][56639] -> [.18.219.167.159][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol @@ -208,36 +217,39 @@ RISK: Unsafe Protocol new: [....45] [ip4][..tcp] [..192.168.1.184][56647] -> [.182.162.161.61][30303] analyse: [....11] [ip4][..tcp] [..192.168.1.184][56611] -> [..104.42.217.25][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.202| 0.031| 0.071| 5088.628| 0.000] - [PKTLEN......: 60.000| 556.000| 105.800| 115.500|13350.200| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.202| 0.031| 0.071| 5088.628| 2.400] + [PKTLEN......: 46.000| 542.000| 91.800| 115.500| 13350.200| 4.400] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 195.0,195.1,1.2,202.3,0.3,0.0,201.3,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.1,0.1,0.6,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,175.4,0.4] - [PKTLENS.....: 78,74,66,556,66,533,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60] + [PKTLENS.....: 64,60,52,542,52,519,84,52,52,53,52,54,65,52,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,52,46] + [ENTROPIES...: 4.4,5.3,5.0,7.6,5.2,7.6,5.9,5.1,5.2,5.3,5.2,5.3,5.5,5.2,5.2,5.6,5.2,5.2,5.2,5.7,5.1,6.7,5.1,5.5,5.8,5.0,5.1,5.5,5.4,5.1,5.2,3.7] detected: [....44] [ip4][..tcp] [..192.168.1.184][56646] -> [..172.105.94.62][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....33] [ip4][..tcp] [..192.168.1.184][56634] -> [..159.203.84.31][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.109| 0.018| 0.040| 1575.808| 0.000] - [PKTLEN......: 60.000| 637.000| 109.600| 130.900|17130.100| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.109| 0.018| 0.040| 1575.808| 2.400] + [PKTLEN......: 46.000| 623.000| 95.600| 130.900| 17130.100| 4.300] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,0,1,1,0,0,0,1,0,0,0,0,0,0,1,1] [IATS(ms)....: 107.6,107.7,1.5,109.0,1.8,109.4,0.7,0.0,0.1,0.0,0.1,1.0,0.2,0.1,0.1,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.0,0.0,0.1,0.0,0.0,0.0,107.1,0.0] - [PKTLENS.....: 78,74,66,637,66,579,66,98,67,190,69,82,98,66,67,66,68,66,79,82,66,66,98,66,67,66,68,79,82,66,60,60] + [PKTLENS.....: 64,60,52,623,52,565,52,84,53,176,55,68,84,52,53,52,54,52,65,68,52,52,84,52,53,52,54,65,68,52,46,46] + [ENTROPIES...: 4.5,5.4,5.1,7.7,5.2,7.7,5.2,5.9,5.2,6.9,5.2,5.6,5.9,5.1,5.2,5.1,5.3,5.1,5.6,5.7,5.1,5.1,5.8,5.2,5.2,5.1,5.1,5.3,5.6,5.1,4.0,4.0] new: [....46] [ip4][..tcp] [..192.168.1.184][56650] -> [.35.228.250.140][30303] new: [....47] [ip4][..tcp] [..192.168.1.184][56651] -> [..138.201.12.87][30303] analyse: [....41] [ip4][..tcp] [..192.168.1.184][56643] -> [..178.62.29.183][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.049| 0.009| 0.018| 316.609| 0.000] - [PKTLEN......: 66.000| 535.000| 106.900| 97.800| 9570.500| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.049| 0.009| 0.018| 316.609| 2.700] + [PKTLEN......: 52.000| 521.000| 92.900| 97.800| 9570.500| 4.500] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,1] [IATS(ms)....: 44.4,44.5,1.1,47.4,2.6,0.0,48.9,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.6,0.0,0.1,0.0,0.1,0.4,0.0,0.0,0.0,0.1,43.3,0.5,42.7,0.2,0.0] - [PKTLENS.....: 78,74,66,535,66,384,98,66,66,67,66,191,68,66,66,82,66,98,67,190,69,82,98,67,114,81,82,66,98,66,67,70] + [PKTLENS.....: 64,60,52,521,52,370,84,52,52,53,52,177,54,52,52,68,52,84,53,176,55,68,84,53,100,67,68,52,84,52,53,56] + [ENTROPIES...: 4.5,5.4,5.1,7.6,5.1,7.5,5.9,5.0,5.0,5.2,5.1,6.7,5.3,5.0,5.0,5.7,5.1,5.9,5.2,6.7,5.2,5.5,5.8,5.1,6.1,5.5,5.6,5.1,5.9,5.0,5.2,5.4] new: [....48] [ip4][..tcp] [..192.168.1.184][56652] -> [..176.9.136.209][30303] detected: [....47] [ip4][..tcp] [..192.168.1.184][56651] -> [..138.201.12.87][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol @@ -246,117 +258,128 @@ detected: [....50] [ip4][..udp] [..192.168.1.184][30303] -> [.18.219.167.159][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....43] [ip4][..tcp] [..192.168.1.184][56645] -> [.185.219.133.62][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.052| 0.010| 0.019| 354.234| 0.000] - [PKTLEN......: 66.000| 476.000| 107.900| 97.700| 9536.300| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.052| 0.010| 0.019| 354.234| 2.800] + [PKTLEN......: 52.000| 462.000| 93.900| 97.700| 9536.300| 4.500] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,0,0,0,0,1,0,1,0,1,0,1,0,0,0,0,0,0,1,1,1,0,1] [IATS(ms)....: 47.2,47.4,1.6,49.5,3.7,51.6,0.8,0.0,1.0,0.1,0.0,0.0,0.0,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.4,0.0,0.0,0.0,0.1,45.6,1.1,0.0,46.3,0.1] - [PKTLENS.....: 78,74,66,476,66,448,66,98,67,98,190,66,69,82,67,66,222,66,69,66,82,66,98,67,114,81,82,66,66,98,66,67] + [PKTLENS.....: 64,60,52,462,52,434,52,84,53,84,176,52,55,68,53,52,208,52,55,52,68,52,84,53,100,67,68,52,52,84,52,53] + [ENTROPIES...: 4.5,5.3,5.1,7.5,5.2,7.4,5.0,5.8,5.1,5.9,6.7,5.1,5.2,5.4,5.2,5.1,6.9,5.1,5.3,5.1,5.4,5.1,5.6,5.1,6.0,5.4,5.5,5.2,5.2,5.8,5.1,5.2] new: [....51] [ip4][..tcp] [..192.168.1.184][56655] -> [.202.112.28.106][30303] detected: [....48] [ip4][..tcp] [..192.168.1.184][56652] -> [..176.9.136.209][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol detected: [....46] [ip4][..tcp] [..192.168.1.184][56650] -> [.35.228.250.140][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....15] [ip4][..tcp] [..192.168.1.184][56618] -> [.52.231.165.108][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.262| 0.038| 0.087| 7588.779| 0.000] - [PKTLEN......: 60.000| 519.000| 104.200| 109.100|11904.300| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.262| 0.038| 0.087| 7588.779| 2.300] + [PKTLEN......: 46.000| 505.000| 90.200| 109.100| 11904.300| 4.400] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 261.7,261.8,1.5,222.8,0.1,0.0,0.0,221.3,0.0,0.0,0.2,0.0,0.2,0.0,0.1,0.0,0.1,0.0,0.6,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,211.4,0.0] - [PKTLENS.....: 78,74,66,516,66,519,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60] + [PKTLENS.....: 64,60,52,502,52,505,84,53,52,52,52,54,65,52,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,52,46] + [ENTROPIES...: 4.5,5.3,5.0,7.6,5.2,7.6,5.8,5.2,5.1,5.1,5.1,5.3,5.6,5.1,5.1,5.7,5.2,5.1,5.1,5.7,5.1,6.9,5.1,5.5,5.8,5.1,5.2,5.5,5.5,5.0,5.2,3.8] analyse: [....16] [ip4][..tcp] [..192.168.1.184][56620] -> [191.234.162.198][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.263| 0.038| 0.087| 7624.721| 0.000] - [PKTLEN......: 60.000| 578.000| 106.100| 117.400|13788.700| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.263| 0.038| 0.087| 7624.721| 2.300] + [PKTLEN......: 46.000| 564.000| 92.100| 117.400| 13788.700| 4.400] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 263.1,263.2,1.3,221.8,0.2,0.0,0.0,220.8,0.0,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.7,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,212.6,0.2] - [PKTLENS.....: 78,74,66,578,66,525,98,67,66,66,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60] + [PKTLENS.....: 64,60,52,564,52,511,84,53,52,52,52,54,65,52,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46] + [ENTROPIES...: 4.4,5.3,4.9,7.6,5.2,7.5,6.0,5.2,5.1,5.1,5.1,5.2,5.6,5.1,5.1,5.6,5.2,5.1,5.1,5.9,5.0,6.7,5.1,5.4,5.8,5.0,5.0,5.4,5.5,5.0,3.7,3.7] detected: [....49] [ip4][..tcp] [..192.168.1.184][56654] -> [..85.214.108.52][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol new: [....52] [ip4][..tcp] [..192.168.1.184][56657] -> [.138.75.171.190][30303] new: [....53] [ip4][..tcp] [..192.168.1.184][56658] -> [.157.230.152.87][30303] analyse: [....47] [ip4][..tcp] [..192.168.1.184][56651] -> [..138.201.12.87][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.037| 0.006| 0.012| 148.778| 0.000] - [PKTLEN......: 60.000| 483.000| 98.100| 91.500| 8376.200| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.037| 0.006| 0.012| 148.778| 2.600] + [PKTLEN......: 46.000| 469.000| 84.100| 91.500| 8376.200| 4.500] [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] [IATS(ms)....: 32.6,32.6,1.2,33.9,3.9,36.5,0.4,0.4,0.1,0.1,0.1,0.1,0.4,0.0,0.0,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,31.1,0.1,0.0,0.1,0.0,0.6,0.1,0.0] - [PKTLENS.....: 78,74,66,483,66,393,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60] + [PKTLENS.....: 64,60,52,469,52,379,52,84,52,68,52,68,52,84,53,176,55,68,84,53,54,65,68,52,52,46,46,46,46,46,46,46] + [ENTROPIES...: 4.5,5.4,5.1,7.6,5.3,7.4,5.1,6.0,5.1,5.7,5.2,5.7,5.1,6.0,5.2,6.8,5.3,5.6,5.9,5.2,5.3,5.6,5.6,5.2,5.3,3.7,3.7,3.7,3.7,3.7,3.7,3.7] analyse: [....44] [ip4][..tcp] [..192.168.1.184][56646] -> [..172.105.94.62][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.116| 0.012| 0.026| 687.065| 0.000] - [PKTLEN......: 66.000| 540.000| 116.300| 108.500|11769.500| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.116| 0.012| 0.026| 687.065| 2.900] + [PKTLEN......: 52.000| 526.000| 102.300| 108.500| 11769.500| 4.500] [BINS(c->s)..: 14,4,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,1,1,1,1,1,1,0,0,1,0,0,0] [IATS(ms)....: 25.5,25.6,1.2,25.9,91.4,116.0,0.8,0.0,0.1,0.0,0.0,24.5,23.6,0.4,0.0,0.0,0.0,0.7,0.1,0.7,0.0,0.0,0.0,23.3,0.0,24.1,0.2,0.3,0.0,0.0,0.0] - [PKTLENS.....: 78,74,66,540,66,398,66,98,67,190,69,82,306,66,98,67,114,81,66,82,66,66,66,66,274,66,66,98,66,67,69,78] + [PKTLENS.....: 64,60,52,526,52,384,52,84,53,176,55,68,292,52,84,53,100,67,52,68,52,52,52,52,260,52,52,84,52,53,55,64] + [ENTROPIES...: 4.4,5.3,5.0,7.6,5.1,7.4,5.1,5.9,5.1,6.8,5.1,5.5,7.2,5.1,5.8,5.1,5.9,5.5,5.2,5.5,5.2,5.2,5.2,5.2,7.1,5.2,5.0,5.7,5.2,5.1,5.2,5.3] analyse: [....48] [ip4][..tcp] [..192.168.1.184][56652] -> [..176.9.136.209][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.035| 0.006| 0.012| 149.558| 0.000] - [PKTLEN......: 60.000| 597.000| 104.600| 116.900|13676.100| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.035| 0.006| 0.012| 149.558| 2.500] + [PKTLEN......: 46.000| 583.000| 90.600| 116.900| 13676.100| 4.400] [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] [IATS(ms)....: 32.8,32.8,1.3,33.9,2.4,35.0,0.3,0.2,0.1,0.0,0.1,0.0,0.4,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,32.6,0.0,0.1,0.1,0.1,0.0,0.0,0.1] - [PKTLENS.....: 78,74,66,597,66,494,66,98,66,82,82,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60] + [PKTLENS.....: 64,60,52,583,52,480,52,84,52,68,68,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46,46,46,46,46,46,46] + [ENTROPIES...: 4.5,5.4,5.1,7.6,5.3,7.5,5.1,5.9,5.1,5.7,5.7,5.1,5.1,5.9,5.2,6.8,5.2,5.7,5.9,5.2,5.2,5.5,5.6,5.2,3.7,3.7,3.7,3.7,3.7,3.7,3.7,3.7] new: [....54] [ip4][..tcp] [..192.168.1.184][56660] -> [...51.161.23.12][30303] new: [....55] [ip4][..tcp] [..192.168.1.184][56661] -> [....52.9.128.68][30303] new: [....56] [ip4][..tcp] [..192.168.1.184][56662] -> [..35.229.232.19][30303] new: [....57] [ip4][..tcp] [..192.168.1.184][56663] -> [124.217.235.180][30303] analyse: [....34] [ip4][..tcp] [..192.168.1.184][56635] -> [.162.228.29.160][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.159| 0.026| 0.057| 3248.179| 0.000] - [PKTLEN......: 60.000| 479.000| 101.500| 99.100| 9815.100| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.159| 0.026| 0.057| 3248.179| 2.500] + [PKTLEN......: 46.000| 465.000| 87.500| 99.100| 9815.100| 4.500] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,0,0,1,0,0,0,0,0,0,0,1,0,1,1] [IATS(ms)....: 157.7,157.8,1.6,152.9,8.1,159.4,1.2,0.0,0.1,0.0,0.1,1.9,0.0,0.5,0.0,0.1,0.0,0.1,0.0,0.1,0.1,0.2,0.0,0.1,0.0,0.0,0.0,0.7,0.4,149.7,0.6] - [PKTLENS.....: 78,74,66,479,66,471,66,98,67,190,69,82,98,67,66,66,68,79,66,66,82,66,98,67,68,79,82,66,66,66,66,60] + [PKTLENS.....: 64,60,52,465,52,457,52,84,53,176,55,68,84,53,52,52,54,65,52,52,68,52,84,53,54,65,68,52,52,52,52,46] + [ENTROPIES...: 4.4,5.3,5.1,7.5,5.2,7.5,5.0,5.9,5.2,6.9,5.2,5.5,5.9,5.2,5.0,5.1,5.3,5.6,5.1,5.0,5.6,5.0,5.7,5.1,5.1,5.3,5.5,5.1,5.2,5.1,5.2,3.8] analyse: [....38] [ip4][..tcp] [..192.168.1.184][56639] -> [.18.219.167.159][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.131| 0.020| 0.046| 2133.935| 0.000] - [PKTLEN......: 60.000| 587.000| 107.000| 122.200|14931.500| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.131| 0.020| 0.046| 2133.935| 2.400] + [PKTLEN......: 46.000| 573.000| 93.000| 122.200| 14931.500| 4.300] [BINS(c->s)..: 16,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1] [IATS(ms)....: 130.8,130.9,1.3,122.8,1.3,122.7,0.2,0.0,0.1,0.0,0.1,0.1,0.1,0.1,0.1,0.1,0.3,0.0,0.0,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,121.1,0.0,0.0,0.0] - [PKTLENS.....: 78,74,66,587,66,556,66,98,67,66,66,81,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60] + [PKTLENS.....: 64,60,52,573,52,542,52,84,53,52,52,67,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46,46,46] + [ENTROPIES...: 4.5,5.3,5.0,7.6,5.2,7.5,5.1,5.9,5.2,5.0,5.0,5.5,5.1,5.6,5.1,5.2,5.0,5.9,5.1,6.8,5.1,5.6,5.7,5.1,5.1,5.4,5.6,5.1,3.9,4.0,4.0,4.0] analyse: [....46] [ip4][..tcp] [..192.168.1.184][56650] -> [.35.228.250.140][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.057| 0.011| 0.022| 493.706| 0.000] - [PKTLEN......: 66.000| 528.000| 114.400| 109.700|12030.800| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.057| 0.011| 0.022| 493.706| 2.800] + [PKTLEN......: 52.000| 514.000| 100.400| 109.700| 12030.800| 4.500] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,0,1,1] [IATS(ms)....: 56.8,56.9,1.6,56.4,2.3,57.1,0.5,0.5,0.1,0.0,0.1,0.0,0.2,0.0,0.1,0.0,0.0,1.1,0.9,0.4,0.0,0.0,0.0,0.1,56.5,0.0,0.0,55.9,0.0,1.8,0.0] - [PKTLENS.....: 78,74,66,528,66,508,66,98,66,209,67,66,66,98,67,190,69,82,82,66,98,67,114,81,82,66,98,148,66,66,96,66] + [PKTLENS.....: 64,60,52,514,52,494,52,84,52,195,53,52,52,84,53,176,55,68,68,52,84,53,100,67,68,52,84,134,52,52,82,52] + [ENTROPIES...: 4.5,5.2,5.1,7.5,5.2,7.5,5.2,5.8,5.1,6.8,5.2,5.0,5.0,5.9,5.1,6.7,5.2,5.5,5.7,5.1,5.9,5.2,6.0,5.5,5.5,5.2,5.9,6.6,5.1,5.1,5.8,5.3] analyse: [....18] [ip4][..tcp] [..192.168.1.184][56622] -> [..18.138.108.67][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.300| 0.044| 0.100|10075.352| 0.000] - [PKTLEN......: 60.000| 597.000| 102.300| 106.200|11275.500| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.300| 0.044| 0.100| 10075.352| 2.300] + [PKTLEN......: 46.000| 583.000| 88.300| 106.200| 11275.500| 4.400] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 300.4,300.4,1.7,253.4,0.7,0.0,252.4,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.4,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,252.8,0.0] - [PKTLENS.....: 78,74,66,597,66,384,98,66,66,67,66,68,79,66,66,82,66,66,66,98,67,190,69,82,98,67,68,79,82,66,60,60] + [PKTLENS.....: 64,60,52,583,52,370,84,52,52,53,52,54,65,52,52,68,52,52,52,84,53,176,55,68,84,53,54,65,68,52,46,46] + [ENTROPIES...: 4.4,5.3,5.0,7.7,5.1,7.4,5.9,5.0,5.0,5.2,5.0,5.3,5.5,5.0,5.0,5.6,5.2,5.0,5.0,5.8,5.0,6.7,5.2,5.4,5.8,5.0,5.2,5.3,5.4,5.0,3.7,3.7] analyse: [....19] [ip4][..tcp] [..192.168.1.184][56623] -> [...18.138.81.28][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.308| 0.045| 0.103|10532.101| 0.000] - [PKTLEN......: 60.000| 537.000| 103.800| 108.100|11684.800| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.308| 0.045| 0.103| 10532.101| 2.400] + [PKTLEN......: 46.000| 523.000| 89.800| 108.100| 11684.800| 4.400] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1] [IATS(ms)....: 308.0,308.1,2.1,260.3,1.6,259.8,0.5,0.5,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.0,0.1,0.0,0.0,0.0,0.0,0.0,2.3,1.9,254.5,0.0] - [PKTLENS.....: 78,74,66,537,66,488,66,98,66,67,68,66,66,79,82,66,66,98,67,190,69,82,98,67,68,79,82,66,66,66,66,60] + [PKTLENS.....: 64,60,52,523,52,474,52,84,52,53,54,52,52,65,68,52,52,84,53,176,55,68,84,53,54,65,68,52,52,52,52,46] + [ENTROPIES...: 4.5,5.4,5.1,7.6,5.2,7.5,5.1,5.9,5.0,5.2,5.2,5.0,5.0,5.6,5.6,5.0,5.0,5.8,5.0,6.7,5.2,5.4,5.9,5.1,5.1,5.5,5.5,5.0,5.2,5.1,5.2,3.8] new: [....58] [ip4][..udp] [183.129.242.164][.1024] -> [..192.168.1.184][30303] detected: [....58] [ip4][..udp] [183.129.242.164][.1024] -> [..192.168.1.184][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol @@ -365,14 +388,15 @@ detected: [....53] [ip4][..tcp] [..192.168.1.184][56658] -> [.157.230.152.87][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....10] [ip4][..tcp] [..192.168.1.184][56610] -> [..165.22.107.33][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.339| 0.050| 0.114|12910.542| 0.000] - [PKTLEN......: 60.000| 640.000| 106.100| 119.200|14212.100| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.339| 0.050| 0.114| 12910.542| 2.400] + [PKTLEN......: 46.000| 626.000| 92.100| 119.200| 14212.100| 4.400] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,1,1] [IATS(ms)....: 339.2,339.3,1.3,287.2,2.5,288.4,1.0,0.0,1.0,0.0,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.0,0.1,0.6,0.3,285.6,0.0] - [PKTLENS.....: 78,74,66,640,66,462,66,98,67,66,66,98,67,68,79,190,66,69,66,82,82,66,98,67,68,79,82,66,66,66,60,60] + [PKTLENS.....: 64,60,52,626,52,448,52,84,53,52,52,84,53,54,65,176,52,55,52,68,68,52,84,53,54,65,68,52,52,52,46,46] + [ENTROPIES...: 4.5,5.4,5.0,7.6,5.0,7.5,5.1,5.8,5.1,5.0,5.0,5.8,5.0,5.1,5.5,6.7,5.0,5.2,5.0,5.4,5.5,5.0,5.9,5.0,5.1,5.4,5.6,5.1,5.2,5.1,3.7,3.7] detected: [....55] [ip4][..tcp] [..192.168.1.184][56661] -> [....52.9.128.68][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol new: [....59] [ip4][..udp] [..192.168.1.184][30303] -> [.202.112.28.106][30303] @@ -383,14 +407,15 @@ detected: [....52] [ip4][..tcp] [..192.168.1.184][56657] -> [.138.75.171.190][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....17] [ip4][..tcp] [..192.168.1.184][56621] -> [..52.187.207.27][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.355| 0.054| 0.122|14890.530| 0.000] - [PKTLEN......: 60.000| 591.000| 106.400| 118.100|13953.700| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.355| 0.054| 0.122| 14890.530| 2.400] + [PKTLEN......: 46.000| 577.000| 92.400| 118.100| 13953.700| 4.400] [BINS(c->s)..: 17,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 354.5,354.6,1.5,316.9,1.3,316.7,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.0,0.1,0.0,0.1,0.1,0.3,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,313.9,0.3] - [PKTLENS.....: 78,74,66,591,66,517,66,98,66,67,66,68,66,79,82,66,66,66,66,98,67,190,69,82,98,67,68,79,82,66,66,60] + [PKTLENS.....: 64,60,52,577,52,503,52,84,52,53,52,54,52,65,68,52,52,52,52,84,53,176,55,68,84,53,54,65,68,52,52,46] + [ENTROPIES...: 4.5,5.4,5.1,7.6,5.2,7.6,5.1,5.9,5.1,5.3,5.1,5.3,5.1,5.5,5.7,5.0,5.1,5.1,5.0,5.7,5.0,6.9,5.1,5.4,5.8,5.0,5.0,5.4,5.4,5.0,5.1,3.7] new: [....60] [ip4][..udp] [..192.168.1.184][30303] -> [..106.12.39.168][30333] detected: [....60] [ip4][..udp] [..192.168.1.184][30303] -> [..106.12.39.168][30333] [Mining][Mining][Unsafe] RISK: Unsafe Protocol @@ -407,25 +432,27 @@ detected: [....57] [ip4][..tcp] [..192.168.1.184][56663] -> [124.217.235.180][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....54] [ip4][..tcp] [..192.168.1.184][56660] -> [...51.161.23.12][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.147| 0.028| 0.054| 2939.853| 0.000] - [PKTLEN......: 66.000| 639.000| 114.200| 122.100|14898.100| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.147| 0.028| 0.054| 2939.853| 2.800] + [PKTLEN......: 52.000| 625.000| 100.200| 122.100| 14898.100| 4.400] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1] [IATS(ms)....: 139.3,139.4,1.7,141.7,7.2,147.3,0.8,0.0,0.1,0.0,0.1,6.7,5.8,0.3,0.2,0.7,0.0,0.0,0.8,0.0,0.0,0.4,0.0,0.0,0.0,0.0,130.0,0.2,0.8,130.5,0.3] - [PKTLENS.....: 78,74,66,639,66,487,66,98,67,190,69,82,98,66,67,66,216,75,82,66,66,66,98,67,114,81,82,66,66,98,66,67] + [PKTLENS.....: 64,60,52,625,52,473,52,84,53,176,55,68,84,52,53,52,202,61,68,52,52,52,84,53,100,67,68,52,52,84,52,53] + [ENTROPIES...: 4.5,5.3,5.0,7.7,5.1,7.6,5.1,5.8,5.1,6.7,5.2,5.6,5.9,5.1,5.3,5.1,6.9,5.5,5.7,5.1,5.1,5.0,5.8,5.0,6.1,5.5,5.5,5.1,5.1,6.0,5.0,5.2] new: [....63] [ip4][..tcp] [..192.168.1.184][56672] -> [139.162.255.210][30303] new: [....64] [ip4][..tcp] [..192.168.1.184][56673] -> [..78.47.147.155][30303] analyse: [....62] [ip4][..tcp] [..192.168.1.184][56671] -> [..86.107.243.62][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.039| 0.010| 0.016| 256.751| 0.000] - [PKTLEN......: 66.000| 606.000| 121.000| 118.700|14100.300| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.039| 0.010| 0.016| 256.751| 3.100] + [PKTLEN......: 52.000| 592.000| 107.000| 118.700| 14100.300| 4.400] [BINS(c->s)..: 17,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,1,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0] [IATS(ms)....: 39.1,39.2,1.5,38.4,0.4,37.3,0.8,0.0,0.0,0.0,0.1,39.2,38.3,0.3,0.3,0.6,0.0,0.0,0.0,0.1,30.7,30.6,0.3,0.2,0.0,0.0,0.0,0.0,0.1,0.0,0.1] - [PKTLENS.....: 78,74,66,606,66,430,66,98,67,190,69,82,306,66,66,66,98,67,114,81,82,274,66,66,98,67,69,78,82,98,67,70] + [PKTLENS.....: 64,60,52,592,52,416,52,84,53,176,55,68,292,52,52,52,84,53,100,67,68,260,52,52,84,53,55,64,68,84,53,56] + [ENTROPIES...: 4.5,5.3,5.1,7.7,5.2,7.5,5.1,5.8,5.1,6.7,5.2,5.6,7.3,5.0,5.1,5.2,5.8,5.1,6.1,5.5,5.6,7.1,5.0,5.2,5.7,5.2,5.2,5.4,5.6,5.9,5.2,5.3] new: [....65] [ip4][..tcp] [..192.168.1.184][56674] -> [...94.68.55.162][30303] detected: [....63] [ip4][..tcp] [..192.168.1.184][56672] -> [139.162.255.210][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol @@ -435,36 +462,39 @@ detected: [....66] [ip4][..tcp] [..192.168.1.184][56675] -> [..35.235.37.216][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....53] [ip4][..tcp] [..192.168.1.184][56658] -> [.157.230.152.87][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.184| 0.035| 0.071| 5044.452| 0.000] - [PKTLEN......: 66.000| 649.000| 114.100| 121.000|14650.900| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.184| 0.035| 0.071| 5044.452| 2.600] + [PKTLEN......: 52.000| 635.000| 100.100| 121.000| 14650.900| 4.400] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0] [IATS(ms)....: 179.3,179.4,1.8,184.4,0.2,182.8,0.1,0.1,0.1,0.1,0.4,0.0,0.4,0.0,0.1,0.1,0.2,0.0,0.1,0.0,0.0,0.3,0.0,0.0,0.0,0.2,176.5,0.9,1.0,0.0,177.6] - [PKTLENS.....: 78,74,66,649,66,457,66,98,66,67,66,227,80,66,66,82,66,98,67,190,69,82,98,67,125,70,82,66,66,98,67,66] + [PKTLENS.....: 64,60,52,635,52,443,52,84,52,53,52,213,66,52,52,68,52,84,53,176,55,68,84,53,111,56,68,52,52,84,53,52] + [ENTROPIES...: 4.5,5.3,5.0,7.7,5.2,7.4,5.1,5.9,5.1,5.3,5.1,7.0,5.6,5.1,5.1,5.6,5.0,5.8,5.1,6.8,5.1,5.4,5.8,5.1,6.2,5.1,5.4,5.1,5.2,5.9,5.3,5.0] detected: [....65] [ip4][..tcp] [..192.168.1.184][56674] -> [...94.68.55.162][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol new: [....67] [ip4][..tcp] [..192.168.1.184][56678] -> [..13.251.14.199][30303] analyse: [....63] [ip4][..tcp] [..192.168.1.184][56672] -> [139.162.255.210][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.042| 0.007| 0.015| 228.263| 0.000] - [PKTLEN......: 60.000| 452.000| 98.000| 90.700| 8221.200| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.042| 0.007| 0.015| 228.263| 2.600] + [PKTLEN......: 46.000| 438.000| 84.000| 90.700| 8221.200| 4.500] [BINS(c->s)..: 14,2,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] [IATS(ms)....: 41.4,41.5,1.3,42.4,1.0,42.1,0.2,0.2,0.4,0.4,0.4,0.4,0.2,0.0,0.1,0.0,0.1,0.1,0.0,0.1,0.0,0.0,0.0,39.1,1.4,0.0,0.1,0.1,0.0,0.1,0.1] - [PKTLENS.....: 78,74,66,452,66,422,66,98,66,82,66,82,66,98,67,190,69,82,98,67,68,79,82,66,66,60,60,60,60,60,60,60] + [PKTLENS.....: 64,60,52,438,52,408,52,84,52,68,52,68,52,84,53,176,55,68,84,53,54,65,68,52,52,46,46,46,46,46,46,46] + [ENTROPIES...: 4.5,5.4,5.1,7.5,5.1,7.5,5.0,5.9,5.0,5.7,5.0,5.6,5.0,5.7,5.1,6.8,5.2,5.4,5.8,5.1,5.1,5.4,5.5,5.1,5.2,3.7,3.7,3.7,3.7,3.7,3.7,3.7] new: [....68] [ip4][..tcp] [..192.168.1.184][56679] -> [..35.228.158.52][30303] analyse: [....55] [ip4][..tcp] [..192.168.1.184][56661] -> [....52.9.128.68][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.194| 0.037| 0.074| 5538.541| 0.000] - [PKTLEN......: 66.000| 538.000| 114.200| 109.000|11872.900| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.194| 0.037| 0.074| 5538.541| 2.700] + [PKTLEN......: 52.000| 524.000| 100.200| 109.000| 11872.900| 4.500] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,1,1,0,1,0,1,1,0] [IATS(ms)....: 179.2,179.3,1.5,193.5,0.4,0.0,192.3,0.0,0.2,0.2,0.7,0.0,0.1,0.0,0.1,2.8,2.1,0.4,0.0,0.0,0.0,0.1,193.8,0.2,0.8,194.1,0.1,0.1,1.1,0.0,1.2] - [PKTLENS.....: 78,74,66,538,66,494,98,66,66,198,66,98,67,190,69,82,94,66,98,67,114,81,82,66,66,98,66,147,66,97,66,66] + [PKTLENS.....: 64,60,52,524,52,480,84,52,52,184,52,84,53,176,55,68,80,52,84,53,100,67,68,52,52,84,52,133,52,83,52,52] + [ENTROPIES...: 4.5,5.3,5.0,7.6,4.9,7.5,5.8,4.9,4.9,6.8,4.9,5.8,5.1,6.7,5.1,5.3,5.8,4.9,5.8,5.1,6.2,5.3,5.4,5.0,5.0,5.9,5.0,6.5,5.0,5.9,5.2,5.0] new: [....69] [ip4][..tcp] [..192.168.1.184][56680] -> [...138.59.17.58][30303] new: [....70] [ip4][..tcp] [..192.168.1.184][56681] -> [207.180.206.216][30303] detected: [....68] [ip4][..tcp] [..192.168.1.184][56679] -> [..35.228.158.52][30303] [Mining][Mining][Unsafe] @@ -475,24 +505,26 @@ detected: [....70] [ip4][..tcp] [..192.168.1.184][56681] -> [207.180.206.216][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....65] [ip4][..tcp] [..192.168.1.184][56674] -> [...94.68.55.162][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.075| 0.014| 0.028| 803.714| 0.000] - [PKTLEN......: 66.000| 613.000| 119.000| 126.800|16079.300| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.075| 0.014| 0.028| 803.714| 2.700] + [PKTLEN......: 52.000| 599.000| 105.000| 126.800| 16079.300| 4.400] [BINS(c->s)..: 15,3,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1] [IATS(ms)....: 71.3,71.4,1.3,75.1,1.0,0.0,74.8,0.0,0.1,0.1,0.5,0.5,0.2,0.0,0.1,0.0,0.1,0.3,0.0,0.0,0.0,0.1,69.6,0.8,0.0,69.7,0.7,0.0,0.7,0.0,0.1] - [PKTLENS.....: 78,74,66,613,66,570,98,66,66,209,66,83,66,98,67,190,69,82,98,67,114,81,82,66,66,98,66,148,96,66,66,66] + [PKTLENS.....: 64,60,52,599,52,556,84,52,52,195,52,69,52,84,53,176,55,68,84,53,100,67,68,52,52,84,52,134,82,52,52,52] + [ENTROPIES...: 4.4,5.3,5.0,7.6,5.2,7.6,5.8,5.0,5.0,6.9,5.0,5.5,5.0,5.7,5.1,6.8,5.1,5.5,5.9,5.2,6.1,5.6,5.5,5.2,5.2,5.8,5.0,6.4,5.9,5.0,5.0,5.1] new: [....72] [ip4][..tcp] [..192.168.1.184][56684] -> [...51.83.237.44][30303] analyse: [....52] [ip4][..tcp] [..192.168.1.184][56657] -> [.138.75.171.190][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.263| 0.042| 0.096| 9182.918| 0.000] - [PKTLEN......: 60.000| 605.000| 105.400| 121.500|14755.200| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.263| 0.042| 0.096| 9182.918| 2.400] + [PKTLEN......: 46.000| 591.000| 91.400| 121.500| 14755.200| 4.300] [BINS(c->s)..: 13,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 259.7,259.8,1.3,261.4,3.0,263.1,0.5,0.4,0.3,0.2,0.2,0.0,0.1,0.0,0.0,0.1,0.0,0.1,0.0,0.0,0.0,260.1,0.0,0.0,0.1,0.1,0.0,0.7,0.0,0.0,0.0] - [PKTLENS.....: 78,74,66,605,66,525,66,98,66,98,66,98,67,190,69,82,98,67,68,79,82,66,60,60,60,60,60,60,60,60,60,60] + [PKTLENS.....: 64,60,52,591,52,511,52,84,52,84,52,84,53,176,55,68,84,53,54,65,68,52,46,46,46,46,46,46,46,46,46,46] + [ENTROPIES...: 4.5,5.3,5.0,7.6,5.2,7.5,4.9,5.8,4.9,5.8,4.9,5.8,5.1,6.7,5.1,5.5,5.8,5.0,5.1,5.5,5.4,5.0,3.7,3.7,3.7,3.7,3.7,3.7,3.7,3.7,3.7,3.7] new: [....73] [ip4][..tcp] [..192.168.1.184][56685] -> [...88.99.93.219][30303] detected: [....72] [ip4][..tcp] [..192.168.1.184][56684] -> [...51.83.237.44][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol @@ -506,14 +538,15 @@ detected: [....74] [ip4][..tcp] [..192.168.1.184][56686] -> [.206.189.107.35][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol analyse: [....64] [ip4][..tcp] [..192.168.1.184][56673] -> [..78.47.147.155][30303] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.286| 0.027| 0.065| 4262.303| 0.000] - [PKTLEN......: 66.000| 633.000| 123.600| 120.400|14503.600| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.286| 0.027| 0.065| 4262.303| 2.600] + [PKTLEN......: 52.000| 619.000| 109.600| 120.400| 14503.600| 4.500] [BINS(c->s)..: 16,5,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,1,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,1,0,0] [IATS(ms)....: 40.4,40.4,1.5,40.9,246.5,285.9,40.6,40.6,0.7,0.0,0.1,0.0,0.0,0.4,0.0,0.0,0.0,0.1,39.4,0.2,0.9,0.7,39.7,0.2,0.0,0.0,0.0,0.1,1.1,0.8,0.2] - [PKTLENS.....: 78,74,66,633,66,306,78,413,66,98,67,190,69,82,98,67,114,81,82,66,66,66,130,66,98,67,69,78,82,274,66,98] + [PKTLENS.....: 64,60,52,619,52,292,64,399,52,84,53,176,55,68,84,53,100,67,68,52,52,52,116,52,84,53,55,64,68,260,52,84] + [ENTROPIES...: 4.5,5.3,5.1,7.7,5.2,7.2,5.2,7.4,5.1,5.9,5.2,6.8,5.2,5.6,5.9,5.2,6.2,5.5,5.6,5.3,5.3,5.3,6.4,5.1,5.9,5.2,5.3,5.5,5.6,7.1,5.1,5.9] end: [....52] [ip4][..tcp] [..192.168.1.184][56657] -> [.138.75.171.190][30303] [Mining][Mining][Unsafe] RISK: Unsafe Protocol idle: [....69] [ip4][..tcp] [..192.168.1.184][56680] -> [...138.59.17.58][30303] [Mining][Mining][Unsafe] diff --git a/test/results/flow-info/exe_download.pcap.out b/test/results/flow-info/exe_download.pcap.out index eca925875..414130a36 100644 --- a/test/results/flow-info/exe_download.pcap.out +++ b/test/results/flow-info/exe_download.pcap.out @@ -7,14 +7,15 @@ detection-update: [.....1] [ip4][..tcp] [....10.9.25.101][49165] -> [..144.91.69.195][...80] [HTTP][Download][Acceptable] RISK: Binary App Transfer, HTTP Suspicious User-Agent, HTTP Numeric IP Address analyse: [.....1] [ip4][..tcp] [....10.9.25.101][49165] -> [..144.91.69.195][...80] [HTTP][Download][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.320| 0.062| 0.115|13236.602| 0.000] - [PKTLEN......: 54.000| 1514.000| 868.500| 668.400|446708.300| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.320| 0.062| 0.115| 13236.602| 3.000] + [PKTLEN......: 40.000| 1500.000| 854.500| 668.400| 446708.300| 4.400] [BINS(c->s)..: 10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,2,0,0,8,0,0,7,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,1,1,0] [IATS(ms)....: 319.3,319.5,0.7,1.1,298.1,0.0,298.6,1.6,0.1,1.8,2.4,2.7,0.0,5.0,0.2,28.6,0.1,28.9,100.7,305.8,0.0,0.0,0.1,205.2,0.2,0.2,0.7,0.0,0.0,0.0,0.7] - [PKTLENS.....: 66,58,54,207,54,1514,1322,54,1418,1418,54,1418,1514,1302,54,1418,1418,1418,54,54,1514,1514,1226,1418,54,1418,54,1514,1514,1514,1130,54] + [PKTLENS.....: 52,44,40,193,40,1500,1308,40,1404,1404,40,1404,1500,1288,40,1404,1404,1404,40,40,1500,1500,1212,1404,40,1404,40,1500,1500,1500,1116,40] + [ENTROPIES...: 4.4,4.9,4.6,5.8,4.7,3.7,0.3,4.6,0.3,4.4,4.6,5.7,5.5,5.4,4.5,5.9,5.8,5.7,4.6,4.6,5.4,5.4,5.4,5.7,4.6,5.6,4.5,5.7,5.8,5.6,5.7,4.6] end: [.....1] [ip4][..tcp] [....10.9.25.101][49165] -> [..144.91.69.195][...80] [HTTP][Download][Acceptable] RISK: Binary App Transfer, HTTP Suspicious User-Agent, HTTP Numeric IP Address DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/exe_download_as_png.pcap.out b/test/results/flow-info/exe_download_as_png.pcap.out index 6a58cb2a7..8f1e980e2 100644 --- a/test/results/flow-info/exe_download_as_png.pcap.out +++ b/test/results/flow-info/exe_download_as_png.pcap.out @@ -7,14 +7,15 @@ detection-update: [.....1] [ip4][..tcp] [....10.9.25.101][49197] -> [..185.98.87.185][...80] [HTTP][Web][Acceptable] RISK: Binary App Transfer, HTTP Numeric IP Address analyse: [.....1] [ip4][..tcp] [....10.9.25.101][49197] -> [..185.98.87.185][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.613| 0.094| 0.193|37090.865| 0.000] - [PKTLEN......: 54.000| 1514.000| 869.000| 664.600|441668.300| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.613| 0.094| 0.193| 37090.865| 2.700] + [PKTLEN......: 40.000| 1500.000| 855.000| 664.600| 441668.300| 4.400] [BINS(c->s)..: 10,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,17,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,0,1,1,0,1,1,0,1,1] [IATS(ms)....: 400.2,400.5,0.2,0.7,612.7,0.0,613.0,0.4,0.5,0.8,0.4,0.5,0.9,1.1,0.4,1.6,0.4,0.7,1.1,417.7,1.4,0.1,419.5,0.7,0.4,0.9,2.6,0.2,2.8,26.6,0.3] - [PKTLENS.....: 66,58,54,203,54,1514,1322,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418,1418,54,1418,1418,54,1418,1418,54,1418,1418] + [PKTLENS.....: 52,44,40,189,40,1500,1308,40,1404,1404,40,1404,1404,40,1404,1404,40,1404,1404,40,1404,1404,1404,40,1404,1404,40,1404,1404,40,1404,1404] + [ENTROPIES...: 4.6,4.9,4.7,5.5,4.6,3.4,0.3,4.8,0.3,4.6,4.8,4.5,3.4,4.7,3.3,3.5,4.7,4.1,5.3,4.7,5.5,4.6,5.0,4.7,4.4,2.7,4.7,6.3,4.4,4.7,4.0,2.8] end: [.....1] [ip4][..tcp] [....10.9.25.101][49197] -> [..185.98.87.185][...80] [HTTP][Web][Acceptable] RISK: Binary App Transfer, HTTP Numeric IP Address DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/facebook.pcap.out b/test/results/flow-info/facebook.pcap.out index 17db51e79..7497132a1 100644 --- a/test/results/flow-info/facebook.pcap.out +++ b/test/results/flow-info/facebook.pcap.out @@ -9,14 +9,15 @@ detected: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][SocialNetwork][Fun] detection-update: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][SocialNetwork][Fun] analyse: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.155| 0.037| 0.058| 3352.274| 0.000] - [PKTLEN......: 66.000| 1454.000| 569.100| 613.300|376153.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.155| 0.037| 0.058| 3352.274| 3.300] + [PKTLEN......: 52.000| 1440.000| 555.100| 613.300| 376153.100| 4.100] [BINS(c->s)..: 10,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,2,1,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0] [IATS(ms)....: 132.1,132.1,0.2,154.7,0.5,155.0,0.2,3.3,129.4,125.9,0.4,0.4,0.8,119.2,4.5,123.7,0.6,0.6,1.2,4.9,0.6,5.6,8.9,7.8,16.7,0.9,0.5,1.4,0.8,0.7,1.4] - [PKTLENS.....: 74,74,66,583,66,212,66,117,452,147,104,104,108,66,1454,445,66,1454,590,66,1454,1454,66,1454,1454,66,1454,1454,66,1454,1454,66] + [PKTLENS.....: 60,60,52,569,52,198,52,103,438,133,90,90,94,52,1440,431,52,1440,576,52,1440,1440,52,1440,1440,52,1440,1440,52,1440,1440,52] + [ENTROPIES...: 4.8,5.2,5.1,6.2,5.1,6.5,5.1,5.5,7.5,6.5,5.6,5.9,6.0,5.0,7.8,7.6,5.0,7.9,7.6,5.0,7.9,7.9,5.1,7.9,7.9,5.1,7.9,7.9,5.0,7.8,7.9,5.0] idle: [.....1] [ip4][..tcp] [..192.168.43.18][52066] -> [..66.220.156.68][..443] idle: [.....2] [ip4][..tcp] [..192.168.43.18][44614] -> [....31.13.86.36][..443] [TLS.Facebook][SocialNetwork][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/fastcgi.pcap.out b/test/results/flow-info/fastcgi.pcap.out index 729151ced..6f0c6320c 100644 --- a/test/results/flow-info/fastcgi.pcap.out +++ b/test/results/flow-info/fastcgi.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [.......10.0.0.9][38254] -> [......10.0.0.11][.9000] detected: [.....1] [ip4][..tcp] [.......10.0.0.9][38254] -> [......10.0.0.11][.9000] [FastCGI][Network][Safe] analyse: [.....1] [ip4][..tcp] [.......10.0.0.9][38254] -> [......10.0.0.11][.9000] [FastCGI][Network][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.020| 0.130| 0.496|246254.469| 0.000] - [PKTLEN......: 66.000| 1514.000| 553.200| 672.800|452637.900| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.020| 0.130| 0.496| 246254.469| 1.000] + [PKTLEN......: 52.000| 1500.000| 539.200| 672.800| 452637.900| 3.900] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,0,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 0.2,0.2,0.0,0.1,0.0,0.2,0.1,0.0,0.1,0.0,0.0,0.0,2019.9,2020.1,0.2,0.1,0.1,0.1,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.1,0.0,0.0,0.0] - [PKTLENS.....: 74,74,66,82,1121,74,66,74,74,66,66,66,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514,66,1514] + [PKTLENS.....: 60,60,52,68,1107,60,52,60,60,52,52,52,52,1500,52,1500,52,1500,52,1500,52,1500,52,1500,52,1500,52,1500,52,1500,52,1500] + [ENTROPIES...: 4.4,4.9,4.7,4.2,6.0,4.6,4.7,4.6,4.6,4.7,4.6,4.7,4.7,7.6,4.9,7.8,4.9,7.8,4.8,7.8,4.9,7.8,4.8,7.8,4.8,7.8,4.8,7.9,4.9,7.8,4.8,7.8] end: [.....1] [ip4][..tcp] [.......10.0.0.9][38254] -> [......10.0.0.11][.9000] [FastCGI][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/firefox.pcap.out b/test/results/flow-info/firefox.pcap.out index dc107dfe1..9d247d46f 100644 --- a/test/results/flow-info/firefox.pcap.out +++ b/test/results/flow-info/firefox.pcap.out @@ -6,14 +6,15 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.1.178][51577] -> [...146.48.58.18][..443] [TLS][Web][Safe] new: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] analyse: [.....1] [ip4][..tcp] [..192.168.1.178][51577] -> [...146.48.58.18][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.577| 0.067| 0.148|21926.652| 0.000] - [PKTLEN......: 66.000| 1506.000| 599.100| 633.000|400627.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.577| 0.067| 0.148| 21926.652| 2.800] + [PKTLEN......: 52.000| 1492.000| 585.100| 633.000| 400627.700| 4.100] [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,9,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,1,1] [IATS(ms)....: 26.7,26.8,1.3,27.3,5.8,0.0,31.8,0.5,0.5,211.0,0.3,236.0,0.0,1.3,0.0,26.1,0.0,575.4,1.2,576.6,0.3,0.1,0.3,0.1,0.1,0.2,1.4,145.8,171.4,2.9,1.4] - [PKTLENS.....: 78,74,66,583,66,1506,1506,66,772,66,146,452,66,66,369,369,66,66,1506,1506,66,1506,1506,66,1506,1485,66,66,431,66,1506,1506] + [PKTLENS.....: 64,60,52,569,52,1492,1492,52,758,52,132,438,52,52,355,355,52,52,1492,1492,52,1492,1492,52,1492,1471,52,52,417,52,1492,1492] + [ENTROPIES...: 4.4,5.3,5.0,5.2,5.2,7.8,7.9,5.0,7.7,5.1,6.3,7.4,5.1,5.0,7.3,7.4,5.0,5.0,7.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,5.0,5.0,7.4,5.1,7.8,7.9] new: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] detected: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Web][Safe] detected: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] [TLS][Web][Safe] @@ -23,59 +24,64 @@ new: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] new: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] analyse: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.231| 0.023| 0.053| 2771.897| 0.000] - [PKTLEN......: 66.000| 1506.000| 656.300| 649.700|422101.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.231| 0.023| 0.053| 2771.897| 3.000] + [PKTLEN......: 52.000| 1492.000| 642.300| 649.700| 422101.600| 4.200] [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,0,1,0,1,1,0,1,1,1,1,0] [IATS(ms)....: 34.4,34.5,3.3,32.3,1.5,30.5,4.2,18.6,31.6,0.0,8.9,18.5,3.0,0.1,21.6,203.5,231.0,1.0,0.2,0.0,28.7,0.2,0.2,0.9,0.1,1.0,0.1,0.4,0.0,0.0,0.5] - [PKTLENS.....: 78,74,66,746,66,326,66,146,416,66,369,66,66,1506,1042,66,447,66,1506,1506,1506,66,1506,66,1506,1506,66,1506,1506,1506,1506,66] + [PKTLENS.....: 64,60,52,732,52,312,52,132,402,52,355,52,52,1492,1028,52,433,52,1492,1492,1492,52,1492,52,1492,1492,52,1492,1492,1492,1492,52] + [ENTROPIES...: 4.5,5.2,5.0,7.2,5.1,7.0,5.0,6.3,7.3,5.0,7.4,5.0,5.1,7.9,7.8,5.0,7.5,5.0,7.9,7.9,7.9,5.0,7.9,5.0,7.9,7.9,5.0,7.9,7.9,7.9,7.9,5.0] detected: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Web][Safe] detected: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Web][Safe] detected: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.221| 0.023| 0.050| 2549.799| 0.000] - [PKTLEN......: 66.000| 1506.000| 622.900| 649.700|422127.900| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.221| 0.023| 0.050| 2549.799| 3.100] + [PKTLEN......: 52.000| 1492.000| 608.900| 649.700| 422127.900| 4.100] [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0] [IATS(ms)....: 27.4,27.4,16.2,42.1,1.2,27.2,10.1,34.7,0.0,24.7,195.8,221.4,1.8,27.4,3.4,28.7,1.1,0.2,26.6,1.0,0.1,1.1,0.1,0.1,0.2,0.1,0.1,0.3,0.3,0.2,0.5] - [PKTLENS.....: 78,74,66,746,66,326,66,146,66,369,66,433,66,1406,66,436,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66] + [PKTLENS.....: 64,60,52,732,52,312,52,132,52,355,52,419,52,1392,52,422,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52] + [ENTROPIES...: 4.5,5.1,5.0,7.2,5.0,6.9,5.0,6.3,5.0,7.4,5.0,7.4,5.0,7.9,4.9,7.4,5.0,7.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,5.0] detection-update: [.....3] [ip4][..tcp] [..192.168.1.178][51588] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.030| 0.007| 0.010| 104.605| 0.000] - [PKTLEN......: 66.000| 1506.000| 614.500| 660.200|435829.600| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.030| 0.007| 0.010| 104.605| 3.700] + [PKTLEN......: 52.000| 1492.000| 600.500| 660.200| 435829.600| 4.100] [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,0,1] [IATS(ms)....: 26.8,26.8,3.3,29.2,2.4,28.4,2.9,12.8,29.6,0.0,13.9,11.4,1.7,0.1,13.2,0.1,0.3,1.0,0.8,0.1,0.2,0.1,0.1,0.2,0.1,0.3,0.1,0.3,12.0,12.2,0.1] - [PKTLENS.....: 78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,66,1506,1506,66,1506] + [PKTLENS.....: 64,60,52,732,52,312,52,132,422,52,355,52,52,1492,1492,52,1492,52,1492,52,1492,52,1492,52,1492,1492,52,52,1492,1492,52,1492] + [ENTROPIES...: 4.4,5.2,5.0,7.2,5.0,7.0,5.0,6.3,7.4,5.1,7.3,5.0,5.0,7.9,7.9,5.0,7.9,4.9,7.9,5.1,7.8,4.9,7.9,5.0,7.9,7.9,5.0,4.9,7.9,7.9,5.0,7.9] detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][51600] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.046| 0.009| 0.012| 154.305| 0.000] - [PKTLEN......: 66.000| 1506.000| 592.400| 641.500|411570.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.046| 0.009| 0.012| 154.305| 3.600] + [PKTLEN......: 52.000| 1492.000| 578.400| 641.500| 411570.000| 4.100] [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0] [IATS(ms)....: 28.1,28.2,5.5,31.7,1.1,27.2,20.3,4.0,45.6,1.3,22.6,2.8,3.1,0.1,6.1,0.1,0.2,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.2,0.4,0.3,1.5,18.6,0.0,17.4] - [PKTLENS.....: 78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,1506,1506,66,1506,66,1506,799,66] + [PKTLENS.....: 64,60,52,732,52,312,52,132,422,52,355,52,52,1492,1492,52,1492,52,1492,52,1492,52,1492,52,1492,1492,52,1492,52,1492,785,52] + [ENTROPIES...: 4.4,5.2,5.0,7.2,5.1,7.0,5.0,6.2,7.5,5.0,7.4,5.0,5.1,7.8,7.9,5.0,7.9,4.9,7.9,5.1,7.8,4.9,7.9,5.1,7.9,7.9,5.0,7.9,4.9,7.9,7.7,5.0] detection-update: [.....4] [ip4][..tcp] [..192.168.1.178][51599] -> [...146.48.58.18][..443] [TLS][Web][Safe] analyse: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.037| 0.010| 0.013| 180.101| 0.000] - [PKTLEN......: 66.000| 1506.000| 547.200| 619.500|383804.700| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.037| 0.010| 0.013| 180.101| 3.600] + [PKTLEN......: 52.000| 1492.000| 533.200| 619.500| 383804.700| 4.000] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,0,1] [IATS(ms)....: 28.6,28.7,7.7,37.4,1.5,31.1,2.2,13.0,31.0,0.1,15.9,15.4,0.5,0.1,16.0,0.3,0.4,0.6,0.1,0.2,0.0,0.4,0.0,0.2,0.5,36.5,0.1,0.1,36.1,0.2,0.4] - [PKTLENS.....: 78,74,66,746,66,326,66,146,436,66,369,66,66,1506,1506,66,1506,1506,66,1506,1506,412,66,66,66,445,66,1506,1506,66,66,1506] + [PKTLENS.....: 64,60,52,732,52,312,52,132,422,52,355,52,52,1492,1492,52,1492,1492,52,1492,1492,398,52,52,52,431,52,1492,1492,52,52,1492] + [ENTROPIES...: 4.5,5.2,5.0,7.2,5.1,7.0,5.0,6.2,7.6,5.1,7.4,5.0,5.1,7.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,7.4,5.0,4.9,4.9,7.4,5.0,7.9,7.9,5.0,4.9,7.9] detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][51601] -> [...146.48.58.18][..443] [TLS][Web][Safe] idle: [.....1] [ip4][..tcp] [..192.168.1.178][51577] -> [...146.48.58.18][..443] [TLS][Web][Safe] idle: [.....2] [ip4][..tcp] [..192.168.1.178][51583] -> [...146.48.58.18][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/fix.pcap.out b/test/results/flow-info/fix.pcap.out index 3eeb4311b..4144f8821 100644 --- a/test/results/flow-info/fix.pcap.out +++ b/test/results/flow-info/fix.pcap.out @@ -14,38 +14,41 @@ new: [.....6] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][47962] [MIDSTREAM] detected: [.....6] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][47962] [FIX][RPC][Safe] analyse: [.....3] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][45578] [FIX][RPC][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.315| 0.065| 0.068| 4636.039| 0.000] - [PKTLEN......: 54.000| 511.000| 107.100| 87.500| 7658.200| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.315| 0.065| 0.068| 4636.039| 4.400] + [PKTLEN......: 40.000| 497.000| 93.100| 87.500| 7658.200| 4.600] [BINS(c->s)..: 4,6,1,1,1,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 0.2,0.2,52.4,3.6,94.0,87.6,49.4,50.7,50.7,52.8,52.9,49.7,49.6,49.7,49.7,49.5,49.4,49.8,49.8,50.0,50.0,49.9,49.9,49.6,49.6,49.8,49.8,50.2,50.2,314.9,315.0] - [PKTLENS.....: 93,60,140,169,54,60,511,60,230,60,233,60,143,60,110,60,185,60,112,60,81,60,106,60,81,60,89,60,108,60,81,60] + [PKTLENS.....: 79,46,126,155,40,46,497,46,216,46,219,46,129,46,96,46,171,46,98,46,67,46,92,46,67,46,75,46,94,46,67,46] + [ENTROPIES...: 5.2,4.4,6.4,5.1,4.8,4.5,5.2,4.4,5.0,4.5,5.2,4.4,5.1,4.5,5.1,4.5,5.1,4.4,5.1,4.3,5.1,4.5,5.0,4.4,5.1,4.4,5.2,4.5,4.9,4.5,5.1,4.4] new: [.....7] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38652] [MIDSTREAM] detected: [.....7] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38652] [FIX][RPC][Safe] new: [.....8] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40918] [MIDSTREAM] detected: [.....8] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40918] [FIX][RPC][Safe] analyse: [.....2] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][47968] [FIX][RPC][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.300| 0.091| 0.084| 7079.807| 0.000] - [PKTLEN......: 66.000| 153.000| 86.000| 23.600| 558.300| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.300| 0.091| 0.084| 7079.807| 4.200] + [PKTLEN......: 52.000| 139.000| 72.000| 23.600| 558.300| 4.900] [BINS(c->s)..: 6,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 0.1,100.1,0.1,100.2,0.1,100.0,0.1,100.1,0.0,99.9,100.0,100.2,100.2,100.8,100.8,300.2,0.0,300.2,0.0,0.2,17.9,82.4,142.0,200.5,158.5,100.0,99.9,0.4,0.4,200.2,200.3] - [PKTLENS.....: 96,66,101,92,66,66,101,100,66,66,92,66,135,66,91,66,105,135,66,66,153,66,105,66,101,66,101,66,90,66,98,66] + [PKTLENS.....: 82,52,87,78,52,52,87,86,52,52,78,52,121,52,77,52,91,121,52,52,139,52,91,52,87,52,87,52,76,52,84,52] + [ENTROPIES...: 5.4,5.2,5.4,5.4,5.1,5.2,5.4,5.4,5.1,5.2,5.3,5.1,5.6,5.2,5.5,5.2,5.4,5.2,5.1,5.1,6.5,5.1,5.5,5.2,5.5,5.2,5.2,5.2,5.2,5.2,5.4,5.1] new: [.....9] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38646] [MIDSTREAM] detected: [.....9] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][38646] [FIX][RPC][Safe] analyse: [.....1] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][43594] [FIX][RPC][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.291| 0.178| 0.113|12753.578| 0.000] - [PKTLEN......: 66.000| 254.000| 109.700| 52.000| 2700.500| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.291| 0.178| 0.113| 12753.578| 4.500] + [PKTLEN......: 52.000| 240.000| 95.700| 52.000| 2700.500| 4.800] [BINS(c->s)..: 2,4,3,5,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1] [IATS(ms)....: 0.2,0.3,0.3,250.6,0.1,250.6,0.0,0.2,18.2,232.1,291.3,250.1,209.0,250.7,250.7,250.6,250.6,250.7,250.7,250.7,250.7,250.6,0.0,250.7,0.0,251.5,251.5,249.7,249.8,250.3,250.3] - [PKTLENS.....: 152,66,91,66,105,152,66,66,151,66,169,66,169,66,186,66,169,66,169,66,118,66,254,113,66,66,135,66,203,66,118,66] + [PKTLENS.....: 138,52,77,52,91,138,52,52,137,52,155,52,155,52,172,52,155,52,155,52,104,52,240,99,52,52,121,52,189,52,104,52] + [ENTROPIES...: 5.5,5.2,5.3,5.1,5.4,5.4,5.2,5.1,6.4,5.1,5.4,5.2,5.5,5.2,5.6,5.2,5.4,5.2,5.5,5.2,5.4,5.2,5.6,5.6,5.2,5.2,5.5,5.2,5.4,5.2,5.5,5.2] new: [....10] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][39094] [MIDSTREAM] detected: [....10] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][39094] [FIX][RPC][Safe] new: [....11] [ip4][..tcp] [..217.192.86.32][.4000] -> [...192.168.0.20][53330] [MIDSTREAM] @@ -53,23 +56,25 @@ new: [....12] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40928] [MIDSTREAM] detected: [....12] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40928] [FIX][RPC][Safe] analyse: [.....5] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][45584] [FIX][RPC][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 5.507| 0.699| 1.281|1640706.605| 0.000] - [PKTLEN......: 54.000| 141.000| 77.600| 21.900| 481.200| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 5.507| 0.699| 1.281| 1640706.605| 3.700] + [PKTLEN......: 40.000| 127.000| 63.600| 21.900| 481.200| 4.900] [BINS(c->s)..: 2,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1] [IATS(ms)....: 0.2,500.7,500.7,200.4,200.5,0.2,89.7,210.7,340.3,500.7,460.5,5507.3,5507.3,601.0,601.0,400.4,400.5,701.0,701.0,400.4,400.4,600.6,600.6,400.8,400.8,600.8,600.8,0.2,54.3,45.7,140.3] - [PKTLENS.....: 89,60,89,60,93,60,141,54,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,89,60,93,60,140,54,89,60] + [PKTLENS.....: 75,46,75,46,79,46,127,40,75,46,75,46,75,46,75,46,75,46,75,46,75,46,75,46,75,46,79,46,126,40,75,46] + [ENTROPIES...: 4.9,4.4,5.2,4.4,5.2,4.5,6.5,4.7,5.0,4.5,5.2,4.5,5.2,4.5,5.0,4.5,5.1,4.5,5.2,4.5,5.2,4.5,5.2,4.5,5.0,4.5,5.2,4.5,6.4,4.7,5.0,4.5] analyse: [.....8] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40918] [FIX][RPC][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.175| 1.332| 1.132|1282462.056| 0.000] - [PKTLEN......: 66.000| 151.000| 91.700| 28.500| 811.200| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.175| 1.332| 1.132| 1282462.056| 4.400] + [PKTLEN......: 52.000| 137.000| 77.700| 28.500| 811.200| 4.900] [BINS(c->s)..: 2,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1] [IATS(ms)....: 0.1,1093.3,1093.4,599.0,599.0,1546.1,1546.1,0.2,22.8,2072.7,2137.8,913.3,870.7,442.0,442.0,3366.1,3366.1,1195.4,1195.4,437.7,437.7,1550.2,1550.2,0.2,22.4,1711.4,1774.3,1498.2,1457.5,4175.1,4175.0] - [PKTLENS.....: 105,66,126,66,105,66,105,66,151,66,105,66,105,66,126,66,105,66,126,66,105,66,105,66,151,66,105,66,147,66,105,66] + [PKTLENS.....: 91,52,112,52,91,52,91,52,137,52,91,52,91,52,112,52,91,52,112,52,91,52,91,52,137,52,91,52,133,52,91,52] + [ENTROPIES...: 5.6,5.1,5.5,5.1,5.5,5.1,5.4,5.1,6.3,5.1,5.4,5.2,5.5,5.2,5.4,5.2,5.4,5.1,5.6,5.2,5.4,5.2,5.4,5.1,6.5,5.2,5.5,5.1,5.5,5.2,5.5,5.2] idle: [.....3] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][45578] [FIX][RPC][Safe] idle: [.....5] [ip4][..tcp] [..208.245.107.3][.4000] -> [...192.168.0.20][45584] [FIX][RPC][Safe] idle: [.....8] [ip4][..tcp] [.....8.17.22.31][.4000] -> [...192.168.0.20][40918] [FIX][RPC][Safe] diff --git a/test/results/flow-info/fix2.pcap.out b/test/results/flow-info/fix2.pcap.out index c3a494883..d26daac5e 100644 --- a/test/results/flow-info/fix2.pcap.out +++ b/test/results/flow-info/fix2.pcap.out @@ -6,23 +6,25 @@ detected: [.....1] [ip4][..tcp] [.....10.101.0.2][34962] -> [.....10.102.0.2][.1024] [FIX][RPC][Safe] detected: [.....2] [ip4][..tcp] [.....10.101.0.2][34963] -> [.....10.102.0.9][.1024] [FIX][RPC][Safe] analyse: [.....1] [ip4][..tcp] [.....10.101.0.2][34962] -> [.....10.102.0.2][.1024] [FIX][RPC][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.001| 0.000| 0.000| 0.026| 0.000] - [PKTLEN......: 60.000| 174.000| 106.600| 46.700| 2179.900| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.001| 0.000| 0.000| 0.026| 3.100] + [PKTLEN......: 46.000| 160.000| 92.600| 46.700| 2179.900| 4.800] [BINS(c->s)..: 7,0,4,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,0,3,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,1,0,1,0,1,1,1,0,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1] [IATS(ms)....: 0.6,0.7,0.0,0.1,0.1,0.0,0.0,0.0,0.2,0.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0] - [PKTLENS.....: 62,62,60,139,62,60,147,144,60,152,144,152,146,60,60,147,60,60,60,152,60,174,157,174,60,60,60,60,157,147,160,152] + [PKTLENS.....: 48,48,46,125,48,46,133,130,46,138,130,138,132,46,46,133,46,46,46,138,46,160,143,160,46,46,46,46,143,133,146,138] + [ENTROPIES...: 3.9,4.5,3.8,5.1,4.5,3.8,5.2,5.3,4.0,5.4,5.3,5.4,5.2,4.0,4.0,5.2,3.8,4.0,3.8,5.4,3.8,5.3,5.3,5.3,3.8,4.0,4.0,4.0,5.3,5.2,5.4,5.4] analyse: [.....2] [ip4][..tcp] [.....10.101.0.2][34963] -> [.....10.102.0.9][.1024] [FIX][RPC][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.001| 0.000| 0.000| 0.020| 0.000] - [PKTLEN......: 60.000| 174.000| 106.000| 46.100| 2122.500| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.001| 0.000| 0.000| 0.020| 3.300] + [PKTLEN......: 46.000| 160.000| 92.000| 46.100| 2122.500| 4.800] [BINS(c->s)..: 6,0,5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,0,3,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,1,1,1,0,1,1,0,1,0,1,0,1,0,1,1,1,0,1,0,1,1,0] [IATS(ms)....: 0.6,0.6,0.0,0.1,0.1,0.1,0.0,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0] - [PKTLENS.....: 62,62,60,139,147,144,152,62,60,144,60,60,152,146,60,147,60,152,60,174,157,147,160,60,60,60,160,162,144,60,60,60] + [PKTLENS.....: 48,48,46,125,133,130,138,48,46,130,46,46,138,132,46,133,46,138,46,160,143,133,146,46,46,46,146,148,130,46,46,46] + [ENTROPIES...: 3.9,4.5,3.8,5.1,5.2,5.3,5.4,4.5,3.8,5.3,4.0,4.0,5.4,5.2,4.1,5.2,3.8,5.4,3.8,5.3,5.3,5.2,5.4,4.1,4.1,4.1,5.4,5.5,5.3,4.1,4.1,3.8] end: [.....1] [ip4][..tcp] [.....10.101.0.2][34962] -> [.....10.102.0.2][.1024] [FIX][RPC][Safe] end: [.....2] [ip4][..tcp] [.....10.101.0.2][34963] -> [.....10.102.0.9][.1024] [FIX][RPC][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/forticlient.pcap.out b/test/results/flow-info/forticlient.pcap.out index 6fedb2121..d0dce6def 100644 --- a/test/results/flow-info/forticlient.pcap.out +++ b/test/results/flow-info/forticlient.pcap.out @@ -37,14 +37,15 @@ detection-update: [.....5] [ip4][..tcp] [..192.168.1.178][61820] -> [....82.81.46.13][10443] [TLS.FortiClient][VPN][Safe] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS analyse: [.....5] [ip4][..tcp] [..192.168.1.178][61820] -> [....82.81.46.13][10443] [TLS.FortiClient][VPN][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.495| 0.071| 0.112|12454.003| 0.000] - [PKTLEN......: 66.000| 1506.000| 267.000| 343.000|117623.000| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.495| 0.071| 0.112| 12454.003| 3.700] + [PKTLEN......: 52.000| 1492.000| 253.000| 343.000| 117623.000| 4.100] [BINS(c->s)..: 9,4,1,0,1,0,0,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,0,0,0,1,0,0,1,1] [IATS(ms)....: 62.6,62.7,2.3,64.5,19.9,1.9,84.0,11.2,85.3,74.2,429.6,495.0,65.4,84.5,160.2,75.7,71.6,6.3,142.9,0.6,65.6,0.3,0.2,2.9,4.0,0.0,64.2,57.2,0.4,4.0,0.1] - [PKTLENS.....: 78,74,66,379,66,1506,1047,66,224,308,66,596,841,66,362,937,66,357,113,66,113,66,113,66,113,131,117,113,66,113,125,125] + [PKTLENS.....: 64,60,52,365,52,1492,1033,52,210,294,52,582,827,52,348,923,52,343,99,52,99,52,99,52,99,117,103,99,52,99,111,111] + [ENTROPIES...: 4.4,5.3,5.0,6.1,5.2,7.1,7.7,5.1,6.7,7.2,5.0,7.6,7.7,5.1,7.4,7.8,5.1,7.4,6.0,5.2,6.1,5.2,6.1,5.1,6.0,6.2,6.0,6.2,5.1,6.1,6.2,6.3] end: [.....1] [ip4][..tcp] [..192.168.1.178][61805] -> [....82.81.46.13][10443] end: [.....2] [ip4][..tcp] [..192.168.1.178][61806] -> [....82.81.46.13][10443] end: [.....3] [ip4][..tcp] [..192.168.1.178][61811] -> [....82.81.46.13][10443] diff --git a/test/results/flow-info/ftp-start-tls.pcap.out b/test/results/flow-info/ftp-start-tls.pcap.out index 6af809aac..449d4a530 100644 --- a/test/results/flow-info/ftp-start-tls.pcap.out +++ b/test/results/flow-info/ftp-start-tls.pcap.out @@ -11,14 +11,15 @@ detection-update: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] [FTPS][Download][Unsafe] RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Unsafe Protocol, Missing SNI TLS Extn analyse: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.040| 0.005| 0.010| 91.331| 0.000] - [PKTLEN......: 60.000| 566.000| 174.900| 164.200|26956.400| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.040| 0.005| 0.010| 91.331| 3.200] + [PKTLEN......: 46.000| 552.000| 160.900| 164.200| 26956.400| 4.400] [BINS(c->s)..: 4,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,7,0,0,0,2,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,1,1,0,1,1,1,1,0,1,1,1,1,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1] [IATS(ms)....: 0.4,0.1,1.3,15.0,0.1,17.8,3.9,0.1,0.8,0.0,4.3,3.3,0.1,1.0,0.0,0.0,0.0,0.1,0.0,2.6,8.5,40.4,0.1,34.7,4.5,0.7,2.2,1.8,0.3,2.7,2.2] - [PKTLENS.....: 60,60,60,60,127,127,64,60,60,85,85,204,60,60,566,566,269,566,566,269,60,384,105,105,91,136,136,91,136,136,99,144] + [PKTLENS.....: 46,46,46,46,113,113,50,46,46,71,71,190,46,46,552,552,255,552,552,255,46,370,91,91,77,122,122,77,122,122,85,130] + [ENTROPIES...: 4.2,4.8,4.8,4.4,5.4,5.4,5.0,4.3,4.3,5.3,5.3,5.2,4.4,4.4,6.8,7.2,7.0,6.8,7.2,7.0,4.5,7.2,5.9,5.9,5.7,6.2,6.2,5.8,6.3,6.3,6.0,6.3] detection-update: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] [FTPS][Download][Unsafe] RISK: Weak TLS Cipher, TLS (probably) Not Carrying HTTPS, Unsafe Protocol, Missing SNI TLS Extn idle: [.....1] [ip4][..tcp] [...10.238.26.36][62092] -> [...10.220.50.76][...21] [FTPS][Download][Unsafe] diff --git a/test/results/flow-info/ftp.pcap.out b/test/results/flow-info/ftp.pcap.out index fdd9717dc..b9d7b0b48 100644 --- a/test/results/flow-info/ftp.pcap.out +++ b/test/results/flow-info/ftp.pcap.out @@ -5,27 +5,29 @@ detected: [.....1] [ip4][..tcp] [..192.168.1.212][50694] -> [...90.130.70.73][...21] [FTP_CONTROL][Download][Unsafe] RISK: Unsafe Protocol analyse: [.....1] [ip4][..tcp] [..192.168.1.212][50694] -> [...90.130.70.73][...21] [FTP_CONTROL][Download][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.090| 0.019| 0.021| 426.190| 0.000] - [PKTLEN......: 66.000| 307.000| 85.900| 42.700| 1824.000| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.090| 0.019| 0.021| 426.190| 4.100] + [PKTLEN......: 52.000| 293.000| 71.900| 42.700| 1824.000| 4.800] [BINS(c->s)..: 18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1] [IATS(ms)....: 27.4,27.5,29.0,29.0,0.5,27.7,0.3,27.4,0.2,69.1,21.2,90.0,0.3,27.1,0.0,26.8,0.1,27.0,0.1,26.9,0.0,0.3,27.5,27.3,0.1,0.0,0.7,27.1,26.5,0.1,26.8] - [PKTLENS.....: 78,74,66,86,66,82,66,100,66,79,66,89,66,71,66,100,66,72,81,131,66,66,77,110,66,307,66,96,88,66,71,100] + [PKTLENS.....: 64,60,52,72,52,68,52,86,52,65,52,75,52,57,52,86,52,58,67,117,52,52,63,96,52,293,52,82,74,52,57,86] + [ENTROPIES...: 4.2,5.3,4.9,5.6,4.9,5.4,5.2,5.7,4.9,5.2,5.1,5.7,4.9,5.0,5.0,5.6,4.8,5.0,5.5,5.3,4.9,4.9,5.2,5.7,4.9,5.0,4.9,5.6,5.6,4.9,5.1,5.7] new: [.....2] [ip4][..tcp] [..192.168.1.212][50695] -> [...90.130.70.73][25685] detected: [.....2] [ip4][..tcp] [..192.168.1.212][50695] -> [...90.130.70.73][25685] [FTP_DATA][Download][Acceptable] RISK: Known Proto on Non Std Port new: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] analyse: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.030| 0.006| 0.011| 123.407| 0.000] - [PKTLEN......: 66.000| 1506.000| 832.000| 717.500|514855.000| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.030| 0.006| 0.011| 123.407| 3.100] + [PKTLEN......: 52.000| 1492.000| 818.000| 717.500| 514855.000| 4.300] [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,1,1,1,0,1,0,1,1] [IATS(ms)....: 28.8,28.8,29.6,29.6,0.3,0.3,0.6,0.6,0.3,0.5,0.8,0.4,0.4,0.1,0.3,0.0,0.4,0.0,0.3,27.5,27.8,0.2,0.2,1.7,0.1,0.0,1.8,1.9,1.9,0.2,1.8] - [PKTLENS.....: 78,74,66,1506,78,1506,66,1506,66,1506,1506,66,1506,66,1506,1506,1506,66,66,1506,1506,66,1506,66,1506,1506,66,66,1506,66,1506,1506] + [PKTLENS.....: 64,60,52,1492,64,1492,52,1492,52,1492,1492,52,1492,52,1492,1492,1492,52,52,1492,1492,52,1492,52,1492,1492,52,52,1492,52,1492,1492] + [ENTROPIES...: 4.3,5.3,4.9,0.4,5.0,0.4,5.0,0.4,4.8,0.4,0.4,4.9,0.4,4.8,0.4,0.4,0.4,4.9,4.8,0.4,0.4,4.9,0.4,4.8,0.4,0.4,5.2,5.0,0.4,4.8,0.4,0.4] not-detected: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] [Unknown][Unrated] end: [.....3] [ip4][..tcp] [..192.168.1.212][50696] -> [...90.130.70.73][24523] [Unknown][Unrated] end: [.....1] [ip4][..tcp] [..192.168.1.212][50694] -> [...90.130.70.73][...21] [FTP_CONTROL][Download][Unsafe] diff --git a/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out b/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out index 94591c2d0..75820a1b4 100644 --- a/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out +++ b/test/results/flow-info/fuzz-2006-06-26-2594.pcap.out @@ -519,14 +519,15 @@ detection-update: [...111] [ip4][..udp] [....192.168.1.2][.2757] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] RISK: Malformed Packet analyse: [.....1] [ip4][..udp] [....192.168.1.2][..137] -> [..192.168.1.255][..137] [NetBIOS][System][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.742| 47.495| 20.018| 22.628|512023754.441| 0.000] - [PKTLEN......: 92.000| 92.000| 92.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.742| 47.495| 20.018| 22.628| 512023754.441| 3.900] + [PKTLEN......: 78.000| 78.000| 78.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 746.3,47494.7,744.6,751.1,46512.3,745.7,46548.5,1500.6,45837.6,749.4,751.1,46756.5,741.8,751.1,45988.0,749.2,47479.8,47268.1,749.4,47258.0,751.1,46297.9,749.8,46628.0,750.2,751.1,45907.7,749.4,751.1,46347.7,750.0] - [PKTLENS.....: 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92] + [PKTLENS.....: 78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78] + [ENTROPIES...: 4.3,4.2,4.2,4.3,4.2,4.2,4.2,4.3,4.3,4.3,4.3,4.3,4.3,4.2,4.2,4.2,4.3,4.2,4.2,4.3,4.2,4.2,4.2,4.3,4.2,4.2,4.3,4.3,4.3,4.3,4.2,3.2] idle: [....76] [ip4][..udp] [..192.168.130.1][...53] -> [....192.168.1.2][.2741] [DNS][Network][Acceptable] idle: [....75] [ip4][..udp] [....192.168.1.2][.2741] -> [....192.168.1.1][...53] update: [....58] [ip4][..120] [....192.168.1.2] -> [..212.242.33.35] @@ -961,14 +962,15 @@ detected: [...165] [ip4][..udp] [....192.168.1.2][.2788] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] new: [...166] [ip4][....0] [....192.168.1.1] -> [....192.168.1.2] analyse: [....12] [ip4][..udp] [..212.242.33.35][.5060] -> [....192.168.1.2][.5060] [SIP][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.026| 279.042| 51.474| 59.389|3527099352.613| 0.000] - [PKTLEN......: 47.000| 1118.000| 381.000| 296.200|87757.200| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.026| 279.042| 51.474| 59.389| 3527099352.613| 4.200] + [PKTLEN......: 33.000| 1104.000| 367.000| 296.200| 87757.200| 4.400] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,0,0,0,2,0,0,1,1,0,0,0,0,0,0,4,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1] [IATS(ms)....: 17474.8,107207.5,89874.9,17280.7,167478.6,167525.2,17335.8,73902.7,91241.1,17333.2,25.9,17725.0,29031.8,29092.7,68237.2,29272.4,29031.8,29031.6,29031.5,18604.5,279041.8,227.1,15287.5,17115.0,32679.4,257.3,76383.1,29031.1,58063.5,24495.5,17375.1] - [PKTLENS.....: 528,388,509,528,722,528,722,533,528,722,348,512,47,47,47,47,47,47,47,47,867,635,382,47,1118,487,377,47,47,47,480,715] + [PKTLENS.....: 514,374,495,514,708,514,708,519,514,708,334,498,33,33,33,33,33,33,33,33,853,621,368,33,1104,473,363,33,33,33,466,701] + [ENTROPIES...: 5.8,5.8,5.8,5.8,5.8,1.5,3.4,2.9,5.8,4.1,5.8,3.2,4.1,4.1,4.1,4.1,4.1,4.1,4.1,4.1,5.8,5.8,5.7,4.1,1.5,5.8,4.6,4.1,4.0,4.1,3.3,2.3] ERROR-EVENT: Unknown packet type ERROR-EVENT: nDPI IPv4/L4 payload detection failed new: [...167] [ip4][..udp] [....192.168.1.2][.2789] -> [....192.168.1.1][...53] diff --git a/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out b/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out index c71604825..f00b6bd2e 100644 --- a/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out +++ b/test/results/flow-info/fuzz-2020-02-16-11740.pcap.out @@ -69,14 +69,15 @@ ERROR-EVENT: nDPI IPv4/L4 payload detection failed idle: [.....5] [ip4][..udp] [....10.12.64.30][29200] -> [..198.226.25.53][.1813] [Radius][Network][Acceptable] analyse: [.....3] [ip4][..udp] [....10.12.64.30][29200] -> [..198.226.25.53][.1812] [Radius][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.155| 612.411| 61.128| 140.850|19838793242.640| 0.000] - [PKTLEN......: 179.000| 745.000| 506.200| 248.200|61618.100| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.155| 612.411| 61.128| 140.850|19838793242.640| 2.700] + [PKTLEN......: 165.000| 731.000| 492.200| 248.200| 61618.100| 4.800] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,4,3,5,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,1,1,0,1,0,1,0,1,0,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,1,0,1,0,0] [IATS(ms)....: 155.2,452627.7,595.4,114837.3,612411.2,44261.5,205.2,4046.5,4037.8,201.9,4553.2,187.1,43562.4,202.6,48502.1,3244.5,3442.4,3335.8,3536.4,209.1,201.4,255983.2,256164.3,599.6,6263.0,492.5,7309.6,8000.5,8015.3,522.3,7260.9] - [PKTLENS.....: 697,257,239,318,239,745,179,697,179,697,206,745,697,745,697,206,179,697,745,179,697,206,745,239,725,745,725,318,745,239,725,745] + [PKTLENS.....: 683,243,225,304,225,731,165,683,165,683,192,731,683,731,683,192,165,683,731,165,683,192,731,225,711,731,711,304,731,225,711,731] + [ENTROPIES...: 6.0,2.8,6.3,6.9,6.4,5.6,6.0,6.1,6.0,0.9,6.1,6.0,6.1,2.9,4.1,6.1,6.0,6.0,6.1,6.0,5.0,6.1,6.1,6.4,6.0,6.1,5.5,6.8,6.1,6.5,5.8,4.2] ERROR-EVENT: Unknown L3 protocol new: [....13] [ip4][..udp] [..198.162.25.53][.1810] -> [....10.12.64.30][29200] ERROR-EVENT: Unknown packet type diff --git a/test/results/flow-info/git.pcap.out b/test/results/flow-info/git.pcap.out index 92368f3c6..fcfa3f212 100644 --- a/test/results/flow-info/git.pcap.out +++ b/test/results/flow-info/git.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [...192.168.0.77][47991] -> [...5.153.231.21][.9418] detected: [.....1] [ip4][..tcp] [...192.168.0.77][47991] -> [...5.153.231.21][.9418] [Git][Collaborative][Safe] analyse: [.....1] [ip4][..tcp] [...192.168.0.77][47991] -> [...5.153.231.21][.9418] [Git][Collaborative][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.100| 0.025| 0.029| 818.762| 0.000] - [PKTLEN......: 66.000| 2946.000| 704.900| 773.900|598945.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.100| 0.025| 0.029| 818.762| 3.800] + [PKTLEN......: 52.000| 2932.000| 690.900| 773.900| 598945.800| 4.100] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,1,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1] [IATS(ms)....: 57.9,58.0,0.1,56.1,43.8,99.9,54.7,54.7,0.5,49.5,48.9,45.5,0.0,17.8,63.4,1.8,0.2,2.0,0.9,0.2,1.1,0.2,0.2,0.7,0.4,1.1,50.6,0.2,50.8,0.5,0.7] - [PKTLENS.....: 74,74,66,135,66,267,66,962,66,593,66,75,66,74,1506,66,1506,1506,66,1506,1506,66,2946,66,1506,1506,66,1506,1506,66,1506,1506] + [PKTLENS.....: 60,60,52,121,52,253,52,948,52,579,52,61,52,60,1492,52,1492,1492,52,1492,1492,52,2932,52,1492,1492,52,1492,1492,52,1492,1492] + [ENTROPIES...: 4.7,5.3,5.1,5.6,5.2,5.7,5.1,5.0,5.2,5.0,5.2,5.3,5.2,5.4,4.9,5.2,6.3,7.8,5.2,7.9,7.9,5.2,7.9,5.0,7.9,7.9,5.2,7.9,7.8,5.1,7.8,7.8] end: [.....1] [ip4][..tcp] [...192.168.0.77][47991] -> [...5.153.231.21][.9418] [Git][Collaborative][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/gnutella.pcap.out b/test/results/flow-info/gnutella.pcap.out index 46a647992..b3f592cc9 100644 --- a/test/results/flow-info/gnutella.pcap.out +++ b/test/results/flow-info/gnutella.pcap.out @@ -575,32 +575,35 @@ detected: [...327] [ip4][..udp] [......10.0.2.15][28681] -> [...84.28.53.225][44859] [Gnutella][Download][Potentially Dangerous] RISK: Unsafe Protocol analyse: [...239] [ip4][..tcp] [......10.0.2.15][50285] -> [..75.133.101.93][52367] [Gnutella][Download][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 8.796| 0.767| 2.113|4465727.373| 0.000] - [PKTLEN......: 54.000| 1514.000| 423.200| 491.700|241767.600| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 8.796| 0.767| 2.113| 4465727.373| 2.600] + [PKTLEN......: 40.000| 1500.000| 409.200| 491.700| 241767.600| 4.100] [BINS(c->s)..: 9,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1] [IATS(ms)....: 111.8,112.0,0.2,0.6,122.2,123.8,1.7,510.2,510.3,125.4,7.0,133.1,508.5,509.1,643.4,701.9,8737.9,8796.5,643.9,0.1,644.7,118.6,3.0,121.6,121.6,0.1,121.5,120.9,0.1,121.0,117.5] - [PKTLENS.....: 66,58,54,653,54,666,104,54,367,54,196,437,54,82,54,463,54,100,54,1514,1066,54,654,1502,54,1514,642,54,1514,642,54,654] + [PKTLENS.....: 52,44,40,639,40,652,90,40,353,40,182,423,40,68,40,449,40,86,40,1500,1052,40,640,1488,40,1500,628,40,1500,628,40,640] + [ENTROPIES...: 4.6,4.8,4.7,5.8,4.6,5.7,5.6,4.7,7.1,4.6,6.7,7.4,4.7,5.3,4.6,7.4,4.8,5.6,4.6,7.8,7.8,4.7,7.6,7.9,4.7,7.9,7.6,4.7,7.9,7.6,4.7,7.7] analyse: [...238] [ip4][..tcp] [......10.0.2.15][50284] -> [.104.156.226.72][53258] [Gnutella][Download][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 8.218| 0.797| 1.971|3884024.594| 0.000] - [PKTLEN......: 54.000| 1078.000| 296.600| 381.800|145784.600| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 8.218| 0.797| 1.971| 3884024.594| 2.900] + [PKTLEN......: 40.000| 1064.000| 282.600| 381.800| 145784.600| 3.900] [BINS(c->s)..: 12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1] [IATS(ms)....: 128.3,128.7,0.4,0.9,178.6,178.8,0.0,501.2,501.5,98.4,140.7,469.4,511.6,1191.0,1233.5,8175.8,8218.5,772.3,828.1,95.7,89.5,96.9,110.1,405.4,409.6,95.4,89.1,2.8,63.4,0.6,0.6] - [PKTLENS.....: 66,58,54,654,54,682,104,54,367,54,588,54,82,54,456,54,100,54,1078,54,1078,54,1078,54,1078,54,1078,54,69,54,64,54] + [PKTLENS.....: 52,44,40,640,40,668,90,40,353,40,574,40,68,40,442,40,86,40,1064,40,1064,40,1064,40,1064,40,1064,40,55,40,50,40] + [ENTROPIES...: 4.7,4.7,4.6,5.8,4.5,5.7,5.6,4.6,7.2,4.6,7.5,4.7,5.4,4.6,7.3,4.7,5.7,4.6,7.8,4.7,7.8,4.7,7.8,4.7,7.8,4.7,7.8,4.7,4.9,4.6,4.9,4.6] analyse: [...288] [ip4][..tcp] [......10.0.2.15][50312] -> [104.238.172.250][23548] [Gnutella][Download][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 8.692| 0.666| 2.111|4456211.546| 0.000] - [PKTLEN......: 54.000| 682.000| 135.800| 170.000|28912.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 8.692| 0.666| 2.111| 4456211.546| 1.900] + [PKTLEN......: 40.000| 668.000| 121.800| 170.000| 28912.700| 4.100] [BINS(c->s)..: 12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 30.9,31.2,0.4,0.8,29.2,31.6,2.5,501.7,502.0,17.1,17.4,35.1,479.7,480.4,544.2,592.6,8643.7,8692.0,0.6,0.6,0.6,0.6,0.4,0.4,0.5,0.4,0.3,0.4,0.4,0.4,0.4] - [PKTLENS.....: 66,58,54,655,54,682,104,54,367,54,196,384,54,81,54,441,54,108,54,64,54,64,54,64,54,64,54,64,54,64,54,64] + [PKTLENS.....: 52,44,40,641,40,668,90,40,353,40,182,370,40,67,40,427,40,94,40,50,40,50,40,50,40,50,40,50,40,50,40,50] + [ENTROPIES...: 4.5,4.7,4.5,5.8,4.5,5.8,5.6,4.6,7.1,4.4,6.7,7.3,4.7,5.3,4.6,7.4,4.6,5.8,4.5,4.7,4.5,4.7,4.5,4.7,4.5,4.7,4.4,4.7,4.5,4.7,4.5,4.6] new: [...328] [ip4][..udp] [......10.0.2.15][28681] -> [.203.220.105.27][19260] detected: [...328] [ip4][..udp] [......10.0.2.15][28681] -> [.203.220.105.27][19260] [Gnutella][Download][Potentially Dangerous] RISK: Unsafe Protocol @@ -643,23 +646,25 @@ detected: [...336] [ip4][..udp] [......10.0.2.15][28681] -> [...80.7.252.192][.6888] [Gnutella][Download][Potentially Dangerous] RISK: Unsafe Protocol analyse: [...333] [ip4][..tcp] [......10.0.2.15][50327] -> [.69.118.162.229][46906] [HTTP.Gnutella][Media][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.139| 0.307| 0.464|214847.930| 0.000] - [PKTLEN......: 54.000| 1514.000| 862.800| 665.400|442787.600| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.139| 0.307| 0.464| 214847.930| 3.300] + [PKTLEN......: 40.000| 1500.000| 848.800| 665.400| 442787.600| 4.400] [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0,1,1,1,0,1,0,1,1,1,1,0,1,1,1] [IATS(ms)....: 109.0,109.5,0.8,1.6,1123.2,14.9,1138.7,0.5,4.1,0.0,4.4,993.4,0.2,0.0,0.3,993.8,0.1,988.9,0.2,0.0,989.1,4.8,4.8,1004.1,0.1,0.0,0.1,1004.3,1027.6,5.2,0.1] - [PKTLENS.....: 66,58,54,587,54,848,1514,54,1514,1514,118,54,1514,1514,1514,912,54,54,1514,1514,1514,54,912,54,1514,1514,1514,912,54,1514,1514,1514] + [PKTLENS.....: 52,44,40,573,40,834,1500,40,1500,1500,104,40,1500,1500,1500,898,40,40,1500,1500,1500,40,898,40,1500,1500,1500,898,40,1500,1500,1500] + [ENTROPIES...: 4.6,4.6,4.6,5.9,4.5,6.0,0.6,4.8,0.3,0.3,2.4,4.7,0.6,0.5,0.6,5.6,4.7,4.8,7.8,7.8,7.7,4.6,7.7,4.7,7.7,7.8,7.8,7.7,4.8,7.8,7.7,7.8] analyse: [...276] [ip4][..tcp] [......10.0.2.15][50300] -> [..188.61.52.183][11852] [Gnutella][Download][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 13.802| 1.828| 3.934|15478358.540| 0.000] - [PKTLEN......: 54.000| 1514.000| 212.900| 294.000|86413.100| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 13.802| 1.828| 3.934| 15478358.540| 2.800] + [PKTLEN......: 40.000| 1500.000| 198.900| 294.000| 86413.100| 4.000] [BINS(c->s)..: 8,1,2,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,1,0,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0] [IATS(ms)....: 17.2,17.4,3.5,3.9,14.2,15.0,0.7,2.8,2.9,25.8,0.0,26.1,9.0,9.3,15.9,71.8,495.6,483.5,221.2,265.2,15.6,77.3,487.6,467.7,9469.0,9510.7,13761.0,13801.6,1593.6,1634.0,4141.0] - [PKTLENS.....: 66,58,54,653,54,713,125,54,318,54,1514,194,54,180,54,105,54,233,54,418,54,401,54,521,54,129,54,125,54,190,54,115] + [PKTLENS.....: 52,44,40,639,40,699,111,40,304,40,1500,180,40,166,40,91,40,219,40,404,40,387,40,507,40,115,40,111,40,176,40,101] + [ENTROPIES...: 4.6,4.8,4.8,5.8,4.6,5.7,5.6,4.7,5.3,4.7,7.7,6.7,4.7,6.3,4.6,5.2,4.8,6.9,4.8,7.5,4.7,7.4,4.7,7.5,4.8,6.0,4.6,5.8,4.8,6.7,4.6,5.9] update: [...134] [ip4][..udp] [......10.0.2.15][28681] -> [...78.231.73.14][.6346] update: [...128] [ip4][..udp] [......10.0.2.15][28681] -> [..77.141.219.27][37580] update: [...114] [ip4][..udp] [......10.0.2.15][28681] -> [....86.23.75.69][.6346] @@ -746,14 +751,15 @@ detected: [...344] [ip4][..udp] [......10.0.2.15][28681] -> [.207.38.163.228][.6778] [Gnutella][Download][Potentially Dangerous] RISK: Unsafe Protocol analyse: [...334] [ip4][..tcp] [......10.0.2.15][50328] -> [..189.147.72.83][26108] [HTTP.Gnutella][Media][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.215| 0.581| 0.506|255907.955| 0.000] - [PKTLEN......: 54.000| 1514.000| 789.100| 623.900|389219.000| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.215| 0.581| 0.506| 255907.955| 4.200] + [PKTLEN......: 40.000| 1500.000| 775.100| 623.900| 389219.000| 4.400] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,9,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1] [IATS(ms)....: 193.6,195.3,1.8,3.7,1208.8,5.6,0.1,1214.8,993.3,0.1,993.5,1040.3,0.1,1040.5,1001.3,0.1,1001.5,998.2,0.1,998.2,1008.3,0.2,1008.5,1046.8,0.1,1046.9,1000.2,0.1,1000.3,1013.4,0.0] - [PKTLENS.....: 66,58,54,592,54,860,1514,340,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146] + [PKTLENS.....: 52,44,40,578,40,846,1500,326,40,1500,1132,40,1500,1132,40,1500,1132,40,1500,1132,40,1500,1132,40,1500,1132,40,1500,1132,40,1500,1132] + [ENTROPIES...: 4.6,4.8,4.7,5.9,4.6,5.9,7.8,7.3,4.7,7.8,7.8,4.8,7.8,7.8,4.8,7.9,7.8,4.7,7.9,7.8,4.8,7.8,7.8,4.7,7.9,7.8,4.8,7.9,7.8,4.8,7.8,7.8] new: [...345] [ip4][..tcp] [......10.0.2.15][50330] -> [.69.118.162.229][46906] detected: [...345] [ip4][..tcp] [......10.0.2.15][50330] -> [.69.118.162.229][46906] [HTTP.Gnutella][Download][Potentially Dangerous] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address, Unsafe Protocol @@ -843,14 +849,15 @@ new: [...351] [ip4][..udp] [......10.0.2.15][28681] -> [..187.37.87.189][.6346] new: [...352] [ip4][..udp] [......10.0.2.15][28681] -> [.176.191.49.159][.6346] analyse: [....93] [ip4][..tcp] [......10.0.2.15][50248] -> [109.214.154.216][.6346] [Gnutella][Download][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 22.685| 3.465| 6.256|39132462.055| 0.000] - [PKTLEN......: 54.000| 1078.000| 152.200| 217.400|47264.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 22.685| 3.465| 6.256| 39132462.055| 3.300] + [PKTLEN......: 40.000| 1064.000| 138.200| 217.400| 47264.800| 4.000] [BINS(c->s)..: 9,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,2,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,1,1,0,0,1,0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1] [IATS(ms)....: 399.9,400.2,2.6,3.1,879.2,880.3,1.1,343.3,15.8,359.6,3.0,2.2,5.1,145.1,145.6,10048.7,10048.7,469.5,2.7,472.7,3557.8,3604.1,6175.3,6222.2,413.8,464.5,22633.8,22684.6,605.3,605.0,15818.9] - [PKTLENS.....: 66,58,54,358,54,337,157,54,132,776,54,67,72,54,163,54,118,54,1078,59,54,136,54,84,54,227,54,66,54,137,54,76] + [PKTLENS.....: 52,44,40,344,40,323,143,40,118,762,40,53,58,40,149,40,104,40,1064,45,40,122,40,70,40,213,40,52,40,123,40,62] + [ENTROPIES...: 4.6,4.8,4.6,5.8,4.5,5.6,5.6,4.6,5.6,7.7,4.7,4.7,4.9,4.6,6.3,4.5,5.9,4.5,7.8,4.3,4.8,6.2,4.8,5.5,4.6,6.6,4.7,4.8,4.6,6.2,4.6,4.9] new: [...353] [ip4][..udp] [......10.0.2.15][28681] -> [195.181.151.217][25282] new: [...354] [ip4][..udp] [......10.0.2.15][28681] -> [.80.236.247.120][.1032] new: [...355] [ip4][..udp] [......10.0.2.15][28681] -> [.181.118.53.212][29998] @@ -1171,14 +1178,15 @@ update: [...204] [ip4][..udp] [......10.0.2.15][28681] -> [..84.126.240.32][45313] update: [...202] [ip4][..udp] [......10.0.2.15][28681] -> [.176.134.139.39][.6346] analyse: [....94] [ip4][..tcp] [......10.0.2.15][50249] -> [.86.208.180.181][45883] [Gnutella][Download][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 55.455| 7.491| 14.262|203411798.622| 0.000] - [PKTLEN......: 54.000| 1119.000| 170.900| 244.600|59812.500| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 55.455| 7.491| 14.262| 203411798.622| 3.200] + [PKTLEN......: 40.000| 1105.000| 156.900| 244.600| 59812.500| 4.000] [BINS(c->s)..: 11,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,0,0,0,1,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,0,0] [IATS(ms)....: 107.0,107.3,0.3,0.8,178.4,179.8,1.4,41.0,98.0,375.7,432.9,10046.8,10046.8,42.3,94.5,6595.0,6594.8,3591.9,3643.9,39.2,93.5,24009.1,24063.3,605.1,604.8,14641.1,23.8,14665.3,55396.9,55455.4,453.2] - [PKTLENS.....: 66,58,54,357,54,337,157,54,926,54,163,54,118,54,1119,54,214,54,84,54,203,54,66,54,137,54,78,503,54,64,54,63] + [PKTLENS.....: 52,44,40,343,40,323,143,40,912,40,149,40,104,40,1105,40,200,40,70,40,189,40,52,40,123,40,64,489,40,50,40,49] + [ENTROPIES...: 4.6,4.6,4.7,5.8,4.6,5.6,5.7,4.6,7.7,4.8,6.3,4.5,6.0,4.6,7.8,4.8,6.7,4.7,5.5,4.6,6.6,4.8,4.9,4.7,6.3,4.7,5.1,7.5,4.8,4.6,4.8,4.6] end: [....35] [ip4][..tcp] [......10.0.2.15][50196] -> [...218.250.6.59][12556] [Gnutella][Download][Potentially Dangerous] RISK: Unsafe Protocol end: [....46] [ip4][..tcp] [......10.0.2.15][50206] -> [175.181.156.244][.8255] [Gnutella][Download][Potentially Dangerous] diff --git a/test/results/flow-info/googledns_android10.pcap.out b/test/results/flow-info/googledns_android10.pcap.out index 0900038ef..d8fdd5105 100644 --- a/test/results/flow-info/googledns_android10.pcap.out +++ b/test/results/flow-info/googledns_android10.pcap.out @@ -24,14 +24,15 @@ detection-update: [.....4] [ip4][..tcp] [..192.168.1.159][48048] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....4] [ip4][..tcp] [..192.168.1.159][48048] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.447| 0.072| 0.122|14825.912| 0.000] - [PKTLEN......: 66.000| 1484.000| 282.200| 356.700|127227.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.447| 0.072| 0.122| 14825.912| 3.500] + [PKTLEN......: 52.000| 1470.000| 268.200| 356.700| 127227.700| 4.100] [BINS(c->s)..: 9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0] [IATS(ms)....: 12.8,14.6,0.3,14.8,16.2,1.1,0.1,31.1,1.0,0.5,12.5,28.6,36.9,41.2,19.2,12.5,6.2,5.0,24.3,307.1,326.2,13.8,74.3,386.7,447.4,5.0,23.8,155.7,173.7,5.0,23.2] - [PKTLENS.....: 74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,225,565,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66] + [PKTLENS.....: 60,60,52,206,52,1470,1470,291,52,52,52,145,344,211,52,211,551,52,551,52,211,52,551,52,211,52,551,52,211,52,551,52] + [ENTROPIES...: 4.3,5.0,5.0,5.4,5.0,7.1,7.5,7.1,5.1,5.0,5.1,6.1,7.1,6.7,5.0,6.8,7.6,4.9,7.6,5.1,6.8,5.1,7.5,5.1,6.8,5.0,7.6,5.1,6.8,5.0,7.6,5.1] new: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] detected: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Network][Acceptable] new: [.....6] [ip4][..tcp] [........8.8.4.4][..853] -> [..192.168.1.159][47968] [MIDSTREAM] @@ -42,14 +43,15 @@ detection-update: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.254| 0.185| 0.342|116761.002| 0.000] - [PKTLEN......: 66.000| 583.000| 212.200| 197.900|39161.300| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.254| 0.185| 0.342| 116761.002| 3.200] + [PKTLEN......: 52.000| 569.000| 198.200| 197.900| 39161.300| 4.400] [BINS(c->s)..: 8,1,0,0,6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,1] [IATS(ms)....: 12.7,14.1,0.9,14.9,0.1,14.2,1.1,19.6,19.1,13.8,1.3,58.4,651.3,715.0,3.8,23.3,1234.1,1253.7,12.5,32.7,484.0,503.7,3.8,30.8,265.4,292.4,20.3,12.6,11.8,7.4,12.6] - [PKTLENS.....: 74,74,66,583,66,213,66,117,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,225,565,66,66,565] + [PKTLENS.....: 60,60,52,569,52,199,52,103,52,211,52,551,52,211,52,551,52,211,52,551,52,211,52,551,52,211,52,211,551,52,52,551] + [ENTROPIES...: 4.2,4.9,4.8,6.2,4.7,6.1,4.8,5.5,4.8,6.8,4.7,7.5,4.8,6.8,4.8,7.5,4.8,6.7,4.9,7.6,4.9,6.7,4.8,7.6,4.9,6.8,4.9,6.8,7.6,4.9,4.9,7.6] update: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Network][Acceptable] idle: [.....5] [ip4][.icmp] [..192.168.1.159] -> [........8.8.8.8] [ICMP][Network][Acceptable] guessed: [.....1] [ip4][..tcp] [........8.8.8.8][..853] -> [..192.168.1.159][55856] [DoH_DoT.Google][Web][Acceptable] @@ -68,14 +70,15 @@ detection-update: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 5.704| 0.390| 1.388|1925240.193| 0.000] - [PKTLEN......: 66.000| 1484.000| 282.200| 356.700|127227.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 5.704| 0.390| 1.388| 1925240.193| 1.500] + [PKTLEN......: 52.000| 1470.000| 268.200| 356.700| 127227.700| 4.100] [BINS(c->s)..: 9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,1] [IATS(ms)....: 14.4,41.9,9.2,49.9,17.6,0.1,0.1,32.5,0.5,0.1,15.4,30.8,15.7,19.9,22.6,85.5,5640.7,5703.8,20.5,7.6,6.2,13.7,17.6,31.1,85.4,103.7,33.2,18.8,6.3,16.2,17.6] - [PKTLENS.....: 74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,565,66,225,66,225,565,66,66,565,66,225,66,225,565,66,66,565] + [PKTLENS.....: 60,60,52,206,52,1470,1470,291,52,52,52,145,344,211,52,551,52,211,52,211,551,52,52,551,52,211,52,211,551,52,52,551] + [ENTROPIES...: 4.3,5.0,4.9,5.4,4.8,7.0,7.5,7.1,4.9,5.0,4.9,5.9,7.0,6.8,4.9,7.5,5.0,6.8,4.9,6.7,7.6,5.0,4.8,7.6,4.8,6.8,4.6,6.8,7.5,5.0,4.9,7.5] end: [.....7] [ip4][..tcp] [..192.168.1.159][48098] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] RISK: TLS (probably) Not Carrying HTTPS idle: [.....8] [ip4][..tcp] [..192.168.1.159][48210] -> [........8.8.4.4][..853] [TLS.DoH_DoT][Network][Fun] diff --git a/test/results/flow-info/http-manipulated.pcap.out b/test/results/flow-info/http-manipulated.pcap.out index 354830f60..30520a457 100644 --- a/test/results/flow-info/http-manipulated.pcap.out +++ b/test/results/flow-info/http-manipulated.pcap.out @@ -10,14 +10,15 @@ detected: [.....2] [ip4][..tcp] [...192.168.0.20][33684] -> [....192.168.0.7][.8080] [HTTP][Web][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....2] [ip4][..tcp] [...192.168.0.20][33684] -> [....192.168.0.7][.8080] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.073| 0.005| 0.018| 320.351| 0.000] - [PKTLEN......: 54.000| 5894.000| 1464.400| 1938.500|3757919.200| 3.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.073| 0.005| 0.018| 320.351| 1.200] + [PKTLEN......: 40.000| 5880.000| 1450.400| 1938.500| 3757919.500| 3.700] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,10] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 0.2,0.2,0.1,0.3,0.2,0.4,72.8,73.1,0.2,0.4,0.1,0.1,0.0,0.0,0.0,0.0,0.1,0.1,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0] - [PKTLENS.....: 66,66,54,440,60,631,54,389,60,2974,54,4434,54,2974,54,4434,54,1514,54,4434,54,2974,54,4434,54,1514,54,5894,54,5894,54,2974] + [PKTLENS.....: 52,52,40,426,46,617,40,375,46,2960,40,4420,40,2960,40,4420,40,1500,40,4420,40,2960,40,4420,40,1500,40,5880,40,5880,40,2960] + [ENTROPIES...: 4.6,4.8,4.7,5.7,4.3,5.7,4.7,5.6,4.3,7.8,4.7,7.9,4.7,7.8,4.6,7.9,4.7,7.7,4.7,7.9,4.7,7.8,4.7,7.8,4.6,7.7,4.6,7.9,4.7,7.9,4.7,7.9] end: [.....1] [ip4][..tcp] [...192.168.0.20][33632] -> [....192.168.0.7][.8080] [HTTP][Web][Acceptable] RISK: Known Proto on Non Std Port end: [.....2] [ip4][..tcp] [...192.168.0.20][33684] -> [....192.168.0.7][.8080] [HTTP][Web][Acceptable] diff --git a/test/results/flow-info/http_auth.pcap.out b/test/results/flow-info/http_auth.pcap.out index b9b0d844b..f5497f955 100644 --- a/test/results/flow-info/http_auth.pcap.out +++ b/test/results/flow-info/http_auth.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] detected: [.....1] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Web][Acceptable] analyse: [.....1] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.862| 0.405| 1.194|1424465.723| 0.000] - [PKTLEN......: 66.000| 1514.000| 640.900| 665.600|443042.200| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.862| 0.405| 1.194| 1424465.723| 2.200] + [PKTLEN......: 52.000| 1500.000| 626.900| 665.600| 443042.200| 4.100] [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0] [IATS(ms)....: 180.0,180.1,0.1,194.0,206.4,1.3,401.5,0.6,0.6,0.7,0.7,4.0,4.6,8.7,4.6,3.0,7.6,3.3,5.3,8.6,159.0,4.0,163.0,3.6,4.2,7.9,2.6,2.6,4861.8,4861.8,1269.0] - [PKTLENS.....: 78,74,66,805,66,1514,551,66,145,66,288,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,989,66,66,66,66] + [PKTLENS.....: 64,60,52,791,52,1500,537,52,131,52,274,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,975,52,52,52,52] + [ENTROPIES...: 4.4,5.1,5.1,5.9,5.0,5.4,5.6,5.1,5.4,5.0,5.6,5.1,5.4,5.1,5.0,5.0,5.1,5.1,5.1,5.1,5.1,5.1,5.2,5.1,5.4,5.4,5.0,5.7,5.0,5.0,5.1,5.1] end: [.....1] [ip4][..tcp] [....192.168.0.4][54337] -> [192.254.189.169][...80] [HTTP][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/http_connect.pcap.out b/test/results/flow-info/http_connect.pcap.out index c69fcad18..391408a9d 100644 --- a/test/results/flow-info/http_connect.pcap.out +++ b/test/results/flow-info/http_connect.pcap.out @@ -10,23 +10,25 @@ detected: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Web][Safe] detection-update: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Web][Safe] analyse: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.016| 0.003| 0.005| 23.691| 0.000] - [PKTLEN......: 66.000| 1450.000| 563.000| 627.700|394029.600| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.016| 0.003| 0.005| 23.691| 3.400] + [PKTLEN......: 52.000| 1436.000| 549.000| 627.700| 394029.600| 4.000] [BINS(c->s)..: 13,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 8.8,8.9,2.8,11.3,7.5,16.0,0.1,0.1,0.0,0.0,0.0,0.0,7.3,0.5,15.0,0.0,4.0,11.3,0.7,0.7,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.1,0.0,0.0,0.1] - [PKTLENS.....: 74,74,66,583,66,1450,66,1450,66,1450,66,985,66,130,555,66,66,125,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450] + [PKTLENS.....: 60,60,52,569,52,1436,52,1436,52,1436,52,971,52,116,541,52,52,111,52,1436,52,1436,52,1436,52,1436,52,1436,52,1436,52,1436] + [ENTROPIES...: 4.7,5.1,5.1,5.3,5.1,7.8,5.1,7.9,5.1,7.9,5.1,7.8,5.1,6.1,7.6,5.0,5.0,6.1,5.1,7.9,5.1,7.9,5.1,7.9,5.1,7.9,5.1,7.9,5.0,7.9,5.1,7.9] analyse: [.....1] [ip4][..tcp] [..192.168.1.103][.1714] -> [..192.168.1.146][.8080] [HTTP_Connect][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.053| 0.007| 0.013| 164.772| 0.000] - [PKTLEN......: 54.000| 5590.000| 813.000| 1594.600|2542806.200| 3.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.053| 0.007| 0.013| 164.772| 3.400] + [PKTLEN......: 40.000| 5576.000| 799.000| 1594.600| 2542806.000| 3.200] [BINS(c->s)..: 7,0,2,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1] [IATS(ms)....: 0.0,2.7,0.4,3.1,9.6,12.4,2.7,16.2,17.3,6.1,7.2,0.5,0.5,0.0,0.0,11.4,0.7,0.1,0.2,12.6,0.0,0.2,0.0,0.1,0.1,0.7,4.0,50.2,53.4,1.2,1.2] - [PKTLENS.....: 66,66,60,257,54,130,571,54,5125,60,118,54,224,54,373,54,113,5590,2822,1438,85,60,54,60,5590,1438,963,60,187,54,129,54] + [PKTLENS.....: 52,52,46,243,40,116,557,40,5111,46,104,40,210,40,359,40,99,5576,2808,1424,71,46,40,46,5576,1424,949,46,173,40,115,40] + [ENTROPIES...: 4.4,4.8,4.5,5.7,4.6,5.7,5.2,4.6,8.0,4.5,6.1,4.7,7.0,4.7,7.4,4.6,6.0,8.0,7.9,7.9,5.6,4.4,4.6,4.5,8.0,7.9,7.8,4.5,6.7,4.7,6.3,4.7] idle: [.....2] [ip4][..udp] [..192.168.1.146][47767] -> [....192.168.1.2][...53] [DNS][Network][Acceptable] idle: [.....3] [ip4][..tcp] [..192.168.1.146][35968] -> [..151.101.2.132][..443] [TLS][Web][Safe] idle: [.....1] [ip4][..tcp] [..192.168.1.103][.1714] -> [..192.168.1.146][.8080] [HTTP_Connect][Web][Acceptable] diff --git a/test/results/flow-info/http_ipv6.pcap.out b/test/results/flow-info/http_ipv6.pcap.out index c4685a89c..6f9e25ff3 100644 --- a/test/results/flow-info/http_ipv6.pcap.out +++ b/test/results/flow-info/http_ipv6.pcap.out @@ -9,14 +9,15 @@ new: [.....4] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][58660] -> [...............2a00:1450:4006:803::2008][..443] [MIDSTREAM] new: [.....5] [ip6][..udp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][55145] -> [.................2a00:1450:400b:c02::5f][..443] analyse: [.....3] [ip6][..udp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][45931] -> [...............2a00:1450:4001:803::1017][..443] [QUIC.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.002| 6.009| 0.604| 1.486|2208638.173| 0.000] - [PKTLEN......: 91.000| 1412.000| 340.600| 376.200|141514.900| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.002| 6.009| 0.604| 1.486| 2208638.173| 2.800] + [PKTLEN......: 77.000| 1398.000| 326.600| 376.200| 141514.900| 4.300] [BINS(c->s)..: 0,9,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0] [BINS(s->c)..: 2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0] [IATS(ms)....: 25.4,26.2,172.4,219.5,15.7,87.2,38.8,110.2,47.0,1.5,26.7,45.8,1752.5,1778.7,6.8,78.3,246.6,318.1,6008.8,6008.7,4.8,76.9,102.6,174.5,2.4,73.9,70.9,142.5,2.9,74.3,992.4] - [PKTLENS.....: 1412,1412,99,1216,94,674,102,252,94,102,581,102,91,257,94,637,105,102,94,262,91,589,105,263,94,586,102,264,94,561,102,265] + [PKTLENS.....: 1398,1398,85,1202,80,660,88,238,80,88,567,88,77,243,80,623,91,88,80,248,77,575,91,249,80,572,88,250,80,547,88,251] + [ENTROPIES...: 4.7,7.9,5.3,7.8,5.2,7.6,5.4,6.9,5.2,5.4,7.5,5.4,4.9,6.9,5.2,7.7,5.6,5.5,5.2,7.0,4.9,7.6,5.5,6.9,5.3,7.6,5.5,6.9,5.2,7.6,5.4,7.0] new: [.....6] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37486] -> [................2a03:b0c0:3:d0::70:1001][..443] new: [.....7] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37488] -> [................2a03:b0c0:3:d0::70:1001][..443] detected: [.....6] [ip6][..tcp] [........2a00:d40:1:3:7aac:c0ff:fea7:d4c][37486] -> [................2a03:b0c0:3:d0::70:1001][..443] [TLS.ntop][Network][Safe] diff --git a/test/results/flow-info/iax.pcap.out b/test/results/flow-info/iax.pcap.out index c37a7d6e1..3fc35effc 100644 --- a/test/results/flow-info/iax.pcap.out +++ b/test/results/flow-info/iax.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..udp] [...82.110.36.84][.4569] -> [..192.168.2.120][.4566] detected: [.....1] [ip4][..udp] [...82.110.36.84][.4569] -> [..192.168.2.120][.4566] [IAX][VoIP][Acceptable] analyse: [.....1] [ip4][..udp] [...82.110.36.84][.4569] -> [..192.168.2.120][.4566] [IAX][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 0.051| 0.019| 0.011| 120.322| 0.000] - [PKTLEN......: 54.000| 214.000| 175.500| 59.500| 3538.200| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 0.051| 0.019| 0.011| 120.322| 4.700] + [PKTLEN......: 40.000| 200.000| 161.500| 59.500| 3538.200| 4.900] [BINS(c->s)..: 3,0,1,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 2.2,5.1,7.7,24.4,24.4,24.7,16.9,51.4,9.6,12.3,14.1,6.9,22.8,16.8,31.3,17.9,20.0,11.5,43.2,21.3,13.9,17.1,22.6,0.9,20.5,34.1,6.9,21.0,19.9,18.0,29.1] - [PKTLENS.....: 108,54,54,60,54,60,206,214,214,60,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206] + [PKTLENS.....: 94,40,40,46,40,46,192,200,200,46,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192] + [ENTROPIES...: 4.7,4.3,4.4,4.4,4.4,4.4,1.3,1.5,1.3,4.3,1.1,1.3,1.9,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3,1.3] idle: [.....1] [ip4][..udp] [...82.110.36.84][.4569] -> [..192.168.2.120][.4566] [IAX][VoIP][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/icmp-tunnel.pcap.out b/test/results/flow-info/icmp-tunnel.pcap.out index 0a7b37bd5..83a7a18a3 100644 --- a/test/results/flow-info/icmp-tunnel.pcap.out +++ b/test/results/flow-info/icmp-tunnel.pcap.out @@ -5,14 +5,15 @@ detected: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Network][Acceptable] RISK: Malformed Packet analyse: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.999| 13.999| 1.420| 2.297|5274800.751| 0.000] - [PKTLEN......: 126.000| 126.000| 126.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.999| 13.999| 1.420| 2.297| 5274800.751| 4.200] + [PKTLEN......: 112.000| 112.000| 112.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 998.8,1000.0,1000.1,1000.0,1000.1,1000.1,1000.0,1000.0,1000.0,1000.1,1000.0,1000.0,1000.0,999.9,13999.4,1001.2,1001.2,1001.0,1001.0,1001.1,1001.1,1001.0,1000.9,1000.9,1000.9,1001.1,1001.1,1001.0,1001.0,1001.0,1001.0] - [PKTLENS.....: 126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126] + [PKTLENS.....: 112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112] + [ENTROPIES...: 5.6,5.6,5.7,5.7,5.7,5.6,5.6,5.6,5.6,5.6,5.6,5.7,5.7,5.6,5.7,5.7,5.7,5.7,5.6,5.7,5.6,5.7,5.6,5.7,5.6,5.7,5.6,5.6,5.7,5.7,5.7,5.7] update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Network][Acceptable] RISK: Malformed Packet update: [.....1] [ip4][.icmp] [192.168.154.131] -> [192.168.154.132] [ICMP][Network][Acceptable] diff --git a/test/results/flow-info/iec60780-5-104.pcap.out b/test/results/flow-info/iec60780-5-104.pcap.out index 24f21aa6e..1d1354188 100644 --- a/test/results/flow-info/iec60780-5-104.pcap.out +++ b/test/results/flow-info/iec60780-5-104.pcap.out @@ -21,13 +21,14 @@ end: [.....4] [ip4][..tcp] [.172.27.248.109][.1572] -> [..172.27.248.79][.2404] [IEC60870][IoT-Scada][Acceptable] end: [.....5] [ip4][..tcp] [.172.27.248.109][.1577] -> [..172.27.248.79][.2404] [IEC60870][IoT-Scada][Acceptable] analyse: [.....6] [ip4][..tcp] [.172.27.248.109][.1578] -> [..172.27.248.79][.2404] [IEC60870][IoT-Scada][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 32.516| 11.085| 10.877|118310385.484| 0.000] - [PKTLEN......: 54.000| 118.000| 65.600| 11.500| 132.400| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 32.516| 11.085| 10.877| 118310385.484| 4.100] + [PKTLEN......: 40.000| 104.000| 51.600| 11.500| 132.400| 5.000] [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1] [IATS(ms)....: 0.1,0.3,1.2,4.3,153.9,32516.1,32485.0,17329.0,17462.6,171.2,19844.6,20033.2,171.5,19860.3,20118.3,25436.2,25352.0,204.3,19828.9,20215.2,5341.8,5765.2,10455.9,10671.3,13.9,15.2,139.9,131.3,218.7,19641.5,20056.0] - [PKTLENS.....: 62,62,60,60,60,60,70,60,70,118,60,60,70,60,60,54,70,76,60,60,54,70,60,70,76,70,76,60,77,60,60,54] + [PKTLENS.....: 48,48,46,46,46,46,56,46,56,104,46,46,56,46,46,40,56,62,46,46,40,56,46,56,62,56,62,46,63,46,46,40] + [ENTROPIES...: 4.6,4.9,4.4,4.7,4.7,4.5,4.6,4.5,4.8,4.8,4.5,4.9,4.9,4.5,4.9,4.8,5.1,5.0,4.5,4.9,4.8,4.8,4.5,5.1,5.0,5.0,5.0,4.5,5.0,4.5,4.9,4.8] end: [.....6] [ip4][..tcp] [.172.27.248.109][.1578] -> [..172.27.248.79][.2404] [IEC60870][IoT-Scada][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/imap-starttls.pcap.out b/test/results/flow-info/imap-starttls.pcap.out index 6e411e3ee..4d92af5e1 100644 --- a/test/results/flow-info/imap-starttls.pcap.out +++ b/test/results/flow-info/imap-starttls.pcap.out @@ -11,14 +11,15 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] [IMAPS][Email][Safe] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn analyse: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.678| 0.188| 0.378|143010.873| 0.000] - [PKTLEN......: 54.000| 1514.000| 249.200| 424.600|180326.200| 3.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.678| 0.188| 0.378| 143010.873| 3.300] + [PKTLEN......: 40.000| 1500.000| 235.200| 424.600| 180326.200| 3.600] [BINS(c->s)..: 15,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,2,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1] [IATS(ms)....: 189.8,189.9,188.3,188.3,0.1,192.5,0.3,192.6,0.2,186.5,0.0,186.4,0.4,197.4,0.2,197.1,2.0,0.2,2.2,0.1,3.7,191.6,187.9,1487.0,1677.8,0.2,190.8,0.0,0.3,0.0,189.4] - [PKTLENS.....: 78,66,54,325,54,68,60,281,54,66,86,60,54,372,1514,1514,54,1514,636,54,54,180,105,54,93,133,85,54,54,85,54,60] + [PKTLENS.....: 64,52,40,311,40,54,46,267,40,52,72,46,40,358,1500,1500,40,1500,622,40,40,166,91,40,79,119,71,40,40,71,40,46] + [ENTROPIES...: 4.6,4.7,4.5,5.4,4.7,5.1,4.5,5.2,4.7,5.0,5.3,4.5,4.8,5.4,6.9,7.2,4.7,7.1,7.7,4.4,4.7,6.5,5.5,4.7,5.7,6.1,5.1,4.7,4.7,5.5,4.5,3.9] detection-update: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] [IMAPS][Email][Safe] RISK: Known Proto on Non Std Port, TLS (probably) Not Carrying HTTPS, Missing SNI TLS Extn end: [.....1] [ip4][..tcp] [..192.168.17.53][49640] -> [.212.227.17.186][..143] [IMAPS][Email][Safe] diff --git a/test/results/flow-info/imap.pcap.out b/test/results/flow-info/imap.pcap.out index 1e029c299..ce031bfd9 100644 --- a/test/results/flow-info/imap.pcap.out +++ b/test/results/flow-info/imap.pcap.out @@ -5,14 +5,15 @@ detected: [.....1] [ip4][..tcp] [......10.40.4.2][46045] -> [......10.40.3.2][..143] [IMAP][Email][Unsafe] RISK: Unsafe Protocol analyse: [.....1] [ip4][..tcp] [......10.40.4.2][46045] -> [......10.40.3.2][..143] [IMAP][Email][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.331| 0.295| 1.060|1123749.069| 0.000] - [PKTLEN......: 66.000| 762.000| 115.900| 125.900|15857.500| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.331| 0.295| 1.060| 1123749.069| 1.400] + [PKTLEN......: 52.000| 748.000| 101.900| 125.900| 15857.500| 4.400] [BINS(c->s)..: 18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,4,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1] [IATS(ms)....: 0.1,0.1,12.9,12.9,0.2,0.4,36.9,36.8,0.1,4330.0,4331.4,1.4,16.8,17.3,39.9,39.5,0.1,0.2,0.6,39.7,39.4,0.1,0.9,1.3,39.0,38.7,0.1,0.1,10.8,47.8,37.2] - [PKTLENS.....: 74,74,66,108,66,85,131,66,98,66,92,93,66,86,87,66,123,66,86,87,66,123,66,87,78,66,325,66,139,178,66,762] + [PKTLENS.....: 60,60,52,94,52,71,117,52,84,52,78,79,52,72,73,52,109,52,72,73,52,109,52,73,64,52,311,52,125,164,52,748] + [ENTROPIES...: 4.5,5.0,4.9,5.5,4.9,5.2,5.6,4.8,5.5,4.9,5.4,5.5,5.0,5.2,5.3,4.9,5.6,4.9,5.2,5.3,5.0,5.6,5.0,5.4,5.2,5.0,5.6,4.9,5.6,5.8,4.9,5.5] idle: [.....1] [ip4][..tcp] [......10.40.4.2][46045] -> [......10.40.3.2][..143] [IMAP][Email][Unsafe] RISK: Unsafe Protocol DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/imo.pcap.out b/test/results/flow-info/imo.pcap.out index 44b07de58..b68fc79d1 100644 --- a/test/results/flow-info/imo.pcap.out +++ b/test/results/flow-info/imo.pcap.out @@ -6,23 +6,25 @@ new: [.....2] [ip4][..udp] [.192.168.12.169][49207] -> [....93.33.47.58][57604] detected: [.....2] [ip4][..udp] [.192.168.12.169][49207] -> [....93.33.47.58][57604] [IMO][VoIP][Acceptable] analyse: [.....2] [ip4][..udp] [.192.168.12.169][49207] -> [....93.33.47.58][57604] [IMO][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.464| 0.060| 0.120|14499.616| 0.000] - [PKTLEN......: 43.000| 149.000| 57.000| 23.000| 529.800| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.464| 0.060| 0.120| 14499.616| 3.200] + [PKTLEN......: 29.000| 135.000| 43.000| 23.000| 529.800| 4.900] [BINS(c->s)..: 15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,1,0,0] [IATS(ms)....: 36.2,20.9,69.2,11.2,11.0,10.9,11.9,60.3,17.6,7.2,0.0,9.9,379.0,463.8,100.2,9.5,9.9,20.9,0.0,106.5,0.3,0.2,0.2,0.1,19.5,7.8,19.7,23.2,8.0,3.7,407.5] - [PKTLENS.....: 43,43,149,52,52,52,52,52,52,52,52,52,52,43,142,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52] + [PKTLENS.....: 29,29,135,38,38,38,38,38,38,38,38,38,38,29,128,38,38,38,38,38,38,38,38,38,38,38,38,38,38,38,38,38] + [ENTROPIES...: 4.4,4.5,6.6,4.3,4.3,4.3,4.3,4.3,4.4,4.4,4.4,4.4,4.4,4.4,6.4,4.5,4.5,4.5,4.5,4.5,4.4,4.4,4.4,4.5,4.5,4.5,4.4,4.5,4.4,4.5,4.5,4.3] analyse: [.....1] [ip4][..udp] [.192.168.12.169][49207] -> [.185.155.137.30][36535] [IMO][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.003| 0.138| 0.306|93428.728| 0.000] - [PKTLEN......: 52.000| 1266.000| 433.400| 488.900|239046.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.003| 0.138| 0.306| 93428.728| 2.800] + [PKTLEN......: 38.000| 1252.000| 419.400| 488.900| 239046.100| 4.100] [BINS(c->s)..: 0,0,0,0,0,2,5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,0,1,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 0.4,41.3,0.0,43.4,10.8,2.2,0.3,10.5,8.1,9.4,10.0,55.7,0.1,0.0,9.7,18.5,13.5,0.3,9.8,9.7,9.6,13.5,0.0,69.3,127.2,99.8,16.6,835.4,861.7,1002.8,1002.6] - [PKTLENS.....: 242,371,53,160,1266,1266,224,242,1266,1266,1266,1266,122,266,53,1266,52,1266,242,52,52,52,52,53,226,139,361,138,242,53,242,53] + [PKTLENS.....: 228,357,39,146,1252,1252,210,228,1252,1252,1252,1252,108,252,39,1252,38,1252,228,38,38,38,38,39,212,125,347,124,228,39,228,39] + [ENTROPIES...: 7.0,7.4,4.2,6.6,7.8,7.9,7.0,6.9,7.8,7.8,7.9,7.8,6.2,7.1,4.1,7.8,4.3,7.9,6.9,4.4,4.4,4.4,4.4,4.2,6.9,6.3,7.5,6.4,6.9,4.2,6.9,4.2] idle: [.....2] [ip4][..udp] [.192.168.12.169][49207] -> [....93.33.47.58][57604] [IMO][VoIP][Acceptable] idle: [.....1] [ip4][..udp] [.192.168.12.169][49207] -> [.185.155.137.30][36535] [IMO][VoIP][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/instagram.pcap.out b/test/results/flow-info/instagram.pcap.out index 45d5631f2..4a0f79e12 100644 --- a/test/results/flow-info/instagram.pcap.out +++ b/test/results/flow-info/instagram.pcap.out @@ -9,14 +9,15 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.0.103][56382] -> [..173.252.107.4][..443] [TLS.Instagram][SocialNetwork][Fun] RISK: Obsolete TLS (v1.1 or older) analyse: [.....2] [ip4][..tcp] [..192.168.0.103][33936] -> [....31.13.93.52][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.572| 0.136| 0.382|146017.665| 0.000] - [PKTLEN......: 66.000| 1464.000| 682.500| 663.900|440818.000| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.572| 0.136| 0.382| 146017.665| 2.200] + [PKTLEN......: 52.000| 1450.000| 668.500| 663.900| 440818.000| 4.200] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,11,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 88.9,75.9,165.0,1522.7,1572.5,340.3,390.0,2.2,2.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.1,29.9,30.0,0.7,0.7,0.7,0.7] - [PKTLENS.....: 1431,66,679,66,1063,66,1464,66,209,66,1464,66,1297,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66] + [PKTLENS.....: 1417,52,665,52,1049,52,1450,52,195,52,1450,52,1283,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52] + [ENTROPIES...: 7.9,5.1,7.7,5.0,7.8,5.0,7.9,5.1,6.7,5.1,7.9,5.1,7.8,5.1,7.9,5.0,7.8,5.1,7.9,5.1,7.8,5.1,7.9,5.1,7.9,5.1,7.9,5.1,7.9,5.1,7.9,5.1] detection-update: [.....2] [ip4][..tcp] [..192.168.0.103][33936] -> [....31.13.93.52][..443] [TLS.Facebook][SocialNetwork][Fun] new: [.....3] [ip4][..tcp] [..192.168.0.103][38816] -> [...46.33.70.160][...80] [MIDSTREAM] detected: [.....3] [ip4][..tcp] [..192.168.0.103][38816] -> [...46.33.70.160][...80] [HTTP.Instagram][SocialNetwork][Fun] @@ -27,35 +28,38 @@ new: [.....6] [ip4][..tcp] [..192.168.0.103][57965] -> [...82.85.26.185][...80] [MIDSTREAM] detected: [.....6] [ip4][..tcp] [..192.168.0.103][57965] -> [...82.85.26.185][...80] [HTTP.Instagram][SocialNetwork][Fun] analyse: [.....3] [ip4][..tcp] [..192.168.0.103][38816] -> [...46.33.70.160][...80] [HTTP.Instagram][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.033| 0.003| 0.008| 64.366| 0.000] - [PKTLEN......: 66.000| 1484.000| 1226.200| 538.200|289645.800| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.033| 0.003| 0.008| 64.366| 2.900] + [PKTLEN......: 52.000| 1470.000| 1212.200| 538.200| 289645.800| 4.800] [BINS(c->s)..: 5,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0] [DIRECTIONS..: 0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,1,1,1,1,1,0,1] [IATS(ms)....: 32.7,33.1,0.8,0.7,1.8,2.1,0.1,0.0,0.3,0.4,0.7,0.6,0.6,0.6,0.6,0.6,0.6,0.6,11.0,1.9,2.0,0.4,0.3,0.8,1.1,0.5,0.5,0.4,0.8,4.1,0.5] - [PKTLENS.....: 326,1484,66,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,66,1484,66,1484,66,1484,1484,1484,1484,1484,1484,66,1484] + [PKTLENS.....: 312,1470,52,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,52,1470,52,1470,52,1470,1470,1470,1470,1470,1470,52,1470] + [ENTROPIES...: 5.9,7.3,5.1,7.7,7.7,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.9,7.7,7.7,7.8,7.7,5.1,7.8,5.1,7.6,5.1,7.8,7.8,7.7,7.7,7.8,7.5,5.1,7.8] analyse: [.....4] [ip4][..tcp] [..192.168.0.103][57936] -> [...82.85.26.162][...80] [HTTP.Instagram][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.112| 0.011| 0.030| 883.414| 0.000] - [PKTLEN......: 66.000| 1484.000| 785.400| 697.700|486813.200| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.112| 0.011| 0.030| 883.414| 2.300] + [PKTLEN......: 52.000| 1470.000| 771.400| 697.700| 486813.200| 4.300] [BINS(c->s)..: 14,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,15,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,1,0,1,0,1] [IATS(ms)....: 56.8,57.1,1.2,1.0,0.6,0.6,0.4,0.4,0.5,0.5,0.7,0.7,1.3,1.3,1.2,1.2,0.5,0.5,0.4,0.5,111.5,0.0,112.0,0.3,1.3,0.1,0.0,1.0,0.9,0.8,0.5] - [PKTLENS.....: 319,1484,66,1445,66,1484,66,1484,66,1484,66,1484,66,186,66,1484,66,1484,66,1484,66,1484,1484,66,66,1484,1484,1484,66,1484,66,1484] + [PKTLENS.....: 305,1470,52,1431,52,1470,52,1470,52,1470,52,1470,52,172,52,1470,52,1470,52,1470,52,1470,1470,52,52,1470,1470,1470,52,1470,52,1470] + [ENTROPIES...: 5.8,6.9,5.0,7.6,5.0,7.8,5.0,7.8,5.0,7.8,5.1,7.8,5.0,6.5,5.0,6.9,5.0,7.5,5.0,7.8,5.0,7.8,7.8,5.1,5.1,7.8,7.8,7.8,5.1,7.8,5.1,7.8] detection-update: [.....6] [ip4][..tcp] [..192.168.0.103][57965] -> [...82.85.26.185][...80] [HTTP.Instagram][SocialNetwork][Fun] detection-update: [.....5] [ip4][..tcp] [..192.168.0.103][44379] -> [...82.85.26.186][...80] [HTTP.Instagram][SocialNetwork][Fun] new: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [MIDSTREAM] analyse: [.....5] [ip4][..tcp] [..192.168.0.103][44379] -> [...82.85.26.186][...80] [HTTP.Instagram][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.372| 0.037| 0.093| 8582.227| 0.000] - [PKTLEN......: 66.000| 1484.000| 840.400| 686.900|471900.100| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.372| 0.037| 0.093| 8582.227| 2.300] + [PKTLEN......: 52.000| 1470.000| 826.400| 686.900| 471900.100| 4.400] [BINS(c->s)..: 13,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0] [DIRECTIONS..: 0,1,0,1,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1] [IATS(ms)....: 185.5,185.9,0.4,0.5,0.6,0.1,1.4,0.1,1.4,0.1,0.6,0.7,1.4,0.1,310.3,372.1,63.2,2.2,2.2,0.3,0.3,0.5,0.4,0.7,0.8,0.6,0.5,0.5,0.5,1.0,1.0] - [PKTLENS.....: 325,1484,94,1484,1484,94,94,1484,1484,94,94,1484,94,1484,1484,325,1484,66,1484,66,1474,66,1484,66,1484,66,1484,66,1484,66,1484,1484] + [PKTLENS.....: 311,1470,80,1470,1470,80,80,1470,1470,80,80,1470,80,1470,1470,311,1470,52,1470,52,1460,52,1470,52,1470,52,1470,52,1470,52,1470,1470] + [ENTROPIES...: 5.9,7.8,5.2,7.8,7.8,5.2,5.3,7.8,7.8,5.3,5.3,7.8,5.2,7.8,7.8,5.8,7.2,5.0,7.6,5.0,7.7,5.0,7.8,5.0,7.8,5.0,7.8,5.0,7.8,5.0,7.8,7.8] new: [.....8] [ip4][..tcp] [..192.168.0.103][37350] -> [...82.85.26.153][...80] [MIDSTREAM] detected: [.....8] [ip4][..tcp] [..192.168.0.103][37350] -> [...82.85.26.153][...80] [HTTP.Instagram][SocialNetwork][Fun] new: [.....9] [ip4][..udp] [..192.168.0.106][17500] -> [255.255.255.255][17500] @@ -73,14 +77,15 @@ detected: [....15] [ip4][..tcp] [..192.168.0.103][33763] -> [....31.13.93.52][..443] [TLS.Facebook][SocialNetwork][Fun] new: [....16] [ip4][..tcp] [..192.168.0.103][38817] -> [...46.33.70.160][...80] [MIDSTREAM] analyse: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 7.322| 0.237| 1.293|1672842.314| 0.000] - [PKTLEN......: 66.000| 1484.000| 903.300| 693.100|480370.200| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 7.322| 0.237| 1.293| 1672842.314| 0.100] + [PKTLEN......: 52.000| 1470.000| 889.300| 693.100| 480370.200| 4.400] [BINS(c->s)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,18,0,0,0] [DIRECTIONS..: 0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,0,0] [IATS(ms)....: 0.2,0.9,1.5,2.7,0.5,0.4,0.3,0.4,1.5,0.5,1.2,1.8,0.1,0.0,2.3,0.1,3.2,0.4,3.6,1.0,0.5,0.4,2.0,0.9,0.9,0.7,3.6,0.1,4.7,0.2,7321.5] - [PKTLENS.....: 66,66,1484,1484,66,1484,1484,1484,1484,66,66,1484,1484,1484,1484,66,66,1484,1484,66,1484,1484,1484,66,1484,66,1484,1484,1337,66,66,66] + [PKTLENS.....: 52,52,1470,1470,52,1470,1470,1470,1470,52,52,1470,1470,1470,1470,52,52,1470,1470,52,1470,1470,1470,52,1470,52,1470,1470,1323,52,52,52] + [ENTROPIES...: 5.0,5.0,7.8,7.8,5.0,7.8,7.8,7.8,7.8,5.0,5.1,7.8,7.8,7.8,7.8,5.1,5.0,7.8,7.8,5.0,7.8,7.8,7.8,5.1,7.8,5.0,7.8,7.8,7.8,5.1,5.1,5.1] guessed: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [HTTP][Web][Acceptable] detected: [.....7] [ip4][..tcp] [..192.168.0.103][33976] -> [....77.67.29.17][...80] [HTTP][Web][Acceptable] new: [....17] [ip4][..udp] [..192.168.0.103][51219] -> [........8.8.8.8][...53] @@ -127,24 +132,26 @@ new: [....27] [ip4][..tcp] [..192.168.0.103][58053] -> [...82.85.26.162][...80] [MIDSTREAM] detected: [....27] [ip4][..tcp] [..192.168.0.103][58053] -> [...82.85.26.162][...80] [HTTP.Instagram][SocialNetwork][Fun] analyse: [....26] [ip4][..tcp] [..192.168.0.103][58052] -> [...82.85.26.162][...80] [HTTP.Instagram][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.062| 0.005| 0.015| 225.668| 0.000] - [PKTLEN......: 66.000| 1484.000| 793.200| 693.800|481326.300| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.062| 0.005| 0.015| 225.668| 2.000] + [PKTLEN......: 52.000| 1470.000| 779.200| 693.800| 481326.300| 4.300] [BINS(c->s)..: 14,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0] [DIRECTIONS..: 0,1,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,0,0,1,0,0,1,0,1,0,1,1,1] [IATS(ms)....: 61.3,0.2,0.4,62.2,0.3,0.3,1.4,0.7,0.9,0.9,1.6,0.1,0.1,1.6,0.1,0.1,1.3,0.1,0.0,1.3,0.1,0.1,0.0,0.1,0.5,0.5,2.4,2.4,1.4,0.1,0.0] - [PKTLENS.....: 326,1484,1484,1475,66,66,66,1484,66,1484,66,1484,1484,1484,66,66,66,1484,1484,1484,66,66,1484,66,66,1484,66,1484,66,396,1484,1484] + [PKTLENS.....: 312,1470,1470,1461,52,52,52,1470,52,1470,52,1470,1470,1470,52,52,52,1470,1470,1470,52,52,1470,52,52,1470,52,1470,52,382,1470,1470] + [ENTROPIES...: 5.9,7.4,7.8,7.9,5.0,5.0,5.0,7.8,5.0,7.9,5.0,7.8,7.8,7.8,5.0,5.0,5.0,7.8,7.9,7.8,5.0,5.0,7.8,5.0,5.0,7.7,5.0,7.8,5.0,7.4,7.7,7.7] new: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [MIDSTREAM] analyse: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.002| 0.001| 0.001| 0.353| 0.000] - [PKTLEN......: 66.000| 1464.000| 983.400| 664.000|440886.100| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.002| 0.001| 0.001| 0.353| 4.600] + [PKTLEN......: 52.000| 1450.000| 969.400| 664.000| 440886.100| 4.500] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0] [BINS(s->c)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,0,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0] [IATS(ms)....: 0.4,1.5,1.6,0.5,0.5,0.8,1.5,0.1,0.0,1.6,2.2,2.1,0.4,0.2,0.6,0.4,1.3,1.7,0.5,0.2,0.6,0.6,1.0,1.7,0.3,0.5,0.9,0.8,0.3,1.0,0.7] - [PKTLENS.....: 1464,66,1464,66,1464,1464,66,1464,1464,1464,66,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464] + [PKTLENS.....: 1450,52,1450,52,1450,1450,52,1450,1450,1450,52,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450] + [ENTROPIES...: 7.8,5.0,7.5,5.0,7.9,7.9,5.0,7.8,7.4,7.5,5.0,7.9,5.0,7.8,7.9,5.0,7.8,7.8,5.0,7.2,7.8,5.0,7.8,7.9,5.0,7.8,7.8,5.0,7.4,7.9,5.0,7.9] guessed: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [HTTP.Facebook][SocialNetwork][Fun] detected: [....28] [ip4][..tcp] [....31.13.86.52][...80] -> [..192.168.0.103][58216] [HTTP.Facebook][SocialNetwork][Fun] update: [....14] [ip4][.icmp] [..192.168.0.103] -> [..192.168.0.103] [ICMP][Network][Acceptable] @@ -157,14 +164,15 @@ new: [....31] [ip4][..udp] [..192.168.0.103][27124] -> [........8.8.8.8][...53] detected: [....31] [ip4][..udp] [..192.168.0.103][27124] -> [........8.8.8.8][...53] [DNS.Instagram][SocialNetwork][Fun] analyse: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.004| 0.001| 0.001| 1.362| 0.000] - [PKTLEN......: 66.000| 1484.000| 819.300| 707.600|500717.400| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.004| 0.001| 0.001| 1.362| 4.300] + [PKTLEN......: 52.000| 1470.000| 805.300| 707.600| 500717.400| 4.300] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0] [BINS(s->c)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0] [IATS(ms)....: 0.1,2.1,0.4,3.4,0.0,3.2,2.3,0.4,0.9,1.9,0.2,2.6,1.8,3.8,0.1,3.8,0.2,1.3,1.3,0.4,0.2,0.2,0.3,0.5,0.5,0.9,0.9,2.1,2.1,2.0,0.1] - [PKTLENS.....: 1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,1484] + [PKTLENS.....: 1470,52,1470,1470,52,52,1470,52,1470,1470,52,52,1470,52,1470,1470,52,52,1470,52,1470,52,1470,52,1470,52,1470,52,1470,52,1470,1470] + [ENTROPIES...: 7.8,5.1,7.8,7.8,5.1,5.1,7.8,5.1,7.8,7.7,5.0,5.1,7.7,5.1,7.7,7.8,5.2,5.1,7.7,5.2,7.8,5.2,7.8,5.2,7.8,5.1,7.8,5.1,7.8,5.1,7.8,7.8] guessed: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Web][Acceptable] detected: [....29] [ip4][..tcp] [....2.22.236.51][...80] -> [..192.168.0.103][44151] [HTTP][Web][Acceptable] new: [....32] [ip4][..tcp] [...46.33.70.150][...80] -> [..192.168.0.103][40855] @@ -174,14 +182,15 @@ detected: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] detection-update: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] analyse: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.017| 0.003| 0.006| 31.659| 0.000] - [PKTLEN......: 66.000| 1454.000| 647.500| 640.400|410152.900| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.017| 0.003| 0.006| 31.659| 3.300] + [PKTLEN......: 52.000| 1440.000| 633.500| 640.400| 410152.900| 4.200] [BINS(c->s)..: 11,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0] [IATS(ms)....: 12.4,14.6,0.1,14.6,1.7,0.0,0.0,16.8,0.1,2.0,0.5,16.5,0.7,0.2,12.5,0.6,0.5,0.9,0.3,0.3,0.2,0.2,0.1,0.2,0.3,0.2,2.4,0.1,1.6,0.1,0.1] - [PKTLENS.....: 78,74,66,288,66,1454,1454,369,66,66,130,564,259,696,89,66,1454,1454,66,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66] + [PKTLENS.....: 64,60,52,274,52,1440,1440,355,52,52,116,550,245,682,75,52,1440,1440,52,1440,1440,1440,1440,1440,1440,1440,1440,52,52,52,52,52] + [ENTROPIES...: 4.3,5.1,4.8,6.4,5.0,7.9,7.9,7.4,4.9,4.9,5.9,7.6,7.1,7.7,5.5,5.0,7.9,7.9,5.0,7.9,7.9,7.9,7.9,7.9,7.8,7.9,7.9,5.0,4.9,5.0,4.9,4.9] new: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] new: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] new: [....36] [ip4][..tcp] [...192.168.2.17][49359] -> [....31.13.86.52][..443] @@ -192,23 +201,25 @@ detection-update: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] detection-update: [....36] [ip4][..tcp] [...192.168.2.17][49359] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] analyse: [....36] [ip4][..tcp] [...192.168.2.17][49359] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.159| 0.012| 0.037| 1346.646| 0.000] - [PKTLEN......: 66.000| 1454.000| 536.800| 570.200|325102.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.159| 0.012| 0.037| 1346.646| 2.300] + [PKTLEN......: 52.000| 1440.000| 522.800| 570.200| 325102.600| 4.100] [BINS(c->s)..: 11,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0] [DIRECTIONS..: 0,1,0,0,0,1,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,1,0,0,1,1] [IATS(ms)....: 12.0,14.1,0.6,0.2,14.9,0.1,0.3,0.6,0.4,0.3,0.1,14.0,0.4,0.1,0.1,0.2,0.2,1.4,0.1,1.2,0.1,0.1,0.0,0.5,10.6,8.9,1.6,2.2,142.8,158.9,0.4] - [PKTLENS.....: 78,74,66,485,579,66,66,288,699,1454,1454,1454,66,1454,1454,1454,720,1454,150,66,66,66,66,66,66,100,66,244,66,637,699,1454] + [PKTLENS.....: 64,60,52,471,565,52,52,274,685,1440,1440,1440,52,1440,1440,1440,706,1440,136,52,52,52,52,52,52,86,52,230,52,623,685,1440] + [ENTROPIES...: 4.3,5.0,4.9,7.0,7.6,5.0,5.0,6.8,7.7,7.9,7.9,7.9,4.8,7.9,7.9,7.9,7.7,7.9,6.3,5.0,4.9,4.9,4.8,5.0,4.8,5.9,5.0,7.0,5.0,7.6,7.7,7.9] analyse: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.157| 0.021| 0.045| 2047.640| 0.000] - [PKTLEN......: 66.000| 1454.000| 532.200| 557.600|310915.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.157| 0.021| 0.045| 2047.640| 2.900] + [PKTLEN......: 52.000| 1440.000| 518.200| 557.600| 310915.100| 4.200] [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0] [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1] [IATS(ms)....: 11.1,12.2,3.4,0.1,16.0,0.2,0.5,13.0,0.5,11.8,12.0,155.6,0.5,0.1,0.3,0.1,0.1,0.3,0.0,156.5,0.1,0.1,0.1,0.3,2.7,48.7,55.9,8.2,149.2,0.5,0.0] - [PKTLENS.....: 78,74,66,485,595,66,66,288,66,150,244,66,840,1454,1454,1454,1454,1057,1454,100,66,66,66,66,66,654,654,66,66,841,1454,1454] + [PKTLENS.....: 64,60,52,471,581,52,52,274,52,136,230,52,826,1440,1440,1440,1440,1043,1440,86,52,52,52,52,52,640,640,52,52,827,1440,1440] + [ENTROPIES...: 4.3,5.1,5.0,7.0,7.6,5.0,5.0,6.7,4.9,6.3,7.0,4.9,7.7,7.9,7.9,7.9,7.9,7.8,7.8,5.8,5.0,5.0,5.0,5.0,5.0,7.6,7.6,5.0,5.0,7.7,7.8,7.9] idle: [.....8] [ip4][..tcp] [..192.168.0.103][37350] -> [...82.85.26.153][...80] idle: [....22] [ip4][..tcp] [..192.168.0.103][41181] -> [...82.85.26.154][..443] idle: [....23] [ip4][..tcp] [..192.168.0.103][41182] -> [...82.85.26.154][..443] @@ -254,32 +265,35 @@ detection-update: [....37] [ip4][..tcp] [...192.168.2.17][49360] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] detection-update: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] analyse: [....37] [ip4][..tcp] [...192.168.2.17][49360] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.016| 0.003| 0.005| 22.312| 0.000] - [PKTLEN......: 66.000| 1454.000| 733.000| 652.700|426025.800| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.016| 0.003| 0.005| 22.312| 3.200] + [PKTLEN......: 52.000| 1440.000| 719.000| 652.700| 426025.800| 4.300] [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0] [DIRECTIONS..: 0,1,0,0,0,1,1,1,1,0,1,0,1,1,1,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1] [IATS(ms)....: 11.8,12.9,2.8,0.1,16.4,0.0,0.4,1.1,14.1,0.3,0.6,0.6,0.2,0.3,0.4,0.1,1.1,0.3,0.1,1.7,0.1,0.2,0.0,0.1,10.0,0.1,1.4,0.1,1.4,0.1,0.2] - [PKTLENS.....: 78,74,66,470,592,66,66,288,699,66,89,150,1454,1454,1454,1454,1454,66,1454,1454,66,66,66,66,66,1454,1454,1454,1454,1454,1454,1454] + [PKTLENS.....: 64,60,52,456,578,52,52,274,685,52,75,136,1440,1440,1440,1440,1440,52,1440,1440,52,52,52,52,52,1440,1440,1440,1440,1440,1440,1440] + [ENTROPIES...: 4.3,5.1,4.8,6.9,7.6,5.0,5.0,6.8,7.7,4.9,5.7,6.4,7.9,7.9,7.9,7.9,7.9,5.0,7.9,7.9,5.0,4.8,5.0,5.0,4.9,7.9,7.9,7.9,7.9,7.8,7.9,7.9] analyse: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 10.470| 0.692| 2.561|6557671.096| 0.000] - [PKTLEN......: 66.000| 1454.000| 474.700| 528.600|279392.300| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 10.470| 0.692| 2.561| 6557671.096| 1.200] + [PKTLEN......: 52.000| 1440.000| 460.700| 528.600| 279392.300| 4.100] [BINS(c->s)..: 10,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0] [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1] [IATS(ms)....: 11.1,12.4,1.2,0.5,13.3,0.6,0.1,14.2,0.6,14.4,12.5,169.6,0.3,0.2,0.1,0.3,0.1,0.2,0.2,0.0,169.7,0.1,1.8,0.2,0.1,0.5,10413.4,52.2,10469.8,9.8,75.9] - [PKTLENS.....: 78,74,66,485,663,66,66,288,66,150,244,66,839,1454,1454,1454,1454,1454,642,1454,100,66,66,66,66,66,66,601,601,66,66,842] + [PKTLENS.....: 64,60,52,471,649,52,52,274,52,136,230,52,825,1440,1440,1440,1440,1440,628,1440,86,52,52,52,52,52,52,587,587,52,52,828] + [ENTROPIES...: 4.2,5.1,4.9,7.1,7.6,5.0,5.0,6.8,4.9,6.4,7.0,4.8,7.7,7.9,7.9,7.8,7.9,7.9,7.7,7.9,5.8,5.0,5.0,4.9,4.9,4.9,5.0,7.6,7.6,5.1,5.1,7.8] analyse: [....38] [ip4][..tcp] [...192.168.2.17][49361] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.132| 0.012| 0.032| 1010.732| 0.000] - [PKTLEN......: 66.000| 1454.000| 569.500| 619.500|383805.700| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.132| 0.012| 0.032| 1010.732| 2.400] + [PKTLEN......: 52.000| 1440.000| 555.500| 619.500| 383805.700| 4.100] [BINS(c->s)..: 12,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0] [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0] [IATS(ms)....: 12.1,13.3,2.5,0.5,16.0,0.0,0.8,14.0,1.4,14.5,16.1,131.7,0.0,0.9,0.2,0.3,0.0,0.1,0.3,0.2,0.2,0.2,0.3,129.9,0.1,0.1,2.6,0.1,0.1,0.0,0.0] - [PKTLENS.....: 78,74,66,470,592,66,66,288,66,150,244,66,840,89,1454,1454,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66,66,66,66] + [PKTLENS.....: 64,60,52,456,578,52,52,274,52,136,230,52,826,75,1440,1440,1440,1440,1440,1440,1440,1440,1440,1440,52,52,52,52,52,52,52,52] + [ENTROPIES...: 4.3,5.1,4.9,7.0,7.5,5.0,5.0,6.8,4.9,6.4,7.0,4.9,7.7,5.6,7.9,7.9,7.9,7.8,7.8,7.9,7.9,7.9,7.9,7.8,5.0,5.0,4.9,4.9,4.8,4.9,4.7,4.9] end: [....33] [ip4][..tcp] [...192.168.2.17][49355] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] end: [....34] [ip4][..tcp] [...192.168.2.17][49357] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] end: [....35] [ip4][..tcp] [...192.168.2.17][49358] -> [....31.13.86.52][..443] [TLS.Instagram][SocialNetwork][Fun] diff --git a/test/results/flow-info/iphone.pcap.out b/test/results/flow-info/iphone.pcap.out index 5bed52647..74d21bd44 100644 --- a/test/results/flow-info/iphone.pcap.out +++ b/test/results/flow-info/iphone.pcap.out @@ -134,44 +134,48 @@ detected: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Streaming][Fun] detection-update: [....48] [ip4][..udp] [...192.168.2.17][65079] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Streaming][Fun] analyse: [....29] [ip4][..tcp] [...192.168.2.17][50580] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.686| 0.087| 0.170|29013.449| 0.000] - [PKTLEN......: 66.000| 1506.000| 324.700| 443.900|197074.700| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.686| 0.087| 0.170| 29013.449| 3.100] + [PKTLEN......: 52.000| 1492.000| 310.700| 443.900| 197074.700| 3.900] [BINS(c->s)..: 8,4,1,0,1,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0] [IATS(ms)....: 34.0,135.8,0.2,135.5,2.1,0.2,8.7,0.0,162.5,0.9,167.4,319.4,0.0,34.7,0.1,651.1,0.6,0.0,0.1,0.1,0.0,0.1,0.2,686.2,0.0,1.2,0.0,33.7,32.5,122.6,156.5] - [PKTLENS.....: 78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1090,438,104,200,438,66,104,66,66,66,66,637,66] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1492,566,52,52,145,103,121,52,52,105,102,94,1076,424,90,186,424,52,90,52,52,52,52,623,52] + [ENTROPIES...: 4.4,5.0,5.0,4.5,4.9,6.7,7.5,7.5,7.3,4.9,4.9,6.0,5.5,6.0,5.0,4.9,5.7,5.6,5.5,7.8,7.4,5.3,6.6,7.4,4.9,5.4,5.0,5.0,4.9,5.1,7.7,5.0] new: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] detected: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Streaming][Fun] detection-update: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Streaming][Fun] analyse: [....45] [ip4][..tcp] [...192.168.2.17][50584] -> [..17.248.176.75][..443] [TLS.AppleiCloud][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.655| 0.067| 0.146|21410.738| 0.000] - [PKTLEN......: 54.000| 1506.000| 313.400| 449.800|202280.400| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.655| 0.067| 0.146| 21410.738| 2.900] + [PKTLEN......: 40.000| 1492.000| 299.400| 449.800| 202280.400| 3.800] [BINS(c->s)..: 9,5,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1] [IATS(ms)....: 34.1,36.1,0.1,34.7,1.6,0.1,2.3,0.1,140.2,0.4,7.3,143.3,0.0,33.9,0.1,1.5,0.0,0.0,0.3,0.4,0.0,0.1,34.9,0.0,1.2,0.0,128.2,155.2,168.0,510.7,654.8] - [PKTLENS.....: 78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1084,104,450,104,66,104,66,66,66,750,66,54,66] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1492,566,52,52,145,103,121,52,52,105,102,94,1070,90,436,90,52,90,52,52,52,736,52,40,52] + [ENTROPIES...: 4.4,5.2,5.1,4.5,5.1,6.7,7.5,7.5,7.3,4.9,5.0,6.0,5.7,6.0,5.0,5.0,5.7,5.8,5.5,7.8,5.5,7.4,5.5,4.9,5.5,5.0,5.0,4.9,7.7,5.0,4.5,5.1] analyse: [....49] [ip4][..tcp] [...192.168.2.17][50587] -> [...92.123.77.26][..443] [TLS.AppleiTunes][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.147| 0.026| 0.045| 1989.449| 0.000] - [PKTLEN......: 66.000| 1506.000| 336.100| 461.100|212650.100| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.147| 0.026| 0.045| 1989.449| 3.200] + [PKTLEN......: 52.000| 1492.000| 322.100| 461.100| 212650.100| 3.900] [BINS(c->s)..: 10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 6,1,1,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,0,1,1,0,1] [IATS(ms)....: 33.3,146.1,0.1,147.3,1.4,0.2,0.1,0.0,38.6,0.0,0.1,10.9,46.9,12.5,120.2,0.0,0.0,0.2,1.1,0.1,1.5,0.5,107.4,0.0,1.2,31.0,0.5,3.7,0.0,4.5,82.6] - [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,456,66,66,66,146,353,353,112,109,101,1506,566,832,66,66,66,136,66,66,97,66,101,66,66] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1268,442,52,52,52,132,339,339,98,95,87,1492,552,818,52,52,52,122,52,52,83,52,87,52,52] + [ENTROPIES...: 4.5,5.3,5.1,4.5,5.2,7.8,7.9,7.8,7.5,5.1,5.2,5.1,6.2,7.4,7.3,6.1,6.0,5.9,7.9,7.6,7.7,5.2,5.2,5.1,6.2,5.1,5.1,5.8,5.1,5.9,5.1,5.1] analyse: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.804| 0.109| 0.185|34306.707| 0.000] - [PKTLEN......: 66.000| 1506.000| 735.000| 667.300|445284.800| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.804| 0.109| 0.185| 34306.707| 3.400] + [PKTLEN......: 52.000| 1492.000| 721.000| 667.300| 445284.800| 4.300] [BINS(c->s)..: 8,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,7,0,0] [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,0] [IATS(ms)....: 146.0,171.0,0.4,171.3,2.7,0.1,11.1,1.3,11.2,179.7,0.0,0.1,0.1,15.6,168.2,146.4,161.4,0.7,308.7,51.5,198.2,655.7,0.2,0.2,0.3,803.5,1.3,180.3,0.3,0.3,0.2] - [PKTLENS.....: 78,74,66,583,66,1506,1506,1506,1506,1488,66,66,66,66,159,117,66,1183,358,66,1010,66,1178,1506,1506,1506,66,66,1506,1506,1506,1506] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1492,1492,1474,52,52,52,52,145,103,52,1169,344,52,996,52,1164,1492,1492,1492,52,52,1492,1492,1492,1492] + [ENTROPIES...: 4.4,5.0,4.9,4.7,5.0,6.2,4.6,7.1,7.5,7.5,4.9,4.9,4.9,4.8,6.0,5.6,5.0,7.8,7.2,5.1,7.8,4.9,7.8,7.9,7.9,7.9,5.0,5.0,7.9,7.9,7.9,7.8] detection-update: [....38] [ip4][..tcp] [...192.168.2.17][50581] -> [..17.248.185.87][..443] [TLS.AppleiCloud][Web][Acceptable] new: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] detected: [....50] [ip4][..udp] [...192.168.2.17][63677] -> [....192.168.2.1][...53] [DNS.AppleiTunes][Streaming][Fun] diff --git a/test/results/flow-info/ipp.pcap.out b/test/results/flow-info/ipp.pcap.out index 29f69fb88..a486de0e7 100644 --- a/test/results/flow-info/ipp.pcap.out +++ b/test/results/flow-info/ipp.pcap.out @@ -8,14 +8,15 @@ detected: [.....2] [ip4][..tcp] [....10.10.10.49][55342] -> [...10.10.10.251][..631] [HTTP.IPP][System][Acceptable] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address analyse: [.....2] [ip4][..tcp] [....10.10.10.49][55342] -> [...10.10.10.251][..631] [HTTP.IPP][System][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.009| 0.004| 0.004| 12.440| 0.000] - [PKTLEN......: 66.000| 2962.000| 897.700| 882.800|779357.900| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.009| 0.004| 0.004| 12.440| 4.200] + [PKTLEN......: 52.000| 2948.000| 883.700| 882.800| 779357.900| 4.200] [BINS(c->s)..: 3,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,1,1,1,0,1,0,9] [BINS(s->c)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,0,1,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1] [IATS(ms)....: 0.7,0.7,0.1,0.0,3.6,1.6,5.1,0.1,0.0,5.8,5.7,0.0,3.7,3.6,0.0,7.3,7.3,0.0,8.8,8.8,0.0,9.1,9.1,0.0,7.2,7.2,0.0,7.6,7.6,0.0,7.2] - [PKTLENS.....: 74,74,66,210,214,66,91,66,2962,1514,66,2962,1586,66,1442,1610,66,1418,1634,66,1394,1658,66,1370,1682,66,1346,1706,66,1322,1730,66] + [PKTLENS.....: 60,60,52,196,200,52,77,52,2948,1500,52,2948,1572,52,1428,1596,52,1404,1620,52,1380,1644,52,1356,1668,52,1332,1692,52,1308,1716,52] + [ENTROPIES...: 4.4,4.7,4.6,5.5,5.4,4.7,5.2,4.6,4.1,4.0,4.7,3.7,3.5,4.7,3.5,3.5,4.6,4.1,4.5,4.7,4.3,4.2,4.7,4.2,4.7,4.7,4.7,4.3,4.7,4.2,4.1,4.6] new: [.....3] [ip4][..tcp] [....10.10.10.49][55343] -> [...10.10.10.251][..631] detected: [.....3] [ip4][..tcp] [....10.10.10.49][55343] -> [...10.10.10.251][..631] [HTTP.IPP][System][Acceptable] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address diff --git a/test/results/flow-info/ipsec_isakmp_esp.pcap.out b/test/results/flow-info/ipsec_isakmp_esp.pcap.out index 7567bc653..e2d473b45 100644 --- a/test/results/flow-info/ipsec_isakmp_esp.pcap.out +++ b/test/results/flow-info/ipsec_isakmp_esp.pcap.out @@ -12,14 +12,15 @@ update: [.....1] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.193][.4500] [IPSec][VPN][Safe] update: [.....2] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.193][..500] [IPSec][VPN][Safe] analyse: [.....1] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.193][.4500] [IPSec][VPN][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 662.067| 87.057| 203.164|41275511887.888| 0.000] - [PKTLEN......: 122.000| 1374.000| 542.100| 468.700|219671.500| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 662.067| 87.057| 203.164|41275511887.888| 2.000] + [PKTLEN......: 108.000| 1360.000| 528.100| 468.700| 219671.500| 4.500] [BINS(c->s)..: 0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0] [BINS(s->c)..: 0,0,3,0,7,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1] [IATS(ms)....: 122.0,677.0,771.0,222.0,34.0,2372.0,1.0,23.0,2387.0,22.0,24.0,661960.0,662067.0,681.0,743.0,195.0,34.0,407.0,421.0,4.0,138.0,188.0,12771.0,421390.0,408766.0] - [PKTLENS.....: 858,250,154,122,138,458,1374,1374,942,1374,174,174,174,942,174,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250] + [PKTLENS.....: 844,236,140,108,124,444,1360,1360,928,1360,160,160,160,928,160,844,236,140,108,124,444,1360,1360,928,160,160,160,1056,160,108,844,236] + [ENTROPIES...: 7.7,7.0,6.1,5.8,6.1,7.4,7.9,7.9,7.8,7.9,6.6,6.7,6.6,7.8,6.6,7.8,6.9,6.2,5.8,6.0,7.4,7.9,7.9,7.8,6.6,6.5,6.8,7.8,6.7,5.7,7.8,6.8] update: [.....1] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.193][.4500] [IPSec][VPN][Safe] update: [.....2] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.193][..500] [IPSec][VPN][Safe] DAEMON-EVENT: [Processed: 61 pkts][ZLib][compressions: 0|diff: 0 / 0] @@ -118,23 +119,25 @@ new: [....24] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.227][.4500] detected: [....24] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.227][.4500] [IPSec][VPN][Safe] analyse: [....24] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.227][.4500] [IPSec][VPN][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] - [PKTLEN......: 122.000| 1374.000| 507.000| 453.900|206039.000| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 108.000| 1360.000| 493.000| 453.900| 206039.000| 4.400] [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0] [BINS(s->c)..: 0,0,4,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1] [IATS(ms)....: ] - [PKTLENS.....: 858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250] + [PKTLENS.....: 844,236,140,108,124,444,1360,1360,928,160,160,160,1056,160,108,844,236,140,108,124,444,1360,1360,928,160,160,160,1056,160,108,844,236] + [ENTROPIES...: 7.7,6.9,6.3,5.9,6.1,7.4,7.9,7.9,7.8,6.7,6.6,6.5,7.8,6.7,5.8,7.7,6.9,6.3,5.7,6.1,7.5,7.9,7.9,7.8,6.6,6.6,6.6,7.8,6.5,5.7,7.7,6.8] analyse: [....23] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.227][..500] [IPSec][VPN][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] - [PKTLEN......: 94.000| 842.000| 521.000| 320.200|102515.000| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 80.000| 828.000| 507.000| 320.200| 102515.000| 4.700] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: ] - [PKTLENS.....: 818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330] + [PKTLENS.....: 804,80,828,316,804,80,828,316,804,80,828,316,804,80,828,316,804,80,828,316,804,80,828,316,804,80,828,316,804,80,828,316] + [ENTROPIES...: 4.9,4.6,5.0,6.6,5.0,4.6,5.0,6.6,4.9,4.6,5.0,6.4,4.9,4.6,5.0,6.6,4.9,4.6,5.0,6.5,4.9,4.6,5.0,6.6,4.9,4.7,5.0,6.6,4.9,4.6,5.0,6.5] new: [....25] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.226][..500] detected: [....25] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.226][..500] [IPSec][VPN][Safe] new: [....26] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.226][.4500] @@ -144,14 +147,15 @@ new: [....28] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.130][.4500] detected: [....28] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.130][.4500] [IPSec][VPN][Safe] analyse: [....28] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.130][.4500] [IPSec][VPN][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] - [PKTLEN......: 122.000| 1374.000| 665.200| 511.600|261688.400| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 108.000| 1360.000| 651.200| 511.600| 261688.400| 4.500] [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0] [BINS(s->c)..: 0,0,2,0,4,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,2,4,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1] [IATS(ms)....: ] - [PKTLENS.....: 858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250] + [PKTLENS.....: 844,236,140,108,124,444,1360,1056,160,160,1056,160,1360,1360,1312,844,236,140,108,124,444,1360,1056,160,160,1056,160,1360,1360,1312,844,236] + [ENTROPIES...: 7.7,6.8,6.3,5.8,6.0,7.4,7.9,7.8,6.6,6.6,7.8,6.6,7.8,7.9,7.9,7.8,6.8,6.3,5.9,6.1,7.4,7.9,7.8,6.6,6.7,7.8,6.7,7.9,7.8,7.8,7.7,6.9] new: [....29] [ip4][..udp] [..192.168.2.100][42593] -> [109.237.187.193][.4500] detected: [....29] [ip4][..udp] [..192.168.2.100][42593] -> [109.237.187.193][.4500] [IPSec][VPN][Safe] new: [....30] [ip4][..udp] [..192.168.2.100][42593] -> [109.237.187.193][..500] @@ -169,23 +173,25 @@ new: [....36] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.195][..500] detected: [....36] [ip4][..udp] [..192.168.2.100][10500] -> [109.237.187.195][..500] [IPSec][VPN][Safe] analyse: [....34] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.195][.4500] [IPSec][VPN][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] - [PKTLEN......: 122.000| 1374.000| 584.200| 486.800|236933.900| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 108.000| 1360.000| 570.200| 486.800| 236933.900| 4.500] [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0] [BINS(s->c)..: 0,0,2,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1] [IATS(ms)....: ] - [PKTLENS.....: 858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250] + [PKTLENS.....: 844,236,140,108,124,444,1360,1360,912,160,160,160,1056,160,1360,844,236,140,108,124,444,1360,1360,912,160,160,160,1056,160,1360,844,236] + [ENTROPIES...: 7.7,6.9,6.3,5.7,6.2,7.5,7.9,7.8,7.8,6.7,6.7,6.7,7.8,6.5,7.8,7.7,6.9,6.3,5.8,6.1,7.4,7.9,7.9,7.8,6.5,6.5,6.6,7.8,6.7,7.8,7.7,6.9] analyse: [....18] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.225][.4500] [IPSec][VPN][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] - [PKTLEN......: 122.000| 1374.000| 545.600| 472.200|222978.400| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 108.000| 1360.000| 531.600| 472.200| 222978.400| 4.400] [BINS(c->s)..: 0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0] [BINS(s->c)..: 0,0,3,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1] [IATS(ms)....: ] - [PKTLENS.....: 858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250] + [PKTLENS.....: 844,236,140,108,124,444,1360,1360,928,160,160,160,1056,160,108,844,236,140,108,124,444,1360,1360,912,160,160,160,1056,160,1360,844,236] + [ENTROPIES...: 7.7,6.9,6.3,5.8,6.2,7.5,7.8,7.8,7.8,6.7,6.6,6.6,7.8,6.6,5.7,7.8,7.0,6.2,5.9,6.2,7.5,7.9,7.9,7.8,6.7,6.6,6.6,7.8,6.6,7.8,7.7,6.9] idle: [....28] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.130][.4500] [IPSec][VPN][Safe] idle: [....20] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.131][.4500] [IPSec][VPN][Safe] idle: [....26] [ip4][..udp] [..192.168.2.100][14500] -> [109.237.187.226][.4500] [IPSec][VPN][Safe] diff --git a/test/results/flow-info/jabber.pcap.out b/test/results/flow-info/jabber.pcap.out index d92f7fb7b..9990f0c23 100644 --- a/test/results/flow-info/jabber.pcap.out +++ b/test/results/flow-info/jabber.pcap.out @@ -4,25 +4,27 @@ new: [.....1] [ip4][..tcp] [....172.16.0.62][57094] -> [...172.16.1.138][.5222] detected: [.....1] [ip4][..tcp] [....172.16.0.62][57094] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] analyse: [.....1] [ip4][..tcp] [....172.16.0.62][57094] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.338| 0.039| 0.084| 7085.730| 0.000] - [PKTLEN......: 66.000| 445.000| 142.100| 104.500|10930.100| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.338| 0.039| 0.084| 7085.730| 3.000] + [PKTLEN......: 52.000| 431.000| 128.100| 104.500| 10930.100| 4.600] [BINS(c->s)..: 11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0] [IATS(ms)....: 0.4,0.5,0.4,0.8,0.4,0.4,12.4,12.8,2.4,2.4,0.3,2.0,1.6,0.2,40.8,37.0,77.5,0.2,0.6,337.3,337.7,0.4,0.8,51.1,51.5,6.4,6.4,0.3,0.8,109.1,109.6] - [PKTLENS.....: 78,74,66,88,66,182,66,245,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66] + [PKTLENS.....: 64,60,52,74,52,168,52,231,52,337,52,214,212,52,390,52,172,52,104,52,103,52,168,52,231,52,431,52,175,52,184,52] + [ENTROPIES...: 4.2,5.0,4.9,5.5,4.9,5.4,4.9,5.6,4.7,5.4,4.7,5.6,6.1,4.7,6.1,4.9,5.9,4.9,5.4,4.8,5.5,4.8,5.4,4.8,5.6,4.6,5.4,4.8,5.5,4.8,5.6,4.8] new: [.....2] [ip4][..tcp] [....172.16.0.62][57122] -> [...172.16.1.138][.5222] detected: [.....2] [ip4][..tcp] [....172.16.0.62][57122] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] analyse: [.....2] [ip4][..tcp] [....172.16.0.62][57122] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.337| 0.038| 0.085| 7210.629| 0.000] - [PKTLEN......: 66.000| 445.000| 142.000| 104.500|10917.300| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.337| 0.038| 0.085| 7210.629| 2.800] + [PKTLEN......: 52.000| 431.000| 128.000| 104.500| 10917.300| 4.600] [BINS(c->s)..: 11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0] [IATS(ms)....: 0.7,0.7,0.1,0.5,0.4,0.3,0.2,0.5,0.1,0.1,0.2,1.4,1.3,0.2,39.8,41.0,80.7,0.2,0.6,336.4,336.8,0.3,0.8,51.2,51.7,0.1,0.1,0.3,0.8,115.1,115.6] - [PKTLENS.....: 78,74,66,88,66,182,66,243,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66] + [PKTLENS.....: 64,60,52,74,52,168,52,229,52,337,52,214,212,52,390,52,172,52,104,52,103,52,168,52,231,52,431,52,175,52,184,52] + [ENTROPIES...: 4.3,5.1,4.8,5.4,4.9,5.4,4.8,5.6,4.7,5.4,4.8,5.6,6.1,4.8,6.1,4.9,6.0,4.7,5.4,4.8,5.4,4.6,5.4,4.9,5.6,4.8,5.4,4.7,5.4,4.8,5.5,4.7] new: [.....3] [ip4][..tcp] [....172.16.0.62][57126] -> [...172.16.1.138][.5222] [MIDSTREAM] detected: [.....3] [ip4][..tcp] [....172.16.0.62][57126] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] new: [.....4] [ip4][..tcp] [....172.16.0.62][57129] -> [...172.16.1.138][.5222] [MIDSTREAM] @@ -38,14 +40,15 @@ DAEMON-EVENT: [Processed: 243 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] analyse: [.....6] [ip4][..tcp] [....172.16.0.62][57149] -> [...172.16.1.138][.5222] [Jabber][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 600.488| 42.007| 147.105|21639823353.709| 0.000] - [PKTLEN......: 66.000| 529.000| 164.800| 117.900|13893.800| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 600.488| 42.007| 147.105|21639823353.709| 1.400] + [PKTLEN......: 52.000| 515.000| 150.800| 117.900| 13893.800| 4.600] [BINS(c->s)..: 9,4,0,0,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,5,0,0,3,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1] [IATS(ms)....: 5.0,0.0,5.1,0.0,217.0,218.0,1.0,3684.5,3688.3,3.9,600484.2,600487.8,0.0,3.6,0.0,1.1,1.1,7.8,47.5,39.7,0.4,63.0,63.4,0.3,0.5,0.2,0.1,0.0,0.1,46584.0,46624.0] - [PKTLENS.....: 305,474,186,66,66,248,529,66,248,193,66,216,270,172,120,66,286,66,114,66,114,66,288,66,114,167,66,66,171,66,201,66] + [PKTLENS.....: 291,460,172,52,52,234,515,52,234,179,52,202,256,158,106,52,272,52,100,52,100,52,274,52,100,153,52,52,157,52,187,52] + [ENTROPIES...: 5.6,5.5,5.5,4.9,4.9,5.5,5.3,4.9,5.5,5.5,4.9,5.5,5.6,5.5,5.5,4.7,5.6,4.8,5.5,4.9,5.4,4.9,5.6,4.6,5.4,5.5,4.7,4.8,5.7,4.6,5.4,4.9] DAEMON-EVENT: [Processed: 270 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....7] [ip4][..tcp] [...192.168.58.1][53460] -> [.192.168.58.153][.5222] diff --git a/test/results/flow-info/kismet.pcap.out b/test/results/flow-info/kismet.pcap.out index 8bf5896fd..661a354b5 100644 --- a/test/results/flow-info/kismet.pcap.out +++ b/test/results/flow-info/kismet.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [......127.0.0.1][34065] -> [......127.0.0.1][.2501] detected: [.....1] [ip4][..tcp] [......127.0.0.1][34065] -> [......127.0.0.1][.2501] [Kismet][Network][Acceptable] analyse: [.....1] [ip4][..tcp] [......127.0.0.1][34065] -> [......127.0.0.1][.2501] [Kismet][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.100| 0.836| 0.406|165002.641| 0.000] - [PKTLEN......: 54.000| 1099.000| 142.900| 184.200|33913.200| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.100| 0.836| 0.406| 165002.641| 4.700] + [PKTLEN......: 40.000| 1085.000| 128.900| 184.200| 33913.200| 4.200] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,1,0,11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 0.0,0.0,0.2,0.2,399.9,399.9,615.2,615.3,399.6,399.6,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.9,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8,1099.8] - [PKTLENS.....: 66,66,54,253,54,72,54,1099,54,129,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189] + [PKTLENS.....: 52,52,40,239,40,58,40,1085,40,115,40,175,40,175,40,175,40,175,40,175,40,175,40,175,40,175,40,175,40,175,40,175] + [ENTROPIES...: 4.2,4.4,4.3,5.3,4.2,4.9,4.3,4.9,4.5,4.6,4.3,5.0,4.3,5.0,4.3,5.0,4.3,5.0,4.3,5.0,4.3,5.0,4.3,5.0,4.3,5.0,4.3,5.0,4.3,5.0,4.3,5.0] idle: [.....1] [ip4][..tcp] [......127.0.0.1][34065] -> [......127.0.0.1][.2501] [Kismet][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/kontiki.pcap.out b/test/results/flow-info/kontiki.pcap.out index 5ef4ef23e..e0950a89f 100644 --- a/test/results/flow-info/kontiki.pcap.out +++ b/test/results/flow-info/kontiki.pcap.out @@ -18,14 +18,15 @@ new: [.....8] [ip4][.icmp] [...4.79.219.125] -> [....10.25.32.59] detected: [.....8] [ip4][.icmp] [...4.79.219.125] -> [....10.25.32.59] [ICMP][Network][Acceptable] analyse: [.....3] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.86][.8888] [Kontiki][Media][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.608| 0.045| 0.118|13931.400| 0.000] - [PKTLEN......: 46.000| 1283.000| 818.400| 568.000|322604.600| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.608| 0.045| 0.118| 13931.400| 2.600] + [PKTLEN......: 32.000| 1269.000| 804.400| 568.000| 322604.600| 4.500] [BINS(c->s)..: 7,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,1,0,1,0,1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,1] [IATS(ms)....: 198.6,212.4,193.8,607.7,3.1,5.8,31.2,30.0,8.8,9.1,0.1,0.2,0.0,19.4,18.3,0.1,0.1,0.1,0.1,15.3,14.9,0.0,0.2,0.1,0.0,0.1,15.9,15.4,0.0,0.1,0.1] - [PKTLENS.....: 46,46,46,62,70,259,513,246,218,132,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,1283,58,1283,1283,1283,1283] + [PKTLENS.....: 32,32,32,48,56,245,499,232,204,118,1269,1269,1269,1269,44,1269,1269,1269,1269,1269,44,1269,1269,1269,1269,1269,1269,44,1269,1269,1269,1269] + [ENTROPIES...: 4.3,4.4,4.4,4.8,5.1,6.3,7.3,7.0,6.9,6.2,7.9,7.8,7.8,7.8,4.9,7.8,7.8,7.8,7.8,7.8,4.9,7.9,7.8,7.8,7.8,7.9,7.8,4.9,7.8,7.8,7.9,7.9] idle: [.....8] [ip4][.icmp] [...4.79.219.125] -> [....10.25.32.59] [ICMP][Network][Acceptable] idle: [.....7] [ip4][.icmp] [216.168.241.157] -> [....10.25.32.59] [ICMP][Network][Acceptable] idle: [.....3] [ip4][..udp] [....10.25.32.59][19948] -> [..64.200.148.86][.8888] [Kontiki][Media][Potentially Dangerous] diff --git a/test/results/flow-info/log4j-webapp-exploit.pcap.out b/test/results/flow-info/log4j-webapp-exploit.pcap.out index 12fbce673..38c4abd61 100644 --- a/test/results/flow-info/log4j-webapp-exploit.pcap.out +++ b/test/results/flow-info/log4j-webapp-exploit.pcap.out @@ -18,14 +18,15 @@ ERROR-EVENT: Unknown L3 protocol ERROR-EVENT: Unknown L3 protocol analyse: [.....4] [ip4][..tcp] [..172.16.238.10][55408] -> [....10.10.10.31][.9001] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 7.289| 0.474| 1.790|3202664.366| 0.000] - [PKTLEN......: 68.000| 76.000| 69.500| 2.200| 4.600| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 7.289| 0.474| 1.790| 3202664.366| 1.100] + [PKTLEN......: 52.000| 60.000| 53.500| 2.200| 4.600| 5.000] [BINS(c->s)..: 17,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 0.1,0.2,7288.6,7288.6,60.5,60.7,0.3,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.2,0.2,0.1,0.1,0.1,0.1,0.1,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.1] - [PKTLENS.....: 76,76,68,71,68,69,68,69,68,69,68,69,68,69,68,69,68,69,68,71,68,73,68,71,68,71,68,71,68,71,68,71] + [PKTLENS.....: 60,60,52,55,52,53,52,53,52,53,52,53,52,53,52,53,52,53,52,55,52,57,52,55,52,55,52,55,52,55,52,55] + [ENTROPIES...: 4.5,5.1,5.0,5.1,4.9,5.0,4.9,5.0,4.8,4.9,4.9,5.0,4.9,5.0,4.9,4.9,4.9,4.9,4.9,4.9,4.9,5.0,4.8,5.0,4.9,5.0,4.9,5.0,4.9,5.0,4.9,4.9] not-detected: [.....4] [ip4][..tcp] [..172.16.238.10][55408] -> [....10.10.10.31][.9001] [Unknown][Unrated] new: [.....5] [ip4][..tcp] [..172.16.238.10][57742] -> [..172.16.238.11][.1389] detected: [.....5] [ip4][..tcp] [..172.16.238.10][57742] -> [..172.16.238.11][.1389] [LDAP][System][Acceptable] diff --git a/test/results/flow-info/long_tls_certificate.pcap.out b/test/results/flow-info/long_tls_certificate.pcap.out index d85fa9462..8fb63b533 100644 --- a/test/results/flow-info/long_tls_certificate.pcap.out +++ b/test/results/flow-info/long_tls_certificate.pcap.out @@ -6,14 +6,15 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Web][Acceptable] detection-update: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Web][Acceptable] analyse: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.371| 0.087| 0.130|17024.252| 0.000] - [PKTLEN......: 54.000| 1506.000| 384.700| 546.600|298744.200| 3.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.371| 0.087| 0.130| 17024.252| 3.400] + [PKTLEN......: 40.000| 1492.000| 370.700| 546.600| 298744.200| 3.700] [BINS(c->s)..: 10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,1] [IATS(ms)....: 370.8,370.9,9.4,360.9,2.8,0.1,0.1,354.4,0.1,0.1,0.1,0.1,8.1,8.1,5.8,200.3,194.6,174.3,0.0,174.3,0.0,2.3,0.1,0.1,0.1,0.1,94.1,91.5,274.6,0.0,0.0] - [PKTLENS.....: 78,78,54,571,60,1506,1506,1506,54,1506,54,1104,54,1104,66,180,1506,66,105,123,54,54,107,110,96,128,92,123,66,66,66,66] + [PKTLENS.....: 64,64,40,557,46,1492,1492,1492,40,1492,40,1090,40,1090,52,166,1492,52,91,109,40,40,93,96,82,114,78,109,52,52,52,52] + [ENTROPIES...: 4.4,4.3,4.7,4.4,4.6,6.2,4.7,4.7,4.6,6.8,4.7,7.5,4.6,7.5,4.7,6.3,6.2,4.9,5.9,6.2,4.7,4.7,5.7,5.7,5.2,6.0,5.3,6.1,4.8,5.1,5.0,5.1] detection-update: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Web][Acceptable] end: [.....1] [ip4][..tcp] [...192.168.1.60][55333] -> [.106.15.100.123][..443] [TLS.Alibaba][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/modbus.pcap.out b/test/results/flow-info/modbus.pcap.out index 8b3b6ecd8..cf46f48db 100644 --- a/test/results/flow-info/modbus.pcap.out +++ b/test/results/flow-info/modbus.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [192.168.110.131][.2074] -> [192.168.110.138][..502] [MIDSTREAM] detected: [.....1] [ip4][..tcp] [192.168.110.131][.2074] -> [192.168.110.138][..502] [Modbus][IoT-Scada][Acceptable] analyse: [.....1] [ip4][..tcp] [192.168.110.131][.2074] -> [192.168.110.138][..502] [Modbus][IoT-Scada][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 1.014| 0.452| 0.497|247304.159| 0.000] - [PKTLEN......: 65.000| 66.000| 65.500| 0.500| 0.200| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 1.014| 0.452| 0.497| 247304.159| 3.800] + [PKTLEN......: 51.000| 52.000| 51.500| 0.500| 0.200| 5.000] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 1.1,1.2,0.9,1013.6,1014.2,1.5,0.9,986.5,986.9,1.2,0.9,1000.2,1000.5,1.2,0.9,1000.2,1000.6,1.2,0.9,1000.2,1000.6,1.6,0.9,999.8,1000.4,1.2,0.8,1000.2,1000.6,1.2,0.9] - [PKTLENS.....: 66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65] + [PKTLENS.....: 52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51] + [ENTROPIES...: 4.5,4.7,4.4,4.9,4.4,4.6,4.4,4.9,4.6,4.7,4.6,4.8,4.6,4.7,4.6,4.9,4.6,4.8,4.6,4.9,4.6,4.7,4.6,4.9,4.6,4.8,4.6,4.9,4.6,4.8,4.6,4.9] idle: [.....1] [ip4][..tcp] [192.168.110.131][.2074] -> [192.168.110.138][..502] [Modbus][IoT-Scada][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/monero.pcap.out b/test/results/flow-info/monero.pcap.out index e9a7e0fb3..2a7150d01 100644 --- a/test/results/flow-info/monero.pcap.out +++ b/test/results/flow-info/monero.pcap.out @@ -8,23 +8,25 @@ detected: [.....2] [ip4][..tcp] [..192.168.2.148][53846] -> [116.211.167.195][.3333] [Mining][Mining][Unsafe] RISK: Known Proto on Non Std Port, Unsafe Protocol analyse: [.....1] [ip4][..tcp] [..192.168.2.148][46838] -> [..94.23.199.191][.3333] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 71.693| 7.500| 18.614|346464978.993| 0.000] - [PKTLEN......: 66.000| 1514.000| 372.800| 549.100|301531.900| 3.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 71.693| 7.500| 18.614| 346464978.993| 2.400] + [PKTLEN......: 52.000| 1500.000| 358.800| 549.100| 301531.900| 3.700] [BINS(c->s)..: 8,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,3,0,0] [BINS(s->c)..: 10,2,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,0,0,1,1,0,1,0,0,0,1,1] [IATS(ms)....: 80.3,80.3,0.1,83.2,0.0,83.1,0.1,81.0,0.0,80.9,0.3,118.0,882.3,1042.5,71569.6,0.2,71693.1,0.0,0.7,81.6,32242.2,0.2,32323.4,1.5,82.5,7433.0,7432.9,3511.8,0.2,3592.7,1.0] - [PKTLENS.....: 74,74,66,164,66,128,66,161,104,185,66,126,66,376,66,1514,1496,66,66,91,66,1514,1496,66,91,66,376,66,1514,1496,66,91] + [PKTLENS.....: 60,60,52,150,52,114,52,147,90,171,52,112,52,362,52,1500,1482,52,52,77,52,1500,1482,52,77,52,362,52,1500,1482,52,77] + [ENTROPIES...: 4.7,5.3,5.1,5.8,5.3,5.7,5.3,6.1,5.7,5.9,5.1,5.8,5.3,5.0,5.2,4.5,4.3,5.3,5.3,5.7,5.2,4.5,4.3,5.4,5.7,5.2,4.9,5.2,4.5,4.3,5.4,5.7] analyse: [.....2] [ip4][..tcp] [..192.168.2.148][53846] -> [116.211.167.195][.3333] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 170.525| 32.857| 51.784|2681624034.542| 0.000] - [PKTLEN......: 54.000| 1498.000| 237.600| 347.600|120860.400| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 170.525| 32.857| 51.784| 2681624034.542| 3.400] + [PKTLEN......: 40.000| 1484.000| 223.600| 347.600| 120860.400| 3.900] [BINS(c->s)..: 12,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0] [BINS(s->c)..: 4,2,0,1,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,1] [IATS(ms)....: 308.1,308.2,0.2,308.1,0.0,308.0,0.7,308.7,0.0,308.0,0.1,346.7,653.9,1043.1,114411.2,114368.8,308.6,308.5,36863.2,36863.2,20419.9,20419.9,170525.4,170525.4,113243.5,113243.5,35871.3,35871.3,15564.6,0.2,15873.5] - [PKTLENS.....: 74,66,54,152,60,116,54,147,92,173,54,114,60,364,54,364,54,364,54,364,54,364,54,364,54,364,54,364,54,1498,1486,60] + [PKTLENS.....: 60,52,40,138,46,102,40,133,78,159,40,100,46,350,40,350,40,350,40,350,40,350,40,350,40,350,40,350,40,1484,1472,46] + [ENTROPIES...: 4.8,4.9,4.8,5.7,4.5,5.4,4.8,5.9,5.4,5.7,4.8,5.5,4.5,4.8,4.8,4.8,4.8,4.7,4.8,4.8,4.8,4.8,4.9,4.8,4.9,4.7,4.9,4.7,4.8,4.5,4.2,4.5] DAEMON-EVENT: [Processed: 198 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] idle: [.....2] [ip4][..tcp] [..192.168.2.148][53846] -> [116.211.167.195][.3333] [Mining][Mining][Unsafe] diff --git a/test/results/flow-info/nest_log_sink.pcap.out b/test/results/flow-info/nest_log_sink.pcap.out index 7d31b64e2..36f399f10 100644 --- a/test/results/flow-info/nest_log_sink.pcap.out +++ b/test/results/flow-info/nest_log_sink.pcap.out @@ -5,14 +5,15 @@ DAEMON-EVENT: [Processed: 30 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] analyse: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.061| 60.122| 38.821| 28.558|815563555.209| 0.000] - [PKTLEN......: 54.000| 60.000| 57.000| 3.000| 9.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.061| 60.122| 38.821| 28.558| 815563555.209| 4.300] + [PKTLEN......: 40.000| 46.000| 43.000| 3.000| 9.000| 5.000] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1] [IATS(ms)....: 60.8,60066.5,60071.0,444.6,512.2,60052.4,60122.1,60064.1,60058.5,139.4,204.1,59876.0,59944.8,60065.8,60071.7,305.5,379.3,59710.1,59782.3,60066.2,60065.0,470.7,541.9,60021.2,60097.0,60072.0,60059.9,163.5,227.3,59834.0,59896.7] - [PKTLENS.....: 60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54] + [PKTLENS.....: 46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40] + [ENTROPIES...: 4.5,4.9,4.5,4.9,4.9,4.5,4.5,4.9,4.5,4.9,4.9,4.5,4.5,4.9,4.5,4.9,4.9,4.5,4.5,4.9,4.4,4.9,4.9,4.4,4.5,4.9,4.5,4.9,4.9,4.5,4.5,4.9] guessed: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink.AmazonAWS][Cloud][Acceptable] detected: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink.AmazonAWS][Cloud][Acceptable] DAEMON-EVENT: [Processed: 60 pkts][ZLib][compressions: 0|diff: 0 / 0] @@ -23,28 +24,30 @@ new: [.....3] [ip4][..tcp] [.192.168.242.15][63342] -> [.35.188.154.186][11095] detected: [.....3] [ip4][..tcp] [.192.168.242.15][63342] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] analyse: [.....3] [ip4][..tcp] [.192.168.242.15][63342] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.491| 0.199| 0.354|125081.829| 0.000] - [PKTLEN......: 54.000| 733.000| 255.900| 219.800|48330.300| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.491| 0.199| 0.354| 125081.829| 3.700] + [PKTLEN......: 40.000| 719.000| 241.900| 219.800| 48330.300| 4.400] [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0] [IATS(ms)....: 69.7,72.2,635.6,708.3,5.3,110.8,1347.4,1490.6,118.0,84.3,0.1,88.9,80.3,82.8,83.4,80.0,80.0,80.2,79.6,79.6,80.9,81.4,80.7,80.0,79.3,79.3,79.9,72.2,8.5,80.0,81.8] - [PKTLENS.....: 60,58,60,585,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509] + [PKTLENS.....: 46,44,46,571,40,719,46,92,40,110,40,97,495,95,495,95,495,95,495,95,495,95,495,95,495,95,495,95,46,495,95,495] + [ENTROPIES...: 4.3,4.9,4.4,6.9,4.8,7.1,4.5,5.4,5.0,5.9,5.0,5.7,7.5,5.7,7.5,5.7,7.5,5.7,7.5,5.8,7.5,5.6,7.5,5.7,7.6,5.6,7.6,5.8,4.4,7.5,5.7,7.5] new: [.....4] [ip4][..tcp] [.192.168.242.15][63343] -> [..35.174.82.237][11095] detected: [.....4] [ip4][..tcp] [.192.168.242.15][63343] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] new: [.....5] [ip4][..tcp] [.192.168.242.15][63344] -> [.35.188.154.186][11095] detected: [.....5] [ip4][..tcp] [.192.168.242.15][63344] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] update: [.....2] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] analyse: [.....4] [ip4][..tcp] [.192.168.242.15][63343] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.007| 60.078| 8.258| 19.898|395938807.939| 0.000] - [PKTLEN......: 54.000| 731.000| 181.000| 184.800|34140.600| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.007| 60.078| 8.258| 19.898| 395938807.939| 2.400] + [PKTLEN......: 40.000| 717.000| 167.000| 184.800| 34140.600| 4.300] [BINS(c->s)..: 9,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1] [IATS(ms)....: 64.1,66.7,638.8,711.0,16.5,201.4,1246.7,1463.2,104.9,69.4,22.0,94.7,71.2,78.1,7.1,87.2,75.8,84.5,84.3,76.4,307.3,280.7,43.3,5019.6,5092.3,178.8,59560.5,59727.7,60063.8,60077.6,375.9] - [PKTLENS.....: 60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,215,60,346,116,60,60,54,60,54,54] + [PKTLENS.....: 46,44,46,571,40,717,46,92,40,444,40,100,162,669,46,220,206,220,190,220,201,46,201,46,332,102,46,46,40,46,40,40] + [ENTROPIES...: 4.4,5.0,4.4,7.0,5.0,7.1,4.5,5.5,5.0,7.4,5.0,5.7,6.4,7.7,4.4,6.7,6.7,6.8,6.5,6.8,6.7,4.3,6.7,4.3,7.2,5.8,4.3,4.4,4.9,4.3,4.9,4.9] end: [.....1] [ip4][..tcp] [.192.168.242.15][63340] -> [..35.174.82.237][11095] [NestLogSink.AmazonAWS][Cloud][Acceptable] end: [.....3] [ip4][..tcp] [.192.168.242.15][63342] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] end: [.....5] [ip4][..tcp] [.192.168.242.15][63344] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] @@ -62,14 +65,15 @@ new: [.....7] [ip4][..tcp] [.192.168.242.15][63345] -> [.35.188.154.186][11095] detected: [.....7] [ip4][..tcp] [.192.168.242.15][63345] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] analyse: [.....7] [ip4][..tcp] [.192.168.242.15][63345] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.478| 0.186| 0.338|114146.574| 0.000] - [PKTLEN......: 54.000| 732.000| 255.900| 219.700|48280.000| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.478| 0.186| 0.338| 114146.574| 3.600] + [PKTLEN......: 40.000| 718.000| 241.900| 219.700| 48280.000| 4.400] [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0] [IATS(ms)....: 61.0,66.3,638.6,696.7,5.2,274.7,1166.9,1477.5,96.3,57.0,0.0,69.6,64.9,63.5,66.2,66.3,63.9,64.1,63.9,63.8,65.2,65.0,63.2,63.3,64.2,64.1,63.8,54.1,11.8,65.2,63.5] - [PKTLENS.....: 60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509] + [PKTLENS.....: 46,44,46,570,40,718,46,92,40,110,40,97,495,95,495,95,495,95,495,95,495,95,495,95,495,95,495,95,46,495,95,495] + [ENTROPIES...: 4.4,5.0,4.4,6.9,4.8,7.1,4.3,5.4,4.7,5.8,4.7,5.6,7.5,5.7,7.5,5.7,7.5,5.7,7.6,5.7,7.5,5.6,7.5,5.6,7.5,5.7,7.5,5.7,4.4,7.5,5.7,7.6] new: [.....8] [ip4][..tcp] [.192.168.242.15][63346] -> [..35.174.82.237][11095] detected: [.....8] [ip4][..tcp] [.192.168.242.15][63346] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] new: [.....9] [ip4][..tcp] [.192.168.242.15][63347] -> [.35.188.154.186][11095] @@ -80,14 +84,15 @@ end: [.....9] [ip4][..tcp] [.192.168.242.15][63347] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] update: [.....6] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] analyse: [.....8] [ip4][..tcp] [.192.168.242.15][63346] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.007| 60.066| 10.038| 21.842|477077551.710| 0.000] - [PKTLEN......: 54.000| 731.000| 176.200| 185.800|34538.800| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.007| 60.066| 10.038| 21.842| 477077551.710| 2.600] + [PKTLEN......: 40.000| 717.000| 162.200| 185.800| 34538.800| 4.300] [BINS(c->s)..: 10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0] [IATS(ms)....: 66.2,68.9,635.0,702.4,15.4,246.0,1210.6,1481.6,108.8,76.2,16.8,97.4,71.0,72.8,6.7,85.9,79.2,75.8,75.0,77.2,97.4,2619.5,2881.1,371.8,59569.0,59778.5,60066.0,60063.7,377.5,447.3,59622.6] - [PKTLENS.....: 60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,54,60,60] + [PKTLENS.....: 46,44,46,571,40,717,46,92,40,444,40,100,162,669,46,220,206,220,190,220,201,46,332,102,46,46,40,46,40,40,46,46] + [ENTROPIES...: 4.4,5.0,4.4,7.0,4.9,7.1,4.5,5.4,4.9,7.5,4.8,5.7,6.5,7.7,4.4,6.7,6.8,6.8,6.7,6.8,6.7,4.5,7.3,5.9,4.4,4.5,5.0,4.5,5.0,5.0,4.5,4.5] idle: [.....6] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] DAEMON-EVENT: [Processed: 424 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 9|skipped: 0|!detected: 0|guessed: 1|detection-updates: 2|updates: 4] @@ -99,14 +104,15 @@ new: [....11] [ip4][..tcp] [.192.168.242.15][63348] -> [.35.188.154.186][11095] detected: [....11] [ip4][..tcp] [.192.168.242.15][63348] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] analyse: [....11] [ip4][..tcp] [.192.168.242.15][63348] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.475| 0.185| 0.337|113653.596| 0.000] - [PKTLEN......: 54.000| 732.000| 255.900| 219.700|48280.000| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.475| 0.185| 0.337| 113653.596| 3.600] + [PKTLEN......: 40.000| 718.000| 241.900| 219.700| 48280.000| 4.400] [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0] [IATS(ms)....: 56.8,63.4,631.1,692.5,5.0,275.3,1167.1,1475.0,94.9,57.0,0.0,68.3,63.6,63.6,63.3,63.5,64.3,71.1,70.3,64.3,64.5,64.0,64.3,64.3,63.7,63.2,62.9,53.1,10.8,65.0,64.0] - [PKTLENS.....: 60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509] + [PKTLENS.....: 46,44,46,570,40,718,46,92,40,110,40,97,495,95,495,95,495,95,495,95,495,95,495,95,495,95,495,95,46,495,95,495] + [ENTROPIES...: 4.4,5.0,4.4,6.9,4.9,7.1,4.5,5.4,5.0,5.9,4.9,5.7,7.5,5.7,7.6,5.7,7.5,5.7,7.5,5.7,7.5,5.6,7.5,5.7,7.5,5.9,7.5,5.7,4.4,7.5,5.7,7.5] new: [....12] [ip4][..tcp] [.192.168.242.15][63349] -> [..35.174.82.237][11095] detected: [....12] [ip4][..tcp] [.192.168.242.15][63349] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] update: [....10] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] @@ -115,14 +121,15 @@ update: [....10] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] idle: [....10] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] analyse: [....12] [ip4][..tcp] [.192.168.242.15][63349] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.004| 60.116| 15.667| 26.142|683403720.524| 0.000] - [PKTLEN......: 54.000| 732.000| 159.100| 181.000|32752.900| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.004| 60.116| 15.667| 26.142| 683403720.524| 3.100] + [PKTLEN......: 40.000| 718.000| 145.100| 181.000| 32752.900| 4.200] [BINS(c->s)..: 10,1,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1] [IATS(ms)....: 65.1,68.1,678.4,747.3,17.5,94.7,1396.4,1507.7,104.4,70.6,14.5,87.7,68.9,73.0,7.0,83.6,72.6,4.3,74.3,110.5,112.2,137.1,59606.1,59757.9,60076.8,60061.1,60093.4,60092.4,60108.1,60116.2,184.2] - [PKTLENS.....: 60,58,60,584,54,732,60,106,54,258,54,114,176,683,60,234,204,60,234,215,346,116,60,60,54,60,54,60,54,60,54,54] + [PKTLENS.....: 46,44,46,570,40,718,46,92,40,244,40,100,162,669,46,220,190,46,220,201,332,102,46,46,40,46,40,46,40,46,40,40] + [ENTROPIES...: 4.3,5.0,4.4,7.0,4.9,7.1,4.5,5.4,5.0,6.9,4.9,5.6,6.4,7.6,4.3,6.8,6.7,4.5,6.8,6.8,7.3,5.8,4.5,4.4,4.9,4.5,4.9,4.5,4.9,4.5,4.9,5.0] DAEMON-EVENT: [Processed: 562 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 12|skipped: 0|!detected: 0|guessed: 1|detection-updates: 3|updates: 6] new: [....13] [ip4][..tcp] [.192.168.242.15][63350] -> [..35.174.82.237][11095] @@ -134,24 +141,26 @@ new: [....15] [ip4][..tcp] [.192.168.242.15][63351] -> [.35.188.154.186][11095] detected: [....15] [ip4][..tcp] [.192.168.242.15][63351] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] analyse: [....15] [ip4][..tcp] [.192.168.242.15][63351] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.484| 0.189| 0.353|124509.217| 0.000] - [PKTLEN......: 54.000| 733.000| 255.900| 219.800|48309.800| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.484| 0.189| 0.353| 124509.217| 3.600] + [PKTLEN......: 40.000| 719.000| 241.900| 219.800| 48309.800| 4.400] [BINS(c->s)..: 4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0] [IATS(ms)....: 55.5,58.1,637.6,698.6,8.3,132.5,1319.8,1484.0,100.9,62.4,0.0,73.7,66.3,66.1,64.4,70.8,72.5,66.2,63.7,65.4,67.1,65.6,63.5,64.0,64.9,67.0,66.2,76.4,5.2,82.4,64.4] - [PKTLENS.....: 60,58,60,584,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509] + [PKTLENS.....: 46,44,46,570,40,719,46,92,40,110,40,97,495,95,495,95,495,95,495,95,495,95,495,95,495,95,495,95,46,495,95,495] + [ENTROPIES...: 4.3,5.0,4.4,7.0,5.0,7.1,4.5,5.5,5.0,5.8,4.9,5.6,7.6,5.8,7.5,5.7,7.5,5.7,7.5,5.7,7.5,5.7,7.5,5.7,7.6,5.7,7.5,5.7,4.3,7.5,5.7,7.5] new: [....16] [ip4][..tcp] [.192.168.242.15][63352] -> [..35.174.82.237][11095] analyse: [....13] [ip4][..tcp] [.192.168.242.15][63350] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 60.156| 9.910| 20.689|428051338.887| 0.000] - [PKTLEN......: 54.000| 731.000| 161.100| 180.100|32452.700| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 60.156| 9.910| 20.689| 428051338.887| 2.700] + [PKTLEN......: 40.000| 717.000| 147.100| 180.100| 32452.700| 4.200] [BINS(c->s)..: 10,2,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1] [IATS(ms)....: 68.6,72.2,634.4,701.9,15.9,150.9,1314.3,1491.3,109.2,71.0,18.0,93.5,70.2,72.1,7.2,80.0,74.1,77.1,76.5,41.6,115.5,208.5,59946.9,60155.8,60057.7,60124.3,30586.0,30652.9,66.9,1.3,68.3] - [PKTLENS.....: 60,58,60,585,54,731,60,106,54,258,54,114,176,683,60,234,204,234,215,60,346,116,60,60,54,54,60,116,54,60,60,54] + [PKTLENS.....: 46,44,46,571,40,717,46,92,40,244,40,100,162,669,46,220,190,220,201,46,332,102,46,46,40,40,46,102,40,46,46,40] + [ENTROPIES...: 4.3,4.9,4.4,6.9,4.9,7.1,4.5,5.3,5.0,6.9,5.0,5.8,6.5,7.7,4.4,6.8,6.5,6.9,6.8,4.5,7.2,5.9,4.5,4.5,5.0,5.0,4.5,5.6,5.0,4.5,4.6,5.0] detected: [....16] [ip4][..tcp] [.192.168.242.15][63352] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] new: [....17] [ip4][..tcp] [.192.168.242.15][63353] -> [.35.188.154.186][11095] detected: [....17] [ip4][..tcp] [.192.168.242.15][63353] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] @@ -161,14 +170,15 @@ end: [....17] [ip4][..tcp] [.192.168.242.15][63353] -> [.35.188.154.186][11095] [NestLogSink][Cloud][Acceptable] update: [....14] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] analyse: [....16] [ip4][..tcp] [.192.168.242.15][63352] -> [..35.174.82.237][11095] [NestLogSink][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.005| 60.173| 10.045| 21.954|481957439.865| 0.000] - [PKTLEN......: 54.000| 730.000| 176.200| 185.800|34529.800| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.005| 60.173| 10.045| 21.954| 481957439.865| 2.600] + [PKTLEN......: 40.000| 716.000| 162.200| 185.800| 34529.800| 4.300] [BINS(c->s)..: 10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0] [IATS(ms)....: 65.3,67.8,637.5,709.8,18.7,293.4,1174.5,1482.0,109.1,72.2,18.0,90.8,70.3,73.2,8.7,96.5,87.7,75.9,79.0,77.4,126.7,2595.7,2731.0,150.4,59910.8,60056.8,60173.1,60107.0,4.7,60.6,60165.3] - [PKTLENS.....: 60,58,60,586,54,730,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,60,54,60] + [PKTLENS.....: 46,44,46,572,40,716,46,92,40,444,40,100,162,669,46,220,206,220,190,220,201,46,332,102,46,46,40,46,40,46,40,46] + [ENTROPIES...: 4.3,5.0,4.4,6.9,5.0,7.1,4.5,5.4,4.9,7.4,4.8,5.6,6.4,7.6,4.4,6.9,6.7,6.9,6.6,7.0,6.9,4.5,7.3,5.8,4.4,4.5,4.8,4.5,4.9,4.5,4.9,4.5] idle: [....14] [ip4][..udp] [.192.168.242.15][52849] -> [..192.168.242.1][...53] [DNS][Network][Acceptable] DAEMON-EVENT: [Processed: 713 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 17|skipped: 0|!detected: 0|guessed: 1|detection-updates: 4|updates: 8] diff --git a/test/results/flow-info/netbios.pcap.out b/test/results/flow-info/netbios.pcap.out index a2837b091..d5322fa90 100644 --- a/test/results/flow-info/netbios.pcap.out +++ b/test/results/flow-info/netbios.pcap.out @@ -10,14 +10,15 @@ RISK: Unsafe Protocol new: [.....4] [ip4][..tcp] [......10.0.4.24][..139] -> [.....10.0.4.131][.1398] [MIDSTREAM] analyse: [.....1] [ip4][..udp] [.....10.0.4.131][..137] -> [.....10.0.5.255][..137] [NetBIOS][System][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.014| 0.750| 0.325| 0.215|46083.158| 0.000] - [PKTLEN......: 92.000| 92.000| 92.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.014| 0.750| 0.325| 0.215| 46083.158| 4.600] + [PKTLEN......: 78.000| 78.000| 78.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 471.3,14.0,264.7,470.8,80.2,113.8,555.8,80.0,113.3,146.8,489.8,113.3,146.4,750.0,33.7,749.5,308.6,441.4,307.6,628.9,121.0,628.9,471.0,279.0,470.7,458.5,291.5,334.2,123.8,93.1,532.9] - [PKTLENS.....: 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92] + [PKTLENS.....: 78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78] + [ENTROPIES...: 4.1,4.1,4.2,4.1,4.1,4.1,4.1,4.1,4.2,4.2,4.2,4.2,4.2,4.2,4.2,4.1,4.1,4.2,4.1,4.2,4.1,4.2,4.1,4.2,4.1,4.2,4.2,4.2,4.1,4.2,4.2,4.2] new: [.....5] [ip4][..udp] [......10.0.1.87][57836] -> [......10.0.4.24][..137] detected: [.....5] [ip4][..udp] [......10.0.1.87][57836] -> [......10.0.4.24][..137] [NetBIOS][System][Acceptable] new: [.....6] [ip4][..udp] [.....10.0.4.101][..137] -> [.....10.0.5.255][..137] @@ -40,14 +41,15 @@ new: [....14] [ip4][..udp] [......10.0.4.14][..137] -> [.....10.0.5.255][..137] detected: [....14] [ip4][..udp] [......10.0.4.14][..137] -> [.....10.0.5.255][..137] [NetBIOS][System][Acceptable] analyse: [.....2] [ip4][..udp] [.....10.0.5.233][..137] -> [.....10.0.5.255][..137] [NetBIOS][System][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.749| 1.516| 0.995| 0.356|126784.610| 0.000] - [PKTLEN......: 92.000| 92.000| 92.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.749| 1.516| 0.995| 0.356| 126784.610| 4.900] + [PKTLEN......: 78.000| 78.000| 78.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 749.4,750.1,1510.9,749.4,750.1,1512.1,749.1,750.1,1513.7,749.6,750.2,1509.2,749.9,750.1,1511.1,749.1,750.1,1516.0,749.2,750.1,1508.0,749.3,750.1,1513.5,749.8,750.0,1513.1,749.2,750.1,1506.9,749.4] - [PKTLENS.....: 92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92] + [PKTLENS.....: 78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78] + [ENTROPIES...: 3.9,3.9,3.9,3.9,3.8,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.9,3.8,3.9] new: [....15] [ip4][..udp] [......10.0.1.87][57921] -> [......10.0.4.24][..137] detected: [....15] [ip4][..udp] [......10.0.1.87][57921] -> [......10.0.4.24][..137] [NetBIOS][System][Acceptable] update: [.....1] [ip4][..udp] [.....10.0.4.131][..137] -> [.....10.0.5.255][..137] [NetBIOS][System][Acceptable] diff --git a/test/results/flow-info/netflix.pcap.out b/test/results/flow-info/netflix.pcap.out index c03fdc0b6..0953d09ec 100644 --- a/test/results/flow-info/netflix.pcap.out +++ b/test/results/flow-info/netflix.pcap.out @@ -34,23 +34,25 @@ detection-update: [.....8] [ip4][..tcp] [....192.168.1.7][53117] -> [...52.32.196.36][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....4] [ip4][..tcp] [....192.168.1.7][53105] -> [..54.69.204.241][..443] [TLS.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.364| 0.040| 0.082| 6699.630| 0.000] - [PKTLEN......: 66.000| 1514.000| 279.200| 396.800|157454.800| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.364| 0.040| 0.082| 6699.630| 3.200] + [PKTLEN......: 52.000| 1500.000| 265.200| 396.800| 157454.800| 3.900] [BINS(c->s)..: 11,1,1,0,0,0,1,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,1,1,1,1,0,0,0] [IATS(ms)....: 46.0,48.6,0.6,54.0,1.6,1.0,54.9,11.1,13.5,9.4,0.3,0.4,58.7,4.6,50.8,1.9,0.2,59.5,0.6,62.1,8.5,4.7,310.9,0.6,363.7,5.8,0.1,0.1,58.1,0.2,0.1] - [PKTLENS.....: 78,74,66,274,66,1514,1514,66,229,66,141,72,111,66,117,66,422,376,66,1006,66,126,66,422,375,66,1006,121,100,66,66,66] + [PKTLENS.....: 64,60,52,260,52,1500,1500,52,215,52,127,58,97,52,103,52,408,362,52,992,52,112,52,408,361,52,992,107,86,52,52,52] + [ENTROPIES...: 4.6,5.3,5.1,5.7,5.2,7.3,7.3,5.1,6.9,5.2,6.4,5.1,6.1,5.2,5.9,5.2,7.5,7.4,5.2,7.8,5.1,6.1,5.1,7.4,7.4,5.2,7.8,6.1,5.8,5.2,5.2,5.1] analyse: [.....7] [ip4][..tcp] [....192.168.1.7][53116] -> [...52.32.196.36][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.200| 0.035| 0.048| 2263.883| 0.000] - [PKTLEN......: 66.000| 1514.000| 444.800| 557.400|310647.700| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.200| 0.035| 0.048| 2263.883| 3.800] + [PKTLEN......: 52.000| 1500.000| 430.800| 557.400| 310647.700| 4.000] [BINS(c->s)..: 10,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0] [BINS(s->c)..: 5,2,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,0,0,1] [IATS(ms)....: 45.5,51.8,0.3,66.4,0.5,13.8,75.5,25.6,26.5,15.6,0.3,0.2,61.0,0.4,44.1,5.1,0.2,57.7,67.8,0.2,2.7,131.0,13.8,8.4,10.0,8.1,2.4,2.3,141.1,1.2,199.9] - [PKTLENS.....: 78,74,66,298,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,742,66,1514,429,1514,66,1130,66,275,66,115,66,1450,581,66] + [PKTLENS.....: 64,60,52,284,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,728,52,1500,415,1500,52,1116,52,261,52,101,52,1436,567,52] + [ENTROPIES...: 4.6,5.3,5.2,5.9,5.2,7.2,7.3,5.2,7.1,5.1,6.3,5.1,6.0,5.1,6.0,5.2,7.9,7.7,5.2,7.9,7.5,7.9,5.2,7.8,5.1,7.1,5.1,6.1,5.2,7.9,7.6,5.2] detection-update: [.....7] [ip4][..tcp] [....192.168.1.7][53116] -> [...52.32.196.36][..443] [TLS.NetFlix][Video][Fun] new: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] detected: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] [TLS.NetFlix][Video][Fun] @@ -87,14 +89,15 @@ detection-update: [....16] [ip4][..tcp] [....192.168.1.7][53134] -> [...52.89.39.139][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [....15] [ip4][..tcp] [....192.168.1.7][53133] -> [...52.89.39.139][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.350| 0.041| 0.077| 5966.970| 0.000] - [PKTLEN......: 66.000| 1514.000| 544.200| 630.500|397553.600| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.350| 0.041| 0.077| 5966.970| 3.500] + [PKTLEN......: 52.000| 1500.000| 530.200| 630.500| 397553.600| 4.000] [BINS(c->s)..: 11,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 4,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,7,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0] [IATS(ms)....: 50.8,52.1,3.9,68.9,0.5,14.7,80.5,16.9,16.6,16.1,0.4,0.2,66.7,0.8,50.7,3.2,0.3,61.4,291.2,0.1,350.1,11.8,12.8,24.1,12.5,12.3,13.9,13.7,2.7,13.3,16.3] - [PKTLENS.....: 78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,686,66,1514,1514,66,1514,1416,66,1514,66,251,66,1514,1033,66] + [PKTLENS.....: 64,60,52,260,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,672,52,1500,1500,52,1500,1402,52,1500,52,237,52,1500,1019,52] + [ENTROPIES...: 4.6,5.2,5.1,6.0,5.2,7.3,7.3,5.1,7.0,5.1,6.3,5.0,6.0,5.2,5.9,5.1,7.9,7.7,5.2,7.9,7.9,5.1,7.9,7.9,5.1,7.9,5.0,7.1,5.1,7.9,7.8,5.1] detection-update: [....15] [ip4][..tcp] [....192.168.1.7][53133] -> [...52.89.39.139][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS new: [....17] [ip4][..udp] [....192.168.1.7][57719] -> [....192.168.1.1][...53] @@ -105,23 +108,25 @@ detection-update: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Video][Fun] detection-update: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Video][Fun] analyse: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.040| 0.008| 0.010| 109.761| 0.000] - [PKTLEN......: 66.000| 1514.000| 269.300| 414.200|171525.600| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.040| 0.008| 0.010| 109.761| 3.900] + [PKTLEN......: 52.000| 1500.000| 255.300| 414.200| 171525.600| 3.900] [BINS(c->s)..: 8,5,6,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,2,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0] [IATS(ms)....: 11.4,14.4,1.7,21.1,2.9,0.3,24.0,10.4,7.4,16.9,0.4,0.8,30.8,4.7,18.1,26.0,0.2,0.3,0.1,0.2,0.1,0.4,4.5,0.2,40.2,7.1,5.4,4.2,0.5,0.4,2.0] - [PKTLENS.....: 78,74,66,293,66,1514,1514,66,584,66,141,72,111,66,117,66,119,116,108,214,155,155,155,155,154,134,66,104,104,406,1514,66] + [PKTLENS.....: 64,60,52,279,52,1500,1500,52,570,52,127,58,97,52,103,52,105,102,94,200,141,141,141,141,140,120,52,90,90,392,1500,52] + [ENTROPIES...: 4.6,5.3,5.2,5.7,5.3,7.1,7.3,5.2,7.6,5.2,6.3,5.1,6.0,5.3,5.9,5.2,6.1,6.0,6.0,6.9,6.4,6.4,6.5,6.6,6.6,6.4,5.2,6.0,6.0,7.5,7.9,5.3] analyse: [....14] [ip4][..tcp] [....192.168.1.7][53132] -> [...52.89.39.139][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 7.508| 0.502| 1.826|3335198.867| 0.000] - [PKTLEN......: 66.000| 1514.000| 372.800| 520.700|271128.800| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 7.508| 0.502| 1.826| 3335198.867| 1.400] + [PKTLEN......: 52.000| 1500.000| 358.800| 520.700| 271128.800| 3.800] [BINS(c->s)..: 10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 6,3,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,0,1,1,1,0,0,0,0,0,1,1,1,1] [IATS(ms)....: 49.5,50.9,4.4,54.3,2.4,1.0,53.5,43.0,42.8,12.7,0.3,0.2,57.4,5.1,49.3,4.2,0.4,50.0,75.8,32.1,2.0,0.9,5.1,4.7,0.1,7402.2,0.1,7507.8,0.9,35.7,1.0] - [PKTLENS.....: 78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,675,66,66,198,110,100,66,66,66,1514,803,66,66,1514,488] + [PKTLENS.....: 64,60,52,260,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,661,52,52,184,96,86,52,52,52,1500,789,52,52,1500,474] + [ENTROPIES...: 4.6,5.3,5.1,6.0,5.2,7.3,7.3,5.1,7.1,5.1,6.4,5.1,6.0,5.2,6.0,5.2,7.9,7.7,5.2,5.2,6.8,6.1,5.9,5.2,5.2,5.2,7.9,7.7,5.2,5.2,7.9,7.5] detection-update: [....14] [ip4][..tcp] [....192.168.1.7][53132] -> [...52.89.39.139][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS new: [....19] [ip4][..udp] [....192.168.1.7][59180] -> [....192.168.1.1][...53] @@ -134,28 +139,30 @@ new: [....22] [ip4][..tcp] [....192.168.1.7][53150] -> [..184.25.204.25][...80] detected: [....22] [ip4][..tcp] [....192.168.1.7][53150] -> [..184.25.204.25][...80] [HTTP.NetFlix][Video][Fun] analyse: [....21] [ip4][..tcp] [....192.168.1.7][53149] -> [..184.25.204.25][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.007| 1.300| 0.097| 0.230|52797.755| 0.000] - [PKTLEN......: 66.000| 1514.000| 1115.900| 637.700|406609.600| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.007| 1.300| 0.097| 0.230| 52797.755| 3.400] + [PKTLEN......: 52.000| 1500.000| 1101.900| 637.700| 406609.600| 4.600] [BINS(c->s)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0] [IATS(ms)....: 22.7,29.1,36.8,70.3,13.3,32.4,26.0,101.8,6.9,28.0,25.2,45.0,56.4,27.1,27.2,53.8,54.3,26.1,52.1,80.7,53.8,398.5,54.3,39.9,109.6,40.5,26.1,51.5,108.1,13.3,1300.1] - [PKTLENS.....: 78,74,66,311,66,1514,1514,1514,66,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,94] + [PKTLENS.....: 64,60,52,297,52,1500,1500,1500,52,52,1500,1500,52,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,80] + [ENTROPIES...: 4.5,5.3,5.1,5.9,5.3,7.3,7.7,7.7,5.2,5.0,7.8,7.8,5.2,7.8,7.8,7.8,7.7,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.9,7.8,7.8,7.8,7.8,7.8,5.4] new: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] detected: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] detection-update: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] new: [....24] [ip4][..tcp] [....192.168.1.7][53151] -> [.54.201.191.132][...80] detected: [....24] [ip4][..tcp] [....192.168.1.7][53151] -> [.54.201.191.132][...80] [HTTP.NetFlix][Video][Fun] analyse: [....24] [ip4][..tcp] [....192.168.1.7][53151] -> [.54.201.191.132][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.187| 0.029| 0.042| 1791.215| 0.000] - [PKTLEN......: 66.000| 1514.000| 826.300| 674.900|455511.900| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.187| 0.029| 0.042| 1791.215| 4.000] + [PKTLEN......: 52.000| 1500.000| 812.300| 674.900| 455511.900| 4.400] [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,13,0,0] [DIRECTIONS..: 0,1,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,0] [IATS(ms)....: 44.1,45.6,3.9,10.7,0.2,60.0,5.7,1.0,135.1,0.3,187.2,5.7,5.7,13.9,14.0,13.3,14.4,27.8,13.3,13.1,9.2,13.3,22.5,13.4,39.3,13.3,13.3,13.9,13.3,13.3,124.5] - [PKTLENS.....: 78,74,66,379,1514,917,66,66,66,728,1514,66,1514,66,1514,66,1514,1514,66,1026,66,1514,1307,66,1514,1514,1514,1514,1514,1514,1514,78] + [PKTLENS.....: 64,60,52,365,1500,903,52,52,52,714,1500,52,1500,52,1500,52,1500,1500,52,1012,52,1500,1293,52,1500,1500,1500,1500,1500,1500,1500,64] + [ENTROPIES...: 4.5,5.3,5.2,5.7,6.0,6.1,5.3,5.3,5.3,6.0,5.7,5.1,6.1,5.2,5.9,5.0,5.8,5.8,5.2,5.8,5.2,5.8,5.8,5.2,5.8,5.8,5.8,5.8,5.8,5.8,5.8,5.2] new: [....25] [ip4][..tcp] [....192.168.1.7][53152] -> [...52.89.39.139][...80] detected: [....25] [ip4][..tcp] [....192.168.1.7][53152] -> [...52.89.39.139][...80] [HTTP.NetFlix][Video][Fun] detection-update: [....25] [ip4][..tcp] [....192.168.1.7][53152] -> [...52.89.39.139][...80] [HTTP.NetFlix][Video][Fun] @@ -164,14 +171,15 @@ new: [....27] [ip4][..udp] [....192.168.1.7][52347] -> [....192.168.1.1][...53] detected: [....27] [ip4][..udp] [....192.168.1.7][52347] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] analyse: [....20] [ip4][..tcp] [....192.168.1.7][53148] -> [..184.25.204.25][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 6.031| 0.428| 1.232|1516791.529| 0.000] - [PKTLEN......: 66.000| 1514.000| 809.600| 706.600|499284.200| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 6.031| 0.428| 1.232| 1516791.529| 2.300] + [PKTLEN......: 52.000| 1500.000| 795.600| 706.600| 499284.200| 4.300] [BINS(c->s)..: 12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 22.4,28.9,26.8,57.7,0.6,13.2,40.1,31.8,42.8,26.5,25.5,50.2,53.2,30.9,25.5,54.9,53.8,27.2,52.7,79.5,53.8,544.7,1520.0,11.6,27.4,27.3,28.8,635.4,3643.8,6030.9,1.1] - [PKTLENS.....: 78,74,66,312,66,1514,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,94,94,94,86,78,66,66,311,1514,1514] + [PKTLENS.....: 64,60,52,298,52,1500,1500,52,1500,52,1500,1500,52,1500,1500,1500,1500,1500,1500,1500,1500,1500,80,80,80,72,64,52,52,297,1500,1500] + [ENTROPIES...: 4.6,5.2,5.1,5.9,5.3,7.5,7.8,5.1,7.8,5.0,7.8,7.8,5.2,7.8,7.8,7.8,7.8,7.8,7.8,7.9,7.9,7.9,5.4,5.2,5.3,5.4,5.3,5.2,5.2,5.8,7.2,7.8] detection-update: [....26] [ip4][..udp] [....192.168.1.7][51728] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] new: [....28] [ip4][..tcp] [....192.168.1.7][53153] -> [..184.25.204.24][...80] detection-update: [....27] [ip4][..udp] [....192.168.1.7][52347] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] @@ -189,47 +197,51 @@ detected: [....30] [ip4][..tcp] [....192.168.1.7][53163] -> [..23.246.11.145][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....30] [ip4][..tcp] [....192.168.1.7][53163] -> [..23.246.11.145][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.004| 0.651| 0.082| 0.154|23582.077| 0.000] - [PKTLEN......: 66.000| 1514.000| 954.800| 683.500|467159.100| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.004| 0.651| 0.082| 0.154| 23582.077| 3.600] + [PKTLEN......: 52.000| 1500.000| 940.800| 683.500| 467159.100| 4.500] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,1,0,1,1,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,0,1,1] [IATS(ms)....: 24.8,26.3,3.8,42.5,4.8,43.8,27.2,40.5,69.4,43.9,44.8,78.3,38.8,79.8,102.6,28.8,14.7,354.3,85.0,14.1,12.4,12.7,651.0,22.9,582.5,8.6,27.5,16.4,16.4,14.7,15.1] - [PKTLENS.....: 78,74,66,422,581,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,94,1514,1514,1514,1514,78,66,1514,1514,66,1514,66,1514,1514] + [PKTLENS.....: 64,60,52,408,567,1500,52,1500,1500,52,1500,52,1500,1500,1500,1500,1500,1500,80,1500,1500,1500,1500,64,52,1500,1500,52,1500,52,1500,1500] + [ENTROPIES...: 4.6,5.3,5.1,6.4,5.9,3.6,5.2,2.5,2.5,5.1,2.5,5.1,2.5,2.6,2.6,3.8,3.8,3.8,5.3,3.9,3.5,3.5,3.5,5.1,5.2,3.5,3.5,5.2,3.5,5.0,3.6,3.6] new: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] detected: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....31] [ip4][..tcp] [....192.168.1.7][53164] -> [..23.246.10.139][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 0.639| 0.088| 0.152|23073.200| 0.000] - [PKTLEN......: 66.000| 1514.000| 865.900| 697.400|486427.500| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 0.639| 0.088| 0.152| 23073.200| 3.700] + [PKTLEN......: 52.000| 1500.000| 851.900| 697.400| 486427.500| 4.400] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1] [IATS(ms)....: 18.8,21.4,5.1,35.7,1.0,5.4,35.5,13.2,14.0,20.3,20.4,13.2,116.2,170.2,28.1,56.6,51.6,31.7,27.6,12.8,327.6,131.4,638.9,580.0,19.9,15.0,30.0,13.6,42.3,118.7,118.0] - [PKTLENS.....: 78,74,66,422,582,1514,1514,66,1514,66,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,94,1514,94,1514,86,1514,78,66,1514,66,1514] + [PKTLENS.....: 64,60,52,408,568,1500,1500,52,1500,52,1500,52,1500,52,1500,1500,1500,1500,1500,1500,1500,80,1500,80,1500,72,1500,64,52,1500,52,1500] + [ENTROPIES...: 4.5,5.2,5.0,6.4,5.8,3.6,2.5,5.1,2.6,5.0,2.5,5.0,2.6,5.0,2.6,2.6,3.3,3.8,3.8,3.8,3.8,5.3,3.9,5.3,3.5,5.3,3.5,5.1,4.9,3.5,4.9,3.6] new: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] detected: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....32] [ip4][..tcp] [....192.168.1.7][53171] -> [...23.246.3.140][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.002| 0.044| 0.018| 0.010| 100.655| 0.000] - [PKTLEN......: 66.000| 1514.000| 998.900| 672.700|452466.100| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.002| 0.044| 0.018| 0.010| 100.655| 4.700] + [PKTLEN......: 52.000| 1500.000| 984.900| 672.700| 452466.100| 4.500] [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 30.8,32.5,5.5,44.3,2.2,41.1,2.9,12.8,15.6,14.9,15.0,12.8,12.7,26.4,12.8,11.9,13.3,17.2,31.0,13.3,13.6,25.6,14.3,13.9,26.7,13.8,13.3,27.2,13.3,13.3,27.2] - [PKTLENS.....: 78,74,66,420,585,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] + [PKTLENS.....: 64,60,52,406,571,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500] + [ENTROPIES...: 4.5,5.3,5.1,6.4,5.8,3.6,5.2,2.5,2.6,5.2,2.6,5.0,2.6,2.6,5.2,2.5,5.0,2.6,2.6,5.2,2.5,5.1,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.9,3.5] analyse: [....28] [ip4][..tcp] [....192.168.1.7][53153] -> [..184.25.204.24][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.003| 4.094| 0.319| 0.812|659111.739| 0.000] - [PKTLEN......: 66.000| 1514.000| 625.100| 689.400|475329.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.003| 4.094| 0.319| 0.812| 659111.739| 2.800] + [PKTLEN......: 52.000| 1500.000| 611.100| 689.400| 475329.800| 4.000] [BINS(c->s)..: 17,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1] [IATS(ms)....: 24.9,27.7,3.0,28.5,27.9,27.8,80.3,56.8,57.0,49.3,90.4,82.5,40.9,66.5,53.9,192.1,80.5,134.7,711.3,23.0,31.3,47.8,1645.4,40.4,54.8,160.8,1864.4,25.7,40.5,28.5,4093.6] - [PKTLENS.....: 78,74,66,282,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,94,94,94,94,94,94,94,94,86,78,78,66,1514] + [PKTLENS.....: 64,60,52,268,52,1500,1500,52,1500,52,1500,64,1500,1500,1500,1500,1500,1500,1500,80,80,80,80,80,80,80,80,72,64,64,52,1500] + [ENTROPIES...: 4.6,5.3,5.1,5.9,5.3,5.3,5.0,5.3,6.9,5.1,7.9,5.2,7.7,7.8,7.9,7.8,7.8,7.8,7.9,5.3,5.3,5.3,5.3,5.4,5.4,5.4,5.4,5.2,5.2,5.2,5.2,7.8] new: [....33] [ip4][..tcp] [....192.168.1.7][53172] -> [..23.246.11.133][...80] new: [....34] [ip4][..tcp] [....192.168.1.7][53173] -> [..23.246.11.133][...80] new: [....35] [ip4][..tcp] [....192.168.1.7][53174] -> [..23.246.11.141][...80] @@ -264,113 +276,125 @@ detected: [....43] [ip4][..tcp] [....192.168.1.7][53182] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....41] [ip4][..tcp] [....192.168.1.7][53180] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.098| 0.201| 0.403|162731.114| 0.000] - [PKTLEN......: 66.000| 1514.000| 507.700| 638.100|407212.300| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.098| 0.201| 0.403| 162731.114| 3.600] + [PKTLEN......: 52.000| 1500.000| 493.700| 638.100| 407212.300| 3.900] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,0,1] [IATS(ms)....: 61.8,72.3,0.5,134.9,0.4,125.9,1162.3,73.6,0.9,212.9,11.5,409.2,101.1,1.9,70.9,2097.5,79.5,52.1,129.8,120.6,42.9,59.9,67.1,69.4,174.4,284.0,29.4,65.0,252.7,150.5,125.9] - [PKTLENS.....: 78,74,66,426,584,1514,66,94,94,94,94,94,94,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,66,1514] + [PKTLENS.....: 64,60,52,412,570,1500,52,80,80,80,80,80,80,64,64,52,1500,52,1500,52,1500,1500,52,1500,52,1500,64,52,52,1500,52,1500] + [ENTROPIES...: 4.6,5.3,5.0,6.3,5.8,4.4,5.1,5.2,5.2,5.3,5.3,5.4,5.3,5.2,5.2,5.2,4.8,5.2,4.8,5.1,4.8,4.8,5.2,4.8,5.0,4.8,5.2,5.2,5.2,4.6,5.0,4.6] analyse: [....38] [ip4][..tcp] [....192.168.1.7][53177] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.047| 0.281| 0.301|90549.584| 0.000] - [PKTLEN......: 66.000| 1514.000| 504.100| 638.900|408170.900| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.047| 0.281| 0.301| 90549.584| 4.200] + [PKTLEN......: 52.000| 1500.000| 490.100| 638.900| 408170.900| 3.900] [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,8,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,0,1,1,0,1] [IATS(ms)....: 43.7,45.8,23.6,124.8,4.9,111.6,635.9,176.1,0.2,0.1,41.6,37.4,940.2,0.9,45.4,434.5,483.8,1047.0,74.7,202.4,418.9,472.2,955.3,169.9,525.3,694.3,167.2,252.3,98.0,326.3,148.9] - [PKTLENS.....: 78,74,66,426,585,1514,66,86,86,78,78,78,66,102,1490,66,66,66,1514,1514,66,66,66,1514,66,66,1514,66,1514,1514,66,1514] + [PKTLENS.....: 64,60,52,412,571,1500,52,72,72,64,64,64,52,88,1476,52,52,52,1500,1500,52,52,52,1500,52,52,1500,52,1500,1500,52,1500] + [ENTROPIES...: 4.5,5.3,5.0,6.4,5.8,4.4,5.1,5.3,5.2,5.1,5.2,5.1,5.1,4.9,4.3,5.2,5.2,5.1,4.9,4.9,5.0,5.1,5.1,4.9,5.0,5.0,4.8,5.0,4.6,4.7,5.1,4.8] analyse: [....36] [ip4][..tcp] [....192.168.1.7][53175] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 1.636| 0.284| 0.363|131453.321| 0.000] - [PKTLEN......: 66.000| 1514.000| 550.600| 657.900|432827.800| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 1.636| 0.284| 0.363| 131453.321| 4.000] + [PKTLEN......: 52.000| 1500.000| 536.600| 657.900| 432827.800| 3.900] [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1] [IATS(ms)....: 16.1,19.4,23.6,88.6,4.0,82.2,1105.3,26.9,21.8,19.6,0.6,13.1,381.6,1636.2,66.4,119.0,421.4,408.1,882.7,90.2,143.4,490.4,519.4,92.3,121.0,487.1,597.7,217.6,227.5,270.0,221.9] - [PKTLENS.....: 78,74,66,423,584,1514,66,86,86,86,78,78,78,78,1514,1514,66,78,66,1514,1514,66,66,1514,1514,66,66,1514,66,1514,78,1514] + [PKTLENS.....: 64,60,52,409,570,1500,52,72,72,72,64,64,64,64,1500,1500,52,64,52,1500,1500,52,52,1500,1500,52,52,1500,52,1500,64,1500] + [ENTROPIES...: 4.5,5.3,5.1,6.4,5.8,4.5,5.1,5.3,5.4,5.4,5.2,5.2,5.2,5.2,3.8,4.4,5.2,5.1,5.2,4.4,4.4,5.2,5.2,4.4,4.4,5.2,5.2,4.3,5.0,4.4,5.2,4.6] analyse: [....34] [ip4][..tcp] [....192.168.1.7][53173] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.005| 1.397| 0.291| 0.314|98805.531| 0.000] - [PKTLEN......: 66.000| 1514.000| 730.200| 699.000|488561.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.005| 1.397| 0.291| 0.314| 98805.531| 4.200] + [PKTLEN......: 52.000| 1500.000| 716.200| 699.000| 488561.800| 4.200] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,0,1,0,1,0,1,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1] [IATS(ms)....: 23.9,25.1,18.2,72.5,4.9,71.3,152.2,249.5,985.6,26.7,1397.2,519.1,299.5,499.9,482.3,40.5,55.6,206.8,137.1,537.5,535.2,174.3,571.8,776.0,198.8,230.5,89.9,284.0,128.1,116.3,110.5] - [PKTLENS.....: 78,74,66,423,584,1514,66,1514,66,94,94,1514,86,1514,78,1514,1514,1514,66,1514,66,1514,66,66,1514,66,1514,1514,66,1514,66,1514] + [PKTLENS.....: 64,60,52,409,570,1500,52,1500,52,80,80,1500,72,1500,64,1500,1500,1500,52,1500,52,1500,52,52,1500,52,1500,1500,52,1500,52,1500] + [ENTROPIES...: 4.6,5.3,5.0,6.4,5.8,4.5,5.0,4.2,5.0,5.3,5.3,4.4,5.3,4.4,5.2,4.3,4.5,4.3,5.1,4.3,5.1,4.3,5.1,5.2,4.5,5.0,4.7,4.7,5.1,4.7,5.2,4.7] analyse: [....43] [ip4][..tcp] [....192.168.1.7][53182] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.716| 0.300| 0.539|290723.889| 0.000] - [PKTLEN......: 66.000| 1514.000| 506.600| 638.800|408052.900| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.716| 0.300| 0.539| 290723.889| 3.600] + [PKTLEN......: 52.000| 1500.000| 492.600| 638.800| 408052.900| 3.900] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0] [IATS(ms)....: 61.7,63.1,19.4,172.7,0.3,153.9,1162.5,94.2,1.4,12.3,104.3,65.9,674.7,41.5,40.0,488.9,2716.4,44.9,75.7,28.7,32.8,29.5,133.6,256.1,743.0,71.3,1131.5,569.7,135.4,73.6,104.1] - [PKTLENS.....: 78,74,66,424,584,1514,66,94,86,86,86,86,86,86,78,66,66,1514,1514,66,1514,66,1514,66,1514,78,66,1514,66,1514,1514,66] + [PKTLENS.....: 64,60,52,410,570,1500,52,80,72,72,72,72,72,72,64,52,52,1500,1500,52,1500,52,1500,52,1500,64,52,1500,52,1500,1500,52] + [ENTROPIES...: 4.6,5.4,5.1,6.4,5.8,4.4,5.2,5.3,5.4,5.3,5.4,5.3,5.3,5.3,5.3,5.2,5.0,4.6,4.5,5.1,4.6,5.0,4.5,5.0,4.6,5.2,5.1,4.3,5.0,4.4,4.5,5.1] analyse: [....35] [ip4][..tcp] [....192.168.1.7][53174] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.094| 0.303| 0.556|309287.715| 0.000] - [PKTLEN......: 66.000| 1514.000| 461.800| 616.500|380048.700| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.094| 0.303| 0.556| 309287.715| 3.700] + [PKTLEN......: 52.000| 1500.000| 447.800| 616.500| 380048.700| 3.800] [BINS(c->s)..: 21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,0] [IATS(ms)....: 20.0,22.2,5.3,69.1,0.1,72.2,626.0,607.0,26.6,520.3,51.5,55.5,593.2,41.7,80.3,418.0,3094.3,65.6,425.7,470.0,40.8,85.0,52.1,54.3,117.7,383.1,387.3,709.4,53.7,73.8,158.6] - [PKTLENS.....: 78,74,66,424,584,1514,66,86,86,86,86,78,78,86,78,66,66,1514,78,78,1514,1514,66,1514,66,1514,66,78,1514,78,1514,66] + [PKTLENS.....: 64,60,52,410,570,1500,52,72,72,72,72,64,64,72,64,52,52,1500,64,64,1500,1500,52,1500,52,1500,52,64,1500,64,1500,52] + [ENTROPIES...: 4.5,5.3,5.1,6.4,5.8,4.4,5.1,5.3,5.4,5.4,5.2,5.3,5.2,5.3,5.3,5.3,5.1,4.7,5.2,5.2,4.7,4.7,5.1,4.7,5.1,4.6,5.2,5.3,4.4,5.3,4.5,5.2] analyse: [....42] [ip4][..tcp] [....192.168.1.7][53181] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.609| 0.294| 0.529|280024.056| 0.000] - [PKTLEN......: 66.000| 1514.000| 463.200| 615.600|378913.200| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.609| 0.294| 0.529| 280024.056| 3.500] + [PKTLEN......: 52.000| 1500.000| 449.200| 615.600| 378913.200| 3.800] [BINS(c->s)..: 21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,0,0,0,1,0,0] [IATS(ms)....: 61.9,63.0,9.0,155.1,0.3,150.1,1152.4,92.1,0.5,591.4,113.7,141.7,52.3,0.5,39.9,381.1,2608.5,28.2,68.2,27.2,29.6,26.6,56.5,81.7,44.8,43.7,497.4,496.6,1208.9,807.4,91.6] - [PKTLENS.....: 78,74,66,425,583,1514,66,94,94,94,94,86,78,78,78,66,78,1514,1514,66,1514,66,1514,1514,66,1514,66,78,66,1514,86,86] + [PKTLENS.....: 64,60,52,411,569,1500,52,80,80,80,80,72,64,64,64,52,64,1500,1500,52,1500,52,1500,1500,52,1500,52,64,52,1500,72,72] + [ENTROPIES...: 4.6,5.3,5.1,6.4,5.8,4.4,5.1,5.4,5.3,5.3,5.3,5.3,5.2,5.2,5.2,5.2,5.2,5.0,5.0,5.2,5.0,5.0,5.0,5.0,5.2,5.0,5.0,5.1,5.0,4.7,5.2,5.3] analyse: [....33] [ip4][..tcp] [....192.168.1.7][53172] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.064| 0.322| 0.577|332375.130| 0.000] - [PKTLEN......: 66.000| 1514.000| 509.000| 637.200|406023.800| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.064| 0.322| 0.577| 332375.130| 3.600] + [PKTLEN......: 52.000| 1500.000| 495.000| 637.200| 406023.800| 3.900] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,1,0,1,1] [IATS(ms)....: 11.7,15.7,2.4,60.2,1.2,0.1,57.1,107.8,316.9,313.9,536.7,811.2,71.2,122.5,693.7,84.7,585.6,3064.5,52.8,57.9,98.4,231.5,526.2,115.1,0.7,585.7,117.7,1178.9,25.8,79.1,64.3] - [PKTLENS.....: 78,74,66,424,584,1514,1514,66,66,1514,66,94,94,94,94,86,78,86,1514,86,1514,78,1514,94,78,66,78,66,1514,66,1514,1514] + [PKTLENS.....: 64,60,52,410,570,1500,1500,52,52,1500,52,80,80,80,80,72,64,72,1500,72,1500,64,1500,80,64,52,64,52,1500,52,1500,1500] + [ENTROPIES...: 4.5,5.2,5.0,6.3,5.8,4.5,4.2,5.1,5.0,3.8,5.0,5.1,5.1,5.2,5.2,5.2,5.1,5.2,4.3,5.2,4.2,5.0,4.3,5.1,5.1,5.1,5.1,5.1,4.5,5.1,4.5,4.5] analyse: [....39] [ip4][..tcp] [....192.168.1.7][53178] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.546| 0.356| 0.683|466078.499| 0.000] - [PKTLEN......: 66.000| 1514.000| 507.200| 638.400|407523.400| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.546| 0.356| 0.683| 466078.499| 3.500] + [PKTLEN......: 52.000| 1500.000| 493.200| 638.400| 407523.400| 3.900] [BINS(c->s)..: 20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,1] [IATS(ms)....: 43.2,45.3,13.2,106.7,4.9,97.9,1317.7,102.1,98.2,0.2,515.8,59.8,1148.4,57.2,54.9,165.2,3546.3,68.4,92.3,156.0,131.0,70.0,95.9,104.0,104.5,205.1,729.4,92.0,551.2,1189.4,68.2] - [PKTLENS.....: 78,74,66,423,584,1514,66,94,94,86,86,86,86,86,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,1514] + [PKTLENS.....: 64,60,52,409,570,1500,52,80,80,72,72,72,72,72,64,64,52,1500,52,1500,52,1500,1500,52,1500,52,1500,64,52,52,1500,1500] + [ENTROPIES...: 4.5,5.3,5.0,6.4,5.8,4.5,5.1,5.4,5.4,5.4,5.3,5.4,5.4,5.3,5.3,5.3,5.3,4.4,5.2,4.5,5.0,4.5,4.5,5.2,4.5,5.1,4.5,5.3,5.2,5.0,4.4,4.4] analyse: [....40] [ip4][..tcp] [....192.168.1.7][53179] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.457| 0.415| 0.811|658300.731| 0.000] - [PKTLEN......: 66.000| 1514.000| 552.100| 656.800|431419.800| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.457| 0.415| 0.811| 658300.731| 3.600] + [PKTLEN......: 52.000| 1500.000| 538.100| 656.800| 431419.800| 3.900] [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1] [IATS(ms)....: 41.4,43.5,2.9,82.1,0.1,78.7,1252.1,77.7,132.2,0.8,525.3,100.7,510.0,513.0,40.3,4457.1,87.0,1393.0,522.4,574.9,39.6,91.2,57.6,58.1,139.0,449.1,380.1,69.9,139.5,473.4,516.8] - [PKTLENS.....: 78,74,66,424,584,1514,66,94,94,86,86,86,86,86,78,78,1514,1514,66,66,1514,1514,66,1514,66,1514,66,1514,1514,66,66,1514] + [PKTLENS.....: 64,60,52,410,570,1500,52,80,80,72,72,72,72,72,64,64,1500,1500,52,52,1500,1500,52,1500,52,1500,52,1500,1500,52,52,1500] + [ENTROPIES...: 4.5,5.3,5.0,6.4,5.8,4.4,5.1,5.3,5.4,5.4,5.4,5.4,5.3,5.3,5.2,5.2,4.4,4.5,5.1,5.2,4.4,4.5,5.2,4.4,5.1,4.5,5.2,4.3,4.3,5.2,5.2,4.4] analyse: [....37] [ip4][..tcp] [....192.168.1.7][53176] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 4.432| 0.435| 0.814|663375.512| 0.000] - [PKTLEN......: 66.000| 1514.000| 418.200| 589.200|347103.400| 3.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 4.432| 0.435| 0.814| 663375.512| 3.600] + [PKTLEN......: 52.000| 1500.000| 404.200| 589.200| 347103.400| 3.700] [BINS(c->s)..: 22,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,1,0,0,0,1,1,0,1] [IATS(ms)....: 43.9,45.8,13.4,88.6,4.9,81.9,1250.8,92.5,118.4,0.7,544.2,69.2,495.5,501.7,62.9,1143.9,28.6,39.1,4432.0,83.0,87.8,169.9,586.4,795.5,292.9,509.0,501.2,1203.5,55.9,83.0,70.7] - [PKTLENS.....: 78,74,66,424,583,1514,66,94,94,86,86,86,86,86,78,78,78,78,78,1514,66,1514,78,66,1514,78,66,66,1514,1514,66,1514] + [PKTLENS.....: 64,60,52,410,569,1500,52,80,80,72,72,72,72,72,64,64,64,64,64,1500,52,1500,64,52,1500,64,52,52,1500,1500,52,1500] + [ENTROPIES...: 4.6,5.2,5.0,6.4,5.8,4.5,5.1,5.3,5.3,5.4,5.4,5.3,5.4,5.3,5.3,5.1,5.3,5.3,5.2,4.3,5.0,4.3,5.2,5.2,4.4,5.2,5.2,5.2,4.3,4.3,5.2,4.4] analyse: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 30.086| 1.958| 7.380|54461959.504| 0.000] - [PKTLEN......: 66.000| 1514.000| 394.000| 556.900|310128.200| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 30.086| 1.958| 7.380| 54461959.504| 1.100] + [PKTLEN......: 52.000| 1500.000| 380.000| 556.900| 310128.200| 3.800] [BINS(c->s)..: 9,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0] [BINS(s->c)..: 9,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,1,1] [IATS(ms)....: 47.0,48.4,1.7,53.1,2.6,1.0,62.3,11.1,6.0,10.8,0.3,0.3,60.3,3.4,50.1,4.4,0.9,0.6,55.9,50.5,0.3,42.7,4.0,5.1,5.2,0.1,57.7,0.3,30033.4,30086.0,0.8] - [PKTLENS.....: 78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,351,66,66,66,1007,126,66,66,66,97,66] + [PKTLENS.....: 64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1402,1500,1500,52,1500,337,52,52,52,993,112,52,52,52,83,52] + [ENTROPIES...: 4.5,5.3,5.1,5.8,5.1,7.3,7.3,5.1,6.9,5.1,6.1,5.0,6.0,5.2,6.0,5.2,7.9,7.9,7.9,5.2,7.8,7.4,5.1,5.1,5.1,7.8,6.3,5.2,5.1,5.1,5.8,5.1] detection-update: [.....9] [ip4][..tcp] [....192.168.1.7][53118] -> [..54.69.204.241][..443] [TLS.NetFlix][Video][Fun] new: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] new: [....45] [ip4][..tcp] [....192.168.1.7][53184] -> [..23.246.11.141][...80] @@ -385,14 +409,15 @@ detection-update: [....48] [ip4][..udp] [....192.168.1.7][60962] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] new: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] analyse: [....11] [ip4][..tcp] [....192.168.1.7][53119] -> [..54.69.204.241][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 30.431| 1.003| 5.373|28867930.620| 0.000] - [PKTLEN......: 66.000| 1514.000| 393.500| 557.000|310204.400| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 30.431| 1.003| 5.373| 28867930.620| 0.200] + [PKTLEN......: 52.000| 1500.000| 379.500| 557.000| 310204.400| 3.800] [BINS(c->s)..: 10,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0] [BINS(s->c)..: 7,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,1,0,0,0,0] [IATS(ms)....: 44.9,46.3,7.4,58.2,1.8,1.0,55.8,12.1,9.9,9.3,0.3,0.2,60.5,0.1,50.8,11.5,0.5,0.2,72.1,60.9,0.3,50.8,0.4,15.7,16.9,0.1,0.1,82.9,0.3,0.1,30431.5] - [PKTLENS.....: 78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,336,66,66,66,1007,121,100,66,66,66,66] + [PKTLENS.....: 64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1402,1500,1500,52,1500,322,52,52,52,993,107,86,52,52,52,52] + [ENTROPIES...: 4.6,5.3,5.1,5.8,5.2,7.2,7.3,5.1,7.0,5.2,6.3,5.1,5.9,5.3,6.1,5.2,7.9,7.9,7.9,5.2,7.9,7.3,5.2,5.3,5.3,7.8,6.2,5.9,5.2,5.2,5.2,5.0] detection-update: [....11] [ip4][..tcp] [....192.168.1.7][53119] -> [..54.69.204.241][..443] [TLS.NetFlix][Video][Fun] detected: [....46] [ip4][..tcp] [....192.168.1.7][53193] -> [...54.191.17.51][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS @@ -410,67 +435,73 @@ RISK: TLS (probably) Not Carrying HTTPS detection-update: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] [TLS.NetFlix][Video][Fun] analyse: [....46] [ip4][..tcp] [....192.168.1.7][53193] -> [...54.191.17.51][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.266| 0.048| 0.057| 3291.764| 0.000] - [PKTLEN......: 66.000| 1514.000| 879.400| 680.500|463015.400| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.266| 0.048| 0.057| 3291.764| 4.000] + [PKTLEN......: 52.000| 1500.000| 865.400| 680.500| 463015.400| 4.400] [BINS(c->s)..: 5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0] [BINS(s->c)..: 5,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1] [IATS(ms)....: 53.4,54.6,4.5,73.7,0.5,53.6,123.5,11.6,72.5,62.7,1.5,55.8,52.4,2.2,0.2,0.4,0.2,96.3,96.4,0.2,0.1,0.1,82.6,81.7,0.9,0.2,0.2,38.2,40.6,146.6,266.1] - [PKTLENS.....: 78,74,66,583,66,1514,1146,66,192,117,66,1058,120,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,86] + [PKTLENS.....: 64,60,52,569,52,1500,1132,52,178,103,52,1044,106,52,1500,1500,1500,1500,52,1500,1500,1500,1500,52,1500,1500,1500,1500,1500,1500,1500,72] + [ENTROPIES...: 4.6,5.3,5.2,4.4,5.2,7.2,7.6,5.2,6.6,6.0,5.2,7.8,6.2,5.2,7.9,7.9,7.9,7.9,5.3,7.9,7.9,7.9,7.9,5.2,7.9,7.9,7.9,7.9,7.9,7.9,7.9,5.4] detection-update: [....46] [ip4][..tcp] [....192.168.1.7][53193] -> [...54.191.17.51][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [....47] [ip4][..tcp] [....192.168.1.7][53202] -> [...54.191.17.51][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.282| 0.053| 0.058| 3383.537| 0.000] - [PKTLEN......: 66.000| 1514.000| 566.500| 629.700|396553.700| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.282| 0.053| 0.058| 3383.537| 4.200] + [PKTLEN......: 52.000| 1500.000| 552.500| 629.700| 396553.700| 4.000] [BINS(c->s)..: 10,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [BINS(s->c)..: 5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,1,1,1,0,1,1,0,1,0,0,0] [IATS(ms)....: 50.8,52.1,6.3,61.1,40.7,74.7,170.4,11.8,79.4,67.6,2.0,57.4,55.8,1.7,0.8,0.2,0.2,82.5,79.7,0.2,94.6,127.5,60.6,282.5,10.6,27.6,38.0,39.9,42.9,7.7,0.7] - [PKTLENS.....: 78,74,66,583,66,1514,1146,66,192,117,66,1057,120,66,1514,1514,1514,1514,66,1514,401,66,66,1257,66,1514,1500,66,115,66,97,66] + [PKTLENS.....: 64,60,52,569,52,1500,1132,52,178,103,52,1043,106,52,1500,1500,1500,1500,52,1500,387,52,52,1243,52,1500,1486,52,101,52,83,52] + [ENTROPIES...: 4.6,5.4,5.2,4.4,5.2,7.2,7.7,5.2,6.5,6.0,5.1,7.8,6.2,5.2,7.9,7.9,7.9,7.9,5.1,7.9,7.4,5.2,5.2,7.8,5.2,7.9,7.9,5.2,6.2,5.2,5.8,5.1] detection-update: [....47] [ip4][..tcp] [....192.168.1.7][53202] -> [...54.191.17.51][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.333| 0.059| 0.083| 6944.879| 0.000] - [PKTLEN......: 66.000| 1514.000| 760.100| 703.800|495333.000| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.333| 0.059| 0.083| 6944.879| 3.800] + [PKTLEN......: 52.000| 1500.000| 746.100| 703.800| 495333.000| 4.200] [BINS(c->s)..: 6,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,12,0,0] [BINS(s->c)..: 6,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0] [IATS(ms)....: 69.5,71.0,2.6,55.6,49.1,64.4,167.9,331.9,332.6,26.5,0.7,0.7,87.7,0.5,60.7,8.8,7.1,0.4,81.1,62.8,0.8,0.2,0.1,68.1,67.1,0.8,0.2,0.1,111.2,109.6,2.5] - [PKTLENS.....: 78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1417,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514] + [PKTLENS.....: 64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1403,1500,1500,52,1500,1500,1500,1500,52,1500,1500,1500,1500,52,1500,1500] + [ENTROPIES...: 4.6,5.3,5.2,5.8,5.1,7.2,7.3,5.2,6.9,5.2,6.2,5.1,6.1,5.2,6.0,5.2,7.9,7.9,7.9,5.2,7.9,7.8,7.9,7.9,5.2,7.9,7.9,7.9,7.9,5.2,7.9,7.9] detection-update: [....49] [ip4][..tcp] [....192.168.1.7][53203] -> [...52.37.36.252][..443] [TLS.NetFlix][Video][Fun] analyse: [....45] [ip4][..tcp] [....192.168.1.7][53184] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.003| 0.472| 0.093| 0.119|14235.635| 0.000] - [PKTLEN......: 66.000| 1514.000| 698.800| 659.100|434476.800| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.003| 0.472| 0.093| 0.119| 14235.635| 4.100] + [PKTLEN......: 52.000| 1500.000| 684.800| 659.100| 434476.800| 4.200] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,0,0,0,1,1] [IATS(ms)....: 26.1,27.5,2.6,46.5,5.4,49.4,29.6,29.5,8.5,38.4,5.4,39.8,38.4,39.7,140.3,138.3,356.6,206.9,472.0,29.3,417.4,40.8,81.5,44.0,43.4,83.0,187.8,28.6,25.2,184.4,25.5] - [PKTLENS.....: 78,74,66,575,635,1514,66,677,66,581,643,1514,66,1514,66,1514,1514,94,1514,78,66,1514,1514,66,1514,66,1514,86,78,66,1514,1514] + [PKTLENS.....: 64,60,52,561,621,1500,52,663,52,567,629,1500,52,1500,52,1500,1500,80,1500,64,52,1500,1500,52,1500,52,1500,72,64,52,1500,1500] + [ENTROPIES...: 4.6,5.3,5.1,6.3,5.8,4.5,5.1,4.2,5.1,6.3,5.8,3.8,5.1,6.9,5.0,7.6,7.9,5.2,7.9,5.2,5.1,7.9,7.9,5.1,7.9,5.0,7.9,5.3,5.1,5.1,7.9,7.9] analyse: [....44] [ip4][..tcp] [....192.168.1.7][53183] -> [...23.246.3.140][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.005| 0.731| 0.102| 0.156|24231.225| 0.000] - [PKTLEN......: 66.000| 1514.000| 662.300| 653.400|426995.300| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.005| 0.731| 0.102| 0.156| 24231.225| 4.000] + [PKTLEN......: 52.000| 1500.000| 648.300| 653.400| 426995.300| 4.200] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,0,0,0,0] [IATS(ms)....: 30.5,31.5,13.2,64.0,5.3,56.4,6.1,68.2,5.4,71.5,109.5,202.7,164.8,560.3,47.3,79.0,279.5,27.7,94.5,26.6,26.1,15.8,70.5,85.9,39.5,39.8,41.6,84.4,730.9,41.5,39.7] - [PKTLENS.....: 78,74,66,571,632,965,66,578,642,1514,66,1514,1514,1514,86,78,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,78,86,78,66] + [PKTLENS.....: 64,60,52,557,618,951,52,564,628,1500,52,1500,1500,1500,72,64,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,64,72,64,52] + [ENTROPIES...: 4.5,5.2,5.2,6.2,5.8,3.9,5.1,6.2,5.7,3.2,5.1,7.9,7.8,7.8,5.3,5.2,5.1,7.8,7.8,5.1,7.8,5.0,5.9,7.8,5.1,7.8,5.0,7.8,5.0,5.2,5.1,5.1] new: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] detected: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....50] [ip4][..tcp] [....192.168.1.7][53210] -> [..23.246.11.133][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.004| 0.530| 0.111| 0.160|25664.158| 0.000] - [PKTLEN......: 66.000| 1514.000| 786.900| 666.800|444580.800| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.004| 0.530| 0.111| 0.160| 25664.158| 3.900] + [PKTLEN......: 52.000| 1500.000| 772.900| 666.800| 444580.800| 4.300] [BINS(c->s)..: 12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,1,1,1,0,1,0,1,0,1,1,0,1,0] [IATS(ms)....: 18.4,19.9,3.7,28.9,18.1,45.8,41.6,39.6,18.5,45.3,5.4,31.7,29.4,29.5,41.1,41.1,82.2,87.7,42.1,64.3,51.5,299.9,159.8,515.7,436.0,526.6,530.0,40.0,69.9,40.4,40.4] - [PKTLENS.....: 78,74,66,575,634,1514,66,635,66,581,643,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,94,1514,78,1514,66,1514,1514,66,1514,66] + [PKTLENS.....: 64,60,52,561,620,1500,52,621,52,567,629,1500,52,1500,52,1500,1500,52,1500,1500,1500,1500,80,1500,64,1500,52,1500,1500,52,1500,52] + [ENTROPIES...: 4.5,5.3,5.2,6.3,5.8,4.5,5.2,4.2,5.2,6.2,5.8,3.4,5.2,7.0,5.1,6.3,3.9,5.1,7.9,7.8,7.8,7.9,5.4,7.9,5.2,7.9,5.2,7.9,7.9,5.2,7.8,5.1] update: [....10] [ip4][..udp] [....192.168.1.7][53776] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] update: [.....2] [ip4][..udp] [....192.168.1.7][51543] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] update: [....13] [ip4][..udp] [....192.168.1.7][51949] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] @@ -481,14 +512,15 @@ detected: [....51] [ip4][..tcp] [....192.168.1.7][53217] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] RISK: HTTP Numeric IP Address analyse: [....51] [ip4][..tcp] [....192.168.1.7][53217] -> [..23.246.11.141][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.286| 0.030| 0.050| 2491.019| 0.000] - [PKTLEN......: 66.000| 1514.000| 833.000| 665.800|443241.700| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.286| 0.030| 0.050| 2491.019| 4.000] + [PKTLEN......: 52.000| 1500.000| 819.000| 665.800| 443241.700| 4.400] [BINS(c->s)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,0] [IATS(ms)....: 13.0,14.8,4.0,30.3,0.8,3.7,30.3,0.2,16.5,35.6,2.0,21.5,3.2,3.3,13.3,13.3,26.5,13.3,13.5,13.8,42.7,56.4,14.7,15.2,71.0,25.5,25.5,25.5,51.6,55.2,286.1] - [PKTLENS.....: 78,74,66,575,634,1514,677,66,66,584,643,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,86] + [PKTLENS.....: 64,60,52,561,620,1500,663,52,52,570,629,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,1500,1500,1500,1500,72] + [ENTROPIES...: 4.5,5.3,5.2,6.3,5.8,4.4,4.2,5.0,5.1,6.2,5.8,4.3,5.1,7.1,5.0,7.9,7.9,5.2,7.9,5.0,7.9,7.9,5.2,7.9,5.0,7.9,7.9,7.9,7.9,7.9,7.9,5.4] update: [....26] [ip4][..udp] [....192.168.1.7][51728] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] update: [....23] [ip4][..udp] [....192.168.1.7][58102] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] update: [....27] [ip4][..udp] [....192.168.1.7][52347] -> [....192.168.1.1][...53] [DNS.NetFlix][Video][Fun] @@ -529,14 +561,15 @@ detection-update: [....58] [ip4][..tcp] [....192.168.1.7][53250] -> [.....52.41.30.5][..443] [TLS.NetFlix][Video][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [....57] [ip4][..tcp] [....192.168.1.7][53249] -> [.....52.41.30.5][..443] [TLS.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.141| 0.020| 0.029| 838.464| 0.000] - [PKTLEN......: 66.000| 1514.000| 434.800| 506.400|256458.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.141| 0.020| 0.029| 838.464| 3.900] + [PKTLEN......: 52.000| 1500.000| 420.800| 506.400| 256458.000| 4.100] [BINS(c->s)..: 12,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 4,0,0,0,1,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 52.7,54.2,4.7,50.1,0.9,46.0,1.1,0.4,2.3,0.6,48.9,36.1,58.6,0.1,1.0,141.4,13.3,12.2,4.7,8.7,8.5,4.5,3.7,4.5,12.4,12.8,15.2,13.9,6.1,6.2,6.8] - [PKTLENS.....: 78,74,66,274,66,211,66,72,111,1514,564,66,66,1514,227,1514,66,559,66,1005,66,439,66,1306,66,1406,66,660,66,808,66,721] + [PKTLENS.....: 64,60,52,260,52,197,52,58,97,1500,550,52,52,1500,213,1500,52,545,52,991,52,425,52,1292,52,1392,52,646,52,794,52,707] + [ENTROPIES...: 4.5,5.3,5.1,6.0,5.2,6.5,5.1,5.2,6.0,7.9,7.6,5.1,5.2,7.9,7.0,7.8,5.1,7.6,5.1,7.8,5.2,7.5,5.1,7.8,5.2,7.9,5.1,7.7,5.1,7.8,5.1,7.7] new: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] detected: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] detection-update: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] @@ -545,33 +578,36 @@ detected: [....60] [ip4][..tcp] [....192.168.1.7][53251] -> [..184.25.204.10][...80] [HTTP.NetFlix][Video][Fun] detected: [....61] [ip4][..tcp] [....192.168.1.7][53252] -> [..184.25.204.10][...80] [HTTP.NetFlix][Video][Fun] analyse: [....55] [ip4][..tcp] [....192.168.1.7][53239] -> [.....52.41.30.5][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.501| 0.064| 0.122|14766.799| 0.000] - [PKTLEN......: 66.000| 1514.000| 456.800| 552.300|305076.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.501| 0.064| 0.122| 14766.799| 3.300] + [PKTLEN......: 52.000| 1500.000| 442.800| 552.300| 305076.800| 4.000] [BINS(c->s)..: 10,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 5,2,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,0,1,0,1,0,0,0,1,1] [IATS(ms)....: 58.3,61.2,1.8,70.6,2.9,1.0,71.3,11.6,12.3,13.1,0.1,0.1,65.7,0.8,52.3,3.6,0.2,91.6,51.8,0.3,140.2,3.7,3.4,3.9,5.5,6.4,5.0,437.2,0.9,500.9,291.9] - [PKTLENS.....: 78,74,66,583,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,803,66,1514,490,66,462,66,765,66,100,66,1514,686,66,1514] + [PKTLENS.....: 64,60,52,569,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,789,52,1500,476,52,448,52,751,52,86,52,1500,672,52,1500] + [ENTROPIES...: 4.6,5.3,5.2,4.1,5.0,7.3,7.3,5.2,7.0,5.2,6.3,5.1,6.0,5.1,6.0,5.2,7.9,7.8,5.2,7.9,7.5,5.2,7.6,5.1,7.7,5.2,6.0,5.2,7.9,7.7,5.0,7.9] detection-update: [....55] [ip4][..tcp] [....192.168.1.7][53239] -> [.....52.41.30.5][..443] [TLS.NetFlix][Video][Fun] analyse: [....61] [ip4][..tcp] [....192.168.1.7][53252] -> [..184.25.204.10][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 0.100| 0.036| 0.022| 464.586| 0.000] - [PKTLEN......: 66.000| 1514.000| 1160.700| 613.300|376142.500| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 0.100| 0.036| 0.022| 464.586| 4.700] + [PKTLEN......: 52.000| 1500.000| 1146.700| 613.300| 376142.500| 4.700] [BINS(c->s)..: 5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 16.7,17.7,12.0,38.5,0.5,12.7,40.1,27.1,27.1,58.5,99.8,81.1,33.9,23.7,53.8,53.8,65.1,48.0,65.4,13.9,30.9,13.3,28.7,40.4,54.5,28.8,29.4,29.4,27.5,25.5,25.5] - [PKTLENS.....: 78,74,66,311,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514] + [PKTLENS.....: 64,60,52,297,52,1500,1500,52,1500,52,1500,64,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500] + [ENTROPIES...: 4.5,5.2,5.2,5.9,5.3,7.0,7.5,5.1,7.7,5.1,7.7,5.2,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.9,7.8,7.9,7.8,7.9,7.8,7.9,7.9,7.8,7.8] analyse: [....60] [ip4][..tcp] [....192.168.1.7][53251] -> [..184.25.204.10][...80] [HTTP.NetFlix][Video][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.416| 0.126| 0.341|116136.157| 0.000] - [PKTLEN......: 66.000| 1514.000| 781.500| 698.900|488505.900| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.416| 0.126| 0.341| 116136.157| 2.600] + [PKTLEN......: 52.000| 1500.000| 767.500| 698.900| 488505.900| 4.300] [BINS(c->s)..: 12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,0,0,1,1,1,0,0,1,1,0,1,0,1,1,0,1,0] [IATS(ms)....: 15.4,16.8,2.1,27.2,1.0,1.1,27.3,38.1,39.4,39.9,44.7,83.4,40.7,236.7,277.7,1389.8,1416.3,0.3,12.8,48.7,0.2,12.8,12.8,15.9,13.8,16.3,12.8,12.7,23.2,13.3,13.2] - [PKTLENS.....: 78,74,66,311,66,1514,1514,66,1514,66,1514,1514,66,1514,733,66,311,1514,1514,1514,66,66,1514,1514,66,1514,66,1514,1514,66,1514,66] + [PKTLENS.....: 64,60,52,297,52,1500,1500,52,1500,52,1500,1500,52,1500,719,52,297,1500,1500,1500,52,52,1500,1500,52,1500,52,1500,1500,52,1500,52] + [ENTROPIES...: 4.5,5.2,5.1,5.9,5.3,7.3,7.8,5.2,7.8,5.0,7.8,7.8,5.1,7.8,7.7,5.2,5.8,6.9,7.5,7.8,5.1,5.0,7.8,7.8,5.0,7.9,4.9,7.8,7.8,5.1,7.8,5.1] end: [....18] [ip4][..tcp] [....192.168.1.7][53141] -> [..104.86.97.179][..443] [TLS.NetFlix][Video][Fun] idle: [....12] [ip4][....2] [....192.168.1.7] -> [239.255.255.250] [IGMP][Network][Acceptable] idle: [....59] [ip4][..udp] [....192.168.1.7][57093] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] diff --git a/test/results/flow-info/nfsv2.pcap.out b/test/results/flow-info/nfsv2.pcap.out index 2cb0e31cb..21cb66441 100644 --- a/test/results/flow-info/nfsv2.pcap.out +++ b/test/results/flow-info/nfsv2.pcap.out @@ -15,14 +15,15 @@ new: [.....5] [ip4][..udp] [....139.25.22.2][.1023] -> [..139.25.22.102][.2049] detected: [.....5] [ip4][..udp] [....139.25.22.2][.1023] -> [..139.25.22.102][.2049] [NFS][DataTransfer][Acceptable] analyse: [.....5] [ip4][..udp] [....139.25.22.2][.1023] -> [..139.25.22.102][.2049] [NFS][DataTransfer][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.010| 0.040| 0.015| 0.011| 125.000| 0.000] - [PKTLEN......: 70.000| 214.000| 147.500| 43.100| 1860.800| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.010| 0.040| 0.015| 0.011| 125.000| 3.300] + [PKTLEN......: 56.000| 200.000| 133.500| 43.100| 1860.800| 4.900] [BINS(c->s)..: 0,0,0,5,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 40.0,40.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0] - [PKTLENS.....: 166,138,166,90,174,70,174,70,206,170,166,138,166,138,174,170,198,138,174,170,174,70,174,70,174,170,174,70,214,70,166,138] + [PKTLENS.....: 152,124,152,76,160,56,160,56,192,156,152,124,152,124,160,156,184,124,160,156,160,56,160,56,160,156,160,56,200,56,152,124] + [ENTROPIES...: 3.4,3.5,3.4,3.5,3.3,3.3,3.3,3.3,3.3,3.3,3.4,3.3,3.4,3.5,3.3,3.3,3.7,3.4,3.3,3.4,3.4,3.3,3.4,3.2,3.3,3.4,3.4,3.3,3.2,3.2,3.4,3.5] new: [.....6] [ip4][..udp] [....139.25.22.2][.3293] -> [..139.25.22.102][..111] detected: [.....6] [ip4][..udp] [....139.25.22.2][.3293] -> [..139.25.22.102][..111] [NFS][DataTransfer][Acceptable] RISK: Known Proto on Non Std Port diff --git a/test/results/flow-info/nfsv3.pcap.out b/test/results/flow-info/nfsv3.pcap.out index f0c174016..e72968ec8 100644 --- a/test/results/flow-info/nfsv3.pcap.out +++ b/test/results/flow-info/nfsv3.pcap.out @@ -18,14 +18,15 @@ new: [.....6] [ip4][..udp] [....139.25.22.2][.1022] -> [..139.25.22.102][.2049] detected: [.....6] [ip4][..udp] [....139.25.22.2][.1022] -> [..139.25.22.102][.2049] [NFS][DataTransfer][Acceptable] analyse: [.....6] [ip4][..udp] [....139.25.22.2][.1022] -> [..139.25.22.102][.2049] [NFS][DataTransfer][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.010| 0.050| 0.017| 0.015| 222.222| 0.000] - [PKTLEN......: 74.000| 314.000| 176.400| 63.400| 4021.900| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.010| 0.050| 0.017| 0.015| 222.222| 3.200] + [PKTLEN......: 60.000| 300.000| 162.400| 63.400| 4021.900| 4.900] [BINS(c->s)..: 0,0,0,0,13,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,6,0,2,2,2,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 10.0,10.0,50.0,50.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0,10.0] - [PKTLENS.....: 170,154,170,206,170,210,170,182,178,74,178,74,226,314,170,154,206,186,178,74,178,74,178,282,178,74,222,302,178,282,178,74] + [PKTLENS.....: 156,140,156,192,156,196,156,168,164,60,164,60,212,300,156,140,192,172,164,60,164,60,164,268,164,60,208,288,164,268,164,60] + [ENTROPIES...: 3.3,3.3,3.3,3.2,3.3,3.2,3.3,3.1,3.3,3.2,3.3,3.1,2.9,3.3,3.3,3.1,3.2,3.3,3.3,3.1,3.3,3.1,3.3,3.2,3.3,3.2,3.2,3.3,3.3,3.4,3.5,3.2] new: [.....7] [ip4][..udp] [....139.25.22.2][.3299] -> [..139.25.22.102][..111] detected: [.....7] [ip4][..udp] [....139.25.22.2][.3299] -> [..139.25.22.102][..111] [NFS][DataTransfer][Acceptable] RISK: Known Proto on Non Std Port diff --git a/test/results/flow-info/nintendo.pcap.out b/test/results/flow-info/nintendo.pcap.out index cc0b61c58..fb07724a7 100644 --- a/test/results/flow-info/nintendo.pcap.out +++ b/test/results/flow-info/nintendo.pcap.out @@ -12,14 +12,15 @@ new: [.....5] [ip4][..udp] [.192.168.12.114][52119] -> [...35.158.74.61][33335] detected: [.....5] [ip4][..udp] [.192.168.12.114][52119] -> [...35.158.74.61][33335] [Nintendo][Game][Fun] analyse: [.....1] [ip4][..udp] [.192.168.12.114][52119] -> [....91.8.243.35][49432] [Nintendo][Game][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.730| 0.194| 0.332|110172.324| 0.000] - [PKTLEN......: 102.000| 854.000| 167.000| 179.500|32207.000| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.730| 0.194| 0.332| 110172.324| 3.600] + [PKTLEN......: 88.000| 840.000| 153.000| 179.500| 32207.000| 4.500] [BINS(c->s)..: 0,7,7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,4,8,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,1,1,0,1,0,1,1,0,1,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1] [IATS(ms)....: 87.9,239.6,335.4,89.8,30.6,131.2,103.3,500.0,507.3,130.9,234.8,19.3,15.8,5.2,16.9,12.6,53.5,8.8,0.2,60.8,14.2,505.6,501.5,5.1,514.4,94.6,0.2,1729.7,0.1,52.6,0.1] - [PKTLENS.....: 102,102,198,230,118,102,150,118,102,118,150,134,118,118,118,854,118,854,102,102,118,102,102,102,102,102,118,118,118,118,118,118] + [PKTLENS.....: 88,88,184,216,104,88,136,104,88,104,136,120,104,104,104,840,104,840,88,88,104,88,88,88,88,88,104,104,104,104,104,104] + [ENTROPIES...: 6.1,6.1,6.8,6.9,6.2,6.1,6.7,6.2,6.1,6.3,6.6,6.4,6.2,6.2,6.2,6.3,6.3,5.9,5.8,5.9,6.2,5.9,6.1,6.2,6.0,6.0,6.1,6.1,6.0,6.2,6.2,6.2] new: [.....6] [ip4][..udp] [.192.168.12.114][52119] -> [..52.10.205.177][34343] new: [.....7] [ip4][..udp] [.192.168.12.114][18874] -> [...192.168.12.1][...53] detected: [.....7] [ip4][..udp] [.192.168.12.114][18874] -> [...192.168.12.1][...53] [DNS.Nintendo][Game][Fun] @@ -52,14 +53,15 @@ detection-update: [....16] [ip4][..tcp] [.192.168.12.114][31329] -> [....54.192.27.8][..443] [TLS.Nintendo][Game][Fun] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....4] [ip4][..tcp] [..54.187.10.185][..443] -> [.192.168.12.114][48328] [TLS.AmazonAWS][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 14.019| 1.263| 3.443|11853821.379| 0.000] - [PKTLEN......: 66.000| 471.000| 134.200| 98.400| 9678.600| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 14.019| 1.263| 3.443| 11853821.379| 2.400] + [PKTLEN......: 52.000| 457.000| 120.200| 98.400| 9678.600| 4.600] [BINS(c->s)..: 8,5,0,5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,6,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,0,1,1,0,1,0,0,0,1,1,0,0,1] [IATS(ms)....: 6.3,307.1,3508.7,3481.6,0.2,0.0,276.4,18.5,55.2,0.1,35.7,210.9,214.2,255.3,13944.5,14019.1,0.8,0.1,5.3,332.5,29.9,280.4,254.2,215.7,3.4,13.6,231.1,4.3,259.0,453.5,730.8] - [PKTLENS.....: 166,117,66,133,66,124,113,66,117,166,166,66,66,117,66,471,66,113,400,166,66,117,66,382,66,123,113,66,117,66,166,117] + [PKTLENS.....: 152,103,52,119,52,110,99,52,103,152,152,52,52,103,52,457,52,99,386,152,52,103,52,368,52,109,99,52,103,52,152,103] + [ENTROPIES...: 6.5,5.8,5.0,6.0,5.0,6.0,6.0,5.0,5.7,6.6,6.6,5.0,5.1,5.7,5.0,7.5,5.1,6.1,7.4,6.5,5.0,5.8,5.1,7.3,5.1,6.2,6.0,5.1,5.8,5.1,6.7,5.7] new: [....17] [ip4][..udp] [.192.168.12.114][55915] -> [.185.118.169.65][27520] detected: [....17] [ip4][..udp] [.192.168.12.114][55915] -> [.185.118.169.65][27520] [Nintendo][Game][Fun] new: [....18] [ip4][.icmp] [..151.6.184.100] -> [.192.168.12.114] @@ -71,32 +73,35 @@ new: [....21] [ip4][.icmp] [...151.6.184.98] -> [.192.168.12.114] detected: [....21] [ip4][.icmp] [...151.6.184.98] -> [.192.168.12.114] [ICMP][Network][Acceptable] analyse: [....17] [ip4][..udp] [.192.168.12.114][55915] -> [.185.118.169.65][27520] [Nintendo][Game][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.754| 0.078| 0.153|23284.658| 0.000] - [PKTLEN......: 102.000| 886.000| 168.000| 186.200|34652.000| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.754| 0.078| 0.153| 23284.658| 3.200] + [PKTLEN......: 88.000| 872.000| 154.000| 186.200| 34652.000| 4.500] [BINS(c->s)..: 0,2,18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,1,1,1,0,0,1,0,0,1,1,1] [IATS(ms)....: 0.3,0.4,210.0,0.2,0.4,203.8,0.3,0.2,311.9,2.3,0.2,754.1,1.1,30.7,0.6,242.3,245.6,5.5,2.8,1.9,125.6,0.1,0.0,109.1,0.2,10.7,20.1,10.4,105.8,2.2,28.9] - [PKTLENS.....: 118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,102,118,118,118,118,886,102,886,118,118,102] + [PKTLENS.....: 104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,168,88,104,104,168,88,104,104,104,104,872,88,872,104,104,88] + [ENTROPIES...: 6.0,6.2,6.0,6.0,6.0,6.0,6.0,6.1,6.0,6.0,6.1,6.1,6.1,6.2,6.0,6.1,6.6,5.9,6.1,6.1,6.7,6.1,6.2,6.3,6.0,6.1,5.6,5.9,5.6,6.1,6.2,5.9] analyse: [....19] [ip4][..udp] [.192.168.12.114][55915] -> [.93.237.131.235][56066] [Nintendo][Game][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.758| 0.106| 0.188|35487.695| 0.000] - [PKTLEN......: 102.000| 886.000| 221.000| 231.800|53743.000| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.758| 0.106| 0.188| 35487.695| 3.400] + [PKTLEN......: 88.000| 872.000| 207.000| 231.800| 53743.000| 4.400] [BINS(c->s)..: 0,3,13,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,0,1,1,1,0,0,0,0,0] [IATS(ms)....: 0.7,2.7,200.8,0.2,0.4,313.8,0.2,0.3,757.9,0.1,245.9,0.2,38.4,0.2,116.7,3.0,25.9,110.5,1.2,79.7,8.0,87.9,10.1,91.9,20.1,506.4,607.1,9.7,10.2,12.9,36.7] - [PKTLENS.....: 118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,182,102,886,102,886,102,118,118,102,358,854,486,486] + [PKTLENS.....: 104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,168,88,168,88,872,88,872,88,104,104,88,344,840,472,472] + [ENTROPIES...: 6.0,6.1,6.0,6.0,6.1,6.0,6.1,6.1,6.1,6.2,6.2,6.1,6.1,6.1,6.2,6.2,6.1,6.7,6.0,6.7,5.9,5.6,6.0,5.6,5.8,6.2,6.2,6.0,7.3,5.8,6.2,6.2] analyse: [....20] [ip4][..udp] [.192.168.12.114][55915] -> [..81.61.158.138][51769] [Nintendo][Game][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.649| 0.099| 0.184|33766.533| 0.000] - [PKTLEN......: 102.000| 886.000| 167.500| 186.300|34709.800| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.649| 0.099| 0.184| 33766.533| 3.200] + [PKTLEN......: 88.000| 872.000| 153.500| 186.300| 34709.800| 4.400] [BINS(c->s)..: 0,3,15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,8,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0] [IATS(ms)....: 0.3,0.4,313.5,0.3,0.3,284.3,0.1,0.4,629.4,5.2,43.7,5.3,61.4,0.1,131.6,65.4,7.9,0.2,0.8,31.1,0.4,67.6,2.9,0.5,7.5,105.9,5.7,103.3,9.8,549.4,649.3] - [PKTLENS.....: 118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,118,118,102,118,118,886,102,886,102,118,118,102] + [PKTLENS.....: 104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,168,88,104,104,168,104,104,88,104,104,872,88,872,88,104,104,88] + [ENTROPIES...: 6.1,6.1,6.1,6.0,6.2,6.2,6.2,6.2,6.1,6.0,6.1,6.1,6.1,6.1,6.1,6.7,6.0,6.1,6.2,6.8,6.2,6.2,5.9,6.2,6.2,5.5,5.9,5.6,6.0,6.2,6.1,6.0] guessed: [....11] [ip4][..udp] [.192.168.12.114][55915] -> [...35.158.74.61][10025] [AmazonAWS][Cloud][Acceptable] idle: [....11] [ip4][..udp] [.192.168.12.114][55915] -> [...35.158.74.61][10025] idle: [....15] [ip4][..udp] [.192.168.12.114][51035] -> [...192.168.12.1][...53] [DNS.Nintendo][Game][Fun] diff --git a/test/results/flow-info/nntp.pcap.out b/test/results/flow-info/nntp.pcap.out index 31650d71f..ab42d8014 100644 --- a/test/results/flow-info/nntp.pcap.out +++ b/test/results/flow-info/nntp.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [.192.168.190.20][55630] -> [..192.168.190.5][..119] detected: [.....1] [ip4][..tcp] [.192.168.190.20][55630] -> [..192.168.190.5][..119] [Usenet][Web][Acceptable] analyse: [.....1] [ip4][..tcp] [.192.168.190.20][55630] -> [..192.168.190.5][..119] [Usenet][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 25.684| 4.346| 7.782|60565611.348| 0.000] - [PKTLEN......: 54.000| 1514.000| 219.900| 397.400|157950.100| 3.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 25.684| 4.346| 7.782| 60565611.348| 3.100] + [PKTLEN......: 40.000| 1500.000| 205.900| 397.400| 157950.100| 3.600] [BINS(c->s)..: 19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,3,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,0,1,0] [IATS(ms)....: 0.2,0.2,17.0,17.1,0.2,0.4,673.1,673.7,0.6,0.3,40.5,19518.0,19565.8,8.0,4770.1,4784.4,14.3,0.1,0.0,25683.6,25684.3,0.8,12078.4,12090.7,12.5,0.2,0.1,4544.0,0.1,4544.3,0.3] - [PKTLENS.....: 74,74,66,190,66,79,66,113,92,66,115,66,79,1294,66,79,1514,66,186,66,97,116,66,77,1514,66,332,66,72,66,94,54] + [PKTLENS.....: 60,60,52,176,52,65,52,99,78,52,101,52,65,1280,52,65,1500,52,172,52,83,102,52,63,1500,52,318,52,58,52,80,40] + [ENTROPIES...: 4.5,4.9,4.9,5.5,4.9,5.2,5.0,5.6,5.4,5.0,5.5,4.9,5.2,5.7,5.0,5.3,5.9,4.9,5.4,4.9,5.5,5.5,4.9,5.3,5.8,4.8,5.4,4.8,5.0,4.8,5.5,3.7] end: [.....1] [ip4][..tcp] [.192.168.190.20][55630] -> [..192.168.190.5][..119] [Usenet][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/no_sni.pcap.out b/test/results/flow-info/no_sni.pcap.out index b94be78bb..74ffeba9f 100644 --- a/test/results/flow-info/no_sni.pcap.out +++ b/test/results/flow-info/no_sni.pcap.out @@ -8,25 +8,27 @@ detection-update: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Network][Fun] new: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] analyse: [.....2] [ip4][..tcp] [..192.168.1.119][51606] -> [.104.16.249.249][..443] [TLS.DoH_DoT][Network][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.180| 0.028| 0.054| 2913.211| 0.000] - [PKTLEN......: 54.000| 736.000| 141.200| 163.800|26828.900| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.180| 0.028| 0.054| 2913.211| 3.000] + [PKTLEN......: 40.000| 722.000| 127.200| 163.800| 26828.900| 4.200] [BINS(c->s)..: 10,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0] [IATS(ms)....: 137.9,138.0,4.7,0.3,0.1,180.3,3.0,178.2,0.2,0.0,0.1,2.3,6.4,1.4,5.5,15.4,0.1,0.7,0.1,1.4,74.0,13.5,4.2,2.9,0.0,76.8,0.1,5.4,2.5,0.0,8.0] - [PKTLENS.....: 78,66,54,670,60,224,60,736,54,116,60,54,138,60,85,54,205,140,114,146,85,60,60,60,380,85,54,54,60,307,85,54] + [PKTLENS.....: 64,52,40,656,46,210,46,722,40,102,46,40,124,46,71,40,191,126,100,132,71,46,46,46,366,71,40,40,46,293,71,40] + [ENTROPIES...: 4.4,4.9,4.5,7.1,4.6,7.0,4.4,7.7,4.6,6.1,4.5,4.6,6.3,4.4,5.6,4.5,6.8,6.4,6.2,6.4,5.5,4.4,4.4,4.4,7.3,5.7,4.6,4.6,4.5,7.3,5.6,4.6] detected: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] [TLS.Cloudflare][Web][Acceptable] detection-update: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] [TLS.Cloudflare][Web][Acceptable] analyse: [.....3] [ip4][..tcp] [..192.168.1.119][51612] -> [..104.16.124.96][..443] [TLS.Cloudflare][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.473| 0.050| 0.107|11455.737| 0.000] - [PKTLEN......: 54.000| 1514.000| 381.000| 489.400|239474.400| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.473| 0.050| 0.107| 11455.737| 3.000] + [PKTLEN......: 40.000| 1500.000| 367.000| 489.400| 239474.400| 3.900] [BINS(c->s)..: 12,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,1,1,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,0] [IATS(ms)....: 121.2,121.3,5.4,100.4,0.4,95.3,1.0,4.8,0.1,77.1,0.5,71.8,0.2,0.4,0.6,0.2,76.9,15.5,380.4,472.6,2.8,2.8,2.1,2.1,1.6,1.6,1.4,0.3,1.6,0.6,0.6] - [PKTLENS.....: 78,66,54,1001,60,286,54,118,224,917,60,566,54,60,85,54,85,60,60,1092,54,844,54,1445,54,1445,54,1514,407,54,1178,54] + [PKTLENS.....: 64,52,40,987,46,272,40,104,210,903,46,552,40,46,71,40,71,46,46,1078,40,830,40,1431,40,1431,40,1500,393,40,1164,40] + [ENTROPIES...: 4.5,4.9,4.4,7.5,4.5,6.8,4.6,6.0,6.9,7.8,4.5,7.6,4.6,4.5,5.7,4.6,5.6,4.5,4.5,7.8,4.6,7.8,4.6,7.9,4.6,7.9,4.6,7.9,7.4,4.6,7.8,4.6] new: [.....4] [ip4][..tcp] [..192.168.1.119][51635] -> [..104.17.198.37][..443] new: [.....5] [ip4][..tcp] [..192.168.1.119][51636] -> [..104.17.198.37][..443] new: [.....6] [ip4][..tcp] [..192.168.1.119][51637] -> [..104.22.72.170][..443] @@ -43,14 +45,15 @@ detection-update: [.....8] [ip4][..tcp] [..192.168.1.119][51639] -> [..104.22.72.170][..443] [TLS.Cloudflare][Web][Acceptable] detection-update: [.....7] [ip4][..tcp] [..192.168.1.119][51638] -> [..104.22.72.170][..443] [TLS.Cloudflare][Web][Acceptable] analyse: [.....6] [ip4][..tcp] [..192.168.1.119][51637] -> [..104.22.72.170][..443] [TLS.Cloudflare][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.144| 0.032| 0.043| 1852.691| 0.000] - [PKTLEN......: 54.000| 1514.000| 285.300| 409.400|167573.600| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.144| 0.032| 0.043| 1852.691| 3.800] + [PKTLEN......: 40.000| 1500.000| 271.300| 409.400| 167573.600| 3.800] [BINS(c->s)..: 12,0,3,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,1,0,1,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0] [IATS(ms)....: 81.9,82.0,5.3,129.4,1.7,0.7,126.4,64.0,9.1,0.1,11.9,1.6,143.7,57.1,79.2,1.6,80.8,1.6,14.7,0.3,13.3,11.9,0.0,12.1,0.1,25.4,25.0,0.8,0.8,5.3,5.5] - [PKTLENS.....: 78,66,54,766,60,1514,1385,54,118,224,380,129,129,1385,66,60,566,54,85,60,85,54,581,85,54,54,368,54,85,54,368,54] + [PKTLENS.....: 64,52,40,752,46,1500,1371,40,104,210,366,115,115,1371,52,46,552,40,71,46,71,40,567,71,40,40,354,40,71,40,354,40] + [ENTROPIES...: 4.5,4.9,4.5,7.3,4.5,7.9,7.8,4.7,5.9,7.0,7.4,6.3,6.4,7.8,4.7,4.5,7.6,4.7,5.4,4.5,5.6,4.7,7.6,5.6,4.6,4.6,7.4,4.7,5.6,4.7,7.3,4.7] idle: [.....6] [ip4][..tcp] [..192.168.1.119][51637] -> [..104.22.72.170][..443] [TLS.Cloudflare][Web][Acceptable] end: [.....7] [ip4][..tcp] [..192.168.1.119][51638] -> [..104.22.72.170][..443] end: [.....8] [ip4][..tcp] [..192.168.1.119][51639] -> [..104.22.72.170][..443] diff --git a/test/results/flow-info/ocs.pcap.out b/test/results/flow-info/ocs.pcap.out index 550d1f188..b655c807b 100644 --- a/test/results/flow-info/ocs.pcap.out +++ b/test/results/flow-info/ocs.pcap.out @@ -33,14 +33,15 @@ detected: [....15] [ip4][..tcp] [..192.168.180.2][36680] -> [.178.248.208.54][..443] [TLS.OCS][Media][Fun] RISK: Obsolete TLS (v1.1 or older) analyse: [....13] [ip4][..tcp] [..192.168.180.2][49881] -> [.178.248.208.54][...80] [HTTP.OCS][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.929| 0.088| 0.173|29794.175| 0.000] - [PKTLEN......: 52.000| 715.000| 83.100| 113.800|12942.200| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.929| 0.088| 0.173| 29794.175| 3.500] + [PKTLEN......: 52.000| 715.000| 83.100| 113.800| 12942.200| 4.500] [BINS(c->s)..: 31,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 83.8,14.3,246.9,0.6,0.5,68.4,1.8,71.5,0.5,5.4,4.1,41.7,146.0,90.8,71.1,77.4,63.4,3.7,80.5,1.7,86.1,0.6,67.3,32.6,43.3,386.6,73.7,2.5,928.6,31.7,2.1] [PKTLENS.....: 60,52,715,64,72,72,80,72,72,72,72,72,64,52,64,64,64,52,52,52,52,64,64,64,64,52,52,64,64,52,64,64] + [ENTROPIES...: 4.5,5.1,6.0,5.1,5.2,5.2,5.2,5.2,5.3,5.2,5.2,5.2,5.2,5.1,5.2,5.2,5.1,5.2,5.1,5.1,5.0,5.1,5.2,5.1,5.2,5.1,5.2,5.2,5.2,5.0,5.1,5.1] new: [....16] [ip4][..tcp] [..192.168.180.2][32946] -> [.64.233.184.188][..443] detected: [....16] [ip4][..tcp] [..192.168.180.2][32946] -> [.64.233.184.188][..443] [TLS.GoogleServices][Web][Acceptable] RISK: TLS (probably) Not Carrying HTTPS @@ -60,14 +61,15 @@ new: [....20] [ip4][..tcp] [..192.168.180.2][42590] -> [178.248.208.210][...80] detected: [....20] [ip4][..tcp] [..192.168.180.2][42590] -> [178.248.208.210][...80] [HTTP.OCS][Media][Fun] analyse: [....20] [ip4][..tcp] [..192.168.180.2][42590] -> [178.248.208.210][...80] [HTTP.OCS][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.079| 0.027| 0.030| 875.550| 0.000] - [PKTLEN......: 52.000| 204.000| 63.900| 26.300| 690.500| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.079| 0.027| 0.030| 875.550| 4.000] + [PKTLEN......: 52.000| 204.000| 63.900| 26.300| 690.500| 4.900] [BINS(c->s)..: 31,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 71.4,1.5,54.8,1.1,3.6,59.9,0.6,0.1,5.3,64.8,1.7,1.5,79.5,5.5,58.4,1.8,64.6,2.0,67.5,26.5,42.9,26.0,65.4,1.0,48.6,1.3,2.0,1.3,75.5,1.4,4.8] [PKTLENS.....: 60,52,204,52,52,52,52,52,64,64,64,64,72,64,64,72,72,72,64,64,64,52,52,52,52,52,52,52,52,52,64,72] + [ENTROPIES...: 4.6,5.0,5.9,5.2,5.1,5.2,5.2,5.2,5.2,5.2,5.2,5.2,5.3,5.2,5.3,5.3,5.4,5.3,5.3,5.3,5.3,5.2,5.2,5.2,5.1,5.2,5.2,5.1,5.2,5.2,5.3,5.3] update: [....17] [ip4][..udp] [..192.168.180.2][11793] -> [........8.8.8.8][...53] idle: [....20] [ip4][..tcp] [..192.168.180.2][42590] -> [178.248.208.210][...80] [HTTP.OCS][Media][Fun] end: [.....8] [ip4][..tcp] [..192.168.180.2][44959] -> [137.135.129.206][...80] diff --git a/test/results/flow-info/ocsp.pcapng.out b/test/results/flow-info/ocsp.pcapng.out index 04d545155..e4392288b 100644 --- a/test/results/flow-info/ocsp.pcapng.out +++ b/test/results/flow-info/ocsp.pcapng.out @@ -11,23 +11,25 @@ new: [.....3] [ip4][..tcp] [..192.168.1.128][43728] -> [..92.122.95.235][...80] detected: [.....3] [ip4][..tcp] [..192.168.1.128][43728] -> [..92.122.95.235][...80] [HTTP.OCSP][Network][Safe] analyse: [.....2] [ip4][..tcp] [..192.168.1.128][54154] -> [.142.250.184.99][...80] [HTTP.OCSP][Cloud][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.003| 10.243| 7.530| 4.272|18250505.126| 0.000] - [PKTLEN......: 118.000| 820.000| 187.000| 189.100|35745.500| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.003| 10.243| 7.530| 4.272| 18250505.126| 4.500] + [PKTLEN......: 104.000| 806.000| 173.000| 189.100| 35745.500| 4.500] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0] [IATS(ms)....: 3.4,7.0,7.4,103.0,109.3,10007.8,10013.0,10151.7,10152.0,10240.5,10240.6,10243.1,10242.9,10236.1,10235.9,10239.9,10240.5,10239.9,10239.5,5617.7,5617.9,102.9,109.3,10148.8,10155.0,10236.1,10236.1,10239.8,10239.7,10240.0] - [PKTLENS.....: 126,126,118,512,118,820,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,512,118,820,118,118,118,118,118,118,118,118] + [PKTLENS.....: 112,112,104,498,104,806,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,498,104,806,104,104,104,104,104,104,104,104] + [ENTROPIES...: 3.9,4.3,4.0,6.2,4.4,7.1,4.5,4.4,4.3,4.3,4.4,4.4,4.3,4.4,4.4,4.4,4.3,4.4,4.4,4.4,4.4,6.2,4.4,7.0,4.4,4.4,4.4,4.4,4.4,4.4,4.4,4.4] analyse: [.....3] [ip4][..tcp] [..192.168.1.128][43728] -> [..92.122.95.235][...80] [HTTP.OCSP][Network][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 10.244| 7.440| 4.399|19348030.751| 0.000] - [PKTLEN......: 118.000| 1007.000| 198.200| 228.700|52281.300| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 10.244| 7.440| 4.399| 19348030.751| 4.500] + [PKTLEN......: 104.000| 993.000| 184.200| 228.700| 52281.300| 4.400] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 12.0,16.1,0.3,19.6,157.1,176.9,7779.8,7796.1,1.3,16.6,10045.9,10060.7,10239.9,10239.7,10239.8,10240.0,10244.0,10243.9,10239.9,10240.0,10236.0,10236.1,10243.9,10244.0,10236.0,10235.9,10240.0,10239.8,10240.0,10240.0,10239.9] - [PKTLENS.....: 126,126,118,504,118,1007,118,504,118,1007,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118] + [PKTLENS.....: 112,112,104,490,104,993,104,490,104,993,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104] + [ENTROPIES...: 3.9,4.2,4.1,6.3,4.3,7.0,4.4,6.3,4.4,7.0,4.4,4.4,4.4,4.4,4.4,4.4,4.4,4.4,4.3,4.4,4.3,4.4,4.3,4.4,4.4,4.4,4.3,4.4,4.4,4.4,4.4,4.3] new: [.....4] [ip4][..tcp] [..192.168.1.128][34320] -> [.151.139.128.14][...80] detected: [.....4] [ip4][..tcp] [..192.168.1.128][34320] -> [.151.139.128.14][...80] [HTTP.OCSP][Network][Safe] new: [.....5] [ip4][..tcp] [..192.168.1.128][34340] -> [.151.139.128.14][...80] @@ -41,14 +43,15 @@ end: [.....4] [ip4][..tcp] [..192.168.1.128][34320] -> [.151.139.128.14][...80] [HTTP.OCSP][Network][Safe] end: [.....5] [ip4][..tcp] [..192.168.1.128][34340] -> [.151.139.128.14][...80] [HTTP.OCSP][Network][Safe] analyse: [.....6] [ip4][..tcp] [..192.168.1.128][47904] -> [..93.184.220.29][...80] [HTTP.OCSP][Network][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 10.240| 6.308| 4.932|24328020.165| 0.000] - [PKTLEN......: 118.000| 917.000| 229.700| 247.800|61420.800| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 10.240| 6.308| 4.932| 24328020.165| 4.300] + [PKTLEN......: 104.000| 903.000| 215.700| 247.800| 61420.800| 4.300] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 3.1,7.5,2.6,10.4,0.3,8.0,10198.6,10205.6,10239.9,10239.7,10240.0,10239.8,10240.1,10240.2,10239.7,10239.9,594.5,595.4,7.8,0.3,7.9,7.3,10142.0,10148.6,10239.9,10240.0,10239.9,10239.9,10240.0,10239.9,10239.9] - [PKTLENS.....: 126,126,118,505,118,917,118,118,118,118,118,118,118,118,118,118,118,505,917,118,505,917,118,118,118,118,118,118,118,118,118,118] + [PKTLENS.....: 112,112,104,491,104,903,104,104,104,104,104,104,104,104,104,104,104,491,903,104,491,903,104,104,104,104,104,104,104,104,104,104] + [ENTROPIES...: 3.9,4.3,4.0,6.3,4.3,7.0,4.4,4.4,4.3,4.4,4.4,4.4,4.4,4.4,4.3,4.4,4.3,6.3,7.0,4.4,6.3,7.0,4.3,4.4,4.3,4.3,4.3,4.4,4.3,4.4,4.3,4.4] DAEMON-EVENT: [Processed: 207 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....7] [ip4][..tcp] [..192.168.1.128][49382] -> [....52.85.15.92][...80] @@ -57,23 +60,25 @@ detected: [.....8] [ip4][..tcp] [..192.168.1.128][59922] -> [..151.101.2.133][...80] [HTTP.OCSP][Network][Safe] end: [.....6] [ip4][..tcp] [..192.168.1.128][47904] -> [..93.184.220.29][...80] [HTTP.OCSP][Network][Safe] analyse: [.....8] [ip4][..tcp] [..192.168.1.128][59922] -> [..151.101.2.133][...80] [HTTP.OCSP][Network][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 10.241| 7.851| 4.241|17983611.077| 0.000] - [PKTLEN......: 118.000| 1462.000| 193.500| 263.000|69147.600| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 10.241| 7.851| 4.241| 17983611.077| 4.500] + [PKTLEN......: 104.000| 1448.000| 179.500| 263.000| 69147.600| 4.200] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 3.4,7.4,0.9,8.1,0.6,9.1,10126.9,10134.8,10240.4,10240.5,10239.2,10239.6,10239.9,10239.7,10239.9,10239.5,10239.9,10240.2,10239.9,10240.1,10240.6,10240.2,10239.6,10239.4,10239.5,10240.0,10240.0,10240.0,2594.9] - [PKTLENS.....: 126,126,118,519,118,1462,772,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118] + [PKTLENS.....: 112,112,104,505,104,1448,758,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104] + [ENTROPIES...: 3.8,4.2,4.1,6.2,4.4,6.9,7.4,4.4,4.4,4.4,4.3,4.4,4.4,4.4,4.4,4.4,4.3,4.3,4.4,4.4,4.4,4.4,4.4,4.3,4.4,4.4,4.4,4.4,4.4,4.4,4.4,4.4] analyse: [.....7] [ip4][..tcp] [..192.168.1.128][49382] -> [....52.85.15.92][...80] [HTTP.OCSP][Network][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 10.241| 7.462| 4.365|19049033.499| 0.000] - [PKTLEN......: 118.000| 1124.000| 162.300| 185.900|34567.000| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 10.241| 7.462| 4.365| 19049033.499| 4.600] + [PKTLEN......: 104.000| 1110.000| 148.300| 185.900| 34567.000| 4.500] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 12.0,16.5,0.4,17.1,110.0,126.6,9996.4,10012.4,10239.9,10239.8,10239.9,10240.2,10239.9,10239.6,10240.0,10240.0,10239.9,10240.1,10239.9,10239.7,10239.9,10240.0,10240.6,10240.6,10239.8,10239.8,10239.3,10239.5,3107.0,3107.9,16.9] - [PKTLENS.....: 126,126,118,514,118,1124,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118] + [PKTLENS.....: 112,112,104,500,104,1110,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104] + [ENTROPIES...: 3.9,4.3,4.0,6.3,4.3,7.0,4.4,4.4,4.3,4.4,4.3,4.4,4.3,4.4,4.3,4.3,4.3,4.4,4.3,4.4,4.3,4.4,4.3,4.3,4.3,4.3,4.3,4.4,4.3,4.3,4.3,4.4] DAEMON-EVENT: [Processed: 274 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 2 / 8|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....9] [ip4][..tcp] [..192.168.1.128][45514] -> [.109.70.240.114][...80] @@ -84,13 +89,14 @@ detected: [....10] [ip4][..tcp] [..192.168.1.128][49034] -> [...23.12.96.145][...80] [HTTP.OCSP][Network][Safe] end: [.....9] [ip4][..tcp] [..192.168.1.128][45514] -> [.109.70.240.114][...80] [HTTP.OCSP][Network][Safe] analyse: [....10] [ip4][..tcp] [..192.168.1.128][49034] -> [...23.12.96.145][...80] [HTTP.OCSP][Network][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 10.241| 4.682| 4.929|24292207.100| 0.000] - [PKTLEN......: 118.000| 1566.000| 338.200| 431.700|186386.900| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 10.241| 4.682| 4.929| 24292207.100| 3.600] + [PKTLEN......: 104.000| 1552.000| 324.200| 431.700| 186386.900| 4.100] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 12.2,16.6,0.5,17.8,3.4,21.7,1169.7,1186.8,9.8,24.7,1031.5,1046.7,2.5,19.0,10158.4,10174.4,10240.2,10240.5,10240.7,10240.4,10239.9,10239.9,10238.7,10240.1,10241.2] - [PKTLENS.....: 126,126,118,504,118,1566,627,118,118,504,118,1566,627,118,118,505,118,1566,628,118,118,118,118,118,118,118,118,118,118,118,118,118] + [PKTLENS.....: 112,112,104,490,104,1552,613,104,104,490,104,1552,613,104,104,491,104,1552,614,104,104,104,104,104,104,104,104,104,104,104,104,104] + [ENTROPIES...: 3.9,4.2,4.0,6.3,4.3,7.0,7.2,4.4,4.4,6.3,4.3,7.0,7.2,4.3,4.3,6.2,4.4,7.0,7.2,4.3,4.3,4.4,4.4,4.4,4.4,4.4,4.4,4.3,4.4,4.4,4.4,4.4] end: [....10] [ip4][..tcp] [..192.168.1.128][49034] -> [...23.12.96.145][...80] [HTTP.OCSP][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/ookla.pcap.out b/test/results/flow-info/ookla.pcap.out index 91a870708..ab9aa8c5e 100644 --- a/test/results/flow-info/ookla.pcap.out +++ b/test/results/flow-info/ookla.pcap.out @@ -6,14 +6,15 @@ new: [.....2] [ip4][..tcp] [....192.168.1.7][51215] -> [..46.44.253.187][.8080] detected: [.....2] [ip4][..tcp] [....192.168.1.7][51215] -> [..46.44.253.187][.8080] [Ookla][Network][Safe] analyse: [.....2] [ip4][..tcp] [....192.168.1.7][51215] -> [..46.44.253.187][.8080] [Ookla][Network][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.138| 0.055| 0.033| 1064.798| 0.000] - [PKTLEN......: 66.000| 100.000| 77.900| 9.700| 93.700| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.138| 0.055| 0.033| 1064.798| 4.700] + [PKTLEN......: 52.000| 86.000| 63.900| 9.700| 93.700| 5.000] [BINS(c->s)..: 21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 36.8,36.9,28.0,64.0,0.1,36.1,38.4,72.7,34.3,27.1,61.9,34.7,97.7,133.2,35.5,27.7,63.1,35.3,68.5,103.7,35.3,26.0,61.1,35.1,103.2,137.7,34.5,32.6,67.3,34.6,94.1] - [PKTLENS.....: 78,74,66,69,66,100,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85] + [PKTLENS.....: 64,60,52,55,52,86,52,71,71,52,71,71,52,71,71,52,71,71,52,71,71,52,71,71,52,71,71,52,71,71,52,71] + [ENTROPIES...: 4.5,5.3,5.1,5.2,5.2,5.5,5.1,5.4,5.5,5.0,5.4,5.5,5.1,5.5,5.5,5.1,5.4,5.6,5.1,5.4,5.6,5.1,5.5,5.5,5.0,5.5,5.6,5.1,5.5,5.5,5.0,5.4] end: [.....2] [ip4][..tcp] [....192.168.1.7][51215] -> [..46.44.253.187][.8080] [Ookla][Network][Safe] end: [.....1] [ip4][..tcp] [....192.168.1.7][51207] -> [..46.44.253.187][...80] [HTTP.Ookla][Network][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/openvpn.pcap.out b/test/results/flow-info/openvpn.pcap.out index c1e86960f..a210a7ff9 100644 --- a/test/results/flow-info/openvpn.pcap.out +++ b/test/results/flow-info/openvpn.pcap.out @@ -5,28 +5,30 @@ detected: [.....1] [ip4][..tcp] [...192.168.1.77][60140] -> [.46.101.231.218][..443] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....1] [ip4][..tcp] [...192.168.1.77][60140] -> [.46.101.231.218][..443] [OpenVPN][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.998| 0.088| 0.234|54526.591| 0.000] - [PKTLEN......: 66.000| 371.000| 154.300| 75.300| 5671.500| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.998| 0.088| 0.234| 54526.591| 2.700] + [PKTLEN......: 52.000| 357.000| 140.300| 75.300| 5671.500| 4.800] [BINS(c->s)..: 6,5,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,1] [IATS(ms)....: 54.9,55.0,945.3,997.7,0.5,52.9,0.2,76.4,76.2,41.0,2.7,0.1,43.9,0.1,0.2,0.3,40.5,40.5,41.0,41.0,0.1,0.1,0.3,41.0,41.0,40.3,40.3,0.5,0.1,0.6,40.1] - [PKTLENS.....: 74,74,66,110,66,122,66,118,66,371,66,222,210,118,210,210,66,210,222,210,118,210,210,66,210,222,210,118,210,210,66,210] + [PKTLENS.....: 60,60,52,96,52,108,52,104,52,357,52,208,196,104,196,196,52,196,208,196,104,196,196,52,196,208,196,104,196,196,52,196] + [ENTROPIES...: 4.6,5.1,4.9,5.5,5.1,5.6,4.9,5.8,5.1,5.7,5.1,6.0,6.1,5.7,6.5,6.7,5.0,6.6,6.2,6.4,5.7,6.7,6.7,4.8,6.1,6.1,6.4,5.8,6.6,6.8,5.0,6.4] DAEMON-EVENT: [Processed: 95 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....2] [ip4][..udp] [..192.168.43.12][41507] -> [.139.59.151.137][13680] detected: [.....2] [ip4][..udp] [..192.168.43.12][41507] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....2] [ip4][..udp] [..192.168.43.12][41507] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.196| 0.045| 0.060| 3547.546| 0.000] - [PKTLEN......: 84.000| 345.000| 140.400| 58.600| 3436.100| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.196| 0.045| 0.060| 3547.546| 3.900] + [PKTLEN......: 70.000| 331.000| 126.400| 58.600| 3436.100| 4.900] [BINS(c->s)..: 0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 195.2,195.8,0.8,177.2,176.2,0.5,0.5,0.5,0.4,0.5,0.5,98.5,98.6,29.6,29.6,19.8,19.8,0.4,0.5,50.1,50.0,29.9,30.0,20.3,20.2,9.5,9.5,38.3,38.3,31.9,31.9] - [PKTLENS.....: 84,96,92,345,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92] + [PKTLENS.....: 70,82,78,331,182,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78] + [ENTROPIES...: 5.3,5.5,5.7,5.6,5.9,5.6,6.0,5.7,6.6,5.7,6.7,5.7,6.6,5.7,6.4,5.7,6.6,5.6,6.6,5.7,6.0,5.6,6.4,5.7,6.6,5.6,6.6,5.6,6.3,5.7,6.5,5.7] idle: [.....1] [ip4][..tcp] [...192.168.1.77][60140] -> [.46.101.231.218][..443] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port DAEMON-EVENT: [Processed: 178 pkts][ZLib][compressions: 0|diff: 0 / 0] @@ -35,14 +37,15 @@ detected: [.....3] [ip4][..udp] [..192.168.43.18][13680] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....3] [ip4][..udp] [..192.168.43.18][13680] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.242| 0.188| 0.537|288658.031| 0.000] - [PKTLEN......: 84.000| 345.000| 137.300| 58.900| 3466.400| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.242| 0.188| 0.537| 288658.031| 2.400] + [PKTLEN......: 70.000| 331.000| 123.300| 58.900| 3466.400| 4.900] [BINS(c->s)..: 0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 2195.9,2242.5,46.7,0.1,203.1,15.1,218.1,0.6,0.6,0.5,0.5,3.5,3.5,185.2,185.2,0.4,0.4,39.5,39.5,9.4,9.4,82.3,82.3,3.8,3.8,34.2,34.2,15.7,15.7,74.3,74.3] - [PKTLENS.....: 84,84,96,92,345,92,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92] + [PKTLENS.....: 70,70,82,78,331,78,182,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78] + [ENTROPIES...: 5.2,5.3,5.4,5.5,5.6,5.5,5.8,5.6,6.1,5.5,6.6,5.5,6.7,5.6,6.6,5.5,6.4,5.6,6.7,5.5,6.5,5.6,6.0,5.6,6.3,5.6,6.6,5.6,6.6,5.5,6.4,5.6] idle: [.....2] [ip4][..udp] [..192.168.43.12][41507] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port idle: [.....3] [ip4][..udp] [..192.168.43.18][13680] -> [.139.59.151.137][13680] [OpenVPN][VPN][Acceptable] diff --git a/test/results/flow-info/pgm.pcap.out b/test/results/flow-info/pgm.pcap.out index f9747bd1f..88c56b940 100644 --- a/test/results/flow-info/pgm.pcap.out +++ b/test/results/flow-info/pgm.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..113] [..10.244.64.154] -> [.....235.0.1.47] detected: [.....1] [ip4][..113] [..10.244.64.154] -> [.....235.0.1.47] [PGM][Network][Acceptable] analyse: [.....1] [ip4][..113] [..10.244.64.154] -> [.....235.0.1.47] [PGM][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.841| 0.063| 0.156|24250.839| 0.000] - [PKTLEN......: 70.000| 1344.000| 203.200| 214.800|46132.500| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.841| 0.063| 0.156| 24250.839| 2.900] + [PKTLEN......: 56.000| 1330.000| 189.200| 214.800| 46132.500| 4.500] [BINS(c->s)..: 0,1,9,12,2,1,2,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 840.7,20.8,0.0,36.8,5.6,0.1,6.6,0.0,17.0,0.0,14.9,14.7,0.0,37.3,0.0,168.2,95.0,1.6,67.0,1.6,11.0,51.2,0.0,243.0,25.5,16.0,6.4,15.0,3.5,0.1,240.0] - [PKTLENS.....: 70,129,127,321,1344,206,126,130,170,285,252,333,179,131,227,313,129,141,148,128,129,144,146,145,128,135,133,134,133,135,126,127] + [PKTLENS.....: 56,115,113,307,1330,192,112,116,156,271,238,319,165,117,213,299,115,127,134,114,115,130,132,131,114,121,119,120,119,121,112,113] + [ENTROPIES...: 4.2,3.8,3.7,4.3,4.0,4.3,3.7,3.9,4.1,4.3,4.3,4.2,4.1,3.9,4.2,4.4,3.8,3.8,4.3,3.8,3.9,4.3,4.3,4.2,3.8,3.9,3.9,4.0,4.0,4.0,3.8,3.8] idle: [.....1] [ip4][..113] [..10.244.64.154] -> [.....235.0.1.47] [PGM][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/pinterest.pcap.out b/test/results/flow-info/pinterest.pcap.out index 3d2cbe63f..50fd28000 100644 --- a/test/results/flow-info/pinterest.pcap.out +++ b/test/results/flow-info/pinterest.pcap.out @@ -8,14 +8,15 @@ detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33262] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33262] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] analyse: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33262] -> [.....................64:ff9b::9765:7854][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.172| 0.014| 0.033| 1083.758| 0.000] - [PKTLEN......: 86.000| 1134.000| 378.100| 421.400|177613.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.172| 0.014| 0.033| 1083.758| 2.700] + [PKTLEN......: 72.000| 1120.000| 364.100| 421.400| 177613.600| 4.200] [BINS(c->s)..: 10,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,2,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,1,1] [IATS(ms)....: 17.6,17.7,0.5,40.0,1.7,0.0,0.0,41.2,0.0,0.0,0.2,0.0,0.2,0.0,0.0,7.0,0.3,0.4,41.6,0.0,0.0,33.9,0.5,0.0,0.5,0.2,42.0,172.4,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1134,1134,1134,86,86,86,1134,1134,168,86,86,86,179,185,451,86,86,344,86,152,86,86,124,86,1134,1134,563] + [PKTLENS.....: 80,80,72,589,72,1120,1120,1120,72,72,72,1120,1120,154,72,72,72,165,171,437,72,72,330,72,138,72,72,110,72,1120,1120,549] + [ENTROPIES...: 4.8,5.2,5.2,4.5,5.0,6.8,4.5,6.6,5.2,5.2,5.3,7.1,7.6,6.3,5.2,5.2,5.1,6.1,6.4,7.4,5.1,5.0,7.1,5.3,6.2,5.1,5.2,5.6,5.1,7.8,7.8,7.6] detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33262] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] new: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38512] -> [.......................2a04:4e42:1d::84][..443] new: [.....5] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38514] -> [.......................2a04:4e42:1d::84][..443] @@ -45,14 +46,15 @@ new: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58726] -> [...............2a00:1450:4007:80b::2002][..443] [MIDSTREAM] new: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][34626] -> [.....................64:ff9b::acd9:13e2][..443] [MIDSTREAM] analyse: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38512] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.054| 0.008| 0.015| 223.156| 0.000] - [PKTLEN......: 86.000| 1474.000| 395.000| 486.900|237029.200| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.054| 0.008| 0.015| 223.156| 3.000] + [PKTLEN......: 72.000| 1460.000| 381.000| 486.900| 237029.200| 4.100] [BINS(c->s)..: 9,1,1,1,0,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,1,0,0,1,0] [IATS(ms)....: 29.2,29.3,0.5,30.6,2.1,0.0,0.0,0.0,32.2,0.0,0.0,0.0,7.2,0.3,2.0,0.2,0.1,0.3,0.4,53.9,0.0,0.2,0.0,43.6,1.3,0.0,1.3,0.2,0.8,0.5] - [PKTLENS.....: 94,94,86,603,86,1474,1474,1474,1244,86,86,86,86,179,185,377,397,364,1040,342,86,86,86,344,86,152,86,86,86,124,1474,86] + [PKTLENS.....: 80,80,72,589,72,1460,1460,1460,1230,72,72,72,72,165,171,363,383,350,1026,328,72,72,72,330,72,138,72,72,72,110,1460,72] + [ENTROPIES...: 4.6,5.1,5.1,4.4,4.9,6.4,5.2,7.3,7.6,5.1,5.0,5.1,5.1,6.0,6.2,7.2,7.1,6.9,7.4,6.9,4.9,4.9,4.9,7.1,5.1,6.1,4.9,5.0,5.1,5.6,7.9,5.1] new: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] detected: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] [TLS][Web][Safe] new: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] @@ -62,48 +64,52 @@ detection-update: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] [TLS.Google][Web][Acceptable] detected: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] analyse: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40694] -> [...............2a00:1450:4007:816::2004][..443] [TLS.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.044| 0.009| 0.014| 199.945| 0.000] - [PKTLEN......: 86.000| 1294.000| 265.000| 327.800|107441.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.044| 0.009| 0.014| 199.945| 3.400] + [PKTLEN......: 72.000| 1280.000| 251.000| 327.800| 107441.100| 4.100] [BINS(c->s)..: 12,1,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,0,0,0,1,0,0,1] [IATS(ms)....: 26.0,26.0,0.2,34.5,9.5,43.8,0.0,0.1,0.0,2.4,0.1,0.1,39.2,0.0,0.2,0.3,37.1,0.3,3.1,2.9,7.2,0.0,7.1,0.0,0.0,0.7,0.6,0.6,26.3] - [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,303,86,150,178,409,86,86,86,666,86,117,117,86,507,832,281,86,86,86,125,86,125,86] + [PKTLENS.....: 80,80,72,589,72,1280,1280,72,72,289,72,136,164,395,72,72,72,652,72,103,103,72,493,818,267,72,72,72,111,72,111,72] + [ENTROPIES...: 4.8,5.3,5.2,4.5,5.1,7.8,7.8,5.3,5.3,7.1,5.3,6.2,6.6,7.4,5.1,5.1,5.1,7.7,5.2,5.8,5.8,5.2,7.5,7.8,7.0,5.2,5.3,5.3,5.9,5.3,5.9,5.1] detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] new: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] analyse: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47032] -> [......................2600:1901::7a0b::][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.133| 0.017| 0.031| 941.058| 0.000] - [PKTLEN......: 86.000| 1294.000| 323.400| 401.100|160869.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.133| 0.017| 0.031| 941.058| 3.100] + [PKTLEN......: 72.000| 1280.000| 309.400| 401.100| 160869.700| 4.100] [BINS(c->s)..: 11,1,2,0,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0] [IATS(ms)....: 23.5,23.5,0.2,32.3,1.9,0.0,34.0,0.0,0.0,0.3,0.2,0.0,1.7,0.1,0.1,35.1,5.7,3.7,0.0,42.6,0.0,0.1,39.2,93.6,132.7,1.2,0.1,0.1] - [PKTLENS.....: 94,94,86,603,86,1294,1294,1294,86,86,86,1294,187,86,86,150,178,465,86,86,666,117,86,86,86,117,86,344,86,125,243,585] + [PKTLENS.....: 80,80,72,589,72,1280,1280,1280,72,72,72,1280,173,72,72,136,164,451,72,72,652,103,72,72,72,103,72,330,72,111,229,571] + [ENTROPIES...: 4.7,5.1,5.0,4.5,4.9,7.8,7.8,7.8,5.0,5.0,5.0,7.8,6.6,5.0,5.0,6.1,6.3,7.4,4.9,4.8,7.6,5.5,4.9,5.1,5.1,5.7,4.8,7.2,5.0,5.9,6.8,7.6] detected: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Web][Safe] detection-update: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Web][Safe] detection-update: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Media][Safe] analyse: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.090| 0.016| 0.023| 544.707| 0.000] - [PKTLEN......: 86.000| 1134.000| 314.800| 374.800|140490.000| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.090| 0.016| 0.023| 544.707| 3.300] + [PKTLEN......: 72.000| 1120.000| 300.800| 374.800| 140490.000| 4.100] [BINS(c->s)..: 11,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,2,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0] [IATS(ms)....: 39.8,39.9,0.4,39.9,1.9,0.0,41.3,0.0,0.1,0.0,0.0,0.6,0.6,0.0,2.9,2.6,0.6,39.8,0.1,1.1,1.9,36.8,0.0,0.2,49.7,40.1,89.6] - [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,1134,86,86,1134,168,86,86,179,185,382,86,86,86,344,152,86,86,124,86,530,260,86] + [PKTLENS.....: 80,80,72,589,72,1120,1120,72,72,1120,1120,72,72,1120,154,72,72,165,171,368,72,72,72,330,138,72,72,110,72,516,246,72] + [ENTROPIES...: 4.8,5.1,5.1,4.6,5.0,6.8,4.4,5.2,5.1,6.6,7.1,5.2,5.2,7.6,6.2,5.2,5.2,6.1,6.3,7.3,5.0,5.0,5.0,7.0,6.2,5.2,5.2,5.6,5.0,7.5,6.9,5.2] detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][33280] -> [.....................64:ff9b::9765:7854][..443] [TLS.Pinterest][SocialNetwork][Fun] analyse: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.050| 0.009| 0.016| 268.348| 0.000] - [PKTLEN......: 86.000| 1474.000| 512.700| 595.900|355070.700| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.050| 0.009| 0.016| 268.348| 2.900] + [PKTLEN......: 72.000| 1460.000| 498.700| 595.900| 355070.700| 4.000] [BINS(c->s)..: 12,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,8,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0,0,0,1] [IATS(ms)....: 50.3,50.3,0.2,31.7,3.1,34.6,0.0,0.7,0.7,1.2,0.0,1.2,0.0,2.6,0.1,0.2,32.3,0.0,29.5,0.0,0.5,0.0,0.5,0.0,0.0,0.6] - [PKTLENS.....: 94,94,86,603,86,1474,1474,86,86,1474,86,1474,1219,86,86,179,185,454,86,86,86,344,152,86,86,1474,1474,1474,86,86,86,1474] + [PKTLENS.....: 80,80,72,589,72,1460,1460,72,72,1460,72,1460,1205,72,72,165,171,440,72,72,72,330,138,72,72,1460,1460,1460,72,72,72,1460] + [ENTROPIES...: 4.7,5.1,5.1,4.5,5.0,6.7,4.9,5.1,5.1,7.4,5.1,7.3,7.6,5.1,5.2,5.9,6.3,7.4,5.0,5.0,5.0,7.1,6.2,5.2,5.1,7.9,7.9,7.9,5.1,5.1,5.1,7.8] detection-update: [....16] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57050] -> [......................2a04:4e42:1d::720][..443] [TLS][Media][Safe] new: [....17] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51582] -> [...............2a00:1450:4007:816::2003][..443] detected: [....17] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51582] -> [...............2a00:1450:4007:816::2003][..443] [TLS.Google][Web][Acceptable] @@ -115,32 +121,35 @@ detection-update: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54416] -> [...............2a00:1450:4007:806::200e][..443] [TLS.Google][Web][Acceptable] detection-update: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][SocialNetwork][Fun] analyse: [....17] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51582] -> [...............2a00:1450:4007:816::2003][..443] [TLS.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.077| 0.017| 0.027| 751.406| 0.000] - [PKTLEN......: 86.000| 1294.000| 421.600| 486.000|236213.000| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.077| 0.017| 0.027| 751.406| 2.800] + [PKTLEN......: 72.000| 1280.000| 407.600| 486.000| 236213.000| 4.100] [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0] [IATS(ms)....: 76.8,76.9,1.8,47.3,30.0,75.4,0.0,0.0,2.1,0.6,1.6,47.9,0.1,0.0,0.0,0.0,0.0,43.7,0.0,0.0,0.0,0.0,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,1294,356,86,86,86,150,178,400,86,86,86,666,117,484,1294,1294,1294,1294,1294,86,86,86,86,86,86,86] + [PKTLENS.....: 80,80,72,589,72,1280,1280,342,72,72,72,136,164,386,72,72,72,652,103,470,1280,1280,1280,1280,1280,72,72,72,72,72,72,72] + [ENTROPIES...: 4.8,5.3,5.2,4.5,5.1,7.8,7.8,7.3,5.2,5.2,5.2,6.0,6.5,7.4,5.1,5.1,5.2,7.6,5.7,7.5,7.8,7.8,7.8,7.9,7.8,5.2,5.1,5.2,5.2,5.2,5.2,5.2] analyse: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54416] -> [...............2a00:1450:4007:806::200e][..443] [TLS.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.079| 0.014| 0.022| 503.587| 0.000] - [PKTLEN......: 86.000| 1294.000| 436.100| 496.100|246097.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.079| 0.014| 0.022| 503.587| 3.300] + [PKTLEN......: 72.000| 1280.000| 422.100| 496.100| 246097.600| 4.100] [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,1,0,0,0,0,1,1] [IATS(ms)....: 51.6,51.7,0.6,28.0,20.5,0.0,47.7,0.0,0.0,3.3,0.2,0.1,70.0,0.0,0.0,13.2,79.5,0.3,8.7,8.4,16.7,0.0,0.0,0.0,16.7,0.0,0.0,0.0,0.2,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,1294,326,86,86,86,150,178,347,86,86,86,666,86,117,117,86,1002,1294,1294,1294,86,86,86,86,1294,1294] + [PKTLENS.....: 80,80,72,589,72,1280,1280,312,72,72,72,136,164,333,72,72,72,652,72,103,103,72,988,1280,1280,1280,72,72,72,72,1280,1280] + [ENTROPIES...: 4.9,5.2,5.2,4.4,5.1,7.8,7.8,7.2,5.2,5.2,5.2,6.2,6.7,7.2,5.1,5.1,5.1,7.6,5.2,5.8,5.7,5.2,7.8,7.8,7.9,7.8,5.2,5.2,5.2,5.2,7.8,7.8] analyse: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51292] -> [.........2a03:2880:f030:13:face:b00c::3][..443] [TLS.Facebook][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.093| 0.012| 0.022| 484.499| 0.000] - [PKTLEN......: 86.000| 1466.000| 285.000| 368.400|135732.300| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.093| 0.012| 0.022| 484.499| 3.000] + [PKTLEN......: 72.000| 1452.000| 271.000| 368.400| 135732.300| 4.100] [BINS(c->s)..: 12,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1,1,0,0,0,0,0] [IATS(ms)....: 27.0,27.1,0.2,32.3,0.0,32.0,0.0,3.9,0.4,0.1,64.7,93.2,0.0,0.0,0.3,0.0,0.0,0.0,24.3,0.0,0.0,0.0,0.2,0.0,0.0,0.1,0.0,0.0,4.4,39.9] - [PKTLENS.....: 94,94,86,603,86,1466,993,86,86,150,178,344,344,86,86,86,265,166,130,667,86,86,86,86,497,1466,128,86,86,86,117,213] + [PKTLENS.....: 80,80,72,589,72,1452,979,72,72,136,164,330,330,72,72,72,251,152,116,653,72,72,72,72,483,1452,114,72,72,72,103,199] + [ENTROPIES...: 5.1,5.4,5.4,4.6,5.3,7.8,7.8,5.5,5.5,6.2,6.5,7.3,7.3,5.3,5.2,5.3,7.0,6.4,5.9,7.6,5.4,5.4,5.4,5.4,7.5,7.9,6.1,5.4,5.4,5.4,5.9,6.7] new: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][60340] -> [......2a03:2880:f11f:83:face:b00c::25de][..443] detected: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][60340] -> [......2a03:2880:f11f:83:face:b00c::25de][..443] [TLS.Facebook][SocialNetwork][Fun] new: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47790] -> [...............2a00:1450:4007:816::200a][..443] @@ -150,44 +159,48 @@ new: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43562] -> [...............2a00:1450:4007:805::2003][..443] [MIDSTREAM] detected: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43562] -> [...............2a00:1450:4007:805::2003][..443] [TLS][Web][Safe] analyse: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43562] -> [...............2a00:1450:4007:805::2003][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.029| 0.002| 0.007| 49.867| 0.000] - [PKTLEN......: 86.000| 1294.000| 752.800| 578.200|334348.700| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.029| 0.002| 0.007| 49.867| 1.800] + [PKTLEN......: 72.000| 1280.000| 738.800| 578.200| 334348.700| 4.500] [BINS(c->s)..: 7,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,1,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,1,0,1,1,1,1] [IATS(ms)....: 0.2,23.5,0.2,5.1,0.0,28.6,0.3,0.0,0.0,0.0,0.2,0.0,0.0,0.0,0.4,0.0,0.0,0.4,0.0,1.3,0.0,1.3,0.1,0.0,0.0] - [PKTLENS.....: 244,209,86,86,277,1294,86,1294,1294,1294,1294,86,86,1294,1294,86,1294,1294,1294,1294,86,86,1294,1294,251,125,213,86,1294,1294,1294,1294] + [PKTLENS.....: 230,195,72,72,263,1280,72,1280,1280,1280,1280,72,72,1280,1280,72,1280,1280,1280,1280,72,72,1280,1280,237,111,199,72,1280,1280,1280,1280] + [ENTROPIES...: 6.9,6.7,5.1,5.1,7.0,7.9,5.2,7.8,7.8,7.8,7.8,5.1,5.1,7.8,7.8,5.2,7.9,7.8,7.8,7.9,5.2,5.2,7.8,7.8,6.9,5.8,6.7,5.1,7.8,7.8,7.8,7.8] new: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] detected: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Web][Acceptable] detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Web][Acceptable] analyse: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47790] -> [...............2a00:1450:4007:816::200a][..443] [TLS.GoogleServices][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.486| 0.068| 0.273|74793.992| 0.000] - [PKTLEN......: 86.000| 1294.000| 252.100| 317.700|100919.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.486| 0.068| 0.273| 74793.992| 1.600] + [PKTLEN......: 72.000| 1280.000| 238.100| 317.700| 100919.600| 4.100] [BINS(c->s)..: 11,1,2,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,0] [IATS(ms)....: 55.5,55.6,2.6,45.1,17.8,0.0,60.2,0.0,0.3,0.3,9.4,2.5,0.6,42.9,0.2,0.0,30.6,0.2,14.9,14.7,23.0,23.0,0.0,0.1,0.1,1.6,29.4,1485.9] - [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,587,86,150,178,458,86,86,86,666,86,117,117,86,476,149,86,86,125,86,86,125,86,251] + [PKTLENS.....: 80,80,72,589,72,1280,1280,72,72,573,72,136,164,444,72,72,72,652,72,103,103,72,462,135,72,72,111,72,72,111,72,237] + [ENTROPIES...: 4.8,5.2,5.1,4.7,5.0,7.8,7.8,5.2,5.2,7.6,5.2,6.1,6.5,7.5,5.1,5.1,5.1,7.6,5.2,5.8,5.7,5.2,7.5,6.2,5.2,5.2,5.9,5.1,5.2,6.0,5.1,6.9] analyse: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40894] -> [...............2a00:1450:4007:816::200d][..443] [TLS.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.043| 0.009| 0.013| 174.232| 0.000] - [PKTLEN......: 86.000| 1294.000| 432.800| 492.400|242485.900| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.043| 0.009| 0.013| 174.232| 3.500] + [PKTLEN......: 72.000| 1280.000| 418.800| 492.400| 242485.900| 4.100] [BINS(c->s)..: 12,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,1,1,0,0] [IATS(ms)....: 23.4,23.6,0.6,27.8,5.3,0.0,32.3,0.0,0.0,3.2,0.2,0.2,43.0,0.9,0.0,0.2,40.4,0.9,3.4,2.5,21.4,0.0,21.3,0.0,7.8,0.0,0.0,7.8,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,1294,336,86,86,86,150,178,341,86,86,86,666,86,117,117,86,890,1294,86,86,1294,1294,1294,1294,86,86] + [PKTLENS.....: 80,80,72,589,72,1280,1280,322,72,72,72,136,164,327,72,72,72,652,72,103,103,72,876,1280,72,72,1280,1280,1280,1280,72,72] + [ENTROPIES...: 4.9,5.4,5.2,4.6,5.1,7.8,7.8,7.2,5.2,5.3,5.3,6.2,6.4,7.2,5.1,5.1,5.1,7.6,5.2,5.8,5.8,5.2,7.8,7.8,5.3,5.3,7.8,7.8,7.9,7.8,5.2,5.2] analyse: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][60340] -> [......2a03:2880:f11f:83:face:b00c::25de][..443] [TLS.Facebook][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.522| 0.133| 0.377|141791.068| 0.000] - [PKTLEN......: 86.000| 1466.000| 273.400| 363.600|132225.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.522| 0.133| 0.377| 141791.068| 2.300] + [PKTLEN......: 72.000| 1452.000| 259.400| 363.600| 132225.800| 4.100] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,1,0,1] [IATS(ms)....: 51.0,51.1,0.7,184.3,0.0,183.7,0.1,7.5,8.6,3.9,48.7,0.0,10.6,0.0,0.0,39.2,0.1,0.0,1.7,5.8,4.0,34.7,42.4,77.0,1489.8,1522.2,0.0,32.5,72.0] - [PKTLENS.....: 94,94,86,603,86,1466,994,86,86,150,178,456,86,86,86,257,166,117,86,86,86,117,121,86,86,506,86,632,86,121,86,1388] + [PKTLENS.....: 80,80,72,589,72,1452,980,72,72,136,164,442,72,72,72,243,152,103,72,72,72,103,107,72,72,492,72,618,72,107,72,1374] + [ENTROPIES...: 5.1,5.4,5.4,4.5,5.3,7.9,7.8,5.4,5.3,6.3,6.5,7.5,5.3,5.3,5.2,6.9,6.5,5.9,5.3,5.3,5.3,5.9,6.0,5.4,5.3,7.6,5.4,7.6,5.3,6.0,5.4,7.8] new: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56940] -> [......................2a04:4e42:1d::720][..443] [MIDSTREAM] new: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51472] -> [...............2a00:1450:4007:816::2003][..443] [MIDSTREAM] new: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54308] -> [...............2a00:1450:4007:806::200e][..443] [MIDSTREAM] @@ -207,37 +220,40 @@ detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][SocialNetwork][Fun] detection-update: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][45126] -> [...............2a00:1450:4007:80a::200e][..443] [TLS.Google][Advertisement][Acceptable] analyse: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][45126] -> [...............2a00:1450:4007:80a::200e][..443] [TLS.Google][Advertisement][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.157| 0.019| 0.038| 1426.179| 0.000] - [PKTLEN......: 86.000| 1294.000| 427.000| 486.700|236885.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.157| 0.019| 0.038| 1426.179| 2.700] + [PKTLEN......: 72.000| 1280.000| 413.000| 486.700| 236885.800| 4.100] [BINS(c->s)..: 13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0] [IATS(ms)....: 46.9,46.9,0.2,112.0,45.4,0.0,157.3,0.0,0.0,2.9,0.3,3.0,37.7,0.0,1.1,0.0,32.6,0.0,0.0,0.6,1.0,0.0,0.3,0.0,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,1294,563,86,86,86,150,178,351,86,86,86,666,500,1294,86,86,86,117,1294,1294,1294,1294,86,86,86,86] + [PKTLENS.....: 80,80,72,589,72,1280,1280,549,72,72,72,136,164,337,72,72,72,652,486,1280,72,72,72,103,1280,1280,1280,1280,72,72,72,72] + [ENTROPIES...: 4.9,5.3,5.1,4.6,5.1,7.8,7.8,7.5,5.1,5.1,5.2,6.1,6.6,7.3,5.0,5.1,5.1,7.6,7.5,7.8,5.1,5.1,5.1,5.8,7.8,7.9,7.8,7.9,5.1,5.2,5.1,5.2] analyse: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.136| 0.027| 0.042| 1750.865| 0.000] - [PKTLEN......: 86.000| 1474.000| 444.600| 544.300|296293.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.136| 0.027| 0.042| 1750.865| 3.200] + [PKTLEN......: 72.000| 1460.000| 430.600| 544.300| 296293.800| 4.000] [BINS(c->s)..: 9,1,1,1,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,1,1] [IATS(ms)....: 46.5,46.6,0.4,49.8,3.6,52.9,0.0,1.3,0.0,1.3,0.0,2.4,0.3,0.5,109.0,0.0,0.0,105.9,0.0,0.0,6.5,35.8,111.1,136.0,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1474,1474,86,86,1474,1244,86,86,179,185,352,86,86,344,152,86,584,86,86,86,124,86,224,86,1474,1474,1474] + [PKTLENS.....: 80,80,72,589,72,1460,1460,72,72,1460,1230,72,72,165,171,338,72,72,330,138,72,570,72,72,72,110,72,210,72,1460,1460,1460] + [ENTROPIES...: 4.7,5.1,5.1,4.5,5.0,6.4,5.2,5.2,5.2,7.3,7.6,5.2,5.1,6.1,6.3,7.2,5.0,5.0,7.1,6.1,4.9,7.5,5.2,5.1,5.2,5.6,5.0,6.7,5.0,7.9,7.8,7.8] detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38546] -> [.......................2a04:4e42:1d::84][..443] [TLS.Pinterest][SocialNetwork][Fun] new: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] detected: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS][Web][Safe] detection-update: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS][Web][Safe] detection-update: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS][Media][Safe] analyse: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.045| 0.007| 0.012| 147.627| 0.000] - [PKTLEN......: 86.000| 1134.000| 391.700| 441.200|194656.500| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.045| 0.007| 0.012| 147.627| 3.200] + [PKTLEN......: 72.000| 1120.000| 377.700| 441.200| 194656.500| 4.100] [BINS(c->s)..: 11,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1] [IATS(ms)....: 21.0,21.0,0.5,37.1,8.9,0.0,45.5,0.0,2.0,0.0,0.0,0.0,2.0,0.0,0.0,0.0,0.1,0.0,7.8,0.5,0.4,31.0,0.0,0.4,0.0,22.8,0.0,0.4,8.3,2.6,0.0] - [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,1134,1134,1134,86,86,86,86,127,86,179,185,356,86,86,344,152,86,86,124,86,1134,1134] + [PKTLENS.....: 80,80,72,589,72,1120,1120,72,72,1120,1120,1120,1120,72,72,72,72,113,72,165,171,342,72,72,330,138,72,72,110,72,1120,1120] + [ENTROPIES...: 4.8,5.1,5.2,4.5,5.1,6.9,5.1,5.2,5.2,6.7,7.2,7.3,7.6,5.2,5.1,5.2,5.2,5.6,5.2,6.0,6.4,7.1,5.1,5.1,7.0,6.2,5.2,5.2,5.7,5.0,7.8,7.8] detection-update: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40114] -> [.....................64:ff9b::9765:7a6e][..443] [TLS][Media][Safe] guessed: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40876] -> [...............2a00:1450:4007:807::200a][..443] [TLS][Web][Safe] idle: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40876] -> [...............2a00:1450:4007:807::200a][..443] diff --git a/test/results/flow-info/pop3_stls.pcap.out b/test/results/flow-info/pop3_stls.pcap.out index c24de3787..8965ca3ec 100644 --- a/test/results/flow-info/pop3_stls.pcap.out +++ b/test/results/flow-info/pop3_stls.pcap.out @@ -11,14 +11,15 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] [POPS][Email][Safe] RISK: Known Proto on Non Std Port, Obsolete TLS (v1.1 or older) analyse: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.072| 0.263| 0.525|275477.529| 0.000] - [PKTLEN......: 54.000| 1514.000| 248.500| 417.000|173868.900| 3.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.072| 0.263| 0.525| 275477.529| 3.300] + [PKTLEN......: 40.000| 1500.000| 234.500| 417.000| 173868.900| 3.700] [BINS(c->s)..: 9,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,4,0,0,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1] [IATS(ms)....: 68.2,69.0,68.7,120.6,119.8,1003.1,1075.3,72.5,0.5,70.8,70.3,69.5,71.0,0.2,69.9,69.1,0.3,69.2,7.0,114.4,36.0,229.4,154.0,2002.9,2072.1,69.1,0.7,117.2,116.7,68.9,75.8] - [PKTLENS.....: 66,66,54,65,60,60,82,60,60,203,60,91,222,1514,1514,54,1514,414,54,368,60,292,85,60,107,85,60,222,98,103,96,103] + [PKTLENS.....: 52,52,40,51,46,46,68,46,46,189,46,77,208,1500,1500,40,1500,400,40,354,46,278,71,46,93,71,46,208,84,89,82,89] + [ENTROPIES...: 4.5,4.8,4.7,5.2,5.0,4.5,5.4,5.0,4.5,5.5,5.0,5.4,5.5,7.1,7.1,4.7,6.9,7.2,4.8,7.4,4.5,7.0,5.8,4.5,5.8,5.7,4.5,7.0,5.9,6.0,5.7,5.9] detection-update: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] [POPS][Email][Safe] RISK: Known Proto on Non Std Port, Obsolete TLS (v1.1 or older) end: [.....1] [ip4][..tcp] [..192.168.20.18][50583] -> [...72.249.41.52][..110] [POPS][Email][Safe] diff --git a/test/results/flow-info/pps.pcap.out b/test/results/flow-info/pps.pcap.out index 70b216125..acb20cf1e 100644 --- a/test/results/flow-info/pps.pcap.out +++ b/test/results/flow-info/pps.pcap.out @@ -9,47 +9,51 @@ new: [.....6] [ip4][..udp] [..192.168.115.8][22793] -> [.111.249.53.196][32443] new: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250] analyse: [.....1] [ip4][..udp] [....1.173.5.226][22636] -> [..192.168.115.8][22793] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.014| 0.003| 0.004| 16.289| 0.000] - [PKTLEN......: 79.000| 1107.000| 400.200| 476.500|227043.400| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.014| 0.003| 0.004| 16.289| 3.700] + [PKTLEN......: 65.000| 1093.000| 386.200| 476.500| 227043.400| 4.000] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1] [IATS(ms)....: 0.3,0.3,3.0,2.0,4.7,0.3,0.1,0.0,0.6,0.6,2.0,0.9,0.2,1.9,1.1,0.1,11.9,11.8,0.1,13.6,13.5,0.1,2.8,2.6,0.2,1.3,1.0,0.1,1.6,1.9,0.3] - [PKTLENS.....: 1107,79,79,1107,1107,79,79,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79] + [PKTLENS.....: 1093,65,65,1093,1093,65,65,65,65,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65] + [ENTROPIES...: 7.8,5.1,5.1,7.8,7.8,5.2,5.1,5.2,5.1,5.2,5.2,7.8,5.1,5.1,7.8,5.2,5.2,7.8,5.1,5.1,7.8,5.2,5.2,7.8,5.1,5.1,7.6,5.2,5.2,7.8,5.2,5.2] not-detected: [.....1] [ip4][..udp] [....1.173.5.226][22636] -> [..192.168.115.8][22793] [Unknown][Unrated] analyse: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.013| 0.002| 0.004| 13.731| 0.000] - [PKTLEN......: 79.000| 1107.000| 400.200| 476.500|227043.400| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.013| 0.002| 0.004| 13.731| 3.800] + [PKTLEN......: 65.000| 1093.000| 386.200| 476.500| 227043.400| 4.000] [BINS(c->s)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.3,12.6,12.6,0.2,1.1,0.9,0.1,1.6,1.5,0.2,2.1,1.8,0.3,0.7,0.6,0.3,1.7,1.1,0.1,3.6,5.8,0.4,11.9,9.1,0.1,1.2,1.4,0.1,1.5,1.1,0.1] - [PKTLENS.....: 79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79] + [PKTLENS.....: 65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65] + [ENTROPIES...: 5.1,5.1,7.8,5.2,5.2,7.7,5.0,5.0,7.8,5.2,5.2,7.8,5.1,5.1,7.8,5.1,5.1,7.8,5.1,5.1,7.8,5.1,5.1,7.8,5.1,5.1,7.8,5.2,5.2,7.8,5.2,5.2] not-detected: [.....3] [ip4][..udp] [..192.168.115.8][22793] -> [...114.42.0.158][.7716] [Unknown][Unrated] new: [.....8] [ip4][..udp] [.183.228.182.44][13913] -> [..192.168.115.8][22793] analyse: [.....2] [ip4][..udp] [..118.171.15.56][.5544] -> [..192.168.115.8][22793] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.027| 0.009| 0.008| 71.240| 0.000] - [PKTLEN......: 79.000| 1107.000| 400.200| 476.500|227043.400| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.027| 0.009| 0.008| 71.240| 4.100] + [PKTLEN......: 65.000| 1093.000| 386.200| 476.500| 227043.400| 4.000] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,1,0,1,1,0] [IATS(ms)....: 0.4,0.2,4.9,0.2,24.3,18.9,0.1,5.4,6.9,0.2,19.1,17.6,0.1,13.8,13.8,0.1,13.1,15.4,0.1,27.0,24.4,0.2,9.0,11.0,0.4,2.0,0.9,14.1,8.3,0.1,12.1] - [PKTLENS.....: 1107,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107] + [PKTLENS.....: 1093,65,65,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093] + [ENTROPIES...: 7.7,5.1,5.1,5.1,5.1,7.8,5.1,5.1,7.8,5.2,5.2,7.8,5.1,5.1,7.8,5.0,5.0,7.8,5.1,5.1,7.8,5.2,5.2,7.8,5.1,5.1,5.0,5.0,7.8,5.1,5.1,7.8] not-detected: [.....2] [ip4][..udp] [..118.171.15.56][.5544] -> [..192.168.115.8][22793] [Unknown][Unrated] new: [.....9] [ip4][..tcp] [..192.168.115.8][50462] -> [.202.108.14.236][...80] [MIDSTREAM] new: [....10] [ip4][..tcp] [...192.168.5.15][65125] -> [.68.233.253.133][...80] [MIDSTREAM] analyse: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.070| 0.024| 0.021| 457.568| 0.000] - [PKTLEN......: 79.000| 1107.000| 336.000| 445.100|198147.000| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.070| 0.024| 0.021| 457.568| 4.200] + [PKTLEN......: 65.000| 1093.000| 322.000| 445.100| 198147.000| 3.900] [BINS(c->s)..: 0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0] [IATS(ms)....: 0.4,29.9,29.7,0.1,32.0,32.8,0.3,45.7,0.3,69.6,23.0,0.1,42.0,41.6,0.1,36.0,0.3,59.5,23.0,0.1,31.8,32.2,0.3,44.4,0.3,68.3,22.7,0.2,30.9,30.8,0.2] - [PKTLENS.....: 79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79] + [PKTLENS.....: 65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65] + [ENTROPIES...: 5.1,5.1,7.8,5.2,5.2,7.8,5.2,5.2,5.2,5.2,7.8,5.3,5.3,7.8,5.1,5.1,5.1,5.1,7.8,5.2,5.2,7.8,5.2,5.2,5.2,5.2,7.8,5.1,5.1,7.8,4.9,4.9] not-detected: [.....7] [ip4][..udp] [..192.168.115.8][22793] -> [219.228.107.156][.1250] [Unknown][Unrated] new: [....11] [ip4][..udp] [..192.168.115.8][22793] -> [..218.61.39.103][17788] new: [....12] [ip4][..udp] [..192.168.115.8][22793] -> [...210.44.171.1][29702] @@ -78,14 +82,15 @@ new: [....35] [ip4][..udp] [..192.168.115.8][22793] -> [119.188.133.182][17788] new: [....36] [ip4][..udp] [..192.168.115.8][22793] -> [.183.61.167.104][17788] analyse: [.....4] [ip4][..udp] [..192.168.115.8][22793] -> [.222.197.138.12][.6956] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.108| 0.029| 0.031| 941.853| 0.000] - [PKTLEN......: 61.000| 1107.000| 303.300| 425.300|180865.500| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.108| 0.029| 0.031| 941.853| 4.000] + [PKTLEN......: 47.000| 1093.000| 289.300| 425.300| 180865.500| 3.800] [BINS(c->s)..: 0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1] [IATS(ms)....: 0.9,52.8,52.3,0.3,55.5,0.1,77.7,22.0,0.2,78.3,79.3,0.5,0.4,0.1,46.5,44.4,0.1,18.4,18.5,0.3,36.0,0.1,108.0,71.5,0.7,28.3,0.5,45.9,16.1,0.4,33.5] - [PKTLENS.....: 79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,79,79,1107,79,79,61] + [PKTLENS.....: 65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,65,65,1093,65,65,47] + [ENTROPIES...: 5.3,5.3,7.8,5.3,5.3,5.3,5.3,7.8,5.2,5.2,7.8,5.0,5.0,5.1,5.1,7.8,5.2,5.2,7.7,5.1,5.1,5.1,5.1,7.8,5.1,5.1,5.1,5.1,7.8,5.1,5.1,4.9] not-detected: [.....4] [ip4][..udp] [..192.168.115.8][22793] -> [.222.197.138.12][.6956] [Unknown][Unrated] new: [....37] [ip4][..tcp] [..192.168.115.8][50463] -> [.101.227.200.11][...80] [MIDSTREAM] detected: [....37] [ip4][..tcp] [..192.168.115.8][50463] -> [.101.227.200.11][...80] [HTTP.PPStream][Streaming][Fun] @@ -219,14 +224,15 @@ new: [....82] [ip4][..tcp] [..192.168.115.8][50504] -> [.202.108.14.236][...80] [MIDSTREAM] detected: [....82] [ip4][..tcp] [..192.168.115.8][50504] -> [.202.108.14.236][...80] [HTTP][Streaming][Acceptable] analyse: [....81] [ip4][..tcp] [..192.168.115.8][50505] -> [..223.26.106.19][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.036| 0.003| 0.009| 84.840| 0.000] - [PKTLEN......: 198.000| 1314.000| 1221.000| 293.900|86398.000| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.036| 0.003| 0.009| 84.840| 1.800] + [PKTLEN......: 184.000| 1300.000| 1207.000| 293.900| 86398.000| 4.900] [BINS(c->s)..: 0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 2.9,35.0,35.8,0.0,0.1,1.0,0.0,0.0,0.0,0.0,0.0,0.0,4.1,0.0,0.0,0.0,0.0,0.6,0.0,0.0,0.0,4.3,0.1,0.0,0.0,0.0,0.0] - [PKTLENS.....: 198,566,202,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314] + [PKTLENS.....: 184,552,188,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300] + [ENTROPIES...: 5.6,5.7,5.6,4.4,0.3,0.3,3.7,6.1,5.9,6.1,6.0,6.2,6.1,6.0,6.1,5.9,6.3,6.2,6.3,6.4,5.8,6.2,6.0,6.1,6.1,6.4,6.3,6.0,6.1,6.0,6.4,6.3] new: [....83] [ip4][..udp] [...192.168.5.38][.1900] -> [239.255.255.250][.1900] detected: [....83] [ip4][..udp] [...192.168.5.38][.1900] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] new: [....84] [ip4][..udp] [...192.168.5.41][50374] -> [239.255.255.250][.1900] @@ -268,14 +274,15 @@ new: [...102] [ip4][..tcp] [..192.168.115.8][50778] -> [..223.26.106.20][...80] [MIDSTREAM] detected: [...102] [ip4][..tcp] [..192.168.115.8][50778] -> [..223.26.106.20][...80] [HTTP.PPStream][Streaming][Fun] analyse: [...102] [ip4][..tcp] [..192.168.115.8][50778] -> [..223.26.106.20][...80] [HTTP.PPStream][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.061| 0.005| 0.014| 183.828| 0.000] - [PKTLEN......: 303.000| 1314.000| 1282.400| 175.900|30943.100| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.061| 0.005| 0.014| 183.828| 1.800] + [PKTLEN......: 289.000| 1300.000| 1268.400| 175.900| 30943.100| 5.000] [BINS(c->s)..: 0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 61.4,0.0,0.0,0.0,0.0,30.3,0.0,0.0,0.0,25.9,0.0,0.5,0.0,0.0,0.0,0.6,0.0,3.5,0.0,0.8,0.0,0.0,0.0,0.0,0.0,2.2] - [PKTLENS.....: 303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314] + [PKTLENS.....: 289,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300] + [ENTROPIES...: 5.7,7.1,7.8,7.8,7.8,7.8,7.8,7.9,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.7,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8] new: [...103] [ip4][..udp] [..192.168.115.1][50945] -> [239.255.255.250][.1900] detected: [...103] [ip4][..udp] [..192.168.115.1][50945] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] new: [...104] [ip4][..tcp] [..192.168.115.8][50779] -> [..111.206.22.77][...80] [MIDSTREAM] @@ -283,14 +290,15 @@ new: [...105] [ip4][..tcp] [..192.168.115.8][50780] -> [..223.26.106.20][...80] [MIDSTREAM] detected: [...105] [ip4][..tcp] [..192.168.115.8][50780] -> [..223.26.106.20][...80] [HTTP.PPStream][Streaming][Fun] analyse: [...105] [ip4][..tcp] [..192.168.115.8][50780] -> [..223.26.106.20][...80] [HTTP.PPStream][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.063| 0.006| 0.016| 268.635| 0.000] - [PKTLEN......: 303.000| 1314.000| 1282.400| 175.900|30943.100| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.063| 0.006| 0.016| 268.635| 1.700] + [PKTLEN......: 289.000| 1300.000| 1268.400| 175.900| 30943.100| 5.000] [BINS(c->s)..: 0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 62.9,0.0,0.0,0.0,0.0,0.0,28.6,0.0,0.0,57.9,0.0,0.0,0.0,0.0,0.0,0.3,0.0,0.3,0.0,3.2,0.0,0.0,0.8,0.0,0.0,0.0,0.0] - [PKTLENS.....: 303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314] + [PKTLENS.....: 289,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300] + [ENTROPIES...: 5.7,7.1,7.8,7.8,7.8,7.8,7.8,7.7,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8] update: [....55] [ip4][..udp] [...192.168.5.57][59648] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] new: [...106] [ip4][..tcp] [..192.168.115.8][50781] -> [..223.26.106.20][...80] [MIDSTREAM] detected: [...106] [ip4][..tcp] [..192.168.115.8][50781] -> [..223.26.106.20][...80] [HTTP.PPStream][Streaming][Fun] diff --git a/test/results/flow-info/psiphon3.pcap.out b/test/results/flow-info/psiphon3.pcap.out index 8637a6bff..184e81107 100644 --- a/test/results/flow-info/psiphon3.pcap.out +++ b/test/results/flow-info/psiphon3.pcap.out @@ -9,14 +9,15 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] [TLS.Psiphon][VPN][Acceptable] RISK: Missing SNI TLS Extn analyse: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 0.046| 0.011| 0.012| 137.508| 0.000] - [PKTLEN......: 40.000| 1500.000| 277.500| 421.900|177964.300| 3.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 0.046| 0.011| 0.012| 137.508| 3.600] + [PKTLEN......: 40.000| 1500.000| 277.500| 421.900| 177964.300| 3.800] [BINS(c->s)..: 10,1,3,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [DIRECTIONS..: 0,0,1,1,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0] [IATS(ms)....: 6.0,17.4,14.4,1.0,16.0,7.0,5.0,3.0,28.0,2.0,3.0,1.0,7.0,25.9,1.4,4.0,20.8,1.0,46.1,1.0] [PKTLENS.....: 60,60,52,52,40,208,40,208,40,40,1500,1002,1500,1002,40,40,40,40,133,133,40,40,298,109,298,109,40,40,133,417,78,1048] + [ENTROPIES...: 4.6,4.6,4.8,4.8,4.8,5.4,4.8,5.4,4.8,4.8,7.0,7.2,7.0,7.2,4.8,4.8,4.8,4.8,5.9,5.9,4.8,4.8,7.0,6.0,7.0,6.0,4.7,4.7,6.3,7.3,5.4,7.8] detection-update: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] [TLS.Psiphon][VPN][Acceptable] RISK: Missing SNI TLS Extn end: [.....1] [ip4][..tcp] [..192.168.0.103][40557] -> [.104.18.151.190][..443] [TLS.Psiphon][VPN][Acceptable] diff --git a/test/results/flow-info/quic-28.pcap.out b/test/results/flow-info/quic-28.pcap.out index 455182a57..12c31f6a8 100644 --- a/test/results/flow-info/quic-28.pcap.out +++ b/test/results/flow-info/quic-28.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..udp] [.......10.9.0.2][60106] -> [..104.26.11.240][..443] detected: [.....1] [ip4][..udp] [.......10.9.0.2][60106] -> [..104.26.11.240][..443] [QUIC.Cloudflare][Web][Acceptable] analyse: [.....1] [ip4][..udp] [.......10.9.0.2][60106] -> [..104.26.11.240][..443] [QUIC.Cloudflare][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.021| 0.006| 0.007| 51.479| 0.000] - [PKTLEN......: 85.000| 1242.000| 343.800| 425.600|181138.200| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.021| 0.006| 0.007| 51.479| 3.900] + [PKTLEN......: 71.000| 1228.000| 329.800| 425.600| 181138.200| 4.000] [BINS(c->s)..: 0,6,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,9,3,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,1,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,0,1,1,0,0,1,1,0,0,1] [IATS(ms)....: 13.6,13.8,13.9,1.1,15.1,1.4,0.0,0.0,2.2,0.3,0.0,0.0,0.0,14.7,0.0,0.0,0.0,0.0,0.0,0.0,0.0,13.8,1.2,10.5,11.8,5.5,19.9,6.5,21.0,4.0,19.1] - [PKTLENS.....: 1242,89,1242,113,203,1242,1238,1239,259,152,103,85,85,168,112,557,85,85,110,85,85,85,85,85,700,85,147,85,859,85,122,86] + [PKTLENS.....: 1228,75,1228,99,189,1228,1224,1225,245,138,89,71,71,154,98,543,71,71,96,71,71,71,71,71,686,71,133,71,845,71,108,72] + [ENTROPIES...: 7.8,5.4,7.8,6.0,6.7,7.8,7.8,7.9,7.1,6.5,6.1,5.9,5.9,6.7,6.1,7.6,5.8,5.7,6.1,5.7,5.7,5.8,5.8,5.8,7.7,5.8,6.6,5.8,7.8,5.9,6.2,5.7] idle: [.....1] [ip4][..udp] [.......10.9.0.2][60106] -> [..104.26.11.240][..443] [QUIC.Cloudflare][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic-33.pcapng.out b/test/results/flow-info/quic-33.pcapng.out index 646aa8f3f..4a698d57a 100644 --- a/test/results/flow-info/quic-33.pcapng.out +++ b/test/results/flow-info/quic-33.pcapng.out @@ -5,14 +5,15 @@ detected: [.....1] [ip6][..udp] [....................................::1][51430] -> [....................................::1][.4443] [QUIC][Web][Acceptable] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn analyse: [.....1] [ip6][..udp] [....................................::1][51430] -> [....................................::1][.4443] [QUIC][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.003| 0.000| 0.001| 0.627| 0.000] - [PKTLEN......: 115.000| 1502.000| 1004.900| 605.000|366070.200| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.003| 0.000| 0.001| 0.627| 3.200] + [PKTLEN......: 101.000| 1488.000| 990.900| 605.000| 366070.200| 4.600] [BINS(c->s)..: 0,4,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,15,0,0] [DIRECTIONS..: 0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 2.8,0.1,0.0,3.4,0.6,0.3,0.0,0.4,0.1,0.4,0.0,1.1,1.4,0.5,0.0,0.3,0.1,0.3,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0] - [PKTLENS.....: 1294,1294,805,1502,115,117,209,117,1294,1294,373,1502,501,245,117,117,117,117,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502] + [PKTLENS.....: 1280,1280,791,1488,101,103,195,103,1280,1280,359,1488,487,231,103,103,103,103,1488,1488,1488,1488,1488,1488,1488,1488,1488,1488,1488,1488,1488,1488] + [ENTROPIES...: 7.8,7.8,7.6,7.8,4.5,4.9,6.0,4.9,7.8,7.8,7.0,7.8,7.4,6.6,4.8,4.9,4.7,4.9,7.8,7.8,7.8,7.8,7.9,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8] idle: [.....1] [ip6][..udp] [....................................::1][51430] -> [....................................::1][.4443] [QUIC][Web][Acceptable] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic-mvfst-22.pcap.out b/test/results/flow-info/quic-mvfst-22.pcap.out index 527383a21..83d6ff0b0 100644 --- a/test/results/flow-info/quic-mvfst-22.pcap.out +++ b/test/results/flow-info/quic-mvfst-22.pcap.out @@ -2,14 +2,15 @@ new: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] detected: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] [QUIC.Facebook][SocialNetwork][Fun] analyse: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] [QUIC.Facebook][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.091| 0.169| 0.515|264779.547| 0.000] - [PKTLEN......: 66.000| 1294.000| 630.500| 577.000|332915.800| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.091| 0.169| 0.515| 264779.547| 2.100] + [PKTLEN......: 52.000| 1280.000| 616.500| 577.000| 332915.800| 4.300] [BINS(c->s)..: 1,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,3,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,3,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,1,1,0,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,1,1,1,1] [IATS(ms)....: 6.6,0.2,0.0,0.0,15.8,0.2,0.1,25.7,16.5,24.4,2091.0,2072.8,30.6,212.7,1.8,0.1,243.4,0.0,25.4,21.9,80.7,0.0,0.0,0.0,0.0,96.7,35.8,60.9,0.1,0.0] - [PKTLENS.....: 1274,1294,1294,235,95,1274,120,109,80,275,73,66,1142,70,74,612,1274,1235,70,70,74,66,1294,1294,1294,1294,98,79,66,1294,1294,1294] + [PKTLENS.....: 1260,1280,1280,221,81,1260,106,95,66,261,59,52,1128,56,60,598,1260,1221,56,56,60,52,1280,1280,1280,1280,84,65,52,1280,1280,1280] + [ENTROPIES...: 7.9,7.8,7.9,6.9,5.8,7.8,6.0,6.1,5.4,7.1,5.4,5.2,7.8,5.2,5.4,7.6,7.8,7.8,5.4,5.2,5.4,5.1,7.8,7.8,7.9,7.8,5.9,5.5,5.2,7.9,7.8,7.8] update: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] [QUIC.Facebook][SocialNetwork][Fun] idle: [.....1] [ip4][..udp] [......10.0.2.15][35601] -> [.....31.13.86.8][..443] [QUIC.Facebook][SocialNetwork][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out b/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out index bbd353386..7370e5534 100644 --- a/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out +++ b/test/results/flow-info/quic-mvfst-22_decryption_error.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..udp] [..10.230.40.168][62196] -> [..94.97.225.146][..443] detected: [.....1] [ip4][..udp] [..10.230.40.168][62196] -> [..94.97.225.146][..443] [QUIC][Web][Acceptable] analyse: [.....1] [ip4][..udp] [..10.230.40.168][62196] -> [..94.97.225.146][..443] [QUIC][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 0.003| 0.002| 0.001| 0.889| 0.000] - [PKTLEN......: 60.000| 1280.000| 708.500| 531.100|282057.000| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 0.003| 0.002| 0.001| 0.889| 1.400] + [PKTLEN......: 60.000| 1280.000| 708.500| 531.100| 282057.000| 4.500] [BINS(c->s)..: 0,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,3,0,0,0,0,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 1.0,3.0,1.0] [PKTLENS.....: 1260,106,106,106,698,698,698,60,60,60,66,66,66,261,261,261,400,400,400,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280] + [ENTROPIES...: 7.9,6.1,6.1,6.2,7.7,7.7,7.7,5.5,5.5,5.5,5.4,5.4,5.5,7.2,7.2,7.2,7.4,7.4,7.4,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.8,7.9] idle: [.....1] [ip4][..udp] [..10.230.40.168][62196] -> [..94.97.225.146][..443] [QUIC][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic-v2-01.pcapng.out b/test/results/flow-info/quic-v2-01.pcapng.out index 020949c60..c1badbb49 100644 --- a/test/results/flow-info/quic-v2-01.pcapng.out +++ b/test/results/flow-info/quic-v2-01.pcapng.out @@ -5,14 +5,15 @@ detected: [.....1] [ip4][..udp] [...192.168.56.1][34229] -> [.192.168.56.198][.4443] [QUIC][Web][Acceptable] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn analyse: [.....1] [ip4][..udp] [...192.168.56.1][34229] -> [.192.168.56.198][.4443] [QUIC][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.003| 0.000| 0.001| 0.343| 0.000] - [PKTLEN......: 97.000| 1482.000| 1045.900| 592.800|351417.000| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.003| 0.000| 0.001| 0.343| 3.200] + [PKTLEN......: 83.000| 1468.000| 1031.900| 592.800| 351417.000| 4.700] [BINS(c->s)..: 0,4,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0] [BINS(s->c)..: 0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,18,0,0] [DIRECTIONS..: 0,1,1,1,0,0,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,0,1] [IATS(ms)....: 2.2,0.0,0.1,2.6,0.0,0.2,0.5,0.1,0.1,0.4,0.5,0.3,0.4,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.3,0.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.4,0.3] - [PKTLENS.....: 1294,1294,766,1482,445,1482,225,97,97,481,97,97,225,1482,1482,1482,1482,1482,1482,1482,1482,97,1482,1482,1482,1482,1482,1482,1482,1482,97,1482] + [PKTLENS.....: 1280,1280,752,1468,431,1468,211,83,83,467,83,83,211,1468,1468,1468,1468,1468,1468,1468,1468,83,1468,1468,1468,1468,1468,1468,1468,1468,83,1468] + [ENTROPIES...: 7.9,7.8,7.7,7.9,7.5,7.9,7.0,5.9,6.0,7.6,6.1,5.9,7.0,7.9,7.9,7.9,7.9,7.9,7.9,7.8,7.8,5.8,7.9,7.9,7.9,7.9,7.9,7.8,7.9,7.9,5.9,7.9] idle: [.....1] [ip4][..udp] [...192.168.56.1][34229] -> [.192.168.56.198][.4443] [QUIC][Web][Acceptable] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic.pcap.out b/test/results/flow-info/quic.pcap.out index 1fe34e397..9ad391e0d 100644 --- a/test/results/flow-info/quic.pcap.out +++ b/test/results/flow-info/quic.pcap.out @@ -4,14 +4,15 @@ new: [.....1] [ip4][..udp] [..192.168.1.109][57833] -> [.216.58.212.101][..443] detected: [.....1] [ip4][..udp] [..192.168.1.109][57833] -> [.216.58.212.101][..443] [QUIC.GMail][Email][Acceptable] analyse: [.....1] [ip4][..udp] [..192.168.1.109][57833] -> [.216.58.212.101][..443] [QUIC.GMail][Email][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.198| 0.584| 0.964|929164.558| 0.000] - [PKTLEN......: 61.000| 1392.000| 323.100| 382.900|146578.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.198| 0.584| 0.964| 929164.558| 3.400] + [PKTLEN......: 47.000| 1378.000| 309.100| 382.900| 146578.800| 4.100] [BINS(c->s)..: 0,8,0,1,1,1,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0] [BINS(s->c)..: 4,4,0,0,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1,0,1,0,0,1,1,0] [IATS(ms)....: 46.0,60.1,14.8,65.4,2.5,93.4,168.1,168.1,622.7,681.3,0.0,58.0,3119.1,3197.6,0.0,0.0,54.1,25.5,1951.1,28.6,2034.7,28.3,0.0,0.0,56.9,470.8,496.4,2190.2,2289.8,44.7,126.0] - [PKTLENS.....: 1392,478,1392,79,74,725,82,725,79,214,508,70,82,194,170,69,101,82,79,255,163,77,71,240,61,88,215,79,1190,77,758,469] + [PKTLENS.....: 1378,464,1378,65,60,711,68,711,65,200,494,56,68,180,156,55,87,68,65,241,149,63,57,226,47,74,201,65,1176,63,744,455] + [ENTROPIES...: 4.8,7.5,7.8,5.7,5.5,7.7,5.7,7.7,5.7,6.9,7.5,5.4,5.8,6.9,6.6,5.4,6.0,5.7,5.6,7.1,6.6,5.5,5.4,7.0,5.1,5.8,6.9,5.6,7.9,5.4,7.8,7.6] DAEMON-EVENT: [Processed: 413 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....2] [ip4][..udp] [.......10.0.0.4][40134] -> [.......10.0.0.3][.6121] @@ -40,14 +41,15 @@ new: [....10] [ip4][..udp] [..192.168.1.109][35236] -> [.216.58.210.206][..443] detected: [....10] [ip4][..udp] [..192.168.1.109][35236] -> [.216.58.210.206][..443] [QUIC.YouTube][Media][Fun] analyse: [....10] [ip4][..udp] [..192.168.1.109][35236] -> [.216.58.210.206][..443] [QUIC.YouTube][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.829| 0.062| 0.199|39440.069| 0.000] - [PKTLEN......: 75.000| 1392.000| 871.800| 620.800|385421.500| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.829| 0.062| 0.199| 39440.069| 2.000] + [PKTLEN......: 61.000| 1378.000| 857.800| 620.800| 385421.500| 4.500] [BINS(c->s)..: 0,8,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,16,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,0,1,0,1,1,1,0,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,1,1] [IATS(ms)....: 0.6,35.4,0.0,40.5,0.1,24.0,26.0,16.8,0.1,0.5,35.5,51.7,0.4,0.0,26.6,25.6,828.6,0.0,803.2,0.6,0.4,0.2,0.8,0.2,0.4,0.2,0.3,0.2,0.5,0.3,0.2] - [PKTLENS.....: 1392,387,1392,1392,1392,383,79,82,1392,75,75,85,1392,1392,1188,82,79,1392,1392,82,1392,1392,1392,82,1392,82,1392,1392,1392,82,1392,1392] + [PKTLENS.....: 1378,373,1378,1378,1378,369,65,68,1378,61,61,71,1378,1378,1174,68,65,1378,1378,68,1378,1378,1378,68,1378,68,1378,1378,1378,68,1378,1378] + [ENTROPIES...: 5.1,7.4,7.6,2.6,5.4,7.4,5.3,5.5,7.9,5.5,5.5,5.7,7.9,7.9,7.8,5.6,5.6,7.9,7.9,5.7,7.9,7.9,7.9,5.6,7.9,5.7,7.9,7.8,7.9,5.6,7.9,7.9] idle: [.....7] [ip4][..udp] [..192.168.1.105][40030] -> [.216.58.201.227][..443] [QUIC.Google][Web][Acceptable] guessed: [.....4] [ip4][..udp] [..192.168.1.105][40461] -> [...172.217.16.3][..443] [Google][Web][Acceptable] idle: [.....4] [ip4][..udp] [..192.168.1.105][40461] -> [...172.217.16.3][..443] diff --git a/test/results/flow-info/quic046.pcap.out b/test/results/flow-info/quic046.pcap.out index 02443648f..4a2d54274 100644 --- a/test/results/flow-info/quic046.pcap.out +++ b/test/results/flow-info/quic046.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..udp] [..192.168.1.236][50587] -> [..216.58.206.86][..443] detected: [.....1] [ip4][..udp] [..192.168.1.236][50587] -> [..216.58.206.86][..443] [QUIC.YouTube][Media][Fun] analyse: [.....1] [ip4][..udp] [..192.168.1.236][50587] -> [..216.58.206.86][..443] [QUIC.YouTube][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.029| 0.002| 0.006| 39.230| 0.000] - [PKTLEN......: 62.000| 1392.000| 907.100| 591.600|350034.900| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.029| 0.002| 0.006| 39.230| 2.600] + [PKTLEN......: 48.000| 1378.000| 893.100| 591.600| 350034.900| 4.600] [BINS(c->s)..: 2,0,1,0,5,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1] [IATS(ms)....: 1.0,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.7,21.2,29.5,0.4,0.2,0.2,0.2,0.2,0.2,0.3,0.3,0.3,0.2,0.3,0.2,0.2,0.3,0.3,6.5,0.2,0.5,0.7,0.2] - [PKTLENS.....: 1392,574,128,201,199,199,200,199,205,202,1392,1392,269,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,70,62,1392,70,1392] + [PKTLENS.....: 1378,560,114,187,185,185,186,185,191,188,1378,1378,255,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,56,48,1378,56,1378] + [ENTROPIES...: 4.1,7.6,6.3,6.9,6.9,6.8,6.9,6.9,7.0,6.9,4.1,7.9,7.1,7.9,7.9,7.9,7.8,7.9,7.9,7.9,7.9,7.8,7.9,7.9,7.9,7.9,7.9,5.4,5.1,7.8,5.4,7.9] idle: [.....1] [ip4][..udp] [..192.168.1.236][50587] -> [..216.58.206.86][..443] [QUIC.YouTube][Media][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic_q39.pcap.out b/test/results/flow-info/quic_q39.pcap.out index c09e2f48a..6b9eb32ad 100644 --- a/test/results/flow-info/quic_q39.pcap.out +++ b/test/results/flow-info/quic_q39.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..udp] [.170.216.16.209][38620] -> [.21.157.183.227][..443] detected: [.....1] [ip4][..udp] [.170.216.16.209][38620] -> [.21.157.183.227][..443] [QUIC.YouTube][Media][Fun] analyse: [.....1] [ip4][..udp] [.170.216.16.209][38620] -> [.21.157.183.227][..443] [QUIC.YouTube][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 6.515| 0.578| 1.532|2346988.339| 0.000] - [PKTLEN......: 60.000| 1392.000| 556.200| 603.700|364512.400| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 6.515| 0.578| 1.532| 2346988.339| 2.700] + [PKTLEN......: 46.000| 1378.000| 542.200| 603.700| 364512.400| 4.100] [BINS(c->s)..: 0,4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,9,0,0,0,0,0] [BINS(s->c)..: 4,10,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,1,1,1,0] [IATS(ms)....: 8.9,36.7,89.8,0.0,404.1,1.4,298.3,119.2,0.0,434.8,6185.3,12.8,6514.6,11.4,11.4,22.7,702.6,702.7,435.3,435.2,11.4,11.4,16.0,15.9,397.2,9.2,397.7,33.9,93.4,0.1,499.9] - [PKTLENS.....: 1392,1174,77,1392,73,83,83,72,305,60,83,270,1392,78,1392,1392,75,1392,74,1392,76,1392,76,1392,76,1392,730,76,76,104,60,98] + [PKTLENS.....: 1378,1160,63,1378,59,69,69,58,291,46,69,256,1378,64,1378,1378,61,1378,60,1378,62,1378,62,1378,62,1378,716,62,62,90,46,84] + [ENTROPIES...: 4.2,7.8,5.0,7.8,5.4,5.6,5.7,5.3,7.3,4.8,5.8,7.1,7.9,5.4,7.8,7.9,5.5,7.9,5.4,7.9,5.4,7.9,5.4,7.9,5.5,7.8,7.7,5.5,5.5,6.0,4.8,6.0] idle: [.....1] [ip4][..udp] [.170.216.16.209][38620] -> [.21.157.183.227][..443] [QUIC.YouTube][Media][Fun] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quic_t51.pcap.out b/test/results/flow-info/quic_t51.pcap.out index a59012dfd..a39038c23 100644 --- a/test/results/flow-info/quic_t51.pcap.out +++ b/test/results/flow-info/quic_t51.pcap.out @@ -4,14 +4,15 @@ new: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] detected: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] [QUIC.Google][Web][Acceptable] analyse: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] [QUIC.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 19.583| 2.165| 5.210|27140724.621| 0.000] - [PKTLEN......: 67.000| 1392.000| 451.200| 500.300|250315.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 19.583| 2.165| 5.210| 27140724.621| 2.500] + [PKTLEN......: 53.000| 1378.000| 437.200| 500.300| 250315.800| 4.100] [BINS(c->s)..: 0,8,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 7,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,3,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,1,1,0,0,0,1,1,0,0,1,1,1,1,0,0,0,1,1,1,1,0,0,0,1,1,1,1,0] [IATS(ms)....: 5.9,69.3,110.8,0.0,0.0,113.6,2.3,5.8,80.0,0.0,46.4,10090.9,10162.3,246.2,1.4,0.0,331.6,26.2,19472.4,19582.6,120.2,0.7,0.2,185.0,26.5,2999.5,3090.0,125.9,1.4,0.1,205.6] - [PKTLENS.....: 1392,1392,1392,1392,1392,1254,83,83,115,68,658,75,1003,67,682,68,313,75,75,511,67,734,68,151,75,75,225,67,470,68,273,75] + [PKTLENS.....: 1378,1378,1378,1378,1378,1240,69,69,101,54,644,61,989,53,668,54,299,61,61,497,53,720,54,137,61,61,211,53,456,54,259,61] + [ENTROPIES...: 7.9,7.9,7.8,7.8,7.9,7.8,5.6,5.7,6.2,5.2,7.7,5.6,7.8,5.2,7.7,5.4,7.3,5.7,5.6,7.5,5.3,7.7,5.3,6.5,5.6,5.6,7.0,5.3,7.5,5.2,7.3,5.6] update: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] [QUIC.Google][Web][Acceptable] idle: [.....1] [ip4][..udp] [187.227.136.152][55356] -> [.211.247.147.90][..443] [QUIC.Google][Web][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/quickplay.pcap.out b/test/results/flow-info/quickplay.pcap.out index 3955279a4..81e78bb65 100644 --- a/test/results/flow-info/quickplay.pcap.out +++ b/test/results/flow-info/quickplay.pcap.out @@ -34,14 +34,15 @@ detected: [....14] [ip4][..tcp] [..10.54.169.250][42762] -> [203.205.129.101][...80] [HTTP_Proxy.QQ][Chat][Fun] RISK: Known Proto on Non Std Port analyse: [....11] [ip4][..tcp] [..10.54.169.250][52009] -> [...120.28.35.40][...80] [HTTP][Streaming][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.183| 5.871| 2.460| 1.331|1772261.736| 0.000] - [PKTLEN......: 76.000| 1456.000| 656.400| 347.900|121006.600| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.183| 5.871| 2.460| 1.331| 1772261.736| 4.700] + [PKTLEN......: 60.000| 1440.000| 640.400| 347.900| 121006.600| 4.800] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,13,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,1,2,0,0,0,0,0,2,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 2337.9,2470.8,5776.6,5871.2,324.6,2084.5,1689.1,182.6,2170.3,2013.3,645.6,519.6,2223.7,2353.5,480.9,4401.9,3911.8,3909.7,3936.6,2356.5,2338.3,2620.0,2626.5,2264.1,2270.5,2391.5,2349.5,2604.5,2642.0,2224.9,2252.1] - [PKTLENS.....: 500,1456,500,240,585,502,1248,585,502,854,587,76,504,1268,585,502,158,502,658,502,1124,502,1208,502,348,502,1456,502,962,502,580,502] + [PKTLENS.....: 484,1440,484,224,569,486,1232,569,486,838,571,60,488,1252,569,486,142,486,642,486,1108,486,1192,486,332,486,1440,486,946,486,564,486] + [ENTROPIES...: 5.9,7.9,6.0,7.1,5.9,5.9,7.8,5.9,5.9,7.7,6.0,5.0,6.0,7.8,6.0,5.9,6.6,5.9,7.7,6.0,7.8,5.9,7.8,6.0,7.3,5.9,7.9,5.9,7.8,5.9,7.6,5.9] new: [....15] [ip4][..tcp] [..10.54.169.250][35670] -> [203.205.147.215][...80] [MIDSTREAM] detected: [....15] [ip4][..tcp] [..10.54.169.250][35670] -> [203.205.147.215][...80] [HTTP_Proxy.QQ][Chat][Fun] RISK: Known Proto on Non Std Port diff --git a/test/results/flow-info/rdp.pcap.out b/test/results/flow-info/rdp.pcap.out index e23956442..2dccf5fdd 100644 --- a/test/results/flow-info/rdp.pcap.out +++ b/test/results/flow-info/rdp.pcap.out @@ -5,14 +5,15 @@ detected: [.....1] [ip4][..tcp] [...172.16.2.185][52494] -> [..192.168.2.142][.3389] [RDP][RemoteAccess][Acceptable] RISK: Desktop/File Sharing analyse: [.....1] [ip4][..tcp] [...172.16.2.185][52494] -> [..192.168.2.142][.3389] [RDP][RemoteAccess][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.086| 0.035| 0.023| 533.403| 0.000] - [PKTLEN......: 44.000| 1223.000| 157.300| 233.300|54415.100| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.086| 0.035| 0.023| 533.403| 4.500] + [PKTLEN......: 40.000| 1219.000| 153.300| 233.300| 54415.100| 4.100] [BINS(c->s)..: 12,3,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,4,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,0,1,0] [IATS(ms)....: 42.4,42.5,0.4,46.1,45.8,5.9,50.4,44.5,5.2,48.3,43.1,41.5,86.2,44.7,10.2,53.9,43.7,0.3,43.8,43.5,0.3,43.7,43.4,0.3,0.1,43.6,40.3,83.3,0.3,42.5,42.2] - [PKTLENS.....: 68,56,44,63,63,44,217,1223,44,170,95,44,130,335,44,616,132,44,149,77,44,535,199,44,85,81,44,84,44,85,88,44] + [PKTLENS.....: 64,52,40,59,59,40,213,1219,40,166,91,40,126,331,40,612,128,40,145,73,40,531,195,40,81,77,40,80,40,81,84,40] + [ENTROPIES...: 4.4,4.9,4.6,4.3,4.8,4.6,5.3,7.6,4.7,6.6,5.5,4.7,6.4,7.1,4.7,7.7,6.2,4.7,6.7,5.2,4.7,7.5,6.7,4.7,5.8,5.6,4.9,5.4,4.7,5.7,5.5,4.7] end: [.....1] [ip4][..tcp] [...172.16.2.185][52494] -> [..192.168.2.142][.3389] [RDP][RemoteAccess][Acceptable] RISK: Desktop/File Sharing DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/reasm_crash_anon.pcapng.out b/test/results/flow-info/reasm_crash_anon.pcapng.out index 1dda04114..00e0d167c 100644 --- a/test/results/flow-info/reasm_crash_anon.pcapng.out +++ b/test/results/flow-info/reasm_crash_anon.pcapng.out @@ -3,14 +3,15 @@ DAEMON-EVENT: [Flows][active: 0 / 0|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999] [MIDSTREAM] analyse: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 30.166| 9.710| 14.065|197823744.180| 0.000] - [PKTLEN......: 68.000| 793.000| 171.000| 234.800|55144.500| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 30.166| 9.710| 14.065| 197823744.180| 3.300] + [PKTLEN......: 52.000| 777.000| 155.000| 234.800| 55144.500| 4.000] [BINS(c->s)..: 23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,0,1,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,1,0,0,0,1,0] [IATS(ms)....: 0.0,1.5,1.5,0.0,1.2,1.2,0.0,30097.7,30099.5,1.8,0.0,1.2,1.2,30097.5,0.0,30099.3,1.8,1.2,30097.4,1.8,0.0,30101.7,1.2,30097.5,30165.6,1.3,69.4,30031.1,0.0,30032.8,1.7] - [PKTLENS.....: 81,81,142,68,68,793,68,68,81,122,68,68,781,68,81,81,122,68,68,81,68,68,793,68,81,122,793,68,81,81,122,68] + [PKTLENS.....: 65,65,126,52,52,777,52,52,65,106,52,52,765,52,65,65,106,52,52,65,52,52,777,52,65,106,777,52,65,65,106,52] + [ENTROPIES...: 5.5,5.5,3.0,5.2,5.2,5.3,5.2,5.2,5.4,5.6,5.1,5.1,0.5,5.1,5.4,5.4,5.6,5.2,5.2,5.5,5.1,5.2,5.3,5.1,5.4,5.6,5.3,5.0,5.4,5.4,5.6,5.2] not-detected: [.....1] [ip4][..tcp] [192.168.145.147][51218] -> [...10.209.8.148][21999] [Unknown][Unrated] DAEMON-EVENT: [Processed: 93 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 1|guessed: 0|detection-updates: 0|updates: 0] diff --git a/test/results/flow-info/reasm_segv_anon.pcapng.out b/test/results/flow-info/reasm_segv_anon.pcapng.out index 1c5472ea1..84ceabd8a 100644 --- a/test/results/flow-info/reasm_segv_anon.pcapng.out +++ b/test/results/flow-info/reasm_segv_anon.pcapng.out @@ -13,14 +13,15 @@ ERROR-EVENT: Captured packet size is smaller than expected packet size ERROR-EVENT: Captured packet size is smaller than expected packet size analyse: [.....1] [ip4][..udp] [...145.76.2.236][.2152] -> [...187.96.52.85][.2152] [GTP.GTP_U][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.859| 0.305| 0.564|318078.976| 0.000] - [PKTLEN......: 90.000| 1490.000| 934.200| 651.300|424215.900| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.859| 0.305| 0.564| 318078.976| 3.100] + [PKTLEN......: 76.000| 1476.000| 920.200| 651.300| 424215.900| 4.500] [BINS(c->s)..: 0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,17,0,0] [DIRECTIONS..: 0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,0,0,0,1,1,1,0,1,1] [IATS(ms)....: 396.0,83.8,1376.2,0.1,0.0,0.0,0.0,0.0,0.0,0.0,0.1,0.1,1859.1,964.9,439.7,439.7,0.1,0.0,0.0,0.0,0.0,0.1,163.9,20.1,1615.4,1799.0,0.1,0.0,155.8,155.6,0.1] - [PKTLENS.....: 106,106,106,1490,1490,1490,1490,1490,1490,1490,1490,1490,1490,114,1490,114,1490,1490,1490,1490,1386,1490,1490,122,122,114,90,402,1178,114,90,402] + [PKTLENS.....: 92,92,92,1476,1476,1476,1476,1476,1476,1476,1476,1476,1476,100,1476,100,1476,1476,1476,1476,1372,1476,1476,108,108,100,76,388,1164,100,76,388] + [ENTROPIES...: 5.4,5.4,5.4,7.9,7.8,7.8,7.9,7.8,7.8,7.8,7.8,7.8,7.8,5.4,7.8,5.4,7.8,7.9,7.8,7.9,7.8,7.9,7.8,5.5,5.5,5.4,5.2,7.3,7.8,5.5,5.2,7.4] ERROR-EVENT: Captured packet size is smaller than expected packet size ERROR-EVENT: Captured packet size is smaller than expected packet size ERROR-EVENT: Captured packet size is smaller than expected packet size diff --git a/test/results/flow-info/reddit.pcap.out b/test/results/flow-info/reddit.pcap.out index 2ded32e29..a9e8a4bf3 100644 --- a/test/results/flow-info/reddit.pcap.out +++ b/test/results/flow-info/reddit.pcap.out @@ -16,23 +16,25 @@ detection-update: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56560] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [.....4] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56560] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] analyse: [.....1] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40028] -> [...............2a00:1450:4007:80a::200a][..443] [TLS.GoogleServices][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.076| 0.015| 0.024| 570.611| 0.000] - [PKTLEN......: 86.000| 1294.000| 295.100| 342.100|117045.100| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.076| 0.015| 0.024| 570.611| 3.200] + [PKTLEN......: 72.000| 1280.000| 281.100| 342.100| 117045.100| 4.200] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0] [IATS(ms)....: 24.9,25.0,0.5,75.6,0.0,0.0,75.2,0.0,0.0,8.8,5.0,0.6,0.7,37.6,3.5,25.9,1.2,0.5,1.6,1.1,59.9,0.0,0.0,0.0,0.0,58.8,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,1294,586,86,86,86,150,178,910,724,86,666,86,86,117,86,117,86,86,398,436,299,125,153,86,86,86] + [PKTLENS.....: 80,80,72,589,72,1280,1280,572,72,72,72,136,164,896,710,72,652,72,72,103,72,103,72,72,384,422,285,111,139,72,72,72] + [ENTROPIES...: 4.7,5.2,5.1,4.6,4.9,7.8,7.8,7.5,5.2,5.0,5.1,6.1,6.5,7.8,7.7,5.0,7.6,5.1,5.1,5.7,5.1,5.8,5.1,5.0,7.3,7.4,7.1,6.0,6.2,5.1,5.1,5.1] analyse: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56558] -> [.....................64:ff9b::9765:798c][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.288| 0.099| 0.316|100085.416| 0.000] - [PKTLEN......: 86.000| 1134.000| 413.800| 437.600|191482.000| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.288| 0.099| 0.316| 100085.416| 1.800] + [PKTLEN......: 72.000| 1120.000| 399.800| 437.600| 191482.000| 4.200] [BINS(c->s)..: 9,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,0,1,1,1,1,1] [IATS(ms)....: 33.2,33.2,0.9,66.6,0.0,0.0,0.0,0.0,65.7,0.0,0.0,0.0,13.2,0.7,0.5,42.1,0.0,27.6,0.5,0.5,1.4,59.9,0.1,1228.9,1287.6,0.9,0.0,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1134,1134,1134,601,86,86,86,86,179,185,459,86,344,86,86,152,86,124,86,86,1134,86,1134,1134,1134,217,1134] + [PKTLENS.....: 80,80,72,589,72,1120,1120,1120,587,72,72,72,72,165,171,445,72,330,72,72,138,72,110,72,72,1120,72,1120,1120,1120,203,1120] + [ENTROPIES...: 4.9,5.3,5.2,4.5,5.1,6.9,7.4,7.3,7.6,5.3,5.2,5.3,5.3,6.1,6.3,7.4,5.1,7.1,5.1,5.2,6.2,5.2,5.7,5.1,5.1,7.8,5.2,7.8,7.8,7.8,6.7,7.8] detection-update: [.....3] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56558] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] new: [.....5] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56562] -> [.....................64:ff9b::9765:798c][..443] new: [.....6] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56564] -> [.....................64:ff9b::9765:798c][..443] @@ -95,61 +97,66 @@ detection-update: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56588] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [....18] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56588] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] analyse: [.....6] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56564] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.042| 0.008| 0.014| 206.884| 0.000] - [PKTLEN......: 86.000| 1474.000| 330.100| 366.700|134435.400| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.042| 0.008| 0.014| 206.884| 3.100] + [PKTLEN......: 72.000| 1460.000| 316.100| 366.700| 134435.400| 4.300] [BINS(c->s)..: 8,1,1,4,2,0,2,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0] [BINS(s->c)..: 4,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,0,0,0] [IATS(ms)....: 29.9,29.9,0.1,38.0,2.3,0.0,40.2,0.0,0.1,0.0,0.0,2.7,0.1,0.6,0.0,0.2,0.0,41.5,1.3,39.1,1.6,0.0,7.3,1.5,7.3,2.1,0.2,0.1,0.0,0.2] - [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,606,86,86,179,185,375,405,1474,283,86,344,86,209,241,86,152,86,231,124,196,197,308] + [PKTLENS.....: 80,80,72,589,72,1120,1120,72,72,1120,592,72,72,165,171,361,391,1460,269,72,330,72,195,227,72,138,72,217,110,182,183,294] + [ENTROPIES...: 4.9,5.3,5.2,4.5,5.1,6.9,7.3,5.2,5.2,7.3,7.5,5.2,5.2,5.9,6.4,7.2,7.2,7.6,6.8,5.1,7.1,5.2,6.6,6.5,5.1,6.2,5.2,6.7,5.5,6.5,6.5,6.9] detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56590] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [....19] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56590] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] analyse: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56578] -> [.....................64:ff9b::9765:798c][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.048| 0.010| 0.016| 264.552| 0.000] - [PKTLEN......: 86.000| 1134.000| 423.600| 435.500|189657.000| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.048| 0.010| 0.016| 264.552| 3.200] + [PKTLEN......: 72.000| 1120.000| 409.600| 435.500| 189657.000| 4.200] [BINS(c->s)..: 8,2,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1] [IATS(ms)....: 38.7,38.7,0.2,38.5,0.0,38.3,0.0,0.0,0.3,0.3,0.0,2.2,2.8,0.2,0.2,6.5,48.3,2.9,39.3,6.8,2.7,0.0,9.6,0.3,0.8,2.1,0.0] - [PKTLENS.....: 94,94,86,603,86,1134,86,1134,86,1134,616,86,86,179,185,450,482,129,86,344,86,86,86,152,86,124,86,1134,1134,1134,1134,1134] + [PKTLENS.....: 80,80,72,589,72,1120,72,1120,72,1120,602,72,72,165,171,436,468,115,72,330,72,72,72,138,72,110,72,1120,1120,1120,1120,1120] + [ENTROPIES...: 4.7,5.2,5.3,4.6,5.1,6.9,5.3,7.3,5.3,7.4,7.6,5.3,5.3,6.0,6.4,7.4,7.2,5.8,5.1,7.1,5.2,5.1,5.1,6.2,5.2,5.7,5.1,7.8,7.8,7.8,7.8,7.8] detection-update: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56578] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] analyse: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56582] -> [.....................64:ff9b::9765:798c][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.060| 0.011| 0.020| 392.540| 0.000] - [PKTLEN......: 86.000| 1134.000| 311.400| 353.700|125114.100| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.060| 0.011| 0.020| 392.540| 2.700] + [PKTLEN......: 72.000| 1120.000| 297.400| 353.700| 125114.100| 4.200] [BINS(c->s)..: 10,1,1,1,1,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,1,1,0,0,0,0] [IATS(ms)....: 36.1,36.1,0.1,41.3,0.0,41.2,0.0,0.0,0.7,0.7,0.0,2.3,1.1,0.2,0.0,0.2,60.3,1.0,57.4,0.0,0.0,0.0,0.0,0.0,0.9] - [PKTLENS.....: 94,94,86,603,86,1134,86,1134,86,1134,590,86,86,179,185,460,373,241,86,344,86,86,152,86,86,86,1134,701,86,86,86,124] + [PKTLENS.....: 80,80,72,589,72,1120,72,1120,72,1120,576,72,72,165,171,446,359,227,72,330,72,72,138,72,72,72,1120,687,72,72,72,110] + [ENTROPIES...: 4.8,5.3,5.3,4.5,5.1,6.9,5.3,7.4,5.3,7.3,7.5,5.3,5.3,6.1,6.5,7.4,7.1,6.8,5.1,7.1,5.1,5.2,6.2,5.0,5.0,5.1,7.8,7.7,5.2,5.2,5.2,5.6] detection-update: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56582] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] analyse: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.052| 0.011| 0.020| 382.734| 0.000] - [PKTLEN......: 86.000| 1134.000| 377.000| 422.800|178733.300| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.052| 0.011| 0.020| 382.734| 2.800] + [PKTLEN......: 72.000| 1120.000| 363.000| 422.800| 178733.300| 4.100] [BINS(c->s)..: 11,0,2,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,1,0,1] [IATS(ms)....: 44.6,44.7,0.3,51.0,1.8,0.0,52.5,0.0,0.0,0.0,2.4,0.7,0.1,0.1,49.0,0.0,45.8,0.1,0.2,1.2,0.0,0.0,1.4,0.0,0.0,0.1,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1134,1134,1134,616,86,86,86,86,179,185,403,167,86,344,86,86,86,152,86,1134,1132,86,86,86,1134,86,1134] + [PKTLENS.....: 80,80,72,589,72,1120,1120,1120,602,72,72,72,72,165,171,389,153,72,330,72,72,72,138,72,1120,1118,72,72,72,1120,72,1120] + [ENTROPIES...: 4.9,5.4,5.3,4.6,5.1,6.9,7.3,7.4,7.5,5.2,5.2,5.2,5.3,6.1,6.4,7.3,6.1,5.1,7.1,5.3,5.1,5.0,6.2,5.1,7.8,7.8,5.3,5.2,5.3,7.8,5.2,7.8] detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56592] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] new: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] detected: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] analyse: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.092| 0.013| 0.024| 558.351| 0.000] - [PKTLEN......: 86.000| 1134.000| 377.300| 424.000|179781.300| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.092| 0.013| 0.024| 558.351| 2.800] + [PKTLEN......: 72.000| 1120.000| 363.300| 424.000| 179781.300| 4.100] [BINS(c->s)..: 12,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0] [IATS(ms)....: 25.8,25.9,0.4,66.4,26.1,92.0,0.8,0.8,0.0,0.0,1.6,0.1,0.3,42.1,0.0,0.0,6.2,0.0,0.0,46.4,0.0,0.0,0.0,0.0,0.0,0.9] - [PKTLENS.....: 94,94,86,603,86,1134,86,1134,1134,637,86,86,86,179,185,417,86,86,86,360,152,1134,1134,1134,1134,86,86,86,86,86,86,124] + [PKTLENS.....: 80,80,72,589,72,1120,72,1120,1120,623,72,72,72,165,171,403,72,72,72,346,138,1120,1120,1120,1120,72,72,72,72,72,72,110] + [ENTROPIES...: 4.9,5.3,5.3,4.6,5.1,7.0,5.3,7.3,7.3,7.6,5.3,5.3,5.3,6.1,6.5,7.3,5.1,5.2,5.2,7.2,6.2,7.8,7.8,7.8,7.8,5.3,5.3,5.3,5.3,5.3,5.3,5.7] detection-update: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56594] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] new: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] new: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] @@ -161,33 +168,36 @@ detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38320] -> [.....................64:ff9b::6853:b3b6][..443] [TLS][Web][Safe] analyse: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [TLS.GoogleServices][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.044| 0.009| 0.015| 214.376| 0.000] - [PKTLEN......: 86.000| 1294.000| 436.500| 490.000|240053.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.044| 0.009| 0.015| 214.376| 3.100] + [PKTLEN......: 72.000| 1280.000| 422.500| 490.000| 240053.700| 4.100] [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,1,1] [IATS(ms)....: 31.5,31.5,0.2,36.8,7.0,43.6,0.0,0.6,0.6,2.4,0.2,0.1,37.7,0.7,1.1,36.8,0.1,0.1,0.0,0.5,8.6,9.1,0.1,0.1,0.2,0.2,0.0,0.1] - [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,547,86,150,178,347,86,86,666,86,117,86,117,86,792,86,1294,86,1294,1294,86,86,1294,1294] + [PKTLENS.....: 80,80,72,589,72,1280,1280,72,72,533,72,136,164,333,72,72,652,72,103,72,103,72,778,72,1280,72,1280,1280,72,72,1280,1280] + [ENTROPIES...: 4.8,5.3,5.1,4.6,5.2,7.8,7.8,5.2,5.2,7.6,5.2,6.2,6.5,7.2,5.1,5.1,7.6,5.2,5.8,5.2,5.9,5.2,7.7,5.2,7.8,5.2,7.8,7.8,5.2,5.2,7.8,7.8] analyse: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.051| 0.009| 0.016| 249.330| 0.000] - [PKTLEN......: 86.000| 1474.000| 475.600| 586.500|343946.100| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.051| 0.009| 0.016| 249.330| 3.000] + [PKTLEN......: 72.000| 1460.000| 461.600| 586.500| 343946.100| 4.000] [BINS(c->s)..: 13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,1,1,0,0,0,0] [IATS(ms)....: 38.5,38.6,0.4,37.3,14.2,0.0,0.0,51.0,0.0,0.0,0.0,0.0,2.4,0.1,0.1,31.3,0.0,1.6,0.0,30.2,0.1,3.4,0.0,3.2,0.0,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1474,1474,1474,1474,401,86,86,86,86,86,150,178,344,86,86,86,157,86,117,1474,1474,1474,1474,86,86,86,86] + [PKTLENS.....: 80,80,72,589,72,1460,1460,1460,1460,387,72,72,72,72,72,136,164,330,72,72,72,143,72,103,1460,1460,1460,1460,72,72,72,72] + [ENTROPIES...: 4.8,5.2,5.2,4.5,5.1,7.8,7.8,7.9,7.8,7.4,5.2,5.2,5.2,5.2,5.1,6.1,6.5,7.3,5.0,5.0,5.1,6.3,5.2,5.9,7.9,7.8,7.9,7.8,5.2,5.2,5.3,5.3] detection-update: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43492] -> [......................64:ff9b::df9:21c6][..443] [TLS.Amazon][Web][Acceptable] analyse: [....24] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38320] -> [.....................64:ff9b::6853:b3b6][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.072| 0.015| 0.019| 374.318| 0.000] - [PKTLEN......: 86.000| 1474.000| 446.900| 553.500|306346.900| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.072| 0.015| 0.019| 374.318| 3.400] + [PKTLEN......: 72.000| 1460.000| 432.900| 553.500| 306346.900| 4.000] [BINS(c->s)..: 11,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,1,0,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,5,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,1,1,1,1,0] [IATS(ms)....: 27.4,27.4,0.3,37.3,35.3,0.0,72.3,0.0,0.0,2.5,0.1,0.1,31.2,2.1,15.1,0.0,45.6,0.0,0.0,0.2,29.8,10.3,39.8,0.7,0.0,0.7] - [PKTLENS.....: 94,94,86,603,86,1474,1474,324,86,86,86,166,178,364,86,86,86,357,357,156,86,86,86,117,86,1474,86,1459,1474,1459,1474,86] + [PKTLENS.....: 80,80,72,589,72,1460,1460,310,72,72,72,152,164,350,72,72,72,343,343,142,72,72,72,103,72,1460,72,1445,1460,1445,1460,72] + [ENTROPIES...: 4.9,5.3,5.2,4.4,5.1,7.8,7.8,7.2,5.3,5.2,5.2,6.3,6.5,7.4,5.1,5.1,5.1,7.2,7.3,6.3,5.2,5.3,5.2,5.9,5.1,7.9,5.2,7.9,7.8,7.9,7.9,5.3] new: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51026] -> [.....................64:ff9b::acd9:12c2][..443] detected: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51026] -> [.....................64:ff9b::acd9:12c2][..443] [TLS.Google][Advertisement][Acceptable] new: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] @@ -196,37 +206,40 @@ detection-update: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS.Twitter][SocialNetwork][Fun] detection-update: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS.Twitter][SocialNetwork][Fun] analyse: [....25] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51026] -> [.....................64:ff9b::acd9:12c2][..443] [TLS.Google][Advertisement][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.049| 0.009| 0.015| 230.505| 0.000] - [PKTLEN......: 86.000| 1474.000| 456.600| 558.600|312025.400| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.049| 0.009| 0.015| 230.505| 3.100] + [PKTLEN......: 72.000| 1460.000| 442.600| 558.600| 312025.400| 4.000] [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,1] [IATS(ms)....: 27.2,27.2,0.3,32.1,7.5,39.3,0.5,0.5,0.0,1.9,0.1,0.1,39.4,0.3,11.8,49.5,0.0,0.2,1.9,0.0,1.7,0.0,0.0,0.1,0.1,1.6] - [PKTLENS.....: 94,94,86,603,86,1474,86,1474,188,86,86,150,178,360,86,86,86,666,117,86,86,117,522,1474,1474,86,86,86,1474,86,1474,1474] + [PKTLENS.....: 80,80,72,589,72,1460,72,1460,174,72,72,136,164,346,72,72,72,652,103,72,72,103,508,1460,1460,72,72,72,1460,72,1460,1460] + [ENTROPIES...: 4.9,5.2,5.2,4.7,5.1,7.8,5.2,7.8,6.6,5.3,5.2,6.1,6.5,7.2,5.0,5.0,5.0,7.6,5.7,5.1,5.1,5.8,7.5,7.9,7.9,5.2,5.2,5.2,7.9,5.2,7.8,7.8] analyse: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.061| 0.009| 0.016| 263.464| 0.000] - [PKTLEN......: 86.000| 1134.000| 377.200| 425.800|181298.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.061| 0.009| 0.016| 263.464| 2.900] + [PKTLEN......: 72.000| 1120.000| 363.200| 425.800| 181298.700| 4.100] [BINS(c->s)..: 12,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1,1,1,0,0,0,0] [IATS(ms)....: 30.4,30.4,0.3,47.5,14.0,61.1,0.1,0.0,0.0,0.0,0.0,3.3,0.1,0.1,30.6,2.1,0.1,29.2,1.3,1.3,0.2,0.4,0.0,0.0,0.0,0.2,0.0,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1134,86,1134,1134,718,86,86,86,179,185,351,86,86,86,344,86,152,86,124,1134,1134,1134,1134,86,86,86,86] + [PKTLENS.....: 80,80,72,589,72,1120,72,1120,1120,704,72,72,72,165,171,337,72,72,72,330,72,138,72,110,1120,1120,1120,1120,72,72,72,72] + [ENTROPIES...: 4.9,5.3,5.2,4.5,5.0,6.9,5.1,7.2,7.3,7.6,5.2,5.2,5.1,6.0,6.4,7.2,5.1,5.1,5.1,7.0,5.2,6.3,5.2,5.6,7.8,7.8,7.8,7.8,5.2,5.2,5.2,5.2] detection-update: [....26] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS.Twitter][SocialNetwork][Fun] new: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] detected: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Web][Acceptable] detection-update: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Web][Acceptable] new: [....28] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][32970] -> [.....................64:ff9b::6853:b3d1][..443] analyse: [....27] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39520] -> [...............2a00:1450:4007:816::2008][..443] [TLS.GoogleServices][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.044| 0.009| 0.015| 214.690| 0.000] - [PKTLEN......: 86.000| 1294.000| 429.800| 486.500|236643.500| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.044| 0.009| 0.015| 214.690| 3.200] + [PKTLEN......: 72.000| 1280.000| 415.800| 486.500| 236643.500| 4.100] [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,1,0,0,1,0,1,1] [IATS(ms)....: 34.3,34.3,1.7,38.1,7.5,0.0,43.9,0.0,0.0,3.0,0.2,0.3,37.3,0.0,0.4,0.0,34.1,0.0,0.2,2.3,6.9,9.1,0.8,0.0,0.9,0.0,0.1,0.0,0.7] - [PKTLENS.....: 94,94,86,603,86,1294,1294,564,86,86,86,150,178,349,86,86,666,117,86,86,117,86,559,86,1294,1294,86,86,1294,86,1294,1294] + [PKTLENS.....: 80,80,72,589,72,1280,1280,550,72,72,72,136,164,335,72,72,652,103,72,72,103,72,545,72,1280,1280,72,72,1280,72,1280,1280] + [ENTROPIES...: 4.8,5.3,5.1,4.6,5.0,7.8,7.8,7.6,5.2,5.2,5.2,6.0,6.6,7.3,5.0,5.0,7.7,5.7,5.2,5.2,5.8,5.1,7.6,5.2,7.8,7.8,5.2,5.2,7.8,5.2,7.8,7.8] detected: [....28] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][32970] -> [.....................64:ff9b::6853:b3d1][..443] [TLS][Web][Safe] new: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] detected: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS.Twitter][SocialNetwork][Fun] @@ -247,24 +260,26 @@ detection-update: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS.Twitter][SocialNetwork][Fun] detection-update: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS.Twitter][SocialNetwork][Fun] analyse: [....32] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48648] -> [...2620:116:800d:21:f916:5049:f87f:108e][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.180| 0.022| 0.040| 1578.121| 0.000] - [PKTLEN......: 86.000| 1474.000| 460.900| 554.600|307585.900| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.180| 0.022| 0.040| 1578.121| 3.300] + [PKTLEN......: 72.000| 1460.000| 446.900| 554.600| 307585.900| 4.000] [BINS(c->s)..: 10,1,0,2,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,1,1,0,0,1,1,1] [IATS(ms)....: 41.3,41.4,0.2,45.6,16.1,0.0,61.5,0.0,0.0,3.9,0.4,0.1,94.0,180.2,10.5,0.0,92.3,0.1,0.4,5.5,8.0,1.9,14.9,15.5,0.0,15.5,0.0,0.3,0.0] - [PKTLENS.....: 94,94,86,603,86,1474,1474,674,86,86,86,212,185,344,344,86,360,155,86,86,124,86,86,124,86,1474,1474,86,86,1474,1474,1474] + [PKTLENS.....: 80,80,72,589,72,1460,1460,660,72,72,72,198,171,330,330,72,346,141,72,72,110,72,72,110,72,1460,1460,72,72,1460,1460,1460] + [ENTROPIES...: 5.3,5.6,5.5,4.7,5.4,6.9,7.4,7.6,5.4,5.4,5.3,6.5,6.4,7.2,7.2,5.4,7.2,6.3,5.5,5.5,5.8,5.4,5.4,6.0,5.4,7.9,7.9,5.5,5.5,7.9,7.9,7.9] detection-update: [....32] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48648] -> [...2620:116:800d:21:f916:5049:f87f:108e][..443] [TLS][Web][Safe] analyse: [....31] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54862] -> [...............2a00:1450:4007:806::200e][..443] [TLS.YouTube][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.169| 0.024| 0.039| 1530.136| 0.000] - [PKTLEN......: 86.000| 1294.000| 408.800| 466.200|217386.300| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.169| 0.024| 0.039| 1530.136| 3.300] + [PKTLEN......: 72.000| 1280.000| 394.800| 466.200| 217386.300| 4.100] [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,1,1,0,0,1,0,1] [IATS(ms)....: 34.8,34.8,0.2,53.0,4.9,57.8,0.5,0.4,0.0,0.0,3.6,2.0,0.4,91.7,168.8,1.8,72.8,0.2,1.0,2.0,2.7,14.6,61.7,0.0,76.3,0.0,0.7,0.7,0.1] - [PKTLENS.....: 94,94,86,603,86,1294,86,1294,1294,286,86,86,86,150,178,491,491,86,666,86,117,86,117,86,86,827,1294,86,86,1294,86,1294] + [PKTLENS.....: 80,80,72,589,72,1280,72,1280,1280,272,72,72,72,136,164,477,477,72,652,72,103,72,103,72,72,813,1280,72,72,1280,72,1280] + [ENTROPIES...: 4.9,5.3,5.2,4.5,5.1,7.8,5.2,7.8,7.9,7.2,5.2,5.2,5.2,6.1,6.5,7.4,7.4,5.1,7.6,5.1,5.7,5.1,5.7,5.2,5.1,7.7,7.8,5.2,5.2,7.8,5.2,7.8] new: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] new: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51102] -> [.....................64:ff9b::d83a:d1e6][..443] new: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56186] -> [...2600:9000:219c:ee00:6:44e3:f8c0:93a1][..443] @@ -275,23 +290,25 @@ detection-update: [....35] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51102] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Advertisement][Acceptable] detection-update: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56186] -> [...2600:9000:219c:ee00:6:44e3:f8c0:93a1][..443] [TLS][Web][Safe] analyse: [....34] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51100] -> [.....................64:ff9b::d83a:d1e6][..443] [TLS.Google][Advertisement][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.043| 0.011| 0.015| 223.794| 0.000] - [PKTLEN......: 86.000| 1474.000| 264.000| 362.600|131502.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.043| 0.011| 0.015| 223.794| 3.600] + [PKTLEN......: 72.000| 1460.000| 250.000| 362.600| 131502.000| 4.000] [BINS(c->s)..: 11,2,2,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1] [IATS(ms)....: 41.1,41.1,0.2,31.9,11.0,42.7,0.5,0.0,0.5,0.0,2.8,1.3,0.1,34.2,10.2,0.0,40.2,0.5,1.5,0.0,0.9,16.6,0.0,0.0,16.5,0.0,0.0,4.4,0.3,12.7,24.5] - [PKTLENS.....: 94,94,86,603,86,1474,86,1474,186,86,86,150,178,500,86,666,86,86,117,86,117,86,807,117,125,86,86,86,125,121,296,86] + [PKTLENS.....: 80,80,72,589,72,1460,72,1460,172,72,72,136,164,486,72,652,72,72,103,72,103,72,793,103,111,72,72,72,111,107,282,72] + [ENTROPIES...: 4.9,5.3,5.3,4.5,5.1,7.8,5.3,7.9,6.5,5.3,5.3,6.1,6.5,7.4,5.2,7.6,5.1,5.3,5.9,5.1,5.8,5.3,7.7,5.7,6.0,5.3,5.3,5.3,6.1,5.9,7.1,5.2] analyse: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.217| 0.048| 0.068| 4645.676| 0.000] - [PKTLEN......: 86.000| 1474.000| 272.400| 353.400|124913.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.217| 0.048| 0.068| 4645.676| 3.600] + [PKTLEN......: 72.000| 1460.000| 258.400| 353.400| 124913.600| 4.100] [BINS(c->s)..: 9,1,0,3,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,0,1,0,1,1,1,0,1] [IATS(ms)....: 29.2,29.3,0.2,29.5,187.3,216.6,0.3,0.3,0.0,1.8,0.2,0.0,70.3,211.9,6.5,0.0,182.9,58.3,20.2,41.8,0.1,0.0,0.9,11.7,10.9,9.9,6.2,112.5,128.6,76.1] - [PKTLENS.....: 94,94,86,603,86,1474,86,1474,749,86,86,212,185,376,376,86,86,86,186,86,328,86,130,86,124,124,86,86,86,545,86,352] + [PKTLENS.....: 80,80,72,589,72,1460,72,1460,735,72,72,198,171,362,362,72,72,72,172,72,314,72,116,72,110,110,72,72,72,531,72,338] + [ENTROPIES...: 4.8,5.2,5.2,4.6,5.1,6.8,5.2,7.4,7.6,5.2,5.2,6.4,6.3,7.1,7.1,5.1,5.1,5.1,6.4,5.1,7.0,5.2,5.9,5.2,5.6,5.9,5.2,5.1,5.1,7.5,5.2,7.3] detection-update: [....29] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS.Twitter][SocialNetwork][Fun] new: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] detected: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] [TLS.Twitter][SocialNetwork][Fun] @@ -301,14 +318,15 @@ detected: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Advertisement][Acceptable] detected: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] [TLS.Google][Web][Acceptable] analyse: [....37] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39736] -> [.....2606:2800:134:1a0d:1429:742:782:b6][..443] [TLS.Twitter][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.051| 0.013| 0.018| 330.361| 0.000] - [PKTLEN......: 86.000| 1294.000| 321.800| 396.400|157103.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.051| 0.013| 0.018| 330.361| 3.500] + [PKTLEN......: 72.000| 1280.000| 307.800| 396.400| 157103.100| 4.100] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,2,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1] [IATS(ms)....: 43.0,43.1,0.3,41.3,10.2,51.1,0.4,38.4,3.5,41.5,0.5,0.0,0.5,0.0,0.1,0.1,2.3,0.2,0.1,38.5,0.0,36.0,0.0,0.0,0.1,5.2,2.2,17.6,0.2] - [PKTLENS.....: 94,94,86,603,86,185,86,609,86,1294,86,1294,1294,86,86,423,86,160,178,473,86,341,341,182,86,86,86,117,86,86,117,1294] + [PKTLENS.....: 80,80,72,589,72,171,72,595,72,1280,72,1280,1280,72,72,409,72,146,164,459,72,327,327,168,72,72,72,103,72,72,103,1280] + [ENTROPIES...: 5.2,5.5,5.4,4.7,5.3,6.2,5.3,5.1,5.3,7.8,5.5,7.8,7.9,5.4,5.4,7.4,5.5,6.4,6.6,7.5,5.4,7.3,7.3,6.5,5.4,5.5,5.4,6.0,5.4,5.4,5.9,7.8] detection-update: [....38] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][54726] -> [...............2a00:1450:4007:808::2006][..443] [TLS.Google][Advertisement][Acceptable] new: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] new: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] @@ -319,59 +337,64 @@ detected: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47304] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Web][Acceptable] detected: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Media][Fun] analyse: [....39] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][57282] -> [...............2a00:1450:4007:805::2004][..443] [TLS.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.062| 0.010| 0.018| 322.960| 0.000] - [PKTLEN......: 86.000| 1294.000| 426.800| 483.300|233579.900| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.062| 0.010| 0.018| 322.960| 3.000] + [PKTLEN......: 72.000| 1280.000| 412.800| 483.300| 233579.900| 4.100] [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,0,1,1,1,0,0,0,1,1] [IATS(ms)....: 37.4,37.4,0.2,47.4,15.0,62.3,0.0,0.4,0.3,2.5,0.2,0.3,39.9,0.1,2.3,39.3,0.2,2.9,2.6,0.8,0.8,0.3,0.0,0.0,0.3,0.0,0.0,0.1,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,303,86,150,178,372,86,86,86,666,86,117,511,86,1294,86,1294,1294,1294,86,86,86,1294,306] + [PKTLENS.....: 80,80,72,589,72,1280,1280,72,72,289,72,136,164,358,72,72,72,652,72,103,497,72,1280,72,1280,1280,1280,72,72,72,1280,292] + [ENTROPIES...: 4.7,5.3,5.2,4.4,5.1,7.8,7.8,5.2,5.2,7.2,5.2,6.1,6.5,7.3,5.1,5.1,5.1,7.7,5.1,5.8,7.5,5.2,7.8,5.2,7.8,7.9,7.8,5.1,5.2,5.1,7.8,7.2] detected: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] [TLS.YouTube][Media][Fun] detection-update: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Media][Fun] detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] [TLS.YouTube][Media][Fun] detection-update: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47302] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Web][Acceptable] detection-update: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47304] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Web][Acceptable] analyse: [....40] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58122] -> [...............2a00:1450:4007:805::2001][..443] [TLS.YouTube][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.069| 0.013| 0.024| 573.258| 0.000] - [PKTLEN......: 86.000| 1294.000| 399.700| 459.200|210886.500| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.069| 0.013| 0.024| 573.258| 2.800] + [PKTLEN......: 72.000| 1280.000| 385.700| 459.200| 210886.500| 4.100] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,1,1] [IATS(ms)....: 63.7,63.8,0.2,68.5,0.7,0.0,0.0,0.0,69.0,0.0,0.0,0.0,0.0,0.0,8.3,2.6,2.5,40.2,1.0,27.8,0.2,1.6,0.0,1.4,0.0,0.1,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,1294,1294,1294,86,86,86,86,483,86,150,178,421,86,666,86,86,86,117,117,517,86,86,1294,1294,342,125] + [PKTLENS.....: 80,80,72,589,72,1280,1280,1280,1280,72,72,72,72,469,72,136,164,407,72,652,72,72,72,103,103,503,72,72,1280,1280,328,111] + [ENTROPIES...: 4.8,5.2,5.1,4.5,5.1,7.8,7.8,7.8,7.8,5.2,5.2,5.2,5.2,7.4,5.2,6.1,6.6,7.5,5.1,7.6,5.0,5.1,5.1,5.8,5.6,7.6,5.2,5.2,7.8,7.9,7.2,5.9] analyse: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47302] -> [...............2a00:1450:4007:80c::2003][..443] [TLS.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.073| 0.012| 0.021| 448.970| 0.000] - [PKTLEN......: 86.000| 1294.000| 423.500| 484.500|234727.200| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.073| 0.012| 0.021| 448.970| 3.000] + [PKTLEN......: 72.000| 1280.000| 409.500| 484.500| 234727.200| 4.100] [BINS(c->s)..: 11,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1] [IATS(ms)....: 45.3,45.4,0.4,65.7,8.2,73.5,0.0,0.0,0.0,12.6,0.9,0.2,0.2,41.2,1.6,28.9,0.1,3.3,0.0,3.7,0.0,0.0,7.0,0.0,0.0,0.0,0.1,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,86,1294,355,86,86,150,178,387,167,86,666,86,117,86,86,86,480,1294,1294,1294,86,86,86,86,1294,1294] + [PKTLENS.....: 80,80,72,589,72,1280,72,1280,341,72,72,136,164,373,153,72,652,72,103,72,72,72,466,1280,1280,1280,72,72,72,72,1280,1280] + [ENTROPIES...: 4.9,5.3,5.2,4.5,5.1,7.8,5.2,7.9,7.3,5.2,5.1,6.1,6.5,7.4,6.4,5.1,7.6,5.3,5.8,5.1,5.2,5.1,7.5,7.8,7.8,7.8,5.3,5.3,5.3,5.3,7.8,7.8] analyse: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][52296] -> [...............2a00:1450:4007:815::2016][..443] [TLS.YouTube][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.068| 0.014| 0.023| 533.315| 0.000] - [PKTLEN......: 86.000| 1294.000| 434.500| 488.800|238946.400| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.068| 0.014| 0.023| 533.315| 3.200] + [PKTLEN......: 72.000| 1280.000| 420.500| 488.800| 238946.400| 4.100] [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,0,0] [IATS(ms)....: 63.3,63.4,1.1,67.8,0.8,0.0,0.0,67.4,0.0,0.0,11.7,1.8,0.2,41.6,0.4,28.5,0.5,4.2,1.9,5.5,17.9,17.9,0.1,0.1,0.2,0.0,0.2,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,1294,765,86,86,86,150,178,389,86,666,86,117,86,86,117,86,470,86,1294,86,1294,1294,1294,1294,86,86] + [PKTLENS.....: 80,80,72,589,72,1280,1280,751,72,72,72,136,164,375,72,652,72,103,72,72,103,72,456,72,1280,72,1280,1280,1280,1280,72,72] + [ENTROPIES...: 4.9,5.3,5.2,4.4,5.1,7.8,7.9,7.7,5.2,5.2,5.3,6.3,6.6,7.4,5.1,7.7,5.1,5.9,5.1,5.1,5.8,5.2,7.5,5.3,7.9,5.3,7.8,7.8,7.8,7.8,5.2,5.3] new: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] detected: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] analyse: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.144| 0.017| 0.037| 1404.834| 0.000] - [PKTLEN......: 86.000| 1134.000| 277.200| 320.800|102914.800| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.144| 0.017| 0.037| 1404.834| 2.700] + [PKTLEN......: 72.000| 1120.000| 263.200| 320.800| 102914.800| 4.200] [BINS(c->s)..: 9,1,2,1,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,1,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1] [IATS(ms)....: 25.7,25.8,0.2,144.2,0.0,144.0,0.0,0.1,0.0,0.0,0.0,2.5,0.6,1.3,49.7,0.0,0.0,45.4,0.0,0.1,0.0,0.1,0.7,0.4,0.9,38.4,2.5,1.1,2.2] - [PKTLENS.....: 94,94,86,603,86,1134,1134,86,86,1134,601,86,86,179,185,485,86,86,344,152,86,86,86,453,86,124,580,156,86,86,86,128] + [PKTLENS.....: 80,80,72,589,72,1120,1120,72,72,1120,587,72,72,165,171,471,72,72,330,138,72,72,72,439,72,110,566,142,72,72,72,114] + [ENTROPIES...: 4.9,5.3,5.2,4.5,5.1,6.9,7.4,5.2,5.2,7.3,7.5,5.2,5.2,6.1,6.4,7.4,5.2,5.1,7.1,6.2,5.2,5.3,5.1,7.5,5.3,5.6,7.6,6.2,5.1,5.1,5.1,6.0] detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56640] -> [.....................64:ff9b::9765:798c][..443] [TLS.Reddit][SocialNetwork][Fun] new: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51006] -> [...............2a00:1450:4007:805::2002][..443] new: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59336] -> [...............2a00:1450:4007:80b::2002][..443] @@ -387,23 +410,25 @@ detection-update: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46646] -> [.....................64:ff9b::345f:7ca5][..443] [TLS.Amazon][Web][Acceptable] detection-update: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46646] -> [.....................64:ff9b::345f:7ca5][..443] [TLS.Amazon][Web][Acceptable] analyse: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59336] -> [...............2a00:1450:4007:80b::2002][..443] [TLS.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.046| 0.008| 0.012| 155.374| 0.000] - [PKTLEN......: 86.000| 1294.000| 294.100| 371.700|138197.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.046| 0.008| 0.012| 155.374| 3.400] + [PKTLEN......: 72.000| 1280.000| 280.100| 371.700| 138197.800| 4.100] [BINS(c->s)..: 12,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,1] [IATS(ms)....: 18.5,18.6,0.4,37.2,9.0,0.0,0.0,0.0,45.9,0.0,0.0,0.0,8.7,0.4,0.3,33.6,0.0,0.1,1.2,0.0,25.4,0.0,0.5,7.3,0.0,0.0,6.8,0.0,0.0,3.7,20.5] - [PKTLENS.....: 94,94,86,603,86,1294,1294,1294,287,86,86,86,86,150,178,363,86,86,86,666,117,86,86,117,789,530,125,86,86,86,125,86] + [PKTLENS.....: 80,80,72,589,72,1280,1280,1280,273,72,72,72,72,136,164,349,72,72,72,652,103,72,72,103,775,516,111,72,72,72,111,72] + [ENTROPIES...: 4.8,5.3,5.2,4.6,5.1,7.8,7.8,7.8,7.0,5.2,5.2,5.2,5.2,6.3,6.6,7.3,5.1,5.1,5.1,7.6,5.7,5.3,5.3,5.9,7.7,7.6,5.9,5.2,5.2,5.2,6.0,5.0] analyse: [....48] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][59624] -> [...............2a00:1450:4007:80b::2001][..443] [TLS.Google][Advertisement][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.034| 0.007| 0.011| 129.744| 0.000] - [PKTLEN......: 86.000| 1294.000| 337.800| 408.200|166632.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.034| 0.007| 0.011| 129.744| 3.400] + [PKTLEN......: 72.000| 1280.000| 323.800| 408.200| 166632.700| 4.100] [BINS(c->s)..: 13,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,0,1,1,1,1,0,0,0,1,1,0,0] [IATS(ms)....: 28.1,28.1,0.7,33.2,1.6,34.2,0.1,0.0,0.6,0.6,4.6,0.2,0.2,27.0,3.5,25.5,0.2,4.3,1.4,5.5,0.1,6.3,0.0,6.4,0.0,0.0,0.2,0.0,0.2,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,86,1294,86,548,86,150,178,436,86,666,86,117,86,117,86,86,496,1294,1294,86,86,86,718,125,86,86] + [PKTLENS.....: 80,80,72,589,72,1280,72,1280,72,534,72,136,164,422,72,652,72,103,72,103,72,72,482,1280,1280,72,72,72,704,111,72,72] + [ENTROPIES...: 4.8,5.3,5.1,5.0,5.0,7.8,5.2,7.8,5.2,7.6,5.1,6.1,6.6,7.4,5.0,7.7,5.2,5.9,5.0,5.8,5.1,5.1,7.5,7.8,7.8,5.2,5.2,5.1,7.7,5.9,5.2,5.2] new: [....49] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46806] -> [...............2a00:1450:4007:808::2001][..443] new: [....50] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46808] -> [...............2a00:1450:4007:808::2001][..443] new: [....51] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46810] -> [...............2a00:1450:4007:808::2001][..443] @@ -436,32 +461,35 @@ detection-update: [....58] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36970] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Advertisement][Acceptable] detection-update: [....57] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36968] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Advertisement][Acceptable] analyse: [....49] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][46806] -> [...............2a00:1450:4007:808::2001][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.042| 0.008| 0.012| 152.931| 0.000] - [PKTLEN......: 86.000| 1294.000| 482.500| 513.400|263601.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.042| 0.008| 0.012| 152.931| 3.300] + [PKTLEN......: 72.000| 1280.000| 468.500| 513.400| 263601.800| 4.200] [BINS(c->s)..: 10,0,2,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,0,0] [IATS(ms)....: 25.6,25.6,1.1,31.5,7.2,0.0,37.6,0.0,0.1,0.0,0.0,0.0,0.1,0.0,7.1,13.6,0.6,0.2,42.2,0.0,20.7,0.3,10.1,0.0,0.3,0.0,0.0,0.0,10.1,0.1] - [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,1294,1294,1294,1294,234,86,86,150,178,356,403,86,666,86,117,86,86,86,1076,1294,1294,86,86] + [PKTLENS.....: 80,80,72,589,72,1280,1280,72,72,1280,1280,1280,1280,220,72,72,136,164,342,389,72,652,72,103,72,72,72,1062,1280,1280,72,72] + [ENTROPIES...: 4.8,5.3,5.1,4.6,5.0,7.8,7.8,5.2,5.2,7.9,7.9,7.8,7.8,6.8,5.1,5.1,6.1,6.4,7.3,7.3,5.0,7.6,5.1,5.7,5.1,5.0,5.1,7.8,7.9,7.8,5.1,5.1] analyse: [....55] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][36964] -> [...............2a00:1450:4007:80f::2001][..443] [TLS.Google][Advertisement][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.046| 0.009| 0.014| 203.864| 0.000] - [PKTLEN......: 86.000| 1294.000| 334.900| 398.400|158685.900| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.046| 0.009| 0.014| 203.864| 3.400] + [PKTLEN......: 72.000| 1280.000| 320.900| 398.400| 158685.900| 4.100] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,1,1,0,1,1,1,0,0,0,1,1] [IATS(ms)....: 29.5,29.5,0.1,39.8,6.2,0.0,0.0,45.9,0.0,0.0,16.6,7.4,0.9,0.2,45.4,0.2,20.4,0.5,14.7,1.9,0.0,0.0,16.1,2.9,0.0,3.0,0.0,0.0,1.6,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,1294,325,86,86,86,150,178,405,389,86,666,86,117,86,117,86,86,86,565,412,221,86,86,86,1294,1294] + [PKTLENS.....: 80,80,72,589,72,1280,1280,311,72,72,72,136,164,391,375,72,652,72,103,72,103,72,72,72,551,398,207,72,72,72,1280,1280] + [ENTROPIES...: 4.9,5.3,5.2,4.6,5.1,7.8,7.9,7.2,5.2,5.2,5.1,6.1,6.5,7.4,7.3,5.0,7.7,5.2,5.8,5.1,5.8,5.0,5.0,5.1,7.6,7.4,6.7,5.2,5.2,5.1,7.8,7.8] analyse: [....54] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38166] -> [...............2a00:1450:4007:811::200a][..443] [TLS.GoogleServices][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.044| 0.010| 0.014| 184.491| 0.000] - [PKTLEN......: 86.000| 1294.000| 284.100| 336.600|113301.500| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.044| 0.010| 0.014| 184.491| 3.600] + [PKTLEN......: 72.000| 1280.000| 270.100| 336.600| 113301.500| 4.200] [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,1,0,1,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,1,1] [IATS(ms)....: 28.7,28.7,0.2,37.9,6.1,43.8,0.1,0.0,0.6,0.6,16.4,9.8,0.9,43.8,3.9,20.7,0.6,14.9,1.7,16.0,10.5,0.0,0.0,0.0,10.5,0.0,0.0,0.0,0.2,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,86,1294,86,586,86,150,178,369,86,666,86,117,86,117,86,86,545,911,286,371,86,86,86,86,125,86] + [PKTLENS.....: 80,80,72,589,72,1280,72,1280,72,572,72,136,164,355,72,652,72,103,72,103,72,72,531,897,272,357,72,72,72,72,111,72] + [ENTROPIES...: 4.8,5.2,5.1,4.6,5.0,7.8,5.1,7.8,5.0,7.6,5.0,6.0,6.4,7.3,5.0,7.6,5.1,5.8,5.0,5.5,5.0,5.1,7.5,7.7,7.1,7.3,5.1,5.1,5.1,5.1,5.8,5.0] new: [....60] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47006] -> [.....................64:ff9b::34d3:acec][..443] detected: [....60] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47006] -> [.....................64:ff9b::34d3:acec][..443] [TLS][Web][Safe] detection-update: [....60] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47006] -> [.....................64:ff9b::34d3:acec][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/rtsp.pcap.out b/test/results/flow-info/rtsp.pcap.out index 384061bc7..e192cc264 100644 --- a/test/results/flow-info/rtsp.pcap.out +++ b/test/results/flow-info/rtsp.pcap.out @@ -8,78 +8,84 @@ detected: [.....2] [ip4][..tcp] [......10.1.1.10][52472] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....2] [ip4][..tcp] [......10.1.1.10][52472] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.021| 0.002| 0.006| 34.529| 0.000] - [PKTLEN......: 56.000| 198.000| 108.600| 58.600| 3438.900| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.021| 0.002| 0.006| 34.529| 2.200] + [PKTLEN......: 40.000| 182.000| 92.600| 58.600| 3438.900| 4.700] [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1] [IATS(ms)....: 0.0,0.0,0.1,0.2,0.1,0.0,0.0,0.2,0.0,0.0,0.1,13.1,0.0,0.0,0.1,13.5,0.0,0.0,0.0,20.6,0.0,0.0,0.0,21.1,0.0,0.0,0.1,0.5,0.0,0.0,0.0] - [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62] + [PKTLENS.....: 52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,156,46,40,46,46,165,165,165,165,182,182,182,182,46,40,46,46] + [ENTROPIES...: 4.4,4.4,4.5,4.5,4.7,4.7,4.7,4.7,4.4,4.4,4.7,4.4,5.7,5.7,5.7,5.7,4.3,4.6,4.3,4.3,5.7,5.7,5.7,5.7,5.8,5.8,5.8,5.8,4.3,4.7,4.4,4.3] new: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] detected: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.021| 0.002| 0.005| 29.923| 0.000] - [PKTLEN......: 56.000| 198.000| 108.600| 58.600| 3438.900| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.021| 0.002| 0.005| 29.923| 2.200] + [PKTLEN......: 40.000| 182.000| 92.600| 58.600| 3438.900| 4.700] [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1] [IATS(ms)....: 0.0,0.0,0.1,0.3,0.0,0.0,0.0,0.6,0.0,0.0,0.1,9.3,0.0,0.0,0.1,10.1,0.0,0.0,0.0,20.5,0.0,0.0,0.0,21.2,0.0,0.0,0.4,0.9,0.1,0.0,0.0] - [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,62,56,62] + [PKTLENS.....: 52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,156,46,40,46,46,165,165,165,165,182,182,182,182,46,46,40,46] + [ENTROPIES...: 4.4,4.4,4.4,4.4,4.6,4.7,4.7,4.6,4.4,4.4,4.7,4.4,5.8,5.8,5.8,5.8,4.3,4.7,4.4,4.3,5.7,5.7,5.7,5.7,5.8,5.8,5.8,5.8,4.3,4.3,4.6,4.3] new: [.....4] [ip4][..tcp] [......10.1.1.10][52476] -> [.......10.2.2.2][.8554] detected: [.....4] [ip4][..tcp] [......10.1.1.10][52476] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....4] [ip4][..tcp] [......10.1.1.10][52476] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.021| 0.002| 0.005| 26.106| 0.000] - [PKTLEN......: 56.000| 198.000| 108.600| 58.600| 3438.900| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.021| 0.002| 0.005| 26.106| 2.200] + [PKTLEN......: 40.000| 182.000| 92.600| 58.600| 3438.900| 4.700] [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1] [IATS(ms)....: 0.0,0.0,0.3,0.3,0.1,0.0,0.1,0.8,0.1,0.0,0.2,4.8,0.0,0.0,0.4,6.2,0.1,0.0,0.1,20.1,0.0,0.1,0.0,21.0,0.0,0.0,0.1,0.9,0.0,0.0,0.1] - [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181,198,198,198,198,62,56,62,62] + [PKTLENS.....: 52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,156,46,46,40,46,165,165,165,165,182,182,182,182,46,40,46,46] + [ENTROPIES...: 4.3,4.3,4.4,4.4,4.6,4.6,4.6,4.6,4.3,4.3,4.6,4.3,5.7,5.7,5.7,5.7,4.3,4.3,4.6,4.3,5.7,5.7,5.7,5.7,5.8,5.8,5.8,5.8,4.2,4.5,4.2,4.3] new: [.....5] [ip4][..tcp] [......10.1.1.10][52478] -> [.......10.2.2.2][.8554] detected: [.....5] [ip4][..tcp] [......10.1.1.10][52478] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....5] [ip4][..tcp] [......10.1.1.10][52478] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.505| 0.033| 0.124|15344.430| 0.000] - [PKTLEN......: 56.000| 181.000| 92.300| 48.800| 2380.700| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.505| 0.033| 0.124| 15344.430| 1.200] + [PKTLEN......: 40.000| 165.000| 76.300| 48.800| 2380.700| 4.700] [BINS(c->s)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] [IATS(ms)....: 0.0,0.0,0.1,1.3,0.0,0.0,0.3,505.2,0.0,0.0,0.1,504.5,0.0,0.0,0.1,1.0,0.0,0.0,0.1,0.1,0.0,0.0,0.0,0.6,0.1,0.0,0.0,20.4,0.0,0.0,0.1] - [PKTLENS.....: 68,68,68,68,62,56,62,62,68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181] + [PKTLENS.....: 52,52,52,52,46,40,46,46,52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,156,46,46,40,46,165,165,165,165] + [ENTROPIES...: 4.4,4.4,4.4,4.4,3.5,3.8,3.5,3.5,4.4,4.4,4.4,4.4,4.6,4.7,4.6,4.7,4.3,4.3,4.6,4.3,5.7,5.7,5.7,5.7,4.3,4.3,4.6,4.3,5.7,5.7,5.7,5.7] end: [.....1] [ip4][..tcp] [......10.1.1.10][52470] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port new: [.....6] [ip4][..tcp] [......10.1.1.10][52480] -> [.......10.2.2.2][.8554] detected: [.....6] [ip4][..tcp] [......10.1.1.10][52480] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....6] [ip4][..tcp] [......10.1.1.10][52480] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.024| 0.002| 0.006| 34.195| 0.000] - [PKTLEN......: 56.000| 198.000| 108.600| 58.600| 3438.900| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.024| 0.002| 0.006| 34.195| 2.400] + [PKTLEN......: 40.000| 182.000| 92.600| 58.600| 3438.900| 4.700] [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1] [IATS(ms)....: 0.0,0.0,0.1,0.4,0.0,0.0,0.1,0.6,0.0,0.0,0.1,10.3,0.0,0.0,11.4,0.0,0.8,0.0,0.1,20.3,0.0,0.0,0.1,23.8,0.0,0.0,0.1,3.5,0.0,0.0,0.1] - [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,62,56,172,62,62,181,181,181,181,198,198,198,198,62,56,62,62] + [PKTLENS.....: 52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,46,40,156,46,46,165,165,165,165,182,182,182,182,46,40,46,46] + [ENTROPIES...: 4.3,4.3,4.4,4.4,4.6,4.6,4.6,4.6,4.3,4.3,4.6,4.3,5.7,5.7,5.7,4.2,4.6,5.7,4.2,4.3,5.7,5.7,5.7,5.7,5.8,5.8,5.8,5.8,4.2,4.6,4.2,4.3] end: [.....2] [ip4][..tcp] [......10.1.1.10][52472] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port new: [.....7] [ip4][..tcp] [......10.1.1.10][52482] -> [.......10.2.2.2][.8554] detected: [.....7] [ip4][..tcp] [......10.1.1.10][52482] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port analyse: [.....7] [ip4][..tcp] [......10.1.1.10][52482] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.021| 0.002| 0.005| 26.978| 0.000] - [PKTLEN......: 56.000| 198.000| 108.600| 58.600| 3438.900| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.021| 0.002| 0.005| 26.978| 2.200] + [PKTLEN......: 40.000| 182.000| 92.600| 58.600| 3438.900| 4.700] [BINS(c->s)..: 8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1] [IATS(ms)....: 0.0,0.0,0.1,0.4,0.0,0.0,0.1,0.6,0.0,0.0,0.1,6.6,0.0,0.0,0.1,7.5,0.0,0.1,0.1,20.0,0.0,0.1,0.1,21.0,0.0,0.0,0.1,0.8,0.0,0.0,0.1] - [PKTLENS.....: 68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62] + [PKTLENS.....: 52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,156,46,40,46,46,165,165,165,165,182,182,182,182,46,40,46,46] + [ENTROPIES...: 4.3,4.3,4.3,4.3,4.4,4.5,4.4,4.5,4.3,4.3,4.5,4.3,5.7,5.7,5.7,5.7,4.2,4.5,4.2,4.3,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,4.3,4.6,4.3,4.3] end: [.....3] [ip4][..tcp] [......10.1.1.10][52474] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] RISK: Known Proto on Non Std Port end: [.....4] [ip4][..tcp] [......10.1.1.10][52476] -> [.......10.2.2.2][.8554] [RTSP][Media][Fun] diff --git a/test/results/flow-info/rx.pcap.out b/test/results/flow-info/rx.pcap.out index d92547a7d..2823af8e3 100644 --- a/test/results/flow-info/rx.pcap.out +++ b/test/results/flow-info/rx.pcap.out @@ -12,14 +12,15 @@ new: [.....5] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.124][.7000] detected: [.....5] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.124][.7000] [RX][RPC][Acceptable] analyse: [.....4] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.241][.7000] [RX][RPC][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.105| 0.029| 0.034| 1128.030| 0.000] - [PKTLEN......: 70.000| 782.000| 176.700| 165.900|27529.200| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.105| 0.029| 0.034| 1128.030| 4.000] + [PKTLEN......: 56.000| 768.000| 162.700| 165.900| 27529.200| 4.500] [BINS(c->s)..: 1,4,7,0,1,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,6,5,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,1] [IATS(ms)....: 77.5,77.6,57.0,57.2,38.2,1.3,39.5,65.7,0.3,65.9,103.2,105.3,2.1,9.0,9.1,3.0,1.8,4.8,61.4,65.2,3.8,0.1,6.8,6.7,0.1,3.7,3.7,4.9,8.0,3.0,2.8] - [PKTLENS.....: 74,108,107,74,510,107,118,70,107,78,107,94,86,435,74,510,107,198,107,174,782,107,94,198,107,110,214,107,94,86,435,74] + [PKTLENS.....: 60,94,93,60,496,93,104,56,93,64,93,80,72,421,60,496,93,184,93,160,768,93,80,184,93,96,200,93,80,72,421,60] + [ENTROPIES...: 4.1,3.4,3.5,4.0,4.3,3.5,3.9,4.1,3.5,3.9,3.6,5.3,3.8,7.1,4.1,4.3,3.5,6.5,3.6,6.4,7.7,3.6,5.2,6.5,3.6,5.6,6.7,3.6,5.2,3.9,7.1,4.1] idle: [.....1] [ip4][..udp] [131.114.219.168][41559] -> [192.167.206.124][.7002] [RX][RPC][Acceptable] idle: [.....5] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.124][.7000] [RX][RPC][Acceptable] idle: [.....4] [ip4][..udp] [131.114.219.168][.7001] -> [192.167.206.241][.7000] [RX][RPC][Acceptable] diff --git a/test/results/flow-info/s7comm.pcap.out b/test/results/flow-info/s7comm.pcap.out index 588cbf3f8..293476066 100644 --- a/test/results/flow-info/s7comm.pcap.out +++ b/test/results/flow-info/s7comm.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [...192.168.1.10][.4185] -> [...192.168.1.40][..102] [MIDSTREAM] detected: [.....1] [ip4][..tcp] [...192.168.1.10][.4185] -> [...192.168.1.40][..102] [s7comm][Network][Acceptable] analyse: [.....1] [ip4][..tcp] [...192.168.1.10][.4185] -> [...192.168.1.40][..102] [s7comm][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.009| 0.005| 0.003| 11.033| 0.000] - [PKTLEN......: 61.000| 275.000| 91.200| 40.300| 1625.500| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.009| 0.005| 0.003| 11.033| 4.500] + [PKTLEN......: 47.000| 261.000| 77.200| 40.300| 1625.500| 4.900] [BINS(c->s)..: 17,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,5,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0] [IATS(ms)....: 3.7,3.9,3.1,3.1,0.1,7.0,6.9,4.6,9.0,4.4,0.6,7.0,6.4,0.3,6.0,5.7,0.3,9.0,8.7,0.2,9.0,8.8,0.2,9.0,8.8,0.2,9.0,8.8,0.2,5.0,4.7] - [PKTLENS.....: 76,76,79,81,61,87,135,61,87,135,61,87,275,61,87,135,61,83,115,61,83,115,61,83,115,61,83,115,61,85,91,61] + [PKTLENS.....: 62,62,65,67,47,73,121,47,73,121,47,73,261,47,73,121,47,69,101,47,69,101,47,69,101,47,69,101,47,71,77,47] + [ENTROPIES...: 4.4,4.3,4.3,3.9,4.5,4.6,3.9,4.5,4.4,3.5,4.5,4.5,2.4,4.4,4.5,3.9,4.5,4.4,4.4,4.5,4.4,4.4,4.4,4.4,4.4,4.5,4.4,4.4,4.4,4.7,4.4,4.5] idle: [.....1] [ip4][..tcp] [...192.168.1.10][.4185] -> [...192.168.1.40][..102] [s7comm][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/safari.pcap.out b/test/results/flow-info/safari.pcap.out index 76335848d..9ad62237d 100644 --- a/test/results/flow-info/safari.pcap.out +++ b/test/results/flow-info/safari.pcap.out @@ -11,14 +11,15 @@ new: [.....5] [ip4][..tcp] [..192.168.1.178][55268] -> [...146.48.58.18][..443] new: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] analyse: [.....1] [ip4][..tcp] [..192.168.1.178][55262] -> [...146.48.58.18][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.579| 0.077| 0.167|27833.076| 0.000] - [PKTLEN......: 66.000| 1506.000| 569.500| 644.500|415419.900| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.579| 0.077| 0.167| 27833.076| 2.800] + [PKTLEN......: 52.000| 1492.000| 555.500| 644.500| 415419.900| 4.000] [BINS(c->s)..: 11,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,1,1,1,0] [IATS(ms)....: 28.3,28.4,0.6,28.7,7.0,0.1,0.0,35.1,0.0,52.7,82.0,0.0,29.3,0.9,28.1,550.6,1.2,579.0,0.2,0.3,0.1,0.1,0.1,0.1,0.1,0.1,428.1,455.0,4.4,1.2,32.6] - [PKTLENS.....: 78,74,66,301,66,1506,1506,641,66,66,159,66,117,66,425,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,445,66,1506,1506,66] + [PKTLENS.....: 64,60,52,287,52,1492,1492,627,52,52,145,52,103,52,411,52,1492,1492,52,1492,52,1492,52,1492,52,1492,52,431,52,1492,1492,52] + [ENTROPIES...: 4.4,5.3,5.0,5.6,5.0,7.1,7.3,7.6,5.0,4.9,6.1,5.0,5.9,5.0,7.4,5.0,7.9,7.9,4.9,7.9,4.8,7.9,5.0,7.9,4.9,7.9,5.0,7.4,5.1,7.9,7.9,5.1] detection-update: [.....1] [ip4][..tcp] [..192.168.1.178][55262] -> [...146.48.58.18][..443] [TLS][Web][Safe] detected: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS @@ -41,50 +42,55 @@ detection-update: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....4] [ip4][..tcp] [..192.168.1.178][55267] -> [...146.48.58.18][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.119| 0.018| 0.029| 823.374| 0.000] - [PKTLEN......: 66.000| 1506.000| 632.000| 660.500|436248.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.119| 0.018| 0.029| 823.374| 3.500] + [PKTLEN......: 52.000| 1492.000| 618.000| 660.500| 436248.100| 4.100] [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,0,0,1,1] [IATS(ms)....: 29.6,29.7,2.4,30.5,0.0,28.2,51.9,8.9,77.9,8.5,0.6,1.2,27.4,0.1,0.1,0.2,0.1,0.1,0.3,0.1,0.1,0.2,0.5,0.1,0.6,24.0,24.0,84.5,7.8,118.9,0.9] - [PKTLENS.....: 78,74,66,277,66,207,66,117,508,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1043,66,66,497,66,1506] + [PKTLENS.....: 64,60,52,263,52,193,52,103,494,52,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,1029,52,52,483,52,1492] + [ENTROPIES...: 4.4,5.2,4.9,5.8,5.0,6.4,4.9,5.5,7.5,5.0,4.8,7.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,4.9,7.9,7.9,5.0,7.9,7.9,4.9,7.8,5.0,4.8,7.5,5.1,7.9] analyse: [.....2] [ip4][..tcp] [..192.168.1.178][55265] -> [...146.48.58.18][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.140| 0.019| 0.033| 1086.908| 0.000] - [PKTLEN......: 66.000| 1506.000| 616.100| 656.600|431150.100| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.140| 0.019| 0.033| 1086.908| 3.400] + [PKTLEN......: 52.000| 1492.000| 602.100| 656.600| 431150.100| 4.100] [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1] [IATS(ms)....: 30.4,30.4,2.4,30.7,1.7,30.1,50.3,8.6,78.3,9.2,5.0,0.1,33.7,0.1,0.7,0.9,0.1,0.1,0.0,0.3,0.0,104.0,6.6,140.4,1.5,0.5,31.8,0.1,0.1,0.2,0.4] - [PKTLENS.....: 78,74,66,277,66,207,66,117,472,66,66,1506,1506,66,1506,1506,66,1506,1506,565,66,66,66,500,66,1506,1506,66,1506,1506,66,1506] + [PKTLENS.....: 64,60,52,263,52,193,52,103,458,52,52,1492,1492,52,1492,1492,52,1492,1492,551,52,52,52,486,52,1492,1492,52,1492,1492,52,1492] + [ENTROPIES...: 4.4,5.2,4.9,5.8,5.1,6.5,4.9,5.5,7.4,5.0,5.0,7.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,7.5,4.9,5.0,4.9,7.5,5.1,7.9,7.9,4.9,7.9,7.9,4.9,7.9] analyse: [.....3] [ip4][..tcp] [..192.168.1.178][55266] -> [...146.48.58.18][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.144| 0.020| 0.034| 1135.493| 0.000] - [PKTLEN......: 66.000| 1506.000| 624.000| 657.100|431734.900| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.144| 0.020| 0.034| 1135.493| 3.400] + [PKTLEN......: 52.000| 1492.000| 610.000| 657.100| 431734.900| 4.100] [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1] [IATS(ms)....: 31.3,31.4,1.4,32.4,1.0,32.0,49.5,8.2,77.5,8.4,0.6,1.2,30.1,0.1,0.0,0.1,0.1,0.1,106.8,7.1,144.0,5.8,0.1,35.9,0.1,0.1,0.2,0.1,0.1,0.2,0.1] - [PKTLENS.....: 78,74,66,277,66,207,66,117,503,66,66,1506,1506,66,1506,1506,66,791,66,66,497,66,1506,1506,66,1506,1506,66,1506,1506,66,1506] + [PKTLENS.....: 64,60,52,263,52,193,52,103,489,52,52,1492,1492,52,1492,1492,52,777,52,52,483,52,1492,1492,52,1492,1492,52,1492,1492,52,1492] + [ENTROPIES...: 4.3,5.2,4.9,5.8,5.0,6.4,4.8,5.4,7.5,5.0,5.0,7.9,7.9,4.9,7.9,7.9,5.0,7.8,4.9,4.8,7.4,5.1,7.9,7.9,4.8,7.9,7.9,4.9,7.9,7.9,4.9,7.9] analyse: [.....6] [ip4][..tcp] [..192.168.1.178][55269] -> [...146.48.58.18][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.147| 0.020| 0.034| 1161.612| 0.000] - [PKTLEN......: 66.000| 1506.000| 604.800| 660.800|436665.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.147| 0.020| 0.034| 1161.612| 3.300] + [PKTLEN......: 52.000| 1492.000| 590.800| 660.800| 436665.800| 4.100] [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0] [IATS(ms)....: 33.6,33.6,1.2,33.6,0.0,32.4,46.9,8.3,78.2,6.3,1.0,0.3,30.4,0.9,0.0,0.9,105.4,6.5,147.0,2.1,0.1,37.3,0.1,0.1,0.2,0.1,0.6,0.8,0.1,0.1,0.2] - [PKTLENS.....: 78,74,66,277,66,207,66,117,495,66,66,1506,1506,66,1506,181,66,66,500,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66] + [PKTLENS.....: 64,60,52,263,52,193,52,103,481,52,52,1492,1492,52,1492,167,52,52,486,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52] + [ENTROPIES...: 4.4,5.3,5.0,5.8,5.0,6.4,4.9,5.7,7.5,5.0,5.1,7.9,7.9,5.1,7.9,6.8,4.9,4.9,7.5,5.0,7.9,7.8,5.1,7.9,7.9,5.0,7.9,7.9,5.0,7.9,7.9,5.1] analyse: [.....5] [ip4][..tcp] [..192.168.1.178][55268] -> [...146.48.58.18][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.146| 0.022| 0.035| 1194.506| 0.000] - [PKTLEN......: 66.000| 1506.000| 533.000| 616.900|380607.300| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.146| 0.022| 0.035| 1194.506| 3.500] + [PKTLEN......: 52.000| 1492.000| 519.000| 616.900| 380607.300| 4.000] [BINS(c->s)..: 10,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,8,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0] [IATS(ms)....: 30.4,30.5,1.4,31.3,0.1,30.0,50.7,8.3,78.2,9.2,0.2,28.7,116.2,146.0,0.5,0.1,30.4,0.1,0.4,0.5,0.1,0.1,0.0,0.2,0.0,0.9,5.5,36.2,1.5,0.1,31.5] - [PKTLENS.....: 78,74,66,277,66,207,66,117,494,66,66,1413,66,497,66,1506,1506,66,1506,1506,66,1506,1506,425,66,66,66,503,66,1506,1506,66] + [PKTLENS.....: 64,60,52,263,52,193,52,103,480,52,52,1399,52,483,52,1492,1492,52,1492,1492,52,1492,1492,411,52,52,52,489,52,1492,1492,52] + [ENTROPIES...: 4.4,5.2,4.9,5.9,4.9,6.5,4.8,5.6,7.5,5.0,5.0,7.9,5.0,7.4,4.9,7.9,7.9,4.8,7.9,7.9,4.9,7.9,7.9,7.5,4.9,4.9,4.8,7.5,5.1,7.9,7.9,5.1] new: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] detected: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Web][Safe] detection-update: [.....7] [ip4][..tcp] [..192.168.1.178][55285] -> [...146.48.58.18][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/signal.pcap.out b/test/results/flow-info/signal.pcap.out index e03441b8d..123390a31 100644 --- a/test/results/flow-info/signal.pcap.out +++ b/test/results/flow-info/signal.pcap.out @@ -19,14 +19,15 @@ detected: [.....7] [ip4][..tcp] [...192.168.2.17][57021] -> [.34.225.240.173][..443] [TLS.Signal][Chat][Fun] detected: [.....6] [ip4][..tcp] [...192.168.2.17][57020] -> [.34.225.240.173][..443] [TLS.Signal][Chat][Fun] analyse: [.....4] [ip4][..tcp] [...192.168.2.17][57018] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.052| 0.012| 0.020| 399.390| 0.000] - [PKTLEN......: 66.000| 1506.000| 427.300| 522.500|272968.600| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.052| 0.012| 0.020| 399.390| 3.200] + [PKTLEN......: 52.000| 1492.000| 413.300| 522.500| 272968.600| 4.000] [BINS(c->s)..: 10,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,1,1,1,1] [IATS(ms)....: 44.2,46.0,0.1,45.6,0.8,0.2,0.3,0.2,47.8,0.0,0.1,46.0,44.7,7.8,1.7,0.1,0.4,0.1,52.3,0.0,1.1,0.0,42.6,0.1,0.7,0.5,0.1,0.9,0.1,0.4,0.0] - [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,1506,66,66,66,673,66,146,112,109,101,207,337,337,66,136,66,66,66,66,97,1112,1112,1506,427] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1268,1492,52,52,52,659,52,132,98,95,87,193,323,323,52,122,52,52,52,52,83,1098,1098,1492,413] + [ENTROPIES...: 4.5,5.3,5.1,4.4,5.2,7.8,7.9,7.8,7.9,5.1,5.1,5.0,7.6,5.2,6.3,5.8,5.9,5.8,6.9,7.3,7.4,5.1,6.4,5.1,5.1,5.0,5.0,5.6,7.8,7.8,7.9,7.5] detection-update: [.....3] [ip4][..tcp] [...192.168.2.17][49226] -> [.34.225.240.173][..443] [TLS.Signal][Chat][Fun] RISK: TLS (probably) Not Carrying HTTPS detection-update: [.....3] [ip4][..tcp] [...192.168.2.17][49226] -> [.34.225.240.173][..443] [TLS.Signal][Chat][Fun] @@ -59,14 +60,15 @@ detected: [....14] [ip4][..tcp] [...192.168.2.17][57024] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] detected: [....15] [ip4][..tcp] [...192.168.2.17][57025] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] analyse: [....11] [ip4][..tcp] [...192.168.2.17][57022] -> [....23.57.24.16][..443] [TLS.AppleiTunes][Streaming][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.101| 0.015| 0.025| 625.062| 0.000] - [PKTLEN......: 66.000| 1506.000| 445.700| 520.400|270842.400| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.101| 0.015| 0.025| 625.062| 3.300] + [PKTLEN......: 52.000| 1492.000| 431.700| 520.400| 270842.400| 4.100] [BINS(c->s)..: 9,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1] [IATS(ms)....: 34.9,37.7,0.1,37.4,0.8,0.2,0.3,0.2,37.0,0.2,34.8,100.7,83.3,17.6,1.1,2.5,0.1,0.4,0.1,36.0,0.0,31.6,0.5,2.4,0.0,0.5,2.2,1.1,0.2,0.2,0.0] - [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,1506,66,66,673,66,673,78,146,112,109,101,207,337,337,66,66,66,136,66,66,1112,1112,1506,427] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1268,1492,52,52,659,52,659,64,132,98,95,87,193,323,323,52,52,52,122,52,52,1098,1098,1492,413] + [ENTROPIES...: 4.5,5.2,5.1,4.4,5.2,7.9,7.9,7.8,7.9,5.1,5.1,7.7,5.1,7.7,5.0,6.4,6.0,5.9,5.8,6.8,7.3,7.3,5.2,5.1,5.2,6.3,5.1,5.1,7.8,7.8,7.9,7.5] detection-update: [....10] [ip4][..tcp] [...192.168.2.17][49227] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] RISK: TLS (probably) Not Carrying HTTPS detection-update: [....10] [ip4][..tcp] [...192.168.2.17][49227] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] @@ -82,14 +84,15 @@ detection-update: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] detection-update: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] analyse: [....17] [ip4][..tcp] [...192.168.2.17][57026] -> [....35.169.3.40][..443] [TLS.Signal][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.115| 0.033| 0.050| 2490.513| 0.000] - [PKTLEN......: 66.000| 1506.000| 533.200| 606.200|367455.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.115| 0.033| 0.050| 2490.513| 3.300] + [PKTLEN......: 52.000| 1492.000| 519.200| 606.200| 367455.800| 4.100] [BINS(c->s)..: 4,3,1,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0] [BINS(s->c)..: 7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,0,1,1,0,0,0,0,0,1,1] [IATS(ms)....: 108.9,110.6,0.1,110.4,2.1,0.0,112.4,5.0,114.9,0.0,109.6,1.9,0.0,0.0,0.1,0.8,0.1,0.2,0.1,111.4,0.2,108.4,1.8,0.6,1.7,0.2,0.2,0.3,0.1,109.4,1.5] - [PKTLENS.....: 78,74,66,583,66,1506,1104,66,192,117,135,66,119,116,108,312,1506,1506,1506,378,66,104,848,66,66,1506,1506,1506,1506,151,66,66] + [PKTLENS.....: 64,60,52,569,52,1492,1090,52,178,103,121,52,105,102,94,298,1492,1492,1492,364,52,90,834,52,52,1492,1492,1492,1492,137,52,52] + [ENTROPIES...: 4.4,5.2,5.1,4.6,5.2,7.1,7.7,5.0,6.5,5.8,6.4,5.1,5.7,5.6,5.6,7.1,7.9,7.9,7.9,7.4,5.2,5.9,7.7,5.1,5.1,7.9,7.9,7.9,7.9,6.1,5.2,5.0] new: [....18] [ip4][..tcp] [....23.57.24.16][..443] -> [...192.168.2.17][57016] [MIDSTREAM] detected: [....18] [ip4][..tcp] [....23.57.24.16][..443] -> [...192.168.2.17][57016] [TLS][Web][Safe] new: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] @@ -97,14 +100,15 @@ detection-update: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] [TLS.Signal][Chat][Fun] detection-update: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] [TLS.Signal][Chat][Fun] analyse: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.043| 0.012| 0.016| 257.340| 0.000] - [PKTLEN......: 66.000| 1506.000| 512.200| 608.000|369644.200| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.043| 0.012| 0.016| 257.340| 3.700] + [PKTLEN......: 52.000| 1492.000| 498.200| 608.000| 369644.200| 4.000] [BINS(c->s)..: 5,4,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0] [BINS(s->c)..: 7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,0,0,1] [IATS(ms)....: 32.9,39.8,0.1,40.0,2.7,0.0,39.4,7.8,43.4,0.4,0.0,34.7,0.1,7.5,0.5,0.0,0.1,0.4,5.9,0.1,0.4,42.2,0.0,0.5,26.8,7.6,10.7,0.1,0.3,0.3,26.1] - [PKTLENS.....: 78,74,66,583,66,1506,1009,66,192,66,117,135,66,66,119,116,108,257,104,1506,1506,1506,66,104,66,685,66,1506,1506,1506,1506,66] + [PKTLENS.....: 64,60,52,569,52,1492,995,52,178,52,103,121,52,52,105,102,94,243,90,1492,1492,1492,52,90,52,671,52,1492,1492,1492,1492,52] + [ENTROPIES...: 4.4,5.2,5.0,4.3,5.1,7.1,7.7,5.1,6.3,5.1,6.0,6.4,5.1,5.1,5.7,5.6,5.5,7.0,5.4,7.9,7.9,7.9,4.9,5.9,5.1,7.6,5.1,7.9,7.9,7.9,7.9,5.1] detection-update: [....19] [ip4][..tcp] [...192.168.2.17][57027] -> [...13.35.253.42][..443] [TLS.Signal][Chat][Fun] idle: [.....1] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable] end: [.....8] [ip4][..tcp] [...192.168.2.17][56996] -> [.17.248.146.144][..443] [TLS.Apple][Web][Safe] diff --git a/test/results/flow-info/simple-dnscrypt.pcap.out b/test/results/flow-info/simple-dnscrypt.pcap.out index 4040b7b84..366191b95 100644 --- a/test/results/flow-info/simple-dnscrypt.pcap.out +++ b/test/results/flow-info/simple-dnscrypt.pcap.out @@ -6,14 +6,15 @@ detection-update: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS][Web][Safe] detection-update: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] analyse: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.222| 0.043| 0.053| 2772.255| 0.000] - [PKTLEN......: 54.000| 1364.000| 397.400| 516.900|267229.700| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.222| 0.043| 0.053| 2772.255| 3.900] + [PKTLEN......: 40.000| 1350.000| 383.400| 516.900| 267229.700| 3.900] [BINS(c->s)..: 7,4,1,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,6,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1] [IATS(ms)....: 110.6,111.2,27.9,119.6,18.5,5.2,114.9,3.0,7.5,0.0,0.0,10.6,4.9,14.9,0.1,0.1,0.4,91.8,0.0,71.5,3.1,28.8,26.8,76.4,36.0,32.6,95.2,61.6,222.0,0.0] - [PKTLENS.....: 66,66,54,260,54,1364,1364,54,1364,1364,1364,360,54,180,107,110,96,272,312,123,54,92,54,92,54,54,54,415,54,119,1364,1324] + [PKTLENS.....: 52,52,40,246,40,1350,1350,40,1350,1350,1350,346,40,166,93,96,82,258,298,109,40,78,40,78,40,40,40,401,40,105,1350,1310] + [ENTROPIES...: 4.7,5.1,4.9,5.6,4.9,7.3,7.2,4.7,7.6,7.5,7.6,7.3,4.8,6.4,5.7,5.8,5.5,7.1,7.1,6.1,4.9,5.4,4.9,5.8,4.9,4.9,4.9,7.3,4.9,6.0,7.8,7.8] detection-update: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] new: [.....2] [ip4][..tcp] [.192.168.43.167][50253] -> [..134.119.26.24][..443] new: [.....3] [ip4][..tcp] [.192.168.43.167][50258] -> [..134.119.26.24][..443] @@ -28,14 +29,15 @@ detection-update: [.....3] [ip4][..tcp] [.192.168.43.167][50258] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] detection-update: [.....3] [ip4][..tcp] [.192.168.43.167][50258] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] analyse: [.....4] [ip4][..tcp] [.192.168.43.167][50259] -> [..134.119.26.24][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.106| 0.026| 0.036| 1310.829| 0.000] - [PKTLEN......: 54.000| 1364.000| 333.100| 456.800|208637.000| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.106| 0.026| 0.036| 1310.829| 3.600] + [PKTLEN......: 40.000| 1350.000| 319.100| 456.800| 208637.000| 3.900] [BINS(c->s)..: 7,4,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,0,1,1,1,0] [IATS(ms)....: 76.9,77.0,0.2,75.5,27.7,2.5,105.6,0.6,0.0,0.6,1.3,0.0,1.6,3.3,3.7,0.1,0.1,3.1,0.1,0.0,84.7,0.0,74.1,4.3,9.6,25.1,23.4,82.0,4.1,98.4] - [PKTLENS.....: 66,66,54,264,54,1364,1364,54,1364,1364,54,1364,360,54,180,107,110,96,334,133,132,312,123,54,54,92,54,92,54,416,415,54] + [PKTLENS.....: 52,52,40,250,40,1350,1350,40,1350,1350,40,1350,346,40,166,93,96,82,320,119,118,298,109,40,40,78,40,78,40,402,401,40] + [ENTROPIES...: 4.7,5.0,4.8,5.5,4.8,7.3,7.3,4.8,7.6,7.5,4.7,7.6,7.4,4.8,6.3,5.6,5.8,5.5,7.3,6.0,6.1,7.2,6.3,4.9,4.9,5.8,4.8,5.4,4.9,7.5,7.4,4.9] detection-update: [.....4] [ip4][..tcp] [.192.168.43.167][50259] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] idle: [.....1] [ip4][..tcp] [.192.168.43.167][50233] -> [..134.119.26.24][..443] [TLS.DNScrypt][Network][Safe] idle: [.....2] [ip4][..tcp] [.192.168.43.167][50253] -> [..134.119.26.24][..443] diff --git a/test/results/flow-info/sip.pcap.out b/test/results/flow-info/sip.pcap.out index 772d7c99d..e91efb687 100644 --- a/test/results/flow-info/sip.pcap.out +++ b/test/results/flow-info/sip.pcap.out @@ -19,14 +19,15 @@ update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][VoIP][Acceptable] update: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][VoIP][Acceptable] analyse: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.026| 279.042| 42.751| 57.874|3349363405.357| 0.000] - [PKTLEN......: 47.000| 867.000| 429.300| 273.000|74531.700| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.026| 279.042| 42.751| 57.874| 3349363405.357| 4.000] + [PKTLEN......: 33.000| 853.000| 415.300| 273.000| 74531.700| 4.600] [BINS(c->s)..: 9,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,0,0,0,0,4,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,2,1,0,0,0,1,6,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0] [IATS(ms)....: 136.8,17415.6,17425.0,49.8,89928.6,89874.9,17280.7,17290.4,150200.0,150188.2,17325.2,17335.8,73916.0,73902.7,17325.0,17333.2,25.9,17725.0,29031.8,29092.7,34118.2,34119.1,29272.4,29031.8,29031.6,29031.5,17105.0,497.7,1001.8,279041.8,227.1] - [PKTLENS.....: 509,528,722,348,388,509,528,722,533,509,528,722,533,509,528,722,348,512,47,47,47,47,47,47,47,47,47,867,867,867,635,382] + [PKTLENS.....: 495,514,708,334,374,495,514,708,519,495,514,708,519,495,514,708,334,498,33,33,33,33,33,33,33,33,33,853,853,853,621,368] + [ENTROPIES...: 5.7,5.7,5.7,5.7,5.7,5.7,5.8,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.6,4.1,4.1,4.1,4.1,4.1,4.1,4.0,4.1,4.1,5.7,5.7,5.7,5.8,5.7] update: [.....1] [ip4][..udp] [....192.168.1.2][.5060] -> [..212.242.33.35][.5060] [SIP][VoIP][Acceptable] update: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][VoIP][Acceptable] idle: [.....2] [ip4][..udp] [....192.168.1.2][.5060] -> [..200.68.120.81][.5060] [SIP][VoIP][Acceptable] diff --git a/test/results/flow-info/sites.pcapng.out b/test/results/flow-info/sites.pcapng.out index 00720c07a..9f8f04c91 100644 --- a/test/results/flow-info/sites.pcapng.out +++ b/test/results/flow-info/sites.pcapng.out @@ -23,14 +23,15 @@ detected: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Web][Safe] detection-update: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Web][Safe] analyse: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.053| 0.020| 0.024| 571.173| 0.000] - [PKTLEN......: 66.000| 1514.000| 613.800| 646.400|417856.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.053| 0.020| 0.024| 571.173| 2.800] + [PKTLEN......: 52.000| 1500.000| 599.800| 646.400| 417856.700| 4.100] [BINS(c->s)..: 10,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,1,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0] [IATS(ms)....: 46.8,50.1,2.2,52.9,0.2,52.2,1.5,0.6,2.4,52.4,0.8,3.1,0.2,0.2,47.9,0.2] - [PKTLENS.....: 74,74,66,583,66,1514,1514,1266,166,66,66,66,66,146,236,304,369,109,97,1514,1514,1514,1514,1514,1514,1514,1514,388,66,66,66,97] + [PKTLENS.....: 60,60,52,569,52,1500,1500,1252,152,52,52,52,52,132,222,290,355,95,83,1500,1500,1500,1500,1500,1500,1500,1500,374,52,52,52,83] + [ENTROPIES...: 4.7,5.2,5.0,5.4,5.1,7.8,7.9,7.8,6.5,5.0,5.0,5.1,5.1,6.3,6.9,7.1,7.4,6.0,5.7,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.4,5.1,5.0,5.1,5.6] detection-update: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Web][Safe] end: [.....3] [ip4][..tcp] [..192.168.1.227][50071] -> [...52.73.71.226][..443] DAEMON-EVENT: [Processed: 118 pkts][ZLib][compressions: 0|diff: 0 / 0] @@ -38,14 +39,15 @@ new: [.....5] [ip4][..tcp] [..192.168.1.250][39890] -> [...45.82.241.51][...80] detected: [.....5] [ip4][..tcp] [..192.168.1.250][39890] -> [...45.82.241.51][...80] [HTTP.Likee][SocialNetwork][Fun] analyse: [.....5] [ip4][..tcp] [..192.168.1.250][39890] -> [...45.82.241.51][...80] [HTTP.Likee][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.031| 0.138| 0.327|107215.077| 0.000] - [PKTLEN......: 60.000| 1514.000| 659.100| 701.200|491744.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.031| 0.138| 0.327| 107215.077| 1.600] + [PKTLEN......: 46.000| 1500.000| 645.100| 701.200| 491744.000| 4.000] [BINS(c->s)..: 15,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,12,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0] [IATS(ms)....: 27.9,29.1,9.5,39.2,3.0,0.2,59.9,0.3,0.3,974.3,1031.1,29.6,0.5,2.0,0.5,0.7] - [PKTLENS.....: 74,66,60,244,60,1514,1514,1514,1514,1514,1514,1396,60,60,60,60,60,60,60,244,1514,1514,1514,1514,60,60,1514,1514,60,60,60,60] + [PKTLENS.....: 60,52,46,230,46,1500,1500,1500,1500,1500,1500,1382,46,46,46,46,46,46,46,230,1500,1500,1500,1500,46,46,1500,1500,46,46,46,46] + [ENTROPIES...: 4.7,4.9,4.3,5.7,4.3,7.7,7.9,7.8,7.9,7.9,7.9,7.9,4.3,4.3,4.3,4.3,4.3,4.3,4.3,5.7,7.7,7.9,7.9,7.9,4.3,4.3,7.9,7.9,4.3,4.3,4.3,4.3] end: [.....4] [ip4][..tcp] [..192.168.1.128][50620] -> [.91.198.174.208][..443] [TLS.Wikipedia][Web][Safe] DAEMON-EVENT: [Processed: 230 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 5|skipped: 0|!detected: 0|guessed: 0|detection-updates: 6|updates: 0] diff --git a/test/results/flow-info/skinny.pcap.out b/test/results/flow-info/skinny.pcap.out index df08b2382..d1e9b2246 100644 --- a/test/results/flow-info/skinny.pcap.out +++ b/test/results/flow-info/skinny.pcap.out @@ -6,14 +6,15 @@ new: [.....2] [ip4][..tcp] [.192.168.193.12][.2000] -> [.192.168.195.50][51532] [MIDSTREAM] detected: [.....2] [ip4][..tcp] [.192.168.193.12][.2000] -> [.192.168.195.50][51532] [CiscoSkinny][VoIP][Acceptable] analyse: [.....1] [ip4][..tcp] [.192.168.195.58][49399] -> [.192.168.193.12][.2000] [CiscoSkinny][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.610| 0.245| 0.877|769437.794| 0.000] - [PKTLEN......: 60.000| 378.000| 114.200| 74.300| 5521.700| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.610| 0.245| 0.877| 769437.794| 1.500] + [PKTLEN......: 46.000| 364.000| 100.200| 74.300| 5521.700| 4.700] [BINS(c->s)..: 9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,2,0,0,5,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,1,0,1,1,1,1,0,1,0,1,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,0,1,0] [IATS(ms)....: 2.2,0.0,0.0,6.0,3.8,0.3,0.0,0.0,20.0,19.7,10.4,48.8,3559.6,0.0,0.1,3609.8,11.7,20.1,16.5,36.5,7.0,23.4,32.8,20.0,11.7,0.0,20.0,11.5,27.3,50.7,26.7] - [PKTLENS.....: 78,82,70,78,60,378,82,90,82,60,214,74,60,78,194,90,60,266,60,102,60,198,60,198,60,198,186,60,106,106,60,106] + [PKTLENS.....: 64,68,56,64,46,364,68,76,68,46,200,60,46,64,180,76,46,252,46,88,46,184,46,184,46,184,172,46,92,92,46,92] + [ENTROPIES...: 3.9,4.0,4.5,4.3,4.4,3.7,4.4,4.2,4.6,4.4,4.5,4.3,4.7,4.5,2.6,4.2,4.4,4.3,4.5,4.0,4.7,2.7,4.5,2.7,4.5,2.6,4.7,4.4,4.0,4.0,4.6,4.0] new: [.....3] [ip4][..udp] [.192.168.195.58][32150] -> [.192.168.193.24][.9395] detected: [.....3] [ip4][..udp] [.192.168.195.58][32150] -> [.192.168.193.24][.9395] [RTP][Media][Acceptable] new: [.....4] [ip4][..udp] [.192.168.195.58][32144] -> [.192.168.195.50][17718] @@ -25,61 +26,67 @@ new: [.....7] [ip4][..udp] [.192.168.195.50][17732] -> [.192.168.193.24][.9400] detected: [.....7] [ip4][..udp] [.192.168.195.50][17732] -> [.192.168.193.24][.9400] [RTP][Media][Acceptable] analyse: [.....4] [ip4][..udp] [.192.168.195.58][32144] -> [.192.168.195.50][17718] [RTP][Media][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.026| 0.010| 0.010| 104.356| 0.000] - [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.026| 0.010| 0.010| 104.356| 3.900] + [PKTLEN......: 200.000| 200.000| 200.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0] [IATS(ms)....: 0.0,19.9,0.0,25.6,0.0,20.0,0.0,19.9,0.0,19.9,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0,20.0,0.0] - [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] + [PKTLENS.....: 200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200] + [ENTROPIES...: 4.2,4.2,4.8,4.8,4.4,4.4,5.1,5.1,4.4,4.4,4.9,4.9,5.5,5.5,5.1,5.1,5.2,5.2,5.1,5.1,5.3,5.3,5.2,5.2,5.6,5.6,5.8,5.8,5.2,5.2,5.2,5.2] analyse: [.....3] [ip4][..udp] [.192.168.195.58][32150] -> [.192.168.193.24][.9395] [RTP][Media][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.020| 0.020| 0.020| 0.000| 0.001| 0.000] - [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.020| 0.020| 0.020| 0.000| 0.001| 5.000] + [PKTLEN......: 200.000| 200.000| 200.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 20.0,20.0,19.9,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.1,20.0,20.0,20.0,20.1,19.9,20.0,20.0,20.0,19.9,20.0,20.1,20.0,20.0,20.0] - [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] + [PKTLENS.....: 200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200] + [ENTROPIES...: 4.3,4.8,5.1,4.9,5.1,5.1,5.2,5.9,5.3,4.8,5.1,5.2,4.8,4.8,4.9,4.7,4.5,4.6,4.6,4.5,4.5,4.3,4.4,4.6,4.4,4.4,4.5,4.8,4.7,4.8,3.9,4.3] analyse: [.....5] [ip4][..udp] [.192.168.195.50][17726] -> [.192.168.193.24][.9399] [RTP][Media][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.020| 0.020| 0.020| 0.000| 0.001| 0.000] - [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.020| 0.020| 0.020| 0.000| 0.001| 5.000] + [PKTLEN......: 200.000| 200.000| 200.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 20.0,20.0,20.1,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0] - [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] + [PKTLENS.....: 200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200] + [ENTROPIES...: 4.4,4.4,5.6,5.2,5.4,5.6,5.3,5.1,4.8,4.5,4.8,4.4,4.1,3.9,3.8,3.3,3.4,3.4,3.6,4.3,4.6,4.8,4.8,4.6,4.4,6.2,4.9,6.3,6.5,6.2,6.5,6.5] analyse: [.....6] [ip4][..udp] [.192.168.195.58][32152] -> [.192.168.193.24][.9396] [RTP][Media][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.019| 0.021| 0.020| 0.000| 0.020| 0.000] - [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.019| 0.021| 0.020| 0.000| 0.020| 5.000] + [PKTLEN......: 200.000| 200.000| 200.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 19.8,20.0,20.1,19.9,20.0,20.0,20.0,20.0,20.0,20.0,20.0,19.9,20.0,20.0,20.0,20.0,20.0,20.0,20.5,19.5,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0] - [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] + [PKTLENS.....: 200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200] + [ENTROPIES...: 4.4,4.4,5.6,5.2,5.4,5.7,5.3,5.1,4.8,4.4,4.8,4.4,4.1,3.8,3.8,3.2,3.4,3.4,3.5,4.3,4.6,4.8,4.8,4.5,4.4,6.2,4.9,6.4,6.4,6.2,6.5,6.5] analyse: [.....7] [ip4][..udp] [.192.168.195.50][17732] -> [.192.168.193.24][.9400] [RTP][Media][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.020| 0.020| 0.020| 0.000| 0.001| 0.000] - [PKTLEN......: 214.000| 214.000| 214.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.020| 0.020| 0.020| 0.000| 0.001| 5.000] + [PKTLEN......: 200.000| 200.000| 200.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 20.0,20.0,20.1,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.0,20.1,20.0,20.0,20.0,20.1,19.9,20.0,19.9,20.0,19.9,20.0,20.1,20.0,20.0,20.0,20.0,20.0,20.0] - [PKTLENS.....: 214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214] + [PKTLENS.....: 200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200] + [ENTROPIES...: 4.9,5.0,5.1,5.2,5.8,5.2,4.8,5.0,5.2,4.8,4.8,4.9,4.7,4.5,4.6,4.6,4.5,4.5,4.3,4.4,4.6,4.4,4.4,4.5,4.8,4.7,4.7,3.9,4.3,5.2,5.6,5.5] new: [.....8] [ip4][..tcp] [.192.168.195.58][50917] -> [.....10.16.2.25][.2000] [MIDSTREAM] detected: [.....8] [ip4][..tcp] [.192.168.195.58][50917] -> [.....10.16.2.25][.2000] [CiscoSkinny][VoIP][Acceptable] analyse: [.....2] [ip4][..tcp] [.192.168.193.12][.2000] -> [.192.168.195.50][51532] [CiscoSkinny][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 7.046| 0.705| 1.877|3523893.789| 0.000] - [PKTLEN......: 60.000| 546.000| 110.900| 93.800| 8793.000| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 7.046| 0.705| 1.877| 3523893.789| 2.200] + [PKTLEN......: 46.000| 532.000| 96.900| 93.800| 8793.000| 4.600] [BINS(c->s)..: 10,2,0,0,4,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,0,1,1,1,0,0,0,0,1,0,1,0,0,1,0,1,1,0,1,1,1,0,1,0,0,0,0,1] [IATS(ms)....: 0.0,0.1,0.7,0.7,19.9,3583.0,19.3,3622.2,2.1,0.0,0.0,18.0,15.9,20.1,36.3,2.1,20.0,30.9,40.0,6.9,19.1,13.1,64.1,28.3,103.9,42.3,80.4,6999.6,0.0,5.8,7045.9] - [PKTLENS.....: 90,82,86,60,266,60,74,74,60,82,70,78,60,546,60,198,198,60,198,60,102,186,60,106,106,60,106,60,82,82,78,60] + [PKTLENS.....: 76,68,72,46,252,46,60,60,46,68,56,64,46,532,46,184,184,46,184,46,88,172,46,92,92,46,92,46,68,68,64,46] + [ENTROPIES...: 4.2,4.7,4.6,4.6,4.3,4.5,4.2,4.5,4.6,4.1,4.5,4.3,4.4,3.3,4.4,2.7,2.6,4.4,2.7,4.4,3.8,4.8,4.5,4.0,3.9,4.6,4.0,4.6,4.5,4.6,4.4,4.6] new: [.....9] [ip4][.icmp] [.192.168.195.50] -> [.192.168.195.58] detected: [.....9] [ip4][.icmp] [.192.168.195.50] -> [.192.168.195.58] [ICMP][Network][Acceptable] idle: [.....9] [ip4][.icmp] [.192.168.195.50] -> [.192.168.195.58] [ICMP][Network][Acceptable] diff --git a/test/results/flow-info/skype-conference-call.pcap.out b/test/results/flow-info/skype-conference-call.pcap.out index e435ba487..6038cbb81 100644 --- a/test/results/flow-info/skype-conference-call.pcap.out +++ b/test/results/flow-info/skype-conference-call.pcap.out @@ -5,14 +5,15 @@ detected: [.....1] [ip4][..udp] [...192.168.2.20][49282] -> [...104.46.40.49][60642] [STUN.Skype_TeamsCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....1] [ip4][..udp] [...192.168.2.20][49282] -> [...104.46.40.49][60642] [STUN.Skype_TeamsCall][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.100| 0.011| 0.022| 503.840| 0.000] - [PKTLEN......: 77.000| 957.000| 299.500| 317.000|100457.800| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.100| 0.011| 0.022| 503.840| 3.000] + [PKTLEN......: 63.000| 943.000| 285.500| 317.000| 100457.800| 4.300] [BINS(c->s)..: 0,1,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,2,12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 7.3,44.5,54.5,0.2,54.9,0.3,10.3,20.1,24.4,100.1,0.3,0.1,0.2,0.1,0.2,0.2,0.1,0.2,0.2,0.2,0.1,2.8,14.7,0.4,0.2,0.2,0.3,0.2,0.2,0.2,3.7] - [PKTLENS.....: 146,146,114,114,146,114,150,152,145,137,209,77,169,169,169,169,169,169,169,169,169,169,114,85,957,957,957,957,957,957,169,135] + [PKTLENS.....: 132,132,100,100,132,100,136,138,131,123,195,63,155,155,155,155,155,155,155,155,155,155,100,71,943,943,943,943,943,943,155,121] + [ENTROPIES...: 5.5,5.4,5.7,5.6,5.4,5.7,5.6,6.5,6.5,6.4,6.8,5.2,6.5,6.5,6.6,6.6,6.5,6.5,6.4,6.6,6.5,6.5,5.6,5.6,7.8,7.8,7.8,7.8,7.8,7.8,6.6,6.3] idle: [.....1] [ip4][..udp] [...192.168.2.20][49282] -> [...104.46.40.49][60642] [STUN.Skype_TeamsCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/skype.pcap.out b/test/results/flow-info/skype.pcap.out index b4057120d..7949b425c 100644 --- a/test/results/flow-info/skype.pcap.out +++ b/test/results/flow-info/skype.pcap.out @@ -45,14 +45,15 @@ detected: [....18] [ip4][..tcp] [...192.168.1.34][50029] -> [..23.206.33.166][..443] [TLS.Skype_Teams][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS analyse: [....15] [ip4][..tcp] [...192.168.1.34][50028] -> [.157.56.126.211][..443] [TLS.Skype_Teams][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.301| 0.083| 0.084| 7113.901| 0.000] - [PKTLEN......: 66.000| 1506.000| 371.800| 468.900|219872.600| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.301| 0.083| 0.084| 7113.901| 4.200] + [PKTLEN......: 52.000| 1492.000| 357.800| 468.900| 219872.600| 4.000] [BINS(c->s)..: 10,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,1,0,0,0,1,0,1,1,0] [IATS(ms)....: 75.2,75.2,28.8,111.2,0.2,82.6,77.2,0.2,77.4,12.7,300.9,288.2,83.4,83.5,0.3,86.7,86.3,3.1,96.5,93.4,0.3,253.9,0.0,253.6,0.0,0.4,87.2,86.8,115.8,0.0,115.7] - [PKTLENS.....: 78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,279,66,66,631,167,1383,1506,71,66] + [PKTLENS.....: 64,56,52,146,1492,72,52,1492,850,52,159,52,111,111,52,281,233,52,681,233,52,249,745,265,52,52,617,153,1369,1492,57,52] + [ENTROPIES...: 4.6,5.4,5.2,5.8,7.0,5.6,5.2,7.5,7.7,5.2,6.7,5.2,6.0,6.1,5.1,7.2,7.1,5.2,7.7,7.0,5.2,7.0,7.7,7.2,5.2,5.1,7.7,6.7,7.9,7.9,5.3,5.1] new: [....19] [ip4][..tcp] [...192.168.1.34][50030] -> [...65.55.223.33][..443] new: [....20] [ip4][..udp] [...192.168.1.34][60288] -> [....192.168.1.1][...53] detected: [....20] [ip4][..udp] [...192.168.1.34][60288] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable] @@ -448,14 +449,15 @@ new: [...225] [ip4][..tcp] [...192.168.1.34][50102] -> [...65.55.223.15][..443] new: [...226] [ip4][..tcp] [...192.168.1.34][50103] -> [....64.4.23.166][..443] analyse: [....22] [ip4][..udp] [..192.168.0.254][.1025] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.015| 19.851| 1.938| 5.863|34377878.733| 0.000] - [PKTLEN......: 327.000| 405.000| 372.000| 29.200| 851.500| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.015| 19.851| 1.938| 5.863| 34377878.733| 1.700] + [PKTLEN......: 313.000| 391.000| 358.000| 29.200| 851.500| 5.000] [BINS(c->s)..: 0,0,0,0,0,0,0,0,3,10,6,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 15.9,16.7,17.0,17.1,15.8,17.0,16.6,16.4,16.8,19850.7,15.7,18.8,14.7,83.2,16.8,19850.7,16.1,16.6,16.9,16.9,16.2,17.0,16.5,16.5,16.9,19850.6,16.3,16.4,16.7,16.7,16.5] - [PKTLENS.....: 333,351,405,397,327,369,401,347,399,393,333,351,405,397,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369] + [PKTLENS.....: 319,337,391,383,313,355,387,333,385,379,319,337,391,383,385,379,319,337,391,383,313,355,387,333,385,379,319,337,391,383,313,355] + [ENTROPIES...: 5.8,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.8,5.7,5.7,5.7,5.7,5.7,5.8,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.8,5.7,5.7,5.8,5.7,5.7] update: [....69] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.24][40001] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] update: [....76] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.21][40004] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] update: [....42] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.33][40011] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] @@ -521,14 +523,15 @@ detected: [...231] [ip4][.icmp] [....192.168.1.1] -> [...192.168.1.34] [ICMP][Network][Acceptable] new: [...232] [ip4][..tcp] [...192.168.1.34][50109] -> [.91.190.216.125][12350] analyse: [...227] [ip4][..tcp] [...192.168.1.34][50108] -> [...157.56.52.28][40009] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.965| 0.176| 0.204|41803.604| 0.000] - [PKTLEN......: 66.000| 1506.000| 178.600| 286.000|81813.500| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.965| 0.176| 0.204| 41803.604| 4.200] + [PKTLEN......: 52.000| 1492.000| 164.600| 286.000| 81813.500| 3.900] [BINS(c->s)..: 10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,1] [IATS(ms)....: 244.0,244.1,0.5,204.3,761.0,964.7,0.5,202.0,201.5,40.2,40.2,162.2,162.2,40.2,40.2,200.9,0.0,201.0,204.1,204.1,0.1,240.8,240.6,207.5,0.0,207.6,3.0,4.5,199.6,198.0,41.6] - [PKTLENS.....: 78,74,66,138,66,123,66,74,74,66,66,102,134,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,619,549,66] + [PKTLENS.....: 64,60,52,124,52,109,52,60,60,52,52,88,120,52,52,91,52,55,52,196,52,56,52,661,52,56,52,1492,106,605,535,52] + [ENTROPIES...: 4.7,5.2,5.1,6.4,5.1,6.1,5.1,5.5,5.4,5.2,5.1,6.1,6.4,5.1,5.2,6.0,5.1,5.1,5.2,6.8,5.1,5.3,5.1,7.7,5.1,5.2,5.1,7.9,6.3,7.7,7.6,5.0] not-detected: [...227] [ip4][..tcp] [...192.168.1.34][50108] -> [...157.56.52.28][40009] [Unknown][Unrated] new: [...233] [ip4][..tcp] [...192.168.1.34][50110] -> [.91.190.216.125][12350] new: [...234] [ip4][..udp] [...192.168.1.34][13021] -> [..176.26.55.167][63773] @@ -559,14 +562,15 @@ new: [...251] [ip4][..tcp] [...192.168.1.34][50121] -> [...81.83.77.141][17639] new: [...252] [ip4][..tcp] [...192.168.1.34][50122] -> [..81.133.19.185][44431] analyse: [...250] [ip4][..tcp] [...192.168.1.34][50119] -> [....86.31.35.30][59621] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.200| 0.063| 0.061| 3703.968| 0.000] - [PKTLEN......: 66.000| 1249.000| 173.800| 252.000|63524.500| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.200| 0.063| 0.061| 3703.968| 4.200] + [PKTLEN......: 52.000| 1235.000| 159.800| 252.000| 63524.500| 4.000] [BINS(c->s)..: 14,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,1,1,1,0,0,0,1,1,0,0] [IATS(ms)....: 83.4,83.5,0.1,64.1,64.0,0.4,68.5,68.1,2.9,71.2,68.2,199.8,199.7,154.2,154.1,2.6,133.8,131.2,0.2,0.1,0.1,64.3,8.4,55.5,127.9,0.2,0.2,70.5,0.0,70.1,0.2] - [PKTLENS.....: 78,74,66,126,113,66,83,80,66,820,80,66,66,70,1249,66,623,166,144,94,133,123,66,66,146,66,94,87,361,66,66,93] + [PKTLENS.....: 64,60,52,112,99,52,69,66,52,806,66,52,52,56,1235,52,609,152,130,80,119,109,52,52,132,52,80,73,347,52,52,79] + [ENTROPIES...: 4.7,5.3,5.2,6.3,6.2,5.2,5.5,5.4,5.1,7.7,5.5,5.1,5.1,5.3,7.9,5.1,7.6,6.6,6.4,5.7,6.4,6.3,5.2,5.2,6.4,5.2,5.9,5.7,7.3,5.2,5.1,5.7] not-detected: [...250] [ip4][..tcp] [...192.168.1.34][50119] -> [....86.31.35.30][59621] [Unknown][Unrated] new: [...253] [ip4][..tcp] [...192.168.1.34][50123] -> [...80.14.46.121][.4415] new: [...254] [ip4][..tcp] [...192.168.1.34][50124] -> [..81.133.19.185][44431] @@ -586,14 +590,15 @@ RISK: TLS (probably) Not Carrying HTTPS new: [...261] [ip4][..tcp] [...192.168.1.34][50129] -> [.91.190.218.125][12350] analyse: [...260] [ip4][..tcp] [...192.168.1.34][50128] -> [..17.172.100.36][..443] [TLS.AppleiCloud][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.605| 0.068| 0.136|18472.737| 0.000] - [PKTLEN......: 54.000| 1494.000| 248.900| 350.900|123149.100| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.605| 0.068| 0.136| 18472.737| 3.000] + [PKTLEN......: 40.000| 1480.000| 234.900| 350.900| 123149.100| 3.900] [BINS(c->s)..: 9,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,3,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1] [IATS(ms)....: 148.7,148.8,0.8,151.6,0.0,0.0,150.8,0.0,0.2,0.0,31.5,0.1,153.3,0.7,32.6,5.2,16.8,0.0,176.7,0.1,2.1,1.5,0.0,3.5,0.0,449.5,0.1,604.7,5.5,16.5,0.0] - [PKTLENS.....: 78,60,54,287,60,146,91,54,54,60,91,680,620,60,60,60,60,387,90,54,54,1494,1221,80,54,54,673,632,60,60,387,90] + [PKTLENS.....: 64,46,40,273,46,132,77,40,40,46,77,666,606,46,46,46,46,373,76,40,40,1480,1207,66,40,40,659,618,46,46,373,76] + [ENTROPIES...: 4.6,5.0,4.8,6.0,4.6,6.1,5.8,4.8,4.8,4.8,5.7,7.7,7.7,4.6,4.6,4.7,4.5,7.4,5.7,4.7,4.8,7.9,7.8,5.5,4.8,4.8,7.7,7.6,4.6,4.6,7.4,5.8] update: [...108] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.26][40026] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] update: [...111] [ip4][..udp] [...192.168.1.34][13021] -> [...157.56.52.47][40029] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] update: [...104] [ip4][..udp] [...192.168.1.34][13021] -> [....64.4.23.146][33033] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] @@ -635,14 +640,15 @@ new: [...263] [ip4][..udp] [...192.168.1.34][56387] -> [....192.168.1.1][...53] detected: [...263] [ip4][..udp] [...192.168.1.34][56387] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable] analyse: [...251] [ip4][..tcp] [...192.168.1.34][50121] -> [...81.83.77.141][17639] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.782| 0.325| 0.510|259840.393| 0.000] - [PKTLEN......: 66.000| 1190.000| 157.300| 243.100|59118.200| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.782| 0.325| 0.510| 259840.393| 3.600] + [PKTLEN......: 52.000| 1176.000| 143.300| 243.100| 59118.200| 3.900] [BINS(c->s)..: 14,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,1,0] [IATS(ms)....: 60.8,60.9,0.1,60.1,60.0,0.4,72.4,72.0,2.9,63.2,60.3,262.3,262.3,157.4,157.5,3.6,187.8,184.1,1.9,62.9,110.0,171.0,0.2,63.7,63.5,1468.1,1782.0,746.1,1060.0,1410.3,1410.3] - [PKTLENS.....: 78,74,66,111,127,66,82,80,66,819,80,66,66,70,1190,66,623,111,102,86,66,109,66,95,94,66,103,66,104,66,105,66] + [PKTLENS.....: 64,60,52,97,113,52,68,66,52,805,66,52,52,56,1176,52,609,97,88,72,52,95,52,81,80,52,89,52,90,52,91,52] + [ENTROPIES...: 4.7,5.3,5.2,6.0,6.4,5.2,5.6,5.5,5.2,7.8,5.6,5.2,5.2,5.3,7.8,5.2,7.6,6.1,5.9,5.6,5.2,5.9,5.2,5.7,5.8,5.2,5.9,5.2,6.0,5.1,6.0,5.2] not-detected: [...251] [ip4][..tcp] [...192.168.1.34][50121] -> [...81.83.77.141][17639] [Unknown][Unrated] new: [...264] [ip4][..udp] [...192.168.1.34][52714] -> [....192.168.1.1][...53] detected: [...264] [ip4][..udp] [...192.168.1.34][52714] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable] @@ -729,14 +735,15 @@ update: [....11] [ip4][..udp] [...192.168.1.34][65045] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable] update: [...206] [ip4][..udp] [...192.168.1.34][13021] -> [213.199.179.145][40027] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] analyse: [...248] [ip4][..tcp] [...192.168.1.34][50117] -> [...71.238.7.203][18767] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 25.524| 1.927| 6.197|38401982.071| 0.000] - [PKTLEN......: 66.000| 1090.000| 156.500| 232.300|53983.100| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 25.524| 1.927| 6.197| 38401982.071| 2.000] + [PKTLEN......: 52.000| 1076.000| 142.500| 232.300| 53983.100| 4.000] [BINS(c->s)..: 14,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,1,0] [IATS(ms)....: 228.1,228.2,0.1,219.6,219.5,0.4,214.5,214.2,209.7,209.7,0.1,381.8,2061.0,2011.7,148.2,480.5,212.1,212.2,3.6,275.2,271.5,0.2,220.2,0.0,220.1,0.1,216.1,216.0,136.2,25387.6,25523.8] - [PKTLENS.....: 78,78,66,123,101,66,83,80,66,80,66,70,66,843,66,1090,66,156,66,623,108,134,93,66,112,66,95,122,66,66,81,66] + [PKTLENS.....: 64,64,52,109,87,52,69,66,52,66,52,56,52,829,52,1076,52,142,52,609,94,120,79,52,98,52,81,108,52,52,67,52] + [ENTROPIES...: 4.6,4.7,4.9,6.2,5.9,5.3,5.7,5.6,5.3,5.7,5.3,5.3,5.2,7.8,5.1,7.8,5.2,6.5,5.1,7.7,5.9,6.4,5.9,5.2,6.1,5.2,5.9,6.1,5.3,5.3,5.8,5.3] not-detected: [...248] [ip4][..tcp] [...192.168.1.34][50117] -> [...71.238.7.203][18767] [Unknown][Unrated] new: [...274] [ip4][..udp] [...192.168.1.34][56886] -> [239.255.255.250][.1900] detected: [...274] [ip4][..udp] [...192.168.1.34][56886] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] @@ -984,14 +991,15 @@ update: [....25] [ip4][..udp] [...192.168.1.34][13021] -> [.157.55.130.155][40020] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] update: [....32] [ip4][..udp] [...192.168.1.34][13021] -> [.157.55.235.176][40022] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] analyse: [...283] [ip4][..tcp] [...192.168.1.34][50138] -> [...71.238.7.203][18767] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 30.126| 1.349| 5.301|28102044.418| 0.000] - [PKTLEN......: 66.000| 1090.000| 155.400| 232.500|54056.900| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 30.126| 1.349| 5.301| 28102044.418| 1.900] + [PKTLEN......: 52.000| 1076.000| 141.400| 232.500| 54056.900| 4.000] [BINS(c->s)..: 15,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,0,1,1,0,1,0,0] [IATS(ms)....: 214.7,214.8,0.1,223.5,223.4,0.4,217.5,217.2,213.6,213.7,0.1,315.3,2988.5,3022.2,145.3,494.2,215.9,215.9,3.6,275.6,272.1,0.2,291.4,291.1,0.2,75.0,137.0,211.9,164.3,30125.6,821.1] - [PKTLENS.....: 78,78,66,106,101,66,83,80,66,80,66,70,66,842,66,1090,66,156,66,622,101,146,95,111,66,95,66,114,66,66,66,66] + [PKTLENS.....: 64,64,52,92,87,52,69,66,52,66,52,56,52,828,52,1076,52,142,52,608,87,132,81,97,52,81,52,100,52,52,52,52] + [ENTROPIES...: 4.7,4.7,4.9,6.0,6.0,5.3,5.7,5.7,5.3,5.7,5.3,5.3,5.3,7.7,5.4,7.8,5.1,6.6,5.2,7.6,6.1,6.5,5.9,6.2,5.2,5.8,5.2,6.2,5.2,5.3,5.2,5.3] not-detected: [...283] [ip4][..tcp] [...192.168.1.34][50138] -> [...71.238.7.203][18767] [Unknown][Unrated] not-detected: [...221] [ip4][..tcp] [...192.168.1.34][50098] -> [...65.55.223.15][40026] [Unknown][Unrated] end: [...221] [ip4][..tcp] [...192.168.1.34][50098] -> [...65.55.223.15][40026] diff --git a/test/results/flow-info/skype_no_unknown.pcap.out b/test/results/flow-info/skype_no_unknown.pcap.out index 02fbc6224..a057e2974 100644 --- a/test/results/flow-info/skype_no_unknown.pcap.out +++ b/test/results/flow-info/skype_no_unknown.pcap.out @@ -46,14 +46,15 @@ detected: [....19] [ip4][..tcp] [.17.143.160.149][.5223] -> [...192.168.1.34][50407] [TLS.Apple][Web][Safe] RISK: Known Proto on Non Std Port analyse: [....13] [ip4][..tcp] [...192.168.1.34][51230] -> [.157.56.126.211][..443] [TLS.Skype_Teams][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.302| 0.085| 0.091| 8331.101| 0.000] - [PKTLEN......: 66.000| 1506.000| 371.800| 468.900|219872.600| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.302| 0.085| 0.091| 8331.101| 4.100] + [PKTLEN......: 52.000| 1492.000| 357.800| 468.900| 219872.600| 4.000] [BINS(c->s)..: 9,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,1] [IATS(ms)....: 75.6,75.7,27.5,108.8,0.2,81.5,75.6,0.8,76.4,15.4,302.2,286.8,74.7,74.7,0.5,91.1,90.5,1.7,83.6,81.9,0.3,247.1,246.9,0.3,0.2,0.3,92.3,92.0,289.8,38.7,0.0] - [PKTLENS.....: 78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,66,279,66,631,167,1383,66,1506,71] + [PKTLENS.....: 64,56,52,146,1492,72,52,1492,850,52,159,52,111,111,52,281,233,52,681,233,52,249,745,52,265,52,617,153,1369,52,1492,57] + [ENTROPIES...: 4.6,5.2,5.2,5.7,7.0,5.6,5.1,7.5,7.7,5.1,6.7,5.2,6.0,6.1,5.1,7.3,7.0,5.1,7.7,7.0,5.1,7.2,7.7,5.2,7.2,5.2,7.7,6.6,7.9,5.2,7.9,5.3] new: [....20] [ip4][..udp] [...192.168.1.34][50055] -> [....192.168.1.1][...53] detected: [....20] [ip4][..udp] [...192.168.1.34][50055] -> [....192.168.1.1][...53] [DNS.Skype_Teams][VoIP][Acceptable] new: [....21] [ip4][..udp] [...192.168.1.34][51753] -> [....192.168.1.1][...53] @@ -62,14 +63,15 @@ new: [....23] [ip4][..tcp] [...192.168.1.34][51227] -> [..17.172.100.36][..443] [MIDSTREAM] detected: [....23] [ip4][..tcp] [...192.168.1.34][51227] -> [..17.172.100.36][..443] [TLS.Apple][Web][Safe] analyse: [....23] [ip4][..tcp] [...192.168.1.34][51227] -> [..17.172.100.36][..443] [TLS.Apple][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.077| 0.169| 0.340|115831.161| 0.000] - [PKTLEN......: 54.000| 680.000| 238.900| 252.700|63877.700| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.077| 0.169| 0.340| 115831.161| 2.700] + [PKTLEN......: 40.000| 666.000| 224.900| 252.700| 63877.700| 4.200] [BINS(c->s)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,3,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,0,1,0] [IATS(ms)....: 0.1,141.8,4.6,11.8,0.0,158.2,1.4,0.0,1.4,933.1,0.1,1077.4,3.9,16.1,0.0,164.2,1.9,0.0,1.8,866.4,0.1,1010.6,5.0,11.8,160.8,0.2,0.1] - [PKTLENS.....: 680,622,60,60,387,90,54,54,656,80,54,54,673,630,60,60,387,90,54,54,661,80,54,54,677,556,60,60,387,54,90,54] + [PKTLENS.....: 666,608,46,46,373,76,40,40,642,66,40,40,659,616,46,46,373,76,40,40,647,66,40,40,663,542,46,46,373,40,76,40] + [ENTROPIES...: 7.7,7.7,4.7,4.5,7.4,5.7,4.8,4.9,7.6,5.6,4.8,4.8,7.7,7.7,4.6,4.6,7.5,5.7,4.8,4.8,7.7,5.6,4.8,4.9,7.7,7.6,4.6,4.5,7.4,4.8,5.8,4.8] new: [....24] [ip4][..udp] [...192.168.1.34][..137] -> [..192.168.1.255][..137] detected: [....24] [ip4][..udp] [...192.168.1.34][..137] -> [..192.168.1.255][..137] [NetBIOS][System][Acceptable] new: [....25] [ip4][..udp] [....192.168.1.1][..137] -> [...192.168.1.34][..137] @@ -464,14 +466,15 @@ new: [...227] [ip4][..tcp] [...192.168.1.34][51284] -> [.91.190.218.125][12350] new: [...228] [ip4][..tcp] [...192.168.1.34][51285] -> [.91.190.218.125][12350] analyse: [...210] [ip4][..tcp] [...192.168.1.34][51279] -> [..111.221.74.48][40008] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.297| 0.245| 0.278|77244.252| 0.000] - [PKTLEN......: 66.000| 1506.000| 180.600| 288.600|83264.900| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.297| 0.245| 0.278| 77244.252| 4.100] + [PKTLEN......: 52.000| 1492.000| 166.600| 288.600| 83264.900| 3.900] [BINS(c->s)..: 11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0] [IATS(ms)....: 1006.2,1296.9,290.8,0.6,292.8,2.2,294.3,0.5,293.3,292.8,39.6,39.6,253.3,253.3,40.1,40.1,350.4,0.0,350.4,293.9,293.9,0.1,334.3,334.2,300.0,0.0,300.0,2.1,4.2,292.4,290.3] - [PKTLENS.....: 78,78,74,66,116,66,169,66,74,74,66,66,112,95,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,617,609] + [PKTLENS.....: 64,64,60,52,102,52,155,52,60,60,52,52,98,81,52,52,91,52,55,52,196,52,56,52,661,52,56,52,1492,106,603,595] + [ENTROPIES...: 4.6,4.7,5.4,5.2,6.1,5.3,6.7,5.2,5.4,5.4,5.2,5.2,6.3,6.0,5.2,5.1,6.2,5.3,5.2,5.3,6.9,5.2,5.3,5.2,7.7,5.2,5.3,5.2,7.9,6.2,7.7,7.6] not-detected: [...210] [ip4][..tcp] [...192.168.1.34][51279] -> [..111.221.74.48][40008] [Unknown][Unrated] new: [...229] [ip4][..tcp] [...192.168.1.34][51286] -> [.91.190.218.125][..443] new: [...230] [ip4][..udp] [...192.168.1.34][13021] -> [.174.49.171.224][32011] @@ -531,14 +534,15 @@ new: [...251] [ip4][..tcp] [...192.168.1.34][51302] -> [.91.190.216.125][..443] new: [...252] [ip4][..tcp] [...192.168.1.34][51303] -> [...80.121.84.93][62381] analyse: [...242] [ip4][..tcp] [...192.168.1.34][51294] -> [...81.83.77.141][17639] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.004| 0.281| 0.501|251090.993| 0.000] - [PKTLEN......: 66.000| 1190.000| 157.200| 243.000|59065.600| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.004| 0.281| 0.501| 251090.993| 3.500] + [PKTLEN......: 52.000| 1176.000| 143.200| 243.000| 59065.600| 3.900] [BINS(c->s)..: 13,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1] [IATS(ms)....: 69.8,69.9,0.1,64.1,63.9,0.4,65.4,65.0,2.0,66.7,64.9,268.0,267.9,126.5,126.5,3.7,173.4,169.7,0.2,68.9,95.7,164.4,0.2,67.0,66.9,198.4,1936.2,2004.1,795.9,1062.3,592.6] - [PKTLENS.....: 78,74,66,131,94,66,82,80,66,818,80,66,66,70,1190,66,622,109,110,92,66,109,66,93,87,66,66,104,66,105,66,111] + [PKTLENS.....: 64,60,52,117,80,52,68,66,52,804,66,52,52,56,1176,52,608,95,96,78,52,95,52,79,73,52,52,90,52,91,52,97] + [ENTROPIES...: 4.6,5.3,5.2,6.3,5.7,5.2,5.6,5.6,5.2,7.7,5.6,5.2,5.2,5.3,7.8,5.2,7.7,6.1,6.2,5.7,5.1,6.0,5.1,5.9,5.7,5.2,5.2,6.0,5.2,6.0,5.2,6.1] not-detected: [...242] [ip4][..tcp] [...192.168.1.34][51294] -> [...81.83.77.141][17639] [Unknown][Unrated] new: [...253] [ip4][..tcp] [...192.168.1.34][51305] -> [...149.13.32.15][13392] new: [...254] [ip4][..tcp] [...192.168.1.34][51306] -> [...80.121.84.93][62381] @@ -619,14 +623,15 @@ new: [...266] [ip4][..udp] [...192.168.1.34][13021] -> [..133.236.67.25][49195] detected: [...266] [ip4][..udp] [...192.168.1.34][13021] -> [..133.236.67.25][49195] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] analyse: [....49] [ip4][..udp] [..192.168.0.254][.1025] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 19.857| 1.935| 5.865|34398418.239| 0.000] - [PKTLEN......: 327.000| 405.000| 370.700| 29.100| 844.300| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 19.857| 1.935| 5.865| 34398418.239| 1.700] + [PKTLEN......: 313.000| 391.000| 356.700| 29.100| 844.300| 5.000] [BINS(c->s)..: 0,0,0,0,0,0,0,0,4,9,7,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 0.6,0.6,0.5,0.5,0.5,99.7,0.6,0.6,0.6,19856.6,16.2,17.0,16.6,16.5,16.7,19850.6,16.2,16.5,16.7,16.7,16.6,17.0,16.6,16.7,16.6,19850.6,16.0,16.7,16.8,16.7,16.6] - [PKTLENS.....: 333,351,405,397,327,369,401,347,399,393,327,369,401,347,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369] + [PKTLENS.....: 319,337,391,383,313,355,387,333,385,379,313,355,387,333,385,379,319,337,391,383,313,355,387,333,385,379,319,337,391,383,313,355] + [ENTROPIES...: 5.8,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.8,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.7,5.8,5.7,5.7,5.7,5.7,5.7] new: [...267] [ip4][..tcp] [...192.168.1.34][51319] -> [...212.161.8.36][13392] idle: [...233] [ip4][..udp] [...192.168.1.34][13021] -> [189.188.134.174][22436] [Skype_Teams.Skype_TeamsCall][VoIP][Acceptable] guessed: [....75] [ip4][..tcp] [...192.168.1.34][51240] -> [..111.221.74.45][..443] [TLS][Web][Safe] diff --git a/test/results/flow-info/smb_deletefile.pcap.out b/test/results/flow-info/smb_deletefile.pcap.out index ba7c7efd1..01666965f 100644 --- a/test/results/flow-info/smb_deletefile.pcap.out +++ b/test/results/flow-info/smb_deletefile.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [..192.168.1.118][56848] -> [..192.168.1.187][..445] [MIDSTREAM] detected: [.....1] [ip4][..tcp] [..192.168.1.118][56848] -> [..192.168.1.187][..445] [NetBIOS.SMBv23][System][Acceptable] analyse: [.....1] [ip4][..tcp] [..192.168.1.118][56848] -> [..192.168.1.187][..445] [NetBIOS.SMBv23][System][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.158| 0.143| 0.529|280112.169| 0.000] - [PKTLEN......: 54.000| 554.000| 266.600| 190.900|36432.900| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.158| 0.143| 0.529| 280112.169| 1.200] + [PKTLEN......: 40.000| 540.000| 252.600| 190.900| 36432.900| 4.500] [BINS(c->s)..: 10,0,0,2,0,0,0,1,0,0,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,1,2,0,0,0,0,0,1,0,1,1,0,1,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1] [IATS(ms)....: 1.2,1.2,2157.3,2158.4,1.2,0.1,1.3,1.2,7.5,9.4,1.9,0.1,0.1,0.1,0.0,0.5,0.2,0.6,5.6,5.6,4.7,5.9,1.1,0.1,1.2,1.1,0.1,1.0,0.9,26.0,26.9] - [PKTLENS.....: 434,554,54,378,522,54,394,538,54,466,180,54,554,54,158,154,60,158,54,130,54,394,538,54,434,410,54,298,370,54,402,466] + [PKTLENS.....: 420,540,40,364,508,40,380,524,40,452,166,40,540,40,144,140,46,144,40,116,40,380,524,40,420,396,40,284,356,40,388,452] + [ENTROPIES...: 3.1,3.4,4.5,2.7,3.0,4.5,2.9,3.2,4.5,3.0,3.5,4.5,2.9,4.5,3.5,3.2,4.4,3.7,4.5,3.4,4.5,2.9,3.2,4.5,3.1,2.8,4.5,2.8,3.0,4.5,2.6,3.0] idle: [.....1] [ip4][..tcp] [..192.168.1.118][56848] -> [..192.168.1.187][..445] [NetBIOS.SMBv23][System][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/smtp-starttls.pcap.out b/test/results/flow-info/smtp-starttls.pcap.out index 545966bd0..2c1fefa27 100644 --- a/test/results/flow-info/smtp-starttls.pcap.out +++ b/test/results/flow-info/smtp-starttls.pcap.out @@ -11,14 +11,15 @@ detection-update: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Email][Acceptable] RISK: Obsolete TLS (v1.1 or older) analyse: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Email][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.157| 0.030| 0.035| 1204.841| 0.000] - [PKTLEN......: 66.000| 1484.000| 254.300| 368.100|135468.500| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.157| 0.030| 0.035| 1204.841| 4.200] + [PKTLEN......: 52.000| 1470.000| 240.300| 368.100| 135468.500| 4.000] [BINS(c->s)..: 9,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,3,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,0,1] [IATS(ms)....: 11.2,11.2,11.9,11.8,0.1,11.2,39.2,67.1,28.2,11.5,12.2,0.3,12.3,0.0,24.8,37.9,13.5,11.9,11.6,11.6,11.8,51.4,103.7,157.0,13.6,11.5,11.1,16.4,67.3,42.9,94.1] - [PKTLENS.....: 74,74,66,117,66,94,66,220,76,96,178,1484,1484,66,919,380,276,119,231,127,131,127,66,172,752,66,94,66,142,66,97,147] + [PKTLENS.....: 60,60,52,103,52,80,52,206,62,82,164,1470,1470,52,905,366,262,105,217,113,117,113,52,158,738,52,80,52,128,52,83,133] + [ENTROPIES...: 4.5,5.2,4.9,5.7,4.9,4.9,5.0,5.8,5.1,5.4,5.2,6.6,7.4,4.9,7.2,7.3,6.9,6.0,6.9,6.1,6.2,6.2,4.9,6.5,7.7,4.9,5.6,4.9,6.3,4.8,5.6,6.3] DAEMON-EVENT: [Processed: 36 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 4|updates: 0] new: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] @@ -28,14 +29,15 @@ detection-update: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Email][Safe] RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS analyse: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Email][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.203| 0.019| 0.049| 2372.381| 0.000] - [PKTLEN......: 78.000| 1218.000| 198.500| 257.100|66086.800| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.203| 0.019| 0.049| 2372.381| 2.800] + [PKTLEN......: 60.000| 1200.000| 180.500| 257.100| 66086.800| 4.200] [BINS(c->s)..: 7,4,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,4,2,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0] [IATS(ms)....: 0.7,1.0,19.0,29.5,11.1,0.1,1.2,1.0,1.0,6.1,12.8,0.6,8.6,202.0,202.9,1.0,7.3,6.8,7.3,7.3,1.2,2.1,3.0,0.4,21.0,21.8,1.0,6.8,0.0,6.8,0.7] - [PKTLENS.....: 90,90,78,136,128,78,230,88,108,260,1218,204,157,336,245,78,167,121,141,121,113,144,78,1112,78,143,113,122,109,78,109,78] + [PKTLENS.....: 72,72,60,118,110,60,212,70,90,242,1200,186,139,318,227,60,149,103,123,103,95,126,60,1094,60,125,95,104,91,60,91,60] + [ENTROPIES...: 4.3,5.0,4.6,5.6,5.4,4.8,5.6,4.9,5.2,5.4,7.6,6.2,5.9,7.2,6.9,4.7,6.1,5.7,5.6,5.7,5.2,6.1,4.8,7.8,4.8,6.1,5.1,5.8,5.0,4.6,5.5,4.4] end: [.....2] [ip6][..tcp] [...2003:de:2016:125:fc36:8317:4e86:cb72][.7562] -> [...............2003:de:2016:120::a08:53][...25] [SMTPS][Email][Safe] RISK: Self-signed Cert, TLS (probably) Not Carrying HTTPS end: [.....1] [ip4][..tcp] [.......10.0.0.1][57406] -> [..173.194.68.26][...25] [SMTPS.Google][Email][Acceptable] diff --git a/test/results/flow-info/smtp.pcap.out b/test/results/flow-info/smtp.pcap.out index 05b638bd4..1f2f6a83f 100644 --- a/test/results/flow-info/smtp.pcap.out +++ b/test/results/flow-info/smtp.pcap.out @@ -4,13 +4,14 @@ new: [.....1] [ip4][..tcp] [..194.7.248.153][.2127] -> [.172.16.114.207][...25] detected: [.....1] [ip4][..tcp] [..194.7.248.153][.2127] -> [.172.16.114.207][...25] [SMTP][Email][Acceptable] analyse: [.....1] [ip4][..tcp] [..194.7.248.153][.2127] -> [.172.16.114.207][...25] [SMTP][Email][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.055| 0.006| 0.012| 143.094| 0.000] - [PKTLEN......: 60.000| 138.000| 87.600| 15.200| 230.100| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.055| 0.006| 0.012| 143.094| 3.200] + [PKTLEN......: 46.000| 124.000| 73.600| 15.200| 230.100| 5.000] [BINS(c->s)..: 5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,12,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 0.3,1.1,19.7,31.1,24.6,55.1,2.2,21.4,1.1,1.2,1.1,1.2,1.2,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.1,1.0,1.0,1.1,1.1,1.1,1.1] - [PKTLENS.....: 60,60,60,138,60,76,60,80,76,98,90,97,93,92,93,92,94,93,93,92,93,92,94,93,92,91,91,90,94,93,92,91] + [PKTLENS.....: 46,46,46,124,46,62,46,66,62,84,76,83,79,78,79,78,80,79,79,78,79,78,80,79,78,77,77,76,80,79,78,77] + [ENTROPIES...: 4.2,5.0,4.4,5.6,4.4,5.4,4.4,5.4,5.4,5.5,5.5,5.5,5.5,5.6,5.5,5.6,5.6,5.6,5.5,5.6,5.5,5.6,5.5,5.5,5.5,5.5,5.5,5.5,5.5,5.6,5.5,5.5] end: [.....1] [ip4][..tcp] [..194.7.248.153][.2127] -> [.172.16.114.207][...25] [SMTP][Email][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/snapchat_call.pcapng.out b/test/results/flow-info/snapchat_call.pcapng.out index ec0741abf..4750e02ce 100644 --- a/test/results/flow-info/snapchat_call.pcapng.out +++ b/test/results/flow-info/snapchat_call.pcapng.out @@ -7,14 +7,15 @@ detection-update: [.....1] [ip4][..udp] [.192.168.12.169][42083] -> [.18.184.138.142][..443] [QUIC.SnapchatCall][VoIP][Acceptable] RISK: Missing SNI TLS Extn analyse: [.....1] [ip4][..udp] [.192.168.12.169][42083] -> [.18.184.138.142][..443] [QUIC.SnapchatCall][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.447| 0.221| 0.397|157833.134| 0.000] - [PKTLEN......: 62.000| 1392.000| 345.900| 468.500|219532.900| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.447| 0.221| 0.397| 157833.134| 3.200] + [PKTLEN......: 48.000| 1378.000| 331.900| 468.500| 219532.900| 3.900] [BINS(c->s)..: 4,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 4,4,0,0,0,0,0,0,2,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,0,0,0,1,0,0,1,1] [IATS(ms)....: 16.8,0.1,30.4,0.1,24.2,5.1,0.0,0.0,20.3,29.1,5.5,0.1,0.0,0.2,2.1,54.4,0.0,0.0,507.6,1447.3,48.7,53.5,57.9,1172.7,3.3,7.5,379.7,803.5,440.1,1155.7,589.8] - [PKTLENS.....: 1392,1392,1392,1392,625,78,1392,62,428,70,86,80,80,80,201,100,62,62,62,86,351,303,351,303,86,70,70,86,70,86,86,86] + [PKTLENS.....: 1378,1378,1378,1378,611,64,1378,48,414,56,72,66,66,66,187,86,48,48,48,72,337,289,337,289,72,56,56,72,56,72,72,72] + [ENTROPIES...: 2.2,7.7,4.7,4.0,7.7,5.2,7.8,5.4,7.4,5.4,5.7,5.6,5.7,5.6,6.8,6.0,5.3,5.3,5.2,5.5,7.4,7.2,7.4,7.2,5.6,5.4,5.3,5.7,5.1,5.6,5.6,5.7] idle: [.....1] [ip4][..udp] [.192.168.12.169][42083] -> [.18.184.138.142][..443] [QUIC.SnapchatCall][VoIP][Acceptable] RISK: Missing SNI TLS Extn DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/softether.pcap.out b/test/results/flow-info/softether.pcap.out index c7d46b532..395625caf 100644 --- a/test/results/flow-info/softether.pcap.out +++ b/test/results/flow-info/softether.pcap.out @@ -72,14 +72,15 @@ DAEMON-EVENT: [Processed: 130 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 6|skipped: 0|!detected: 0|guessed: 0|detection-updates: 6|updates: 29] analyse: [.....6] [ip4][..udp] [..192.168.2.100][51381] -> [..130.158.6.113][.5004] [Softether][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.257| 1566.080| 36.711| 451.865|204182401654.456| 0.000] - [PKTLEN......: 43.000| 522.000| 104.300| 132.500|17556.200| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.257| 1566.080| 36.711| 451.865|204182401654.456| 2.700] + [PKTLEN......: 29.000| 508.000| 90.300| 132.500| 17556.200| 4.100] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1] [IATS(ms)....: 257.0,27676.0,27674.0,26195.0,26194.0,26159.0,26161.0,10299.0,10301.0,14858.0,14853.0,27814.0,27815.0,25788.0,1540291.2,1566080.2,18689.0,18689.0,5427.0,5426.0,27856.0,27856.0,26072.0,26072.0,26524.0,26524.0,24993.0,24993.0,25093.0,862645.0,887738.0] - [PKTLENS.....: 43,70,43,70,43,70,43,70,522,370,43,70,43,70,43,43,70,522,370,43,70,43,70,43,70,43,70,43,70,43,43,70] + [PKTLENS.....: 29,56,29,56,29,56,29,56,508,356,29,56,29,56,29,29,56,508,356,29,56,29,56,29,56,29,56,29,56,29,29,56] + [ENTROPIES...: 4.5,5.1,4.6,5.1,4.6,5.0,4.6,5.1,5.0,4.5,4.6,5.1,4.5,5.0,4.6,4.6,5.0,5.0,4.5,4.6,5.0,4.6,5.1,4.5,5.1,4.6,5.1,4.6,5.1,4.6,4.6,5.0] update: [.....6] [ip4][..udp] [..192.168.2.100][51381] -> [..130.158.6.113][.5004] [Softether][VPN][Acceptable] update: [.....6] [ip4][..udp] [..192.168.2.100][51381] -> [..130.158.6.113][.5004] [Softether][VPN][Acceptable] update: [.....6] [ip4][..udp] [..192.168.2.100][51381] -> [..130.158.6.113][.5004] [Softether][VPN][Acceptable] diff --git a/test/results/flow-info/ssh.pcap.out b/test/results/flow-info/ssh.pcap.out index 8764b9f0e..950e8406e 100644 --- a/test/results/flow-info/ssh.pcap.out +++ b/test/results/flow-info/ssh.pcap.out @@ -13,14 +13,15 @@ detection-update: [.....1] [ip4][..tcp] [...172.16.238.1][58395] -> [.172.16.238.168][...22] [SSH][RemoteAccess][Acceptable] RISK: SSH Obsolete Cli Vers/Cipher, SSH Obsolete Ser Vers/Cipher analyse: [.....1] [ip4][..tcp] [...172.16.238.1][58395] -> [.172.16.238.168][...22] [SSH][RemoteAccess][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.907| 0.395| 0.889|789856.780| 0.000] - [PKTLEN......: 66.000| 970.000| 172.700| 230.100|52961.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.907| 0.395| 0.889| 789856.780| 2.500] + [PKTLEN......: 52.000| 956.000| 158.700| 230.100| 52961.800| 4.100] [BINS(c->s)..: 12,1,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0] [IATS(ms)....: 0.0,0.0,8.1,8.1,0.3,0.8,0.5,0.1,1.5,1.6,0.3,1.8,1.6,1.6,14.7,13.1,1.8,42.3,40.5,0.2,0.3,0.4,0.3,40.6,51.2,91.6,2632.3,2632.6,1868.8,1869.1,2907.1] - [PKTLENS.....: 78,74,66,87,66,87,66,970,66,850,66,90,218,66,210,786,66,82,66,114,66,114,66,130,66,146,66,210,66,146,66,210] + [PKTLENS.....: 64,60,52,73,52,73,52,956,52,836,52,76,204,52,196,772,52,68,52,100,52,100,52,116,52,132,52,196,52,132,52,196] + [ENTROPIES...: 4.5,5.0,4.9,5.4,4.9,5.4,4.9,5.1,4.9,5.2,4.9,4.4,6.5,5.0,6.7,7.5,4.9,4.5,4.8,6.0,4.9,6.0,4.9,6.3,4.9,6.4,4.9,6.8,4.9,6.3,4.9,6.8] end: [.....1] [ip4][..tcp] [...172.16.238.1][58395] -> [.172.16.238.168][...22] [SSH][RemoteAccess][Acceptable] RISK: SSH Obsolete Cli Vers/Cipher, SSH Obsolete Ser Vers/Cipher DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/starcraft_battle.pcap.out b/test/results/flow-info/starcraft_battle.pcap.out index 5202c90d9..f8ddecc44 100644 --- a/test/results/flow-info/starcraft_battle.pcap.out +++ b/test/results/flow-info/starcraft_battle.pcap.out @@ -42,14 +42,15 @@ detection-update: [....15] [ip4][..tcp] [..192.168.1.100][.3508] -> [.87.248.221.254][...80] [HTTP][Download][Acceptable] RISK: Binary App Transfer, Suspicious DGA Domain name analyse: [....15] [ip4][..tcp] [..192.168.1.100][.3508] -> [.87.248.221.254][...80] [HTTP][Download][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.072| 0.012| 0.024| 562.008| 0.000] - [PKTLEN......: 54.000| 1514.000| 699.500| 719.000|516967.300| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.072| 0.012| 0.024| 562.008| 2.800] + [PKTLEN......: 40.000| 1500.000| 685.500| 719.000| 516967.300| 4.100] [BINS(c->s)..: 15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 58.1,58.1,0.1,58.2,14.3,72.4,0.1,0.1,0.2,0.2,0.1,0.2,0.2,0.2,0.2,0.2,0.1,0.1,0.2,0.2,56.8,56.9,0.2,0.2,0.2,0.2,0.2,0.1,0.1,0.1,0.2] - [PKTLENS.....: 66,66,54,241,60,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514] + [PKTLENS.....: 52,52,40,227,46,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500] + [ENTROPIES...: 4.6,4.9,4.7,5.8,4.5,5.3,4.7,5.1,4.6,5.2,4.7,5.1,4.7,5.1,4.6,5.2,4.6,5.2,4.6,5.1,4.7,5.2,4.7,5.1,4.7,5.1,4.7,5.2,4.7,5.2,4.7,5.1] new: [....16] [ip4][..tcp] [..192.168.1.100][.3512] -> [..12.129.222.54][...80] detected: [....16] [ip4][..tcp] [..192.168.1.100][.3512] -> [..12.129.222.54][...80] [HTTP.WorldOfWarcraft][Game][Fun] new: [....17] [ip4][..tcp] [..192.168.1.100][.3492] -> [...2.228.46.104][..443] [MIDSTREAM] @@ -86,14 +87,15 @@ detected: [....31] [ip4][..tcp] [..192.168.1.100][.3517] -> [213.248.127.130][.1119] [Starcraft][Game][Fun] detected: [....33] [ip4][..tcp] [..192.168.1.100][.3519] -> [..80.239.186.21][...80] [HTTP][Web][Acceptable] analyse: [....31] [ip4][..tcp] [..192.168.1.100][.3517] -> [213.248.127.130][.1119] [Starcraft][Game][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.166| 0.038| 0.053| 2837.592| 0.000] - [PKTLEN......: 54.000| 797.000| 116.400| 136.000|18494.500| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.166| 0.038| 0.053| 2837.592| 3.600] + [PKTLEN......: 40.000| 783.000| 102.400| 136.000| 18494.500| 4.300] [BINS(c->s)..: 23,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 52.5,52.6,94.6,145.7,24.3,95.1,95.9,166.3,70.9,49.6,160.3,31.2,128.6,15.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0] - [PKTLENS.....: 66,60,54,156,60,797,54,234,317,54,249,60,122,56,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77] + [PKTLENS.....: 52,46,40,142,46,783,40,220,303,40,235,46,108,42,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63] + [ENTROPIES...: 4.5,4.6,4.7,5.4,4.5,7.8,5.0,7.1,7.2,4.9,6.2,4.7,5.0,4.8,5.6,5.5,5.6,5.6,5.6,5.7,5.5,5.5,5.5,5.7,5.7,5.7,5.5,5.6,5.6,5.7,5.6,5.6] new: [....34] [ip4][..udp] [..192.168.1.100][53146] -> [...5.42.180.154][.1119] new: [....35] [ip4][..udp] [..192.168.1.100][53146] -> [..62.115.246.51][.1119] new: [....36] [ip4][..udp] [..192.168.1.100][.6113] -> [213.248.127.212][.1119] @@ -129,14 +131,15 @@ detected: [....50] [ip4][..tcp] [..192.168.1.100][.3532] -> [...2.228.46.112][...80] [HTTP][Web][Acceptable] detected: [....51] [ip4][..tcp] [..192.168.1.100][.3533] -> [...2.228.46.112][...80] [HTTP][Web][Acceptable] analyse: [....45] [ip4][..tcp] [..192.168.1.100][.3527] -> [...2.228.46.112][...80] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.034| 0.007| 0.013| 169.003| 0.000] - [PKTLEN......: 54.000| 1514.000| 880.800| 718.400|516058.300| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.034| 0.007| 0.013| 169.003| 2.900] + [PKTLEN......: 40.000| 1500.000| 866.800| 718.400| 516058.300| 4.300] [BINS(c->s)..: 11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0] [IATS(ms)....: 32.5,32.5,1.6,34.3,1.1,0.1,33.9,0.2,0.1,0.3,0.1,0.3,0.4,0.2,0.1,0.3,0.1,0.1,0.2,0.1,0.6,0.7,0.1,0.1,0.2,0.1,0.1,0.3,32.9,0.3,33.2] - [PKTLENS.....: 66,66,54,203,60,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54] + [PKTLENS.....: 52,52,40,189,46,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40] + [ENTROPIES...: 4.5,4.8,4.7,5.8,4.5,5.9,7.7,4.7,7.8,7.8,4.7,7.8,7.7,4.7,7.7,7.8,4.7,7.8,7.8,4.7,7.8,7.8,4.7,7.7,7.8,4.7,7.8,7.7,4.7,7.8,7.8,4.7] guessed: [....35] [ip4][..udp] [..192.168.1.100][53146] -> [..62.115.246.51][.1119] [Starcraft][Game][Fun] idle: [....35] [ip4][..udp] [..192.168.1.100][53146] -> [..62.115.246.51][.1119] guessed: [....11] [ip4][..tcp] [..192.168.1.100][.2759] -> [.64.233.184.188][.5228] [Google][Web][Acceptable] diff --git a/test/results/flow-info/stun.pcap.out b/test/results/flow-info/stun.pcap.out index e6bd50f82..ca430e2e9 100644 --- a/test/results/flow-info/stun.pcap.out +++ b/test/results/flow-info/stun.pcap.out @@ -6,14 +6,15 @@ update: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable] update: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable] analyse: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.003| 10.359| 9.105| 2.980|8880623.976| 0.000] - [PKTLEN......: 82.000| 106.000| 94.000| 12.000| 144.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.003| 10.359| 9.105| 2.980| 8880623.976| 4.800] + [PKTLEN......: 68.000| 92.000| 80.000| 12.000| 144.000| 5.000] [BINS(c->s)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 6.9,10132.2,10132.3,10358.5,2.9,10358.5,2.9,10055.4,10055.5,10056.9,10056.9,10057.2,10057.2,10053.9,10054.0,10069.5,10069.5,10027.1,10027.1,10027.3,10027.3,10064.0,10063.9,10098.3,10098.4,10035.5,10035.4,10061.4,10061.4,10028.4,10028.3] - [PKTLENS.....: 82,106,82,106,82,82,106,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106] + [PKTLENS.....: 68,92,68,92,68,68,92,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92] + [ENTROPIES...: 5.4,5.5,5.4,5.5,5.5,5.5,5.5,5.5,5.5,5.6,5.5,5.6,5.4,5.6,5.5,5.6,5.4,5.5,5.5,5.5,5.4,5.6,5.4,5.5,5.5,5.6,5.5,5.6,5.5,5.5,5.4,5.5] update: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable] DAEMON-EVENT: [Processed: 42 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 3] @@ -21,14 +22,15 @@ detected: [.....2] [ip4][..udp] [.192.168.12.169][38123] -> [....31.13.86.54][40003] [STUN.FacebookVoip][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....2] [ip4][..udp] [.192.168.12.169][38123] -> [....31.13.86.54][40003] [STUN.FacebookVoip][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 6.004| 0.447| 1.463|2139022.033| 0.000] - [PKTLEN......: 70.000| 182.000| 153.600| 32.100| 1033.400| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 6.004| 0.447| 1.463| 2139022.033| 1.900] + [PKTLEN......: 56.000| 168.000| 139.600| 32.100| 1033.400| 5.000] [BINS(c->s)..: 1,0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,3,1,6,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,1,0,1] [IATS(ms)....: 11.5,15.6,15.9,6004.4,4.7,5997.4,4.5,7.5,7.1,108.4,344.5,499.2,68.5,0.2,19.7,29.0,92.2,23.6,96.4,1.6,50.3,48.3,0.3,50.1,3.3,0.0,52.9,0.4,9.7,44.9,232.2] - [PKTLENS.....: 70,146,178,118,182,182,154,182,154,86,178,178,174,182,142,86,178,142,174,142,178,174,142,178,142,174,142,182,142,86,174,174] + [PKTLENS.....: 56,132,164,104,168,168,140,168,140,72,164,164,160,168,128,72,164,128,160,128,164,160,128,164,128,160,128,168,128,72,160,160] + [ENTROPIES...: 4.9,5.6,5.9,5.8,5.9,6.0,5.6,5.8,5.5,5.6,5.9,6.0,6.0,5.9,5.8,5.5,6.0,5.9,6.0,5.9,5.9,6.0,5.8,6.0,5.9,6.0,5.9,5.9,5.8,5.6,6.1,6.0] idle: [.....1] [ip6][..udp] [3516:bf0b:fc53:75e7:70af:f67f:8e49:f603][56880] -> [....2a38:e156:8167:a333:face:b00c::24d9][.3478] [STUN][Network][Acceptable] DAEMON-EVENT: [Processed: 117 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 3] @@ -41,14 +43,15 @@ new: [.....4] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] detected: [.....4] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleHangoutDuo][VoIP][Acceptable] analyse: [.....4] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleHangoutDuo][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.836| 0.131| 0.227|51553.292| 0.000] - [PKTLEN......: 76.000| 1240.000| 193.200| 221.300|48965.100| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.836| 0.131| 0.227| 51553.292| 3.400] + [PKTLEN......: 62.000| 1226.000| 179.200| 221.300| 48965.100| 4.400] [BINS(c->s)..: 0,0,9,5,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,0] [IATS(ms)....: 22.9,25.6,18.8,27.0,9.0,16.5,8.2,0.0,96.0,9.4,96.1,13.9,9.7,14.0,0.0,0.0,28.4,12.0,233.2,17.4,835.9,625.3,352.7,699.8,203.7,550.7,72.1,9.0,20.6,28.1,14.7] - [PKTLENS.....: 150,134,195,154,1240,588,134,123,612,123,154,159,175,134,155,107,111,107,127,76,107,154,134,76,124,154,134,108,108,109,109,109] + [PKTLENS.....: 136,120,181,140,1226,574,120,109,598,109,140,145,161,120,141,93,97,93,113,62,93,140,120,62,110,140,120,94,94,95,95,95] + [ENTROPIES...: 5.9,5.9,5.0,5.9,7.3,6.7,5.8,5.7,7.4,5.7,6.0,6.2,6.4,5.9,6.1,5.4,5.4,5.6,5.9,5.3,5.2,5.9,5.8,5.2,6.1,5.9,6.0,6.1,6.0,5.9,6.1,5.9] idle: [.....4] [ip4][..udp] [.192.168.12.169][49153] -> [..142.250.82.99][.3478] [STUN.GoogleHangoutDuo][VoIP][Acceptable] idle: [.....3] [ip4][..tcp] [...87.47.100.17][.3478] -> [....54.1.57.155][37257] [STUN][Network][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/stun_signal.pcapng.out b/test/results/flow-info/stun_signal.pcapng.out index 53949adcf..9d4189dff 100644 --- a/test/results/flow-info/stun_signal.pcapng.out +++ b/test/results/flow-info/stun_signal.pcapng.out @@ -33,28 +33,30 @@ detected: [....14] [ip4][..udp] [.192.168.12.169][43068] -> [.18.195.131.143][61156] [STUN.AmazonAWS][Cloud][Acceptable] RISK: Known Proto on Non Std Port analyse: [....14] [ip4][..udp] [.192.168.12.169][43068] -> [.18.195.131.143][61156] [STUN.AmazonAWS][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.679| 0.149| 0.201|40331.911| 0.000] - [PKTLEN......: 70.000| 146.000| 105.900| 24.900| 621.500| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.679| 0.149| 0.201| 40331.911| 3.900] + [PKTLEN......: 56.000| 132.000| 91.900| 24.900| 621.500| 4.900] [BINS(c->s)..: 4,3,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,4,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,1,0,0,1,0,0,1] [IATS(ms)....: 83.9,0.0,92.5,7.8,46.1,91.4,0.0,37.9,40.0,9.1,41.9,367.7,0.1,441.0,0.0,600.8,610.2,117.9,49.9,49.8,64.2,212.9,679.4,8.7,0.0,503.8,102.9,201.0,101.8,9.3,62.2] - [PKTLENS.....: 138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,98,98,138,106,70,98,70,70,70,138,106,98,70,98] + [PKTLENS.....: 124,92,124,92,132,132,92,124,92,92,124,92,84,56,84,56,124,92,84,84,124,92,56,84,56,56,56,124,92,84,56,84] + [ENTROPIES...: 5.8,5.8,5.9,5.8,5.7,5.6,5.9,5.9,5.8,5.8,5.9,5.8,5.7,5.1,5.8,5.3,5.9,5.8,5.8,5.7,5.9,5.8,5.1,5.8,5.2,5.2,5.1,5.8,5.8,5.6,5.1,5.8] update: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][Network][Acceptable] detected: [....10] [ip4][..udp] [.192.168.12.169][43068] -> [172.253.121.127][19302] [STUN.AmazonAWS][Cloud][Acceptable] RISK: Known Proto on Non Std Port detected: [....11] [ip4][..udp] [.192.168.12.169][39950] -> [172.253.121.127][19302] [STUN.GoogleHangoutDuo][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....7] [ip4][.icmp] [.35.158.183.167] -> [.192.168.12.169] [ICMP][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 17.079| 1.597| 3.547|12584568.750| 0.000] - [PKTLEN......: 90.000| 138.000| 95.500| 11.600| 133.800| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 17.079| 1.597| 3.547| 12584568.750| 2.800] + [PKTLEN......: 76.000| 124.000| 81.500| 11.600| 133.800| 5.000] [BINS(c->s)..: 0,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 4.1,63.0,0.0,180.8,3.5,1499.2,2002.8,0.0,4842.0,0.1,17079.4,30.0,28.1,10.0,178.6,30.7,1472.4,2000.5,31.0,3968.8,29.9,37.3,7.8,7927.3,28.5,35.4,6.5,7931.2,29.2,34.6,5.1] - [PKTLENS.....: 90,90,98,98,90,90,90,90,90,138,138,90,90,98,98,90,90,90,90,90,90,90,98,98,90,90,98,98,90,90,98,98] + [PKTLENS.....: 76,76,84,84,76,76,76,76,76,124,124,76,76,84,84,76,76,76,76,76,76,76,84,84,76,76,84,84,76,76,84,84] + [ENTROPIES...: 5.0,5.2,5.1,5.0,5.1,5.1,5.0,5.0,5.1,5.5,5.7,5.0,5.0,5.0,5.0,4.9,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.0,5.1,5.1,5.0,5.0,5.0,5.0,5.1] update: [.....3] [ip4][..udp] [.192.168.12.169][47204] -> [.35.158.183.167][..443] [STUN.AmazonAWS][Cloud][Acceptable] RISK: Known Proto on Non Std Port update: [.....2] [ip4][..udp] [.192.168.12.169][47204] -> [172.253.121.127][19302] @@ -89,14 +91,15 @@ detected: [....23] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][61498] [STUN.SignalVoip][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....23] [ip4][..udp] [.192.168.12.169][47767] -> [.18.195.131.143][61498] [STUN.SignalVoip][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.665| 0.153| 0.189|35784.253| 0.000] - [PKTLEN......: 70.000| 146.000| 108.200| 24.600| 605.900| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.665| 0.153| 0.189| 35784.253| 4.000] + [PKTLEN......: 56.000| 132.000| 94.200| 24.600| 605.900| 4.900] [BINS(c->s)..: 3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,1,0,0,1,1,0,1,1,0,0,0,1,1,0] [IATS(ms)....: 68.5,0.1,70.3,29.3,44.7,113.4,0.0,43.2,26.5,8.5,31.0,313.6,0.3,410.7,0.0,665.0,630.5,122.5,190.5,61.6,378.1,7.9,325.5,42.2,76.0,424.9,96.8,5.4,434.3,47.7,66.2] - [PKTLENS.....: 138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,138,106,98,98,70,70,70,98,138,98,70,106,138,106] + [PKTLENS.....: 124,92,124,92,132,132,92,124,92,92,124,92,84,56,84,56,124,92,124,92,84,84,56,56,56,84,124,84,56,92,124,92] + [ENTROPIES...: 5.9,5.8,5.9,5.7,5.9,5.8,5.8,6.0,5.8,5.8,5.9,5.8,5.8,5.2,5.7,5.1,5.8,5.8,5.9,5.7,5.7,5.9,5.2,5.1,5.1,5.8,5.9,5.8,5.1,5.8,5.8,5.8] update: [....13] [ip4][..udp] [.192.168.12.169][39950] -> [.35.158.183.167][.3478] [STUN.SignalVoip][VoIP][Acceptable] update: [.....9] [ip4][..udp] [.192.168.12.169][43068] -> [.35.158.183.167][..443] [STUN.AmazonAWS][Cloud][Acceptable] RISK: Known Proto on Non Std Port diff --git a/test/results/flow-info/teams.pcap.out b/test/results/flow-info/teams.pcap.out index ab743f6de..844619d2d 100644 --- a/test/results/flow-info/teams.pcap.out +++ b/test/results/flow-info/teams.pcap.out @@ -20,14 +20,15 @@ detected: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.030| 0.006| 0.009| 77.930| 0.000] - [PKTLEN......: 54.000| 1506.000| 407.900| 548.100|300365.600| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.030| 0.006| 0.009| 77.930| 3.700] + [PKTLEN......: 40.000| 1492.000| 393.900| 548.100| 300365.600| 3.900] [BINS(c->s)..: 10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0] [IATS(ms)....: 12.5,12.6,1.4,13.9,1.6,0.2,14.3,0.3,0.2,0.1,0.0,0.1,4.9,16.5,1.1,12.8,0.3,0.3,11.4,0.4,0.2,23.0,0.0,11.1,0.4,29.3,29.8,0.5,0.1,0.0,0.5] - [PKTLENS.....: 78,66,54,264,60,1506,1506,54,1506,54,1506,271,54,212,60,380,54,123,54,147,92,312,92,60,54,60,570,54,1506,1506,685,54] + [PKTLENS.....: 64,52,40,250,46,1492,1492,40,1492,40,1492,257,40,198,46,366,40,109,40,133,78,298,78,46,40,46,556,40,1492,1492,671,40] + [ENTROPIES...: 4.4,4.9,4.5,5.4,4.6,7.4,7.4,4.7,7.5,4.6,7.6,7.1,4.6,6.6,4.6,7.2,4.7,6.0,4.6,6.2,5.1,7.0,5.4,4.6,4.7,4.6,7.6,4.7,7.8,7.8,7.7,4.7] detection-update: [.....5] [ip4][..tcp] [....192.168.1.6][60533] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS @@ -36,14 +37,15 @@ detected: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Collaborative][Acceptable] detection-update: [.....6] [ip4][..tcp] [....192.168.1.6][60534] -> [.....40.126.9.5][..443] [TLS.Microsoft365][Collaborative][Acceptable] analyse: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.221| 0.032| 0.054| 2931.592| 0.000] - [PKTLEN......: 66.000| 1506.000| 921.900| 687.500|472618.500| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.221| 0.032| 0.054| 2931.592| 3.400] + [PKTLEN......: 52.000| 1492.000| 907.900| 687.500| 472618.500| 4.400] [BINS(c->s)..: 5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0] [BINS(s->c)..: 5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0] [IATS(ms)....: 43.2,43.3,94.0,139.8,0.2,45.9,0.1,0.1,1.4,46.8,45.4,177.2,0.0,0.0,221.2,44.0,0.0,0.0,0.0,21.3,21.2,0.0,23.0,23.0,0.0,0.0,0.0,1.2,1.2,0.0,0.0] - [PKTLENS.....: 78,74,66,240,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494] + [PKTLENS.....: 64,60,52,226,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480] + [ENTROPIES...: 4.4,5.2,4.9,5.6,7.3,7.3,4.9,7.7,4.9,5.9,5.5,4.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9] detection-update: [.....4] [ip4][..tcp] [....192.168.1.6][60532] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS new: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] @@ -53,23 +55,25 @@ detected: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] analyse: [.....7] [ip4][..tcp] [....192.168.1.6][60535] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.050| 0.018| 0.021| 449.200| 0.000] - [PKTLEN......: 66.000| 1506.000| 694.600| 673.100|453031.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.050| 0.018| 0.021| 449.200| 3.900] + [PKTLEN......: 52.000| 1492.000| 680.600| 673.100| 453031.800| 4.200] [BINS(c->s)..: 7,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,1,1,1,1,0,0] [IATS(ms)....: 45.3,45.4,0.3,49.2,0.0,48.8,0.2,0.2,1.3,46.5,45.3,1.9,0.0,0.0,47.7,45.8,0.0,0.0,0.0,37.7,37.7,0.0,8.0,8.1,0.0,0.7,37.0,7.8,4.3,49.8,1.3] - [PKTLENS.....: 78,74,66,272,1506,1389,78,1506,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,839,66,66,66,511,66,97] + [PKTLENS.....: 64,60,52,258,1492,1375,64,1492,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,825,52,52,52,497,52,83] + [ENTROPIES...: 4.3,5.2,5.0,6.0,7.3,7.7,5.1,7.3,5.0,6.0,5.7,5.1,7.8,7.9,7.9,5.2,7.9,7.9,7.9,7.9,5.2,7.9,7.9,5.2,7.9,7.8,5.1,5.2,5.2,7.5,5.0,5.3] analyse: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.050| 0.005| 0.010| 94.878| 0.000] - [PKTLEN......: 54.000| 1506.000| 430.000| 569.700|324516.500| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.050| 0.005| 0.010| 94.878| 3.300] + [PKTLEN......: 40.000| 1492.000| 416.000| 569.700| 324516.500| 3.800] [BINS(c->s)..: 8,1,2,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 7,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,0,0,0,0,1,1,0,1,1,1,1,1] [IATS(ms)....: 11.4,11.5,0.2,11.3,2.8,0.1,13.8,0.1,0.1,0.1,0.0,0.1,4.8,15.5,11.8,1.3,0.0,0.2,0.0,0.3,0.2,0.0,0.1,10.9,0.0,10.4,1.7,0.2,0.0,50.4,0.0] - [PKTLENS.....: 78,66,54,268,60,1506,1506,54,1506,54,1506,271,54,212,60,147,380,123,54,54,92,1494,1061,138,60,92,54,60,60,60,1506,1069] + [PKTLENS.....: 64,52,40,254,46,1492,1492,40,1492,40,1492,257,40,198,46,133,366,109,40,40,78,1480,1047,124,46,78,40,46,46,46,1492,1055] + [ENTROPIES...: 4.4,4.9,4.6,5.5,4.5,7.3,7.4,4.7,7.5,4.6,7.6,7.1,4.7,6.5,4.5,6.1,7.2,5.9,4.7,4.6,5.1,7.9,7.8,6.1,4.5,5.4,4.6,4.6,4.6,4.5,7.8,7.8] detection-update: [.....8] [ip4][..tcp] [....192.168.1.6][60536] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type @@ -143,14 +147,15 @@ detected: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Collaborative][Safe] detection-update: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Collaborative][Safe] analyse: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.153| 0.028| 0.040| 1626.047| 0.000] - [PKTLEN......: 66.000| 1506.000| 833.700| 699.200|488828.900| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.153| 0.028| 0.040| 1626.047| 3.600] + [PKTLEN......: 52.000| 1492.000| 819.700| 699.200| 488828.900| 4.300] [BINS(c->s)..: 5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0] [IATS(ms)....: 50.5,50.6,0.3,64.6,72.0,0.2,136.5,0.1,0.1,1.4,68.0,86.2,152.9,2.3,0.0,0.0,46.4,44.1,0.0,0.0,0.0,23.6,23.6,0.0,20.9,20.9,0.0,0.0,0.0,0.8,0.8] - [PKTLENS.....: 78,74,66,272,66,1506,1506,66,1389,66,159,66,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494] + [PKTLENS.....: 64,60,52,258,52,1492,1492,52,1375,52,145,52,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480] + [ENTROPIES...: 4.4,5.3,5.0,5.9,5.1,7.3,7.3,5.0,7.7,5.0,5.9,5.2,5.6,5.0,7.9,7.8,7.9,5.2,7.9,7.9,7.9,7.9,5.2,7.9,7.9,5.2,7.9,7.9,7.8,7.9,5.2,7.9] detection-update: [....25] [ip4][..tcp] [....192.168.1.6][60543] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS new: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] @@ -159,14 +164,15 @@ detection-update: [....30] [ip4][..tcp] [....192.168.1.6][60546] -> [.167.99.215.164][.4434] [TLS.ntop][Network][Safe] RISK: Known Proto on Non Std Port analyse: [....28] [ip4][..tcp] [....192.168.1.6][60545] -> [...52.114.77.58][..443] [TLS.Teams][Collaborative][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.201| 0.025| 0.047| 2215.159| 0.000] - [PKTLEN......: 54.000| 1506.000| 354.200| 510.300|260451.700| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.201| 0.025| 0.047| 2215.159| 3.200] + [PKTLEN......: 40.000| 1492.000| 340.200| 510.300| 260451.700| 3.800] [BINS(c->s)..: 11,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 3,3,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1] [IATS(ms)....: 45.7,45.8,0.2,47.9,0.0,47.7,0.0,0.1,0.2,0.1,0.2,9.9,9.9,3.5,10.4,0.4,51.4,37.1,0.2,0.2,0.2,7.1,7.0,1.3,1.2,79.2,201.4,0.0,0.0,167.5,0.2] - [PKTLENS.....: 78,66,54,273,1506,1506,66,54,54,1506,1506,54,467,54,212,147,517,105,54,123,54,92,92,54,493,54,60,1494,164,220,60,96] + [PKTLENS.....: 64,52,40,259,1492,1492,52,40,40,1492,1492,40,453,40,198,133,503,91,40,109,40,78,78,40,479,40,46,1480,150,206,46,82] + [ENTROPIES...: 4.4,5.0,4.6,5.4,7.1,7.4,4.7,4.7,4.5,7.6,7.6,4.7,7.5,4.7,6.6,6.1,7.6,5.4,4.6,6.0,4.5,5.2,5.4,4.7,7.5,4.7,4.5,7.9,6.6,6.7,4.5,5.4] new: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] detected: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Collaborative][Safe] detection-update: [....31] [ip4][..udp] [....192.168.1.6][57504] -> [....192.168.1.1][...53] [DNS.Teams][Collaborative][Safe] @@ -179,14 +185,15 @@ detection-update: [....33] [ip4][..tcp] [....192.168.1.6][60548] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [....32] [ip4][..tcp] [....192.168.1.6][60547] -> [...52.114.88.59][..443] [TLS.Teams][Collaborative][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.115| 0.021| 0.031| 968.681| 0.000] - [PKTLEN......: 66.000| 1506.000| 391.200| 521.700|272149.200| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.115| 0.021| 0.031| 968.681| 3.500] + [PKTLEN......: 52.000| 1492.000| 377.200| 521.700| 272149.200| 3.900] [BINS(c->s)..: 11,1,1,1,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0] [BINS(s->c)..: 3,2,1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,1,1,0,1] [IATS(ms)....: 34.2,34.3,0.3,36.9,0.0,36.6,0.0,0.2,0.2,0.1,0.0,0.1,1.0,12.0,0.3,36.0,22.7,0.2,0.2,0.1,10.4,10.3,0.6,0.6,77.1,91.7,0.0,49.1,80.4,115.1,0.2] - [PKTLENS.....: 78,74,66,287,1506,1506,78,66,1506,66,1506,316,66,192,159,547,117,66,135,66,104,104,66,428,66,66,1494,261,66,241,66,1153] + [PKTLENS.....: 64,60,52,273,1492,1492,64,52,1492,52,1492,302,52,178,145,533,103,52,121,52,90,90,52,414,52,52,1480,247,52,227,52,1139] + [ENTROPIES...: 4.3,5.1,4.7,5.5,7.4,7.3,4.8,4.8,7.5,4.7,7.6,7.4,4.8,6.3,6.2,7.5,5.6,4.9,6.0,4.9,5.4,5.5,4.8,7.4,4.9,5.1,7.8,7.0,5.0,6.8,4.7,7.8] ERROR-EVENT: Unknown packet type new: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] detected: [....34] [ip4][..udp] [....192.168.1.6][59403] -> [....192.168.1.1][...53] [DNS.Microsoft365][Collaborative][Acceptable] @@ -195,25 +202,27 @@ detected: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Collaborative][Acceptable] detection-update: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Collaborative][Acceptable] analyse: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.010| 0.146| 0.490|239614.050| 0.000] - [PKTLEN......: 54.000| 1506.000| 319.200| 468.100|219152.800| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.010| 0.146| 0.490| 239614.050| 1.700] + [PKTLEN......: 40.000| 1492.000| 305.200| 468.100| 219152.800| 3.800] [BINS(c->s)..: 9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1] [IATS(ms)....: 12.7,12.8,0.2,12.4,2.5,0.3,14.9,0.5,0.5,0.2,0.0,0.8,4.9,17.1,1.4,0.0,13.1,0.0,0.2,0.3,0.1,11.8,0.0,11.2,0.1,0.6,112.9,113.7,1998.1,2009.8,174.6] - [PKTLENS.....: 78,66,54,271,60,1506,1506,54,1506,54,1506,195,54,212,60,380,123,54,54,147,92,575,60,92,54,60,60,454,54,356,60,359] + [PKTLENS.....: 64,52,40,257,46,1492,1492,40,1492,40,1492,181,40,198,46,366,109,40,40,133,78,561,46,78,40,46,46,440,40,342,46,345] + [ENTROPIES...: 4.4,5.0,4.6,5.5,4.5,7.3,7.5,4.6,7.5,4.6,7.7,6.8,4.7,6.5,4.5,7.2,6.0,4.6,4.6,6.2,5.2,7.6,4.4,5.4,4.6,4.5,4.5,7.5,4.7,7.2,4.5,7.3] detection-update: [....23] [ip4][..tcp] [....192.168.1.6][60542] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] ERROR-EVENT: Unknown packet type analyse: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.540| 0.024| 0.095| 8949.939| 0.000] - [PKTLEN......: 54.000| 1506.000| 345.500| 473.500|224192.200| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.540| 0.024| 0.095| 8949.939| 1.900] + [PKTLEN......: 40.000| 1492.000| 331.500| 473.500| 224192.200| 3.900] [BINS(c->s)..: 9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0] [IATS(ms)....: 11.5,11.6,0.3,11.9,32.5,0.1,44.2,0.2,0.0,0.2,3.8,7.7,0.3,0.1,14.6,1.5,0.0,4.2,0.0,0.3,6.5,0.5,6.7,4.3,9.9,14.2,10.7,10.7,539.6,0.0,0.3] - [PKTLENS.....: 78,66,54,265,60,1506,1506,54,1506,94,54,212,147,592,186,60,380,123,54,54,92,60,92,54,60,703,54,373,54,1494,708,262] + [PKTLENS.....: 64,52,40,251,46,1492,1492,40,1492,80,40,198,133,578,172,46,366,109,40,40,78,46,78,40,46,689,40,359,40,1480,694,248] + [ENTROPIES...: 4.4,4.9,4.5,5.4,4.5,6.7,7.5,4.6,7.6,5.7,4.7,6.5,6.2,7.6,6.5,4.5,7.2,5.8,4.6,4.6,5.3,4.5,5.4,4.6,4.5,7.7,4.7,7.3,4.7,7.8,7.7,7.0] detection-update: [....35] [ip4][..tcp] [....192.168.1.6][60549] -> [...13.107.18.11][..443] [TLS.Microsoft365][Collaborative][Acceptable] new: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] detected: [....36] [ip4][..udp] [....192.168.1.6][61245] -> [....192.168.1.1][...53] [DNS.Teams][Collaborative][Safe] @@ -259,14 +268,15 @@ detection-update: [....40] [ip4][..tcp] [....192.168.1.6][60551] -> [...52.114.15.45][..443] [TLS.Teams][Collaborative][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.154| 0.015| 0.036| 1274.324| 0.000] - [PKTLEN......: 54.000| 1506.000| 599.700| 671.400|450756.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.154| 0.015| 0.036| 1274.324| 2.800] + [PKTLEN......: 40.000| 1492.000| 585.700| 671.400| 450756.000| 4.000] [BINS(c->s)..: 10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1] [IATS(ms)....: 12.9,13.0,0.5,12.4,2.0,1.5,15.4,0.1,0.1,0.1,0.0,0.1,21.6,33.0,11.5,11.7,0.1,11.8,0.6,13.4,140.4,0.7,154.0,0.2,0.2,0.2,0.2,0.5,0.0,0.1,0.2] - [PKTLENS.....: 78,66,54,240,60,1506,1506,54,1506,54,1506,182,54,161,60,105,60,105,54,1136,60,1506,1506,54,1331,54,1506,1506,54,54,1506,1506] + [PKTLENS.....: 64,52,40,226,46,1492,1492,40,1492,40,1492,168,40,147,46,91,46,91,40,1122,46,1492,1492,40,1317,40,1492,1492,40,40,1492,1492] + [ENTROPIES...: 4.4,4.9,4.5,5.5,4.4,7.3,7.5,4.6,7.5,4.5,7.7,6.7,4.6,6.5,4.5,5.7,4.5,5.6,4.6,7.8,4.6,7.9,7.9,4.6,7.9,4.6,7.9,7.9,4.6,4.5,7.9,7.9] detection-update: [....43] [ip4][..tcp] [....192.168.1.6][60554] -> [.52.113.194.132][..443] [TLS.Teams][Collaborative][Safe] RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type @@ -281,14 +291,15 @@ detection-update: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [....48] [ip4][..tcp] [....192.168.1.6][60559] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.053| 0.020| 0.022| 492.470| 0.000] - [PKTLEN......: 66.000| 1506.000| 654.900| 667.900|446080.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.053| 0.020| 0.022| 492.470| 3.900] + [PKTLEN......: 52.000| 1492.000| 640.900| 667.900| 446080.700| 4.100] [BINS(c->s)..: 9,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,1,1,1,0,0,0] [IATS(ms)....: 48.6,48.7,0.3,51.0,0.1,50.7,0.0,0.3,0.3,1.7,49.8,48.1,1.4,0.0,0.0,50.5,49.1,0.0,0.0,0.0,37.2,37.2,0.0,11.5,11.5,1.0,36.0,16.0,53.0,0.7,0.1] - [PKTLENS.....: 78,74,66,272,1506,1506,78,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,999,66,66,511,66,97,66] + [PKTLENS.....: 64,60,52,258,1492,1492,64,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,985,52,52,497,52,83,52] + [ENTROPIES...: 4.4,5.3,4.9,6.0,7.3,7.3,5.1,4.9,7.6,5.0,5.9,5.7,5.0,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.2,7.8,7.9,5.1,7.8,5.1,5.2,7.6,5.1,5.3,5.0] ERROR-EVENT: Unknown packet type new: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621] detected: [....49] [ip4][..udp] [..192.168.1.112][57621] -> [..192.168.1.255][57621] [Spotify][Music][Acceptable] @@ -308,27 +319,29 @@ RISK: TLS (probably) Not Carrying HTTPS ERROR-EVENT: Unknown packet type analyse: [....53] [ip4][..tcp] [....192.168.1.6][60562] -> [.104.40.187.151][..443] [TLS.Azure][Cloud][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.126| 0.019| 0.032| 1006.354| 0.000] - [PKTLEN......: 66.000| 1506.000| 359.200| 499.900|249913.200| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.126| 0.019| 0.032| 1006.354| 3.400] + [PKTLEN......: 52.000| 1492.000| 345.200| 499.900| 249913.200| 3.900] [BINS(c->s)..: 12,1,3,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] [BINS(s->c)..: 2,3,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,0,0,1,1,0,1,0] [IATS(ms)....: 29.5,29.6,0.2,45.7,0.2,45.7,0.1,0.1,0.1,0.1,0.0,0.1,0.6,23.2,0.2,30.2,0.0,6.1,0.0,0.2,22.9,22.6,1.5,1.4,2.9,0.0,32.7,0.2,30.1,125.5,125.6] - [PKTLENS.....: 78,74,66,280,1506,1506,78,1506,66,66,1506,295,66,159,159,438,117,135,66,66,104,104,66,562,66,1379,149,66,108,66,524,66] + [PKTLENS.....: 64,60,52,266,1492,1492,64,1492,52,52,1492,281,52,145,145,424,103,121,52,52,90,90,52,548,52,1365,135,52,94,52,510,52] + [ENTROPIES...: 4.4,5.2,4.9,5.6,7.4,7.5,4.9,7.4,4.9,4.8,7.6,7.1,5.0,5.9,6.3,7.4,5.6,6.1,4.9,4.9,5.4,5.6,4.9,7.5,5.0,7.9,6.1,5.1,5.7,5.0,7.5,4.9] new: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] detected: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] detection-update: [....54] [ip4][..udp] [....192.168.1.6][62735] -> [....192.168.1.1][...53] [DNS][Network][Acceptable] new: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] analyse: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.162| 0.032| 0.044| 1964.919| 0.000] - [PKTLEN......: 66.000| 1506.000| 750.700| 694.000|481656.100| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.162| 0.032| 0.044| 1964.919| 3.600] + [PKTLEN......: 52.000| 1492.000| 736.700| 694.000| 481656.100| 4.200] [BINS(c->s)..: 5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0] [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0] [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1] [IATS(ms)....: 48.4,48.5,0.5,88.2,136.5,113.7,0.2,161.8,0.1,0.1,1.1,74.6,73.5,1.1,0.0,0.0,50.1,49.0,0.0,0.0,0.0,48.4,48.4,0.0,0.0,0.0,1.6,1.5,46.9,1.1,1.7] - [PKTLENS.....: 78,74,66,272,272,78,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494,1494,66,1476,66,66,66] + [PKTLENS.....: 64,60,52,258,258,64,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480,1480,52,1462,52,52,52] + [ENTROPIES...: 4.4,5.3,4.9,6.0,6.0,5.1,7.3,7.3,5.0,7.7,5.0,6.0,5.6,5.0,7.9,7.9,7.9,5.2,7.9,7.9,7.9,7.9,5.1,7.9,7.9,7.9,7.9,5.2,7.9,5.2,5.2,5.2] detection-update: [....51] [ip4][..tcp] [....192.168.1.6][60561] -> [...52.114.77.33][..443] [TLS.Microsoft][Cloud][Safe] RISK: TLS (probably) Not Carrying HTTPS detected: [....55] [ip4][..tcp] [....192.168.1.6][60563] -> [.52.169.186.119][..443] [TLS.Azure][Cloud][Acceptable] @@ -350,24 +363,26 @@ detection-update: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Collaborative][Safe] ERROR-EVENT: Unknown packet type analyse: [....59] [ip4][..tcp] [....192.168.1.6][60565] -> [...52.114.108.8][..443] [TLS.Teams][Collaborative][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.277| 0.019| 0.049| 2449.644| 0.000] - [PKTLEN......: 66.000| 1506.000| 384.200| 512.100|262257.700| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.277| 0.019| 0.049| 2449.644| 2.900] + [PKTLEN......: 52.000| 1492.000| 370.200| 512.100| 262257.700| 3.900] [BINS(c->s)..: 11,1,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,3,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,1,0,0,1,1,0,1] [IATS(ms)....: 19.2,19.3,0.2,22.0,0.0,21.8,0.0,0.2,0.2,0.2,0.0,0.2,1.1,12.3,0.3,19.9,0.0,6.3,0.0,0.6,12.0,11.4,1.5,1.4,55.0,62.1,0.0,25.5,0.0,18.4,276.9] - [PKTLENS.....: 78,74,66,288,1506,1506,78,66,1506,66,1506,485,66,192,159,539,117,135,66,66,104,104,66,525,66,66,1060,148,66,108,66,1349] + [PKTLENS.....: 64,60,52,274,1492,1492,64,52,1492,52,1492,471,52,178,145,525,103,121,52,52,90,90,52,511,52,52,1046,134,52,94,52,1335] + [ENTROPIES...: 4.4,5.3,4.9,5.6,7.1,7.3,5.0,5.0,7.5,4.9,7.6,7.5,4.9,6.3,6.3,7.6,5.6,5.9,5.0,4.9,5.4,5.7,5.0,7.5,5.0,5.2,7.8,6.2,5.2,5.6,5.0,7.8] ERROR-EVENT: Unknown packet type analyse: [....26] [ip4][..tcp] [....192.168.1.6][60544] -> [...52.114.76.48][..443] [TLS.Teams][Collaborative][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 8.978| 0.329| 1.582|2503841.415| 0.000] - [PKTLEN......: 54.000| 1506.000| 353.200| 486.100|236250.500| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 8.978| 0.329| 1.582| 2503841.415| 0.800] + [PKTLEN......: 40.000| 1492.000| 339.200| 486.100| 236250.500| 3.900] [BINS(c->s)..: 10,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,3,1,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,0,0,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,1,1] [IATS(ms)....: 47.1,47.2,0.5,44.4,0.0,43.9,0.0,0.0,0.2,0.1,0.0,0.2,0.0,4.4,9.7,0.3,46.5,32.1,0.5,0.4,0.1,18.9,1.4,20.2,62.9,403.2,425.0,8978.2,0.0,0.0,0.0] - [PKTLENS.....: 78,66,54,290,1506,1506,66,54,54,1506,1506,323,54,54,212,147,582,105,54,123,54,92,60,423,54,60,1114,60,425,429,100,92] + [PKTLENS.....: 64,52,40,276,1492,1492,52,40,40,1492,1492,309,40,40,198,133,568,91,40,109,40,78,46,409,40,46,1100,46,411,415,86,78] + [ENTROPIES...: 4.3,4.9,4.6,5.6,7.4,7.3,4.7,4.6,4.6,7.5,7.6,7.1,4.7,4.6,6.5,6.1,7.6,5.4,4.6,5.9,4.6,5.2,4.5,7.4,4.7,4.5,7.8,4.6,7.4,7.5,5.6,5.5] new: [....60] [ip4][..tcp] [..151.11.50.139][.2222] -> [....192.168.1.6][54750] [MIDSTREAM] ERROR-EVENT: Unknown packet type new: [....61] [ip4][..tcp] [....192.168.1.6][60566] -> [.167.99.215.164][.4434] @@ -442,14 +457,15 @@ detected: [....81] [ip4][..udp] [...52.114.252.8][.3479] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Collaborative][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.567| 0.072| 0.275|75449.426| 0.000] - [PKTLEN......: 54.000| 1506.000| 270.900| 427.000|182315.300| 3.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.567| 0.072| 0.275| 75449.426| 1.900] + [PKTLEN......: 40.000| 1492.000| 256.900| 427.000| 182315.300| 3.700] [BINS(c->s)..: 15,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,0,0,0,1,1] [IATS(ms)....: 45.0,45.1,0.2,47.4,47.2,0.2,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.1,0.0,0.0,8.0,0.0,0.0,52.4,1.2,45.6,48.6,92.2,43.7,69.1,0.3,113.5,1566.9] - [PKTLENS.....: 78,66,54,241,1506,66,1506,602,66,66,1506,602,66,54,602,180,54,54,54,161,60,99,60,105,54,155,238,54,85,54,60,60] + [PKTLENS.....: 64,52,40,227,1492,52,1492,588,52,52,1492,588,52,40,588,166,40,40,40,147,46,85,46,91,40,141,224,40,71,40,46,46] + [ENTROPIES...: 4.4,4.9,4.5,5.4,7.5,4.6,7.4,6.2,4.7,4.7,7.7,7.0,4.7,4.5,7.6,6.6,4.4,4.5,4.5,6.4,4.5,5.8,4.6,5.4,4.6,6.4,6.9,4.5,5.4,4.4,4.6,4.6] ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type new: [....82] [ip4][..tcp] [....192.168.1.6][60568] -> [...40.79.138.41][..443] @@ -460,14 +476,15 @@ new: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] detected: [....83] [ip4][.icmp] [..93.71.110.205] -> [....192.168.1.6] [ICMP][Network][Acceptable] analyse: [....78] [ip4][..udp] [..93.71.110.205][16332] -> [....192.168.1.6][50016] [STUN.Skype_TeamsCall][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.168| 0.160| 0.366|133702.353| 0.000] - [PKTLEN......: 80.000| 1256.000| 267.400| 374.400|140199.200| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.168| 0.160| 0.366| 133702.353| 2.700] + [PKTLEN......: 66.000| 1242.000| 253.400| 374.400| 140199.200| 4.000] [BINS(c->s)..: 0,2,16,4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,1,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 24.8,0.2,101.3,1168.2,1167.0,967.1,50.8,1119.2,0.0,0.0,51.0,80.3,2.0,2.7,3.7,0.0,0.0,0.0,10.7,24.2,9.3,21.5,4.5,19.9,25.3,9.2,24.4,24.6,9.5,26.0,24.3] - [PKTLENS.....: 154,130,154,130,158,130,152,150,80,1256,1256,150,115,80,1256,1256,84,208,140,108,110,117,122,124,116,112,126,120,117,115,116,116] + [PKTLENS.....: 140,116,140,116,144,116,138,136,66,1242,1242,136,101,66,1242,1242,70,194,126,94,96,103,108,110,102,98,112,106,103,101,102,102] + [ENTROPIES...: 5.4,5.4,5.6,5.5,5.5,5.5,6.4,5.5,5.3,7.8,7.8,5.4,6.1,5.3,7.8,7.8,5.4,6.9,6.4,5.9,6.0,6.1,5.4,6.3,6.1,6.0,6.3,6.0,6.1,6.2,6.1,6.2] idle: [....72] [ip4][..tcp] [....192.168.1.6][50014] -> [.52.114.250.152][..443] end: [....64] [ip4][..tcp] [....192.168.1.6][50018] -> [.52.114.250.123][..443] [TLS.Teams][Collaborative][Safe] RISK: TLS (probably) Not Carrying HTTPS diff --git a/test/results/flow-info/teamviewer.pcap.out b/test/results/flow-info/teamviewer.pcap.out index ca632c8eb..aeb82583c 100644 --- a/test/results/flow-info/teamviewer.pcap.out +++ b/test/results/flow-info/teamviewer.pcap.out @@ -2,26 +2,28 @@ new: [.....1] [ip4][..tcp] [......10.0.2.15][35732] -> [..162.250.2.170][.5938] detected: [.....1] [ip4][..tcp] [......10.0.2.15][35732] -> [..162.250.2.170][.5938] [TeamViewer][RemoteAccess][Acceptable] analyse: [.....1] [ip4][..tcp] [......10.0.2.15][35732] -> [..162.250.2.170][.5938] [TeamViewer][RemoteAccess][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.274| 0.067| 0.088| 7794.386| 0.000] - [PKTLEN......: 54.000| 1514.000| 383.000| 516.400|266637.300| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.274| 0.067| 0.088| 7794.386| 3.800] + [PKTLEN......: 40.000| 1500.000| 369.000| 516.400| 266637.300| 3.800] [BINS(c->s)..: 5,3,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 11,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,0,1,1] [IATS(ms)....: 136.3,137.2,0.6,1.8,12.1,11.9,35.7,0.1,35.8,0.0,88.3,88.6,11.6,11.6,151.9,0.1,152.0,35.7,35.9,255.8,274.4,18.6,256.5,257.6,1.1,0.3,0.3,28.9,0.0,29.1,0.0] - [PKTLENS.....: 74,58,60,91,54,120,54,1514,432,54,54,102,60,201,60,1514,1290,60,1132,54,1143,1155,54,494,110,54,102,54,1514,429,54,54] + [PKTLENS.....: 60,44,46,77,40,106,40,1500,418,40,40,88,46,187,46,1500,1276,46,1118,40,1129,1141,40,480,96,40,88,40,1500,415,40,40] + [ENTROPIES...: 4.6,4.7,4.3,4.6,4.6,4.0,4.6,7.6,7.3,4.5,4.5,4.9,4.3,3.9,4.4,7.7,7.8,4.4,7.7,4.7,7.5,7.7,4.7,6.5,4.6,4.7,3.8,4.6,7.6,7.4,4.7,4.7] new: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] detected: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] [TeamViewer][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Desktop/File Sharing analyse: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] [TeamViewer][RemoteAccess][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.443| 0.037| 0.097| 9363.771| 0.000] - [PKTLEN......: 58.000| 1066.000| 452.800| 450.400|202865.500| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.443| 0.037| 0.097| 9363.771| 2.600] + [PKTLEN......: 44.000| 1052.000| 438.800| 450.400| 202865.500| 4.200] [BINS(c->s)..: 0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,7,4,1,2,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 12.3,12.3,0.1,40.7,3.9,3.2,6.6,81.8,9.0,0.1,7.4,9.2,442.9,41.9,345.1,0.1,0.0,0.0,0.0,0.0,0.0,2.0,0.1,0.0,9.6,0.1,0.0,51.0,58.8,0.1,0.0] - [PKTLENS.....: 138,138,506,1066,62,98,90,90,90,191,118,66,66,90,90,1066,1066,1066,1066,1066,1066,1066,1066,1066,1066,182,118,118,58,239,131,85] + [PKTLENS.....: 124,124,492,1052,48,84,76,76,76,177,104,52,52,76,76,1052,1052,1052,1052,1052,1052,1052,1052,1052,1052,168,104,104,44,225,117,71] + [ENTROPIES...: 2.7,2.7,0.8,0.4,3.9,2.8,3.1,3.0,3.3,4.1,4.0,4.0,3.9,3.1,3.2,0.4,0.4,0.4,0.4,0.4,0.4,0.4,0.4,0.4,0.4,4.1,3.9,5.5,4.0,3.9,4.2,4.7] update: [.....2] [ip4][..udp] [......10.0.2.15][34417] -> [..93.47.224.241][36037] [TeamViewer][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Desktop/File Sharing DAEMON-EVENT: [Processed: 1282 pkts][ZLib][compressions: 0|diff: 0 / 0] diff --git a/test/results/flow-info/telegram.pcap.out b/test/results/flow-info/telegram.pcap.out index 42e1e5e45..b84d51f5a 100644 --- a/test/results/flow-info/telegram.pcap.out +++ b/test/results/flow-info/telegram.pcap.out @@ -28,23 +28,25 @@ new: [....12] [ip4][..udp] [...192.168.1.77][.5353] -> [...192.168.1.53][.5353] detected: [....12] [ip4][..udp] [...192.168.1.77][.5353] -> [...192.168.1.53][.5353] [MDNS][Network][Acceptable] analyse: [.....5] [ip4][..udp] [...192.168.1.75][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.089| 0.260| 0.238|56779.682| 0.000] - [PKTLEN......: 142.000| 308.000| 198.700| 56.400| 3176.800| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.089| 0.260| 0.238| 56779.682| 4.400] + [PKTLEN......: 128.000| 294.000| 184.700| 56.400| 3176.800| 4.900] [BINS(c->s)..: 0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 549.4,0.8,252.8,249.2,102.8,152.8,104.9,141.4,2.6,102.2,252.5,506.2,1089.0,524.5,0.5,254.5,249.1,108.9,146.8,101.0,145.2,2.4,102.1,256.0,497.9,504.7,600.2,564.9,0.4,248.3,249.2] - [PKTLENS.....: 142,233,308,169,153,169,153,211,184,308,153,167,275,142,233,308,169,153,169,153,211,184,308,153,167,211,167,142,233,308,169,153] + [PKTLENS.....: 128,219,294,155,139,155,139,197,170,294,139,153,261,128,219,294,155,139,155,139,197,170,294,139,153,197,153,128,219,294,155,139] + [ENTROPIES...: 5.1,5.4,5.2,5.2,4.7,5.2,4.7,5.2,5.2,5.2,4.7,4.8,5.1,5.1,5.4,5.2,5.2,4.7,5.2,4.7,5.2,5.2,5.2,4.7,4.8,5.2,4.7,5.1,5.4,5.2,5.2,4.7] analyse: [.....6] [ip6][..udp] [................fe80::4ba:91a:7817:e318][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.089| 0.260| 0.238|56762.626| 0.000] - [PKTLEN......: 162.000| 328.000| 218.700| 56.400| 3176.800| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.089| 0.260| 0.238| 56762.626| 4.400] + [PKTLEN......: 148.000| 314.000| 204.700| 56.400| 3176.800| 4.900] [BINS(c->s)..: 0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 549.6,0.4,252.7,249.3,102.6,153.3,104.8,140.9,2.6,102.6,252.5,506.2,1088.5,524.6,0.5,254.5,249.4,109.0,147.1,100.8,145.2,1.9,102.6,256.1,498.0,504.7,600.4,564.2,0.4,249.0,248.4] - [PKTLENS.....: 162,253,328,189,173,189,173,231,204,328,173,187,295,162,253,328,189,173,189,173,231,204,328,173,187,231,187,162,253,328,189,173] + [PKTLENS.....: 148,239,314,175,159,175,159,217,190,314,159,173,281,148,239,314,175,159,175,159,217,190,314,159,173,217,173,148,239,314,175,159] + [ENTROPIES...: 4.9,5.3,5.1,5.1,4.5,5.1,4.5,5.1,5.0,5.1,4.5,4.5,5.0,4.9,5.3,5.1,5.1,4.5,5.1,4.5,5.0,5.0,5.1,4.5,4.5,5.0,4.5,4.9,5.3,5.1,5.1,4.5] detection-update: [.....3] [ip4][..udp] [...192.168.1.53][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] detection-update: [....11] [ip6][..udp] [..............fe80::18a0:a412:8935:c01b][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] new: [....13] [ip4][..udp] [...192.168.1.77][52118] -> [....192.168.1.1][...53] @@ -78,27 +80,29 @@ detected: [....26] [ip4][..udp] [...192.168.1.77][23174] -> [..87.11.205.195][60723] [OpenVPN][VPN][Acceptable] RISK: Known Proto on Non Std Port analyse: [....19] [ip4][..udp] [...192.168.1.77][23174] -> [.....91.108.8.7][..521] [Telegram][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 0.501| 0.118| 0.112|12556.351| 0.000] - [PKTLEN......: 74.000| 234.000| 158.000| 57.300| 3288.000| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 0.501| 0.118| 0.112| 12556.351| 4.400] + [PKTLEN......: 60.000| 220.000| 144.000| 57.300| 3288.000| 4.900] [BINS(c->s)..: 0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,4,4,0,8,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,1,0,1,1,1,1,1,1,0,1] [IATS(ms)....: 33.7,303.8,500.9,195.8,135.7,308.4,212.1,0.7,38.9,154.1,154.5,74.5,133.7,63.7,29.9,38.6,63.9,177.4,37.8,26.0,43.6,64.2,189.8,58.8,4.5,63.5,64.5,43.0,64.5,315.9,64.4] - [PKTLENS.....: 82,106,138,82,106,138,138,74,138,90,82,106,234,138,234,138,234,218,138,138,218,234,218,82,106,218,218,202,218,218,138,234] + [PKTLENS.....: 68,92,124,68,92,124,124,60,124,76,68,92,220,124,220,124,220,204,124,124,204,220,204,68,92,204,204,188,204,204,124,220] + [ENTROPIES...: 4.9,5.1,6.5,4.9,5.1,6.6,6.5,4.6,6.6,5.1,4.9,5.1,7.1,6.4,7.0,6.5,7.0,7.0,6.5,6.4,7.0,7.1,7.0,4.9,5.1,6.9,6.8,6.9,7.0,7.0,6.4,7.0] new: [....27] [ip4][..udp] [...192.168.1.77][47127] -> [....192.168.1.1][...53] detected: [....27] [ip4][..udp] [...192.168.1.77][47127] -> [....192.168.1.1][...53] [DNS.GoogleServices][Web][Acceptable] detection-update: [....27] [ip4][..udp] [...192.168.1.77][47127] -> [....192.168.1.1][...53] [DNS.GoogleServices][Web][Acceptable] RISK: Suspicious DNS Traffic analyse: [....25] [ip4][..udp] [...192.168.1.77][23174] -> [...192.168.1.52][31480] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.042| 1.999| 0.261| 0.473|223426.380| 0.000] - [PKTLEN......: 90.000| 282.000| 205.500| 54.500| 2971.800| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.042| 1.999| 0.261| 0.473| 223426.380| 3.600] + [PKTLEN......: 76.000| 268.000| 191.500| 54.500| 2971.800| 4.900] [BINS(c->s)..: 0,1,2,0,0,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,3,0,0,5,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,1,0,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 176.6,505.7,492.8,1175.3,327.6,331.9,1681.3,64.2,63.5,64.3,42.3,63.9,1998.8,63.8,58.3,64.1,69.6,64.4,57.8,43.1,58.1,62.2,58.1,63.8,58.2,64.2,58.2,62.0,69.6,66.6,57.7] - [PKTLENS.....: 122,122,122,90,106,90,106,234,266,282,266,266,250,218,234,234,234,218,202,234,218,218,218,234,218,218,218,218,234,218,234,234] + [PKTLENS.....: 108,108,108,76,92,76,92,220,252,268,252,252,236,204,220,220,220,204,188,220,204,204,204,220,204,204,204,204,220,204,220,220] + [ENTROPIES...: 6.4,6.1,6.3,5.8,6.0,5.8,6.0,6.9,7.1,7.2,7.1,7.1,7.1,7.0,7.0,7.1,7.0,6.9,6.8,7.0,7.0,7.0,6.9,6.9,6.9,6.9,6.9,6.9,7.0,6.9,7.0,7.1] not-detected: [....25] [ip4][..udp] [...192.168.1.77][23174] -> [...192.168.1.52][31480] [Unknown][Unrated] new: [....28] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] detected: [....28] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable] @@ -139,24 +143,26 @@ new: [....43] [ip4][..udp] [...192.168.1.77][52127] -> [239.255.255.250][.1900] detected: [....43] [ip4][..udp] [...192.168.1.77][52127] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] analyse: [....37] [ip4][..udp] [...192.168.1.77][28150] -> [.....91.108.8.8][..529] [Telegram][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.008| 0.505| 0.099| 0.138|18965.475| 0.000] - [PKTLEN......: 74.000| 234.000| 158.000| 55.400| 3064.000| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.008| 0.505| 0.099| 0.138| 18965.475| 4.000] + [PKTLEN......: 60.000| 220.000| 144.000| 55.400| 3064.000| 4.900] [BINS(c->s)..: 0,5,0,4,0,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1] [IATS(ms)....: 38.7,504.7,472.2,31.4,48.8,83.1,90.1,75.5,57.5,58.0,58.1,58.1,52.0,386.6,9.5,8.5,27.3,36.0,21.7,40.2,58.1,58.0,58.2,57.9,70.0,57.9,58.0,8.2,436.3,11.3,25.6] - [PKTLENS.....: 82,106,82,138,106,138,138,74,218,218,218,234,218,82,138,138,218,106,138,218,90,218,218,202,218,202,218,218,82,138,138,106] + [PKTLENS.....: 68,92,68,124,92,124,124,60,204,204,204,220,204,68,124,124,204,92,124,204,76,204,204,188,204,188,204,204,68,124,124,92] + [ENTROPIES...: 4.8,5.0,4.8,6.4,4.9,6.5,6.5,4.5,7.0,6.9,6.9,7.0,6.9,4.9,6.5,6.5,7.0,5.0,6.4,6.9,5.1,6.9,6.9,6.8,7.0,6.8,6.8,7.0,4.9,6.4,6.5,5.0] new: [....44] [ip4][..udp] [...192.168.1.77][28150] -> [..87.11.205.195][59772] analyse: [....40] [ip4][..udp] [...192.168.1.77][28150] -> [.....91.108.8.1][..533] [Telegram][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.007| 0.505| 0.113| 0.151|22855.887| 0.000] - [PKTLEN......: 74.000| 218.000| 157.000| 54.200| 2943.000| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.007| 0.505| 0.113| 0.151| 22855.887| 4.100] + [PKTLEN......: 60.000| 204.000| 143.000| 54.200| 2943.000| 4.900] [BINS(c->s)..: 0,5,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,1,4,5,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1] [IATS(ms)....: 34.1,504.9,476.9,26.3,48.6,90.1,359.3,474.9,22.9,54.0,44.1,48.8,32.7,70.5,63.7,63.7,64.6,42.0,447.9,51.4,12.5,7.1,54.2,56.0,36.2,28.9,63.9,41.9,63.9,64.6,64.6] - [PKTLENS.....: 82,106,82,138,106,138,74,82,138,106,138,90,138,218,218,202,218,218,218,82,138,218,106,138,218,138,218,218,202,218,202,218] + [PKTLENS.....: 68,92,68,124,92,124,60,68,124,92,124,76,124,204,204,188,204,204,204,68,124,204,92,124,204,124,204,204,188,204,188,204] + [ENTROPIES...: 5.0,5.1,4.9,6.5,5.0,6.5,4.6,4.9,6.5,5.1,6.3,5.1,6.5,6.9,7.0,6.9,7.0,6.9,7.0,4.9,6.5,7.0,5.0,6.3,6.9,6.4,6.9,6.9,6.9,7.0,6.9,7.0] new: [....45] [ip4][..udp] [...192.168.1.53][50698] -> [239.255.255.250][.1900] detected: [....45] [ip4][..udp] [...192.168.1.53][50698] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] update: [.....1] [ip4][..udp] [....192.168.0.1][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable] diff --git a/test/results/flow-info/telnet.pcap.out b/test/results/flow-info/telnet.pcap.out index 1e8b35279..c2b739860 100644 --- a/test/results/flow-info/telnet.pcap.out +++ b/test/results/flow-info/telnet.pcap.out @@ -9,14 +9,15 @@ detection-update: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] [Telnet][RemoteAccess][Unsafe] RISK: Unsafe Protocol analyse: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.233| 0.125| 0.337|113396.253| 0.000] - [PKTLEN......: 66.000| 151.000| 77.200| 18.800| 354.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.233| 0.125| 0.337| 113396.253| 2.200] + [PKTLEN......: 52.000| 137.000| 63.200| 18.800| 354.000| 4.900] [BINS(c->s)..: 15,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,0] [IATS(ms)....: 2.5,2.6,1.6,147.8,146.2,0.2,1.6,1.7,3.3,1.3,0.6,1.8,1.1,2.4,3.6,0.6,1.2,22.3,20.4,1.2,13.8,15.0,1.2,0.8,12.8,12.2,20.0,1107.3,1100.0,1232.8,1.4] - [PKTLENS.....: 74,74,66,93,69,66,69,66,91,130,66,84,75,66,90,66,151,66,69,69,66,78,72,66,81,66,98,66,73,66,72,66] + [PKTLENS.....: 60,60,52,79,55,52,55,52,77,116,52,70,61,52,76,52,137,52,55,55,52,64,58,52,67,52,84,52,59,52,58,52] + [ENTROPIES...: 4.3,4.8,4.8,5.0,4.8,4.8,4.9,4.7,5.1,5.3,4.6,5.0,5.0,4.8,4.8,4.8,5.6,4.9,4.9,4.9,4.8,4.9,4.9,4.7,4.9,4.8,5.5,4.8,5.0,4.7,5.0,4.8] detection-update: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] [Telnet][RemoteAccess][Unsafe] RISK: Unsafe Protocol end: [.....1] [ip4][..tcp] [....192.168.0.2][.1550] -> [....192.168.0.1][...23] [Telnet][RemoteAccess][Unsafe] diff --git a/test/results/flow-info/tftp.pcap.out b/test/results/flow-info/tftp.pcap.out index cb8c8a3c4..256702d99 100644 --- a/test/results/flow-info/tftp.pcap.out +++ b/test/results/flow-info/tftp.pcap.out @@ -13,14 +13,15 @@ detected: [.....4] [ip4][..udp] [...192.168.0.10][.3445] -> [..192.168.0.253][50618] [TFTP][DataTransfer][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....4] [ip4][..udp] [...192.168.0.10][.3445] -> [..192.168.0.253][50618] [TFTP][DataTransfer][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] - [PKTLEN......: 60.000| 558.000| 309.000| 249.000|62001.000| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.000| 0.000| 0.000| 0.000| 0.000] + [PKTLEN......: 46.000| 544.000| 295.000| 249.000| 62001.000| 4.400] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: ] - [PKTLENS.....: 558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60] + [PKTLENS.....: 544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46] + [ENTROPIES...: 4.3,3.0,4.6,3.0,4.9,3.0,4.9,2.9,4.4,3.0,4.6,3.0,4.6,3.0,4.6,3.0,4.5,3.0,4.4,2.9,4.4,3.0,4.5,2.9,4.7,2.9,4.6,3.0,4.5,3.0,4.3,3.0] DAEMON-EVENT: [Processed: 101 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 4 / 4|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] new: [.....5] [ip4][..udp] [....172.28.4.53][54627] -> [...172.16.5.170][...69] diff --git a/test/results/flow-info/tinc.pcap.out b/test/results/flow-info/tinc.pcap.out index 41b85ae11..4b823bea2 100644 --- a/test/results/flow-info/tinc.pcap.out +++ b/test/results/flow-info/tinc.pcap.out @@ -14,23 +14,25 @@ detected: [.....4] [ip4][..udp] [.185.83.218.112][55656] -> [.131.114.168.27][55656] [TINC][VPN][Acceptable] RISK: Known Proto on Non Std Port analyse: [.....3] [ip4][..udp] [.131.114.168.27][55655] -> [.185.83.218.112][55655] [TINC][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.070| 0.172| 0.377|142420.984| 0.000] - [PKTLEN......: 190.000| 1510.000| 1149.200| 450.400|202833.500| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.070| 0.172| 0.377| 142420.984| 2.500] + [PKTLEN......: 176.000| 1496.000| 1135.200| 450.400| 202833.500| 4.900] [BINS(c->s)..: 0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,2,6,0,0] [BINS(s->c)..: 0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,0,6,0,0] [DIRECTIONS..: 0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,0,0] [IATS(ms)....: 0.2,27.5,0.0,0.0,27.5,0.2,0.1,0.2,0.2,0.1,15.4,0.0,41.8,0.0,0.0,1058.0,0.3,0.3,1003.7,0.1,1.8,0.2,45.3,0.1,0.0,1024.1,0.1,1069.5,0.1,1001.4,0.3] - [PKTLENS.....: 686,734,238,1486,782,230,1270,190,1310,1478,774,686,734,1278,190,1310,1358,1478,1374,1486,1502,1486,1494,1358,1486,1374,1502,1502,1502,1494,1510,1494] + [PKTLENS.....: 672,720,224,1472,768,216,1256,176,1296,1464,760,672,720,1264,176,1296,1344,1464,1360,1472,1488,1472,1480,1344,1472,1360,1488,1488,1488,1480,1496,1480] + [ENTROPIES...: 7.7,7.7,7.1,7.8,7.8,6.9,7.9,6.8,7.9,7.8,7.7,7.7,7.7,7.9,6.8,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.8,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9] analyse: [.....4] [ip4][..udp] [.185.83.218.112][55656] -> [.131.114.168.27][55656] [TINC][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.412| 0.291| 0.559|312123.949| 0.000] - [PKTLEN......: 118.000| 1494.000| 1025.000| 450.300|202783.000| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.412| 0.291| 0.559| 312123.949| 2.900] + [PKTLEN......: 104.000| 1480.000| 1011.000| 450.300| 202783.000| 4.800] [BINS(c->s)..: 0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,2,1,0,0,1,0,0] [BINS(s->c)..: 0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,1,2,2,2,0,0,2,3,0,0] [DIRECTIONS..: 0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,0] [IATS(ms)....: 0.1,0.0,0.6,0.5,0.2,0.1,1049.1,0.0,0.0,1048.0,0.1,0.2,0.1,0.1,0.1,44.1,0.0,0.0,1044.7,0.3,1022.0,20.6,1001.5,0.3,0.2,363.6,1001.2,0.1,0.1,2412.5,0.0] - [PKTLENS.....: 766,1486,958,734,1270,1486,958,1070,670,334,1062,190,1310,526,670,334,190,1310,526,1478,1374,1374,1374,1486,1350,1318,118,1494,1478,1342,1390,1374] + [PKTLENS.....: 752,1472,944,720,1256,1472,944,1056,656,320,1048,176,1296,512,656,320,176,1296,512,1464,1360,1360,1360,1472,1336,1304,104,1480,1464,1328,1376,1360] + [ENTROPIES...: 7.7,7.9,7.8,7.7,7.9,7.9,7.8,7.8,7.7,7.3,7.8,6.7,7.8,7.6,7.7,7.2,7.0,7.9,7.6,7.9,7.9,7.9,7.8,7.8,7.9,7.8,6.2,7.9,7.9,7.9,7.9,7.9] end: [.....2] [ip4][..tcp] [.131.114.168.27][49290] -> [.185.83.218.112][55656] [TINC][VPN][Acceptable] RISK: Known Proto on Non Std Port idle: [.....3] [ip4][..udp] [.131.114.168.27][55655] -> [.185.83.218.112][55655] [TINC][VPN][Acceptable] diff --git a/test/results/flow-info/tls-appdata.pcap.out b/test/results/flow-info/tls-appdata.pcap.out index a87dbcf3c..3e352ae5e 100644 --- a/test/results/flow-info/tls-appdata.pcap.out +++ b/test/results/flow-info/tls-appdata.pcap.out @@ -9,14 +9,15 @@ detected: [.....2] [ip4][..tcp] [..192.168.2.100][58976] -> [...52.223.198.7][..443] [TLS.Twitch][Video][Fun] end: [.....1] [ip4][..tcp] [.179.60.195.173][..443] -> [..192.168.2.100][60636] analyse: [.....2] [ip4][..tcp] [..192.168.2.100][58976] -> [...52.223.198.7][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 15.956| 2.459| 5.752|33086771.298| 0.000] - [PKTLEN......: 54.000| 2958.000| 1143.200| 1252.100|1567845.500| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 15.956| 2.459| 5.752| 33086771.298| 1.000] + [PKTLEN......: 40.000| 2944.000| 1129.200| 1252.100| 1567845.600| 4.000] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,9] [DIRECTIONS..: 0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,1,0,1,0,0,1,1,1,0,1,0] [IATS(ms)....: 2.0,15.0,3.0,16.0,1.0,1.0,15941.0,1.0,15956.0,5.0,19.0,1.0,1.0] - [PKTLENS.....: 1506,74,60,1506,2958,54,2958,54,54,2958,2885,54,54,54,54,1506,74,60,1506,2958,54,2958,54,2958,1506,74,60,1506,2958,54,2958,54] + [PKTLENS.....: 1492,60,46,1492,2944,40,2944,40,40,2944,2871,40,40,40,40,1492,60,46,1492,2944,40,2944,40,2944,1492,60,46,1492,2944,40,2944,40] + [ENTROPIES...: 7.9,5.5,4.7,7.9,7.9,5.0,7.9,4.9,4.9,7.9,7.9,5.0,4.9,4.9,5.0,7.9,5.5,4.6,7.9,7.9,4.9,7.9,4.9,7.9,7.9,5.6,4.5,7.9,7.9,4.9,7.9,4.9] detection-update: [.....2] [ip4][..tcp] [..192.168.2.100][58976] -> [...52.223.198.7][..443] [TLS.Twitch][Video][Fun] DAEMON-EVENT: [Processed: 45 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 2|skipped: 0|!detected: 0|guessed: 0|detection-updates: 1|updates: 0] diff --git a/test/results/flow-info/tls_certificate_too_long.pcap.out b/test/results/flow-info/tls_certificate_too_long.pcap.out index 10e2d288b..9827d9d0a 100644 --- a/test/results/flow-info/tls_certificate_too_long.pcap.out +++ b/test/results/flow-info/tls_certificate_too_long.pcap.out @@ -70,23 +70,25 @@ detected: [....25] [ip4][..tcp] [..192.168.1.121][53428] -> [...52.98.163.18][..443] [TLS.Outlook][Email][Acceptable] detection-update: [....23] [ip4][..udp] [..192.168.1.121][51998] -> [........8.8.8.8][...53] [DNS.Google][Web][Acceptable] analyse: [....24] [ip4][..tcp] [..192.168.1.121][53429] -> [...52.98.163.18][..443] [TLS.Outlook][Email][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.067| 0.005| 0.015| 217.103| 0.000] - [PKTLEN......: 54.000| 1502.000| 423.600| 443.800|196953.100| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.067| 0.005| 0.015| 217.103| 1.700] + [PKTLEN......: 40.000| 1488.000| 409.600| 443.800| 196953.100| 4.300] [BINS(c->s)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0] [BINS(s->c)..: 2,3,0,1,0,0,11,6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1] [IATS(ms)....: 1.3,0.0,22.7,2.8,42.2,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,66.6,0.0,0.2,0.0,0.0,0.0] - [PKTLENS.....: 1502,936,1502,1502,1020,54,54,1372,166,112,269,281,285,281,267,273,287,273,275,275,271,281,273,283,273,114,54,54,254,275,341,96] + [PKTLENS.....: 1488,922,1488,1488,1006,40,40,1358,152,98,255,267,271,267,253,259,273,259,261,261,257,267,259,269,259,100,40,40,240,261,327,82] + [ENTROPIES...: 7.8,7.8,7.8,7.9,7.8,4.9,4.9,7.9,6.6,5.9,7.1,7.1,7.1,7.1,7.1,7.1,7.1,7.1,7.2,7.0,7.1,7.1,7.1,7.0,7.0,5.9,4.7,4.7,7.0,7.1,7.3,5.7] analyse: [....25] [ip4][..tcp] [..192.168.1.121][53428] -> [...52.98.163.18][..443] [TLS.Outlook][Email][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.048| 0.009| 0.014| 206.122| 0.000] - [PKTLEN......: 54.000| 1502.000| 453.200| 490.600|240677.500| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.048| 0.009| 0.014| 206.122| 3.300] + [PKTLEN......: 40.000| 1488.000| 439.200| 490.600| 240677.500| 4.200] [BINS(c->s)..: 4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 4,6,1,0,2,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,0,1,1,1,1,1,1,0,1,0,1,0,0,0,1,0,1,1,0,1,1,1,1,1,1,1,0,1] [IATS(ms)....: 0.0,1.1,23.2,47.6,37.0,0.0,0.0,0.0,0.0,0.0,11.7,0.4,0.5,9.9,10.2,0.0,0.6,25.3,48.0,32.2,0.0,8.7,0.4,0.0,0.0,0.0,0.0,0.0,0.0,0.5,13.0] - [PKTLENS.....: 1502,936,1292,54,1292,1366,189,273,452,96,99,54,88,54,66,1502,935,708,54,708,1003,445,54,193,253,295,137,96,99,88,54,66] + [PKTLENS.....: 1488,922,1278,40,1278,1352,175,259,438,82,85,40,74,40,52,1488,921,694,40,694,989,431,40,179,239,281,123,82,85,74,40,52] + [ENTROPIES...: 7.9,7.8,7.9,4.9,7.9,7.8,6.6,7.1,7.5,5.7,5.6,4.7,5.4,4.7,4.9,7.9,7.8,7.6,4.9,7.6,7.8,7.5,4.6,6.6,7.0,7.2,6.2,5.6,5.8,5.5,4.7,5.0] new: [....26] [ip4][..tcp] [..192.168.1.121][53914] -> [...40.113.10.47][..443] new: [....27] [ip4][..tcp] [..192.168.1.121][53915] -> [...40.113.10.47][..443] detected: [....26] [ip4][..tcp] [..192.168.1.121][53914] -> [...40.113.10.47][..443] [TLS.Microsoft][Cloud][Safe] diff --git a/test/results/flow-info/tls_long_cert.pcap.out b/test/results/flow-info/tls_long_cert.pcap.out index dffce61ca..f68c6570f 100644 --- a/test/results/flow-info/tls_long_cert.pcap.out +++ b/test/results/flow-info/tls_long_cert.pcap.out @@ -6,13 +6,14 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Web][Safe] detection-update: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Web][Safe] analyse: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.034| 0.008| 0.011| 130.013| 0.000] - [PKTLEN......: 66.000| 1514.000| 546.900| 584.900|342142.300| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.034| 0.008| 0.011| 130.013| 3.600] + [PKTLEN......: 52.000| 1500.000| 532.900| 584.900| 342142.300| 4.100] [BINS(c->s)..: 11,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,6,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,0,0,0,0,1,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,1] [IATS(ms)....: 25.2,25.3,0.3,30.1,3.3,1.1,34.2,0.8,0.7,1.9,1.9,0.8,8.4,0.4,28.1,18.6,6.5,0.6,7.1,0.1,26.0,0.0,0.0,25.9,0.0,0.1,0.2,0.2,0.7,0.0,0.0] - [PKTLENS.....: 78,74,66,583,66,1514,1514,66,1266,66,855,66,192,159,902,308,66,66,143,66,104,1119,1119,1514,66,66,66,724,66,1514,1514,1514] + [PKTLENS.....: 64,60,52,569,52,1500,1500,52,1252,52,841,52,178,145,888,294,52,52,129,52,90,1105,1105,1500,52,52,52,710,52,1500,1500,1500] + [ENTROPIES...: 4.5,5.4,5.1,4.4,5.2,6.5,6.8,5.1,7.3,5.1,7.7,5.2,6.4,6.2,7.7,7.1,5.2,5.3,6.4,5.2,5.5,7.8,7.8,7.9,5.2,5.2,5.0,7.7,5.2,7.9,7.9,7.9] end: [.....1] [ip4][..tcp] [..192.168.2.126][60174] -> [.104.111.215.93][..443] [TLS][Web][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/tls_verylong_certificate.pcap.out b/test/results/flow-info/tls_verylong_certificate.pcap.out index f1f2b5af4..b3787f9c9 100644 --- a/test/results/flow-info/tls_verylong_certificate.pcap.out +++ b/test/results/flow-info/tls_verylong_certificate.pcap.out @@ -6,14 +6,15 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS][Web][Safe] detection-update: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS][Media][Safe] analyse: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.022| 0.005| 0.007| 43.853| 0.000] - [PKTLEN......: 66.000| 1434.000| 532.600| 615.300|378610.900| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.022| 0.005| 0.007| 43.853| 3.500] + [PKTLEN......: 52.000| 1420.000| 518.600| 615.300| 378610.900| 4.000] [BINS(c->s)..: 12,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,1,0,1,1] [IATS(ms)....: 11.6,11.7,5.7,17.7,3.1,0.2,15.2,0.1,0.1,0.1,0.0,0.1,10.6,21.7,11.2,0.3,14.9,0.0,0.0,14.6,0.0,0.0,0.3,0.3,0.0,0.6,0.0,0.5,0.5,0.1,0.0] - [PKTLENS.....: 78,74,66,583,66,1434,1434,66,1434,66,1434,276,66,192,117,66,236,1434,1434,118,66,66,66,1434,1434,118,66,66,1434,66,1434,118] + [PKTLENS.....: 64,60,52,569,52,1420,1420,52,1420,52,1420,262,52,178,103,52,222,1420,1420,104,52,52,52,1420,1420,104,52,52,1420,52,1420,104] + [ENTROPIES...: 4.4,5.1,4.9,4.4,5.0,6.8,4.9,5.0,6.6,4.9,7.4,7.0,5.0,6.3,6.0,5.0,6.9,7.9,7.9,6.1,4.9,4.8,4.7,7.9,7.9,6.0,4.9,4.9,7.9,4.8,7.9,6.2] detection-update: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS][Media][Safe] end: [.....1] [ip4][..tcp] [..192.168.1.160][54804] -> [..151.101.66.49][..443] [TLS][Media][Safe] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/tor.pcap.out b/test/results/flow-info/tor.pcap.out index 20561d889..fa3dc4acc 100644 --- a/test/results/flow-info/tor.pcap.out +++ b/test/results/flow-info/tor.pcap.out @@ -45,23 +45,25 @@ ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type analyse: [.....3] [ip4][..tcp] [..192.168.1.252][51112] -> [...38.229.70.53][..443] [TLS.Tor][VPN][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 31.166| 2.329| 7.550|56997495.964| 0.000] - [PKTLEN......: 54.000| 1514.000| 369.800| 354.900|125974.500| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 31.166| 2.329| 7.550| 56997495.964| 1.900] + [PKTLEN......: 40.000| 1500.000| 355.800| 354.900| 125974.500| 4.300] [BINS(c->s)..: 4,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1] [IATS(ms)....: 143.8,144.2,0.4,152.7,0.2,159.6,171.7,164.7,190.9,0.1,190.7,0.6,185.1,185.5,145.1,5.7,151.7,184.2,104.7,290.0,146.6,2536.0,2930.5,30770.7,31166.0,0.9,147.0,185.7,696.5,885.2,147.1] - [PKTLENS.....: 66,66,60,278,54,983,252,113,128,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54] + [PKTLENS.....: 52,52,46,264,40,969,238,99,114,1500,126,46,626,40,626,40,626,626,40,626,626,40,626,46,626,40,626,626,40,626,626,40] + [ENTROPIES...: 4.5,4.8,4.4,5.4,4.8,7.6,6.9,5.9,6.1,7.9,6.5,4.3,7.7,4.8,7.7,4.8,7.6,7.7,4.7,7.7,7.6,4.8,7.7,4.3,7.6,4.6,7.6,7.7,4.8,7.6,7.6,4.7] analyse: [.....1] [ip4][..tcp] [..192.168.1.252][51110] -> [..91.143.93.242][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 37.996| 2.549| 9.274|86002509.021| 0.000] - [PKTLEN......: 54.000| 1514.000| 462.800| 476.200|226793.400| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 37.996| 2.549| 9.274| 86002509.021| 1.400] + [PKTLEN......: 40.000| 1500.000| 448.800| 476.200| 226793.400| 4.200] [BINS(c->s)..: 5,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,0,1,0,1,1,1,0,1,1] [IATS(ms)....: 71.0,71.3,6.7,104.3,10.8,112.6,88.6,84.6,73.7,0.1,73.7,0.8,108.4,107.7,67.8,2.3,74.6,103.6,101.8,113.4,368.7,686.5,37720.4,37995.8,68.2,67.5,104.0,189.0,360.8,68.7,0.2] - [PKTLENS.....: 66,66,60,269,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,640,640,54,640,60,640,54,640,54,640,1514,60,1514,1514] + [PKTLENS.....: 52,52,46,255,40,788,174,99,114,1500,142,46,626,40,626,40,626,626,626,626,40,626,46,626,40,626,40,626,1500,46,1500,1500] + [ENTROPIES...: 4.5,4.9,4.5,5.4,4.9,7.4,6.6,6.0,6.1,7.9,6.5,4.5,7.7,4.9,7.6,4.9,7.6,7.6,7.7,7.7,4.8,7.7,4.4,7.7,4.9,7.7,4.9,7.7,7.9,4.5,7.9,7.9] ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type @@ -102,14 +104,15 @@ ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type analyse: [.....2] [ip4][..tcp] [..192.168.1.252][51111] -> [....46.59.52.31][..443] [TLS.Tor][VPN][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 71.328| 4.658| 14.789|218716025.389| 0.000] - [PKTLEN......: 54.000| 1514.000| 344.600| 347.100|120444.200| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 71.328| 4.658| 14.789| 218716025.389| 1.800] + [PKTLEN......: 40.000| 1500.000| 330.600| 347.100| 120444.200| 4.200] [BINS(c->s)..: 6,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,0,0] [IATS(ms)....: 73.4,74.4,0.4,74.1,3.2,80.2,86.1,83.2,77.3,0.1,76.2,0.8,117.2,116.3,75.2,24.0,101.9,114.5,465.6,429.3,3.5,80.8,117.0,388.8,507.3,75.9,393.9,666.2,34353.1,34399.0,71328.4] - [PKTLENS.....: 66,66,60,276,54,803,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,54,640,640,54,640,640,54,640,60,640,60,60] + [PKTLENS.....: 52,52,46,262,40,789,174,99,114,1500,142,46,626,40,626,40,626,626,40,626,40,626,626,40,626,626,40,626,46,626,46,46] + [ENTROPIES...: 4.5,4.9,4.4,5.5,4.7,7.3,6.7,5.9,6.2,7.9,6.5,4.4,7.6,4.8,7.6,4.8,7.7,7.7,4.8,7.7,4.8,7.6,7.7,4.8,7.7,7.7,4.8,7.6,4.5,7.6,4.3,4.5] ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type @@ -136,24 +139,26 @@ detection-update: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Web][Safe] RISK: Obsolete TLS (v1.1 or older) analyse: [.....8] [ip4][..tcp] [..192.168.1.252][51175] -> [..91.143.93.242][..443] [TLS.Tor][VPN][Potentially Dangerous] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.991| 0.147| 0.220|48576.569| 0.000] - [PKTLEN......: 54.000| 1514.000| 362.200| 347.100|120448.800| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.991| 0.147| 0.220| 48576.569| 3.900] + [PKTLEN......: 40.000| 1500.000| 348.200| 347.100| 120448.800| 4.300] [BINS(c->s)..: 4,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1] [IATS(ms)....: 64.4,65.8,9.5,82.1,4.2,79.8,91.0,88.4,79.6,0.1,78.2,0.9,110.0,109.4,69.1,1.5,80.2,113.6,35.7,145.8,70.8,343.7,637.5,693.9,990.9,1.6,72.0,109.0,69.0,180.1,69.9] - [PKTLENS.....: 66,66,60,267,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54] + [PKTLENS.....: 52,52,46,253,40,788,174,99,114,1500,142,46,626,40,626,40,626,626,40,626,626,40,626,46,626,40,626,626,40,626,626,40] + [ENTROPIES...: 4.5,4.9,4.4,5.4,4.8,7.4,6.7,5.9,6.1,7.8,6.6,4.4,7.7,4.8,7.7,4.7,7.7,7.6,4.7,7.6,7.6,4.7,7.7,4.4,7.7,4.8,7.6,7.7,4.8,7.7,7.7,4.7] ERROR-EVENT: Unknown packet type analyse: [.....9] [ip4][..tcp] [..192.168.1.252][51176] -> [...38.229.70.53][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.755| 0.186| 0.164|26767.544| 0.000] - [PKTLEN......: 54.000| 1514.000| 351.400| 355.400|126324.200| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.755| 0.186| 0.164| 26767.544| 4.500] + [PKTLEN......: 40.000| 1500.000| 337.400| 355.400| 126324.200| 4.200] [BINS(c->s)..: 5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,0] [IATS(ms)....: 143.9,144.3,0.7,149.5,37.2,196.0,163.6,154.0,192.3,56.2,0.2,255.1,2.1,152.8,143.9,143.9,44.6,192.1,147.6,608.5,755.3,145.5,149.4,149.8,132.7,281.6,155.0,87.8,477.2,367.8,127.5] - [PKTLENS.....: 66,66,60,264,54,983,252,113,128,54,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,54,640,640,54,640,60,640,66] + [PKTLENS.....: 52,52,46,250,40,969,238,99,114,40,1500,126,46,626,40,626,40,626,626,40,626,626,40,626,40,626,626,40,626,46,626,52] + [ENTROPIES...: 4.6,4.8,4.4,5.3,4.8,7.6,6.9,5.9,6.1,4.9,7.9,6.4,4.3,7.7,4.7,7.7,4.8,7.6,7.7,4.8,7.6,7.6,4.9,7.6,4.8,7.7,7.6,4.9,7.6,4.5,7.6,4.7] end: [.....1] [ip4][..tcp] [..192.168.1.252][51110] -> [..91.143.93.242][..443] [TLS][Web][Safe] RISK: Obsolete TLS (v1.1 or older) idle: [.....5] [ip4][..udp] [..192.168.1.252][..138] -> [..192.168.1.255][..138] [NetBIOS.SMBv1][System][Dangerous] @@ -243,14 +248,15 @@ ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type analyse: [.....7] [ip4][..tcp] [..192.168.1.252][51174] -> [.212.83.155.250][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 72.890| 8.727| 22.569|509351076.823| 0.000] - [PKTLEN......: 54.000| 1514.000| 326.000| 345.900|119666.800| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 72.890| 8.727| 22.569| 509351076.823| 2.100] + [PKTLEN......: 40.000| 1500.000| 312.000| 345.900| 119666.800| 4.200] [BINS(c->s)..: 9,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0] [IATS(ms)....: 59.4,61.6,13.8,72.1,2.1,62.9,63.5,60.0,79.4,0.3,78.8,1.7,98.3,96.6,56.5,4.5,61.8,64.9,64.0,73.7,275.7,252.8,50.8,9.7,261.4,61538.3,61491.4,72591.4,72890.0,4.0,98.0] - [PKTLENS.....: 66,66,60,263,54,797,188,113,128,1514,140,60,640,54,640,54,640,640,640,640,640,60,640,66,640,60,640,60,60,54,54,60] + [PKTLENS.....: 52,52,46,249,40,783,174,99,114,1500,126,46,626,40,626,40,626,626,626,626,626,46,626,52,626,46,626,46,46,40,40,46] + [ENTROPIES...: 4.5,4.9,4.4,5.3,4.8,7.4,6.7,6.0,6.2,7.9,6.5,4.4,7.7,4.8,7.6,4.9,7.7,7.7,7.6,7.7,7.6,4.5,7.7,4.9,7.6,4.5,7.7,4.5,4.5,4.7,4.7,4.5] ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type ERROR-EVENT: Unknown packet type diff --git a/test/results/flow-info/trickbot.pcap.out b/test/results/flow-info/trickbot.pcap.out index 92b72e29b..59b60456c 100644 --- a/test/results/flow-info/trickbot.pcap.out +++ b/test/results/flow-info/trickbot.pcap.out @@ -7,14 +7,15 @@ detection-update: [.....1] [ip4][..tcp] [...10.12.29.101][61318] -> [.82.118.225.196][.7080] [HTTP][Web][Acceptable] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address, HTTP Suspicious Content analyse: [.....1] [ip4][..tcp] [...10.12.29.101][61318] -> [.82.118.225.196][.7080] [HTTP][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.931| 0.157| 0.258|66793.452| 0.000] - [PKTLEN......: 54.000| 1514.000| 944.000| 662.500|438885.500| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.931| 0.157| 0.258| 66793.452| 3.300] + [PKTLEN......: 40.000| 1500.000| 930.000| 662.500| 438885.500| 4.500] [BINS(c->s)..: 7,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,3,0,0,14,0,0] [DIRECTIONS..: 0,1,0,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1] [IATS(ms)....: 245.7,245.9,0.2,0.1,0.5,0.0,931.1,931.3,2.3,2.3,480.2,0.0,480.3,297.6,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,0.0,297.7,227.9,227.9,482.9,0.0,0.0] - [PKTLENS.....: 66,58,54,403,982,54,54,1412,54,1412,54,1514,1337,54,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,290,54,1412,54,1514,1514,1208] + [PKTLENS.....: 52,44,40,389,968,40,40,1398,40,1398,40,1500,1323,40,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,276,40,1398,40,1500,1500,1194] + [ENTROPIES...: 4.8,4.9,4.8,5.8,6.0,4.8,4.8,7.8,4.9,7.8,4.9,7.9,7.9,4.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.3,4.9,7.9,4.9,7.9,7.9,7.9] end: [.....1] [ip4][..tcp] [...10.12.29.101][61318] -> [.82.118.225.196][.7080] [HTTP][Web][Acceptable] RISK: Known Proto on Non Std Port, HTTP Numeric IP Address, HTTP Suspicious Content DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/tumblr.pcap.out b/test/results/flow-info/tumblr.pcap.out index 2d30b88e6..e986aca55 100644 --- a/test/results/flow-info/tumblr.pcap.out +++ b/test/results/flow-info/tumblr.pcap.out @@ -12,53 +12,57 @@ detected: [.....6] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][42908] -> [.....................64:ff9b::98c7:1593][..443] [TLS][Web][Safe] new: [.....7] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [MIDSTREAM] analyse: [.....6] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][42908] -> [.....................64:ff9b::98c7:1593][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.701| 0.084| 0.189|35694.846| 0.000] - [PKTLEN......: 86.000| 1486.000| 463.500| 576.400|332266.900| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.701| 0.084| 0.189| 35694.846| 2.600] + [PKTLEN......: 72.000| 1472.000| 449.500| 576.400| 332266.900| 4.000] [BINS(c->s)..: 11,3,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0] [IATS(ms)....: 0.9,91.7,194.1,0.0,0.0,2.8,104.4,700.9,700.8,1.3,5.8,45.0,0.4,357.1,395.3,1.5,0.0,0.0,0.0,0.0,0.0,0.0,0.0,1.5,0.0,0.0,0.0,0.0,0.0,0.0,0.0] - [PKTLENS.....: 468,125,125,86,86,86,125,86,958,86,121,198,86,86,1474,86,98,1486,1486,1486,1486,849,1486,1486,86,86,86,86,86,86,86,86] + [PKTLENS.....: 454,111,111,72,72,72,111,72,944,72,107,184,72,72,1460,72,84,1472,1472,1472,1472,835,1472,1472,72,72,72,72,72,72,72,72] + [ENTROPIES...: 7.5,6.0,6.0,5.1,5.1,5.1,5.8,5.2,7.8,5.2,5.9,6.7,5.0,5.1,7.9,5.2,5.4,7.9,7.9,7.9,7.8,7.7,7.8,7.9,5.2,5.2,5.2,5.2,5.2,5.2,5.2,5.2] new: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] [MIDSTREAM] detected: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe] new: [.....9] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43434] -> [.....................64:ff9b::c000:4d28][..443] [MIDSTREAM] detected: [.....9] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43434] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe] new: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] analyse: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.037| 0.003| 0.008| 65.352| 0.000] - [PKTLEN......: 86.000| 1486.000| 472.500| 599.100|358951.000| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.037| 0.003| 0.008| 65.352| 2.700] + [PKTLEN......: 72.000| 1472.000| 458.500| 599.100| 358951.000| 3.900] [BINS(c->s)..: 14,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0] [DIRECTIONS..: 0,0,1,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0] [IATS(ms)....: 0.5,25.9,1.1,10.6,37.1,1.9,0.0,1.9,0.0,0.7,0.7,9.9,9.9,0.1,0.0,0.1,0.0,0.2,0.2,0.1,0.1,0.3,0.3,0.1,0.1,0.5,0.0,0.5,0.0,0.1,0.1] - [PKTLENS.....: 246,237,86,86,905,86,125,1474,86,86,98,86,1486,86,1486,1474,86,86,98,86,1486,86,1486,86,1474,86,98,1474,86,86,98,86] + [PKTLENS.....: 232,223,72,72,891,72,111,1460,72,72,84,72,1472,72,1472,1460,72,72,84,72,1472,72,1472,72,1460,72,84,1460,72,72,84,72] + [ENTROPIES...: 7.0,6.8,5.0,5.0,7.7,5.3,5.9,7.9,5.3,5.3,5.4,5.3,7.9,5.3,7.9,7.8,5.2,5.3,5.4,5.3,7.9,5.2,7.9,5.2,7.9,5.2,5.3,7.8,5.3,5.3,5.4,5.3] detection-update: [.....8] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43420] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe] detected: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe] analyse: [.....9] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43434] -> [.....................64:ff9b::c000:4d28][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.045| 0.004| 0.009| 88.667| 0.000] - [PKTLEN......: 86.000| 1486.000| 622.300| 669.700|448506.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.045| 0.004| 0.009| 88.667| 2.800] + [PKTLEN......: 72.000| 1472.000| 608.300| 669.700| 448506.000| 4.100] [BINS(c->s)..: 12,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0] [DIRECTIONS..: 0,0,0,0,1,1,1,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0] [IATS(ms)....: 0.4,4.8,0.4,27.2,3.0,0.3,2.7,17.3,45.1,0.5,0.5,0.6,0.0,0.6,0.0,7.3,0.0,7.3,0.0,0.3,0.0,0.2,0.0,0.2,0.0,0.2,0.0,1.0,0.0,1.0,0.0] - [PKTLENS.....: 198,125,197,186,86,86,86,86,1486,86,1486,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86] + [PKTLENS.....: 184,111,183,172,72,72,72,72,1472,72,1472,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72] + [ENTROPIES...: 6.6,5.9,6.6,6.5,5.0,5.0,4.9,5.0,7.9,5.1,7.9,5.1,7.9,7.8,5.1,5.1,7.9,7.8,5.1,5.1,7.9,7.9,5.1,5.1,7.9,7.8,5.1,5.1,7.9,7.9,5.1,5.1] detection-update: [.....9] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43434] -> [.....................64:ff9b::c000:4d28][..443] [TLS][Web][Safe] new: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] detection-update: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe] detected: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe] detection-update: [....11] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58382] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe] analyse: [....10] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][58380] -> [..2606:2800:135:155a:23ba:b2a:25ff:122d][..443] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.048| 0.012| 0.017| 287.486| 0.000] - [PKTLEN......: 86.000| 1294.000| 314.700| 381.900|145812.800| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.048| 0.012| 0.017| 287.486| 3.200] + [PKTLEN......: 72.000| 1280.000| 300.700| 381.900| 145812.800| 4.100] [BINS(c->s)..: 10,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,2,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,1,0,0,0,0,0,1,1,1,1,1,1,1,0,0] [IATS(ms)....: 33.2,33.2,0.5,47.7,47.2,1.2,37.7,2.1,38.6,0.0,0.0,0.8,0.7,0.8,0.8,2.6,0.2,0.2,0.1,26.3,0.6,0.0,0.1,1.4,25.2,0.0] - [PKTLENS.....: 94,94,86,603,86,185,86,609,86,1294,1294,1294,86,86,86,558,86,1069,86,160,178,343,142,86,86,86,86,341,341,182,86,86] + [PKTLENS.....: 80,80,72,589,72,171,72,595,72,1280,1280,1280,72,72,72,544,72,1055,72,146,164,329,128,72,72,72,72,327,327,168,72,72] + [ENTROPIES...: 5.3,5.6,5.6,4.6,5.5,6.2,5.5,5.0,5.5,7.8,7.9,7.8,5.6,5.5,5.6,7.6,5.6,7.8,5.6,6.6,6.7,7.3,6.3,5.5,5.5,5.4,5.5,7.3,7.3,6.5,5.6,5.6] new: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] new: [....13] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][47118] -> [.................2001:4998:14:800::1001][..443] detected: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] [TLS][Advertisement][Safe] @@ -67,14 +71,15 @@ new: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56794] -> [.....................64:ff9b::c000:4d03][..443] [MIDSTREAM] detected: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56794] -> [.....................64:ff9b::c000:4d03][..443] [TLS][Web][Safe] analyse: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56794] -> [.....................64:ff9b::c000:4d03][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.037| 0.004| 0.009| 82.581| 0.000] - [PKTLEN......: 86.000| 1486.000| 449.700| 586.000|343353.700| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.037| 0.004| 0.009| 82.581| 2.400] + [PKTLEN......: 72.000| 1472.000| 435.700| 586.000| 343353.700| 3.900] [BINS(c->s)..: 8,2,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,7,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,1,1,1,1,1,1,0,1,0,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0] [IATS(ms)....: 0.4,0.1,0.4,0.2,26.4,36.6,2.2,0.4,10.0,21.7,0.2,0.2,0.2,0.2,0.4,0.0,0.2,0.5,0.0,0.6,0.1,0.1,0.1,0.2,0.5,0.0,0.6] - [PKTLENS.....: 206,125,215,216,157,122,86,86,86,86,86,1486,86,1486,86,1474,98,1486,86,86,1474,98,1341,117,86,86,125,1474,86,98,1474,86] + [PKTLENS.....: 192,111,201,202,143,108,72,72,72,72,72,1472,72,1472,72,1460,84,1472,72,72,1460,84,1327,103,72,72,111,1460,72,84,1460,72] + [ENTROPIES...: 6.8,5.7,6.6,6.7,6.3,5.8,5.0,5.0,5.0,5.0,5.0,7.8,5.1,7.9,5.1,7.8,5.3,7.9,5.1,5.0,7.9,5.3,7.9,5.6,5.1,5.1,5.7,7.9,5.1,5.3,7.9,5.1] detection-update: [....14] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56794] -> [.....................64:ff9b::c000:4d03][..443] [TLS][Web][Safe] new: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51874] -> [.....................64:ff9b::c000:4c03][..443] [MIDSTREAM] detected: [....15] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][51874] -> [.....................64:ff9b::c000:4c03][..443] [TLS][Web][Safe] @@ -87,14 +92,15 @@ detected: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56842] -> [.....................64:ff9b::c000:4d03][..443] [TLS.Tumblr][SocialNetwork][Fun] detection-update: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56842] -> [.....................64:ff9b::c000:4d03][..443] [TLS.Tumblr][SocialNetwork][Fun] analyse: [....20] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56842] -> [.....................64:ff9b::c000:4d03][..443] [TLS.Tumblr][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.070| 0.013| 0.021| 430.743| 0.000] - [PKTLEN......: 86.000| 1486.000| 377.800| 486.500|236637.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.070| 0.013| 0.021| 430.743| 3.100] + [PKTLEN......: 72.000| 1472.000| 363.800| 486.500| 236637.800| 4.000] [BINS(c->s)..: 11,0,2,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,4,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,1,0,1,1,1,1,1,0,0,0] [IATS(ms)....: 22.6,22.7,0.4,30.7,24.8,0.0,0.0,54.9,0.0,0.0,0.0,0.0,0.0,1.5,0.2,0.1,59.7,70.2,0.0,28.6,37.1,0.5,0.0,0.0,0.5,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1486,1486,1382,1486,86,86,86,86,207,86,150,178,417,417,86,86,86,357,86,357,148,117,1486,422,86,86,86] + [PKTLENS.....: 80,80,72,589,72,1472,1472,1368,1472,72,72,72,72,193,72,136,164,403,403,72,72,72,343,72,343,134,103,1472,408,72,72,72] + [ENTROPIES...: 4.8,5.2,5.1,4.5,5.0,7.8,7.9,7.8,7.9,5.1,5.1,5.2,5.1,6.6,5.1,6.0,6.5,7.4,7.4,5.0,5.0,5.0,7.1,5.2,7.2,6.1,5.6,7.9,7.3,5.2,5.2,5.2] new: [....21] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56558] -> [.....................64:ff9b::9765:798c][..443] [MIDSTREAM] new: [....22] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][50960] -> [...............2a00:1450:4007:805::2002][..443] [MIDSTREAM] new: [....23] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49496] -> [...............2a00:1450:4007:815::2003][..443] [MIDSTREAM] @@ -121,50 +127,54 @@ detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43328] -> [.....................64:ff9b::4a72:9a16][..443] [TLS.Tumblr][SocialNetwork][Fun] detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43328] -> [.....................64:ff9b::4a72:9a16][..443] [TLS.Tumblr][SocialNetwork][Fun] analyse: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43328] -> [.....................64:ff9b::4a72:9a16][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.189| 0.029| 0.050| 2509.587| 0.000] - [PKTLEN......: 86.000| 1486.000| 468.000| 568.300|322990.400| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.189| 0.029| 0.050| 2509.587| 3.200] + [PKTLEN......: 72.000| 1472.000| 454.000| 568.300| 322990.400| 4.000] [BINS(c->s)..: 12,0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,6,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,1,0,1,0,1] [IATS(ms)....: 21.4,21.5,0.5,29.5,160.4,189.4,0.2,0.2,0.0,0.8,0.8,3.8,0.1,0.2,28.7,0.0,1.0,78.0,0.0,103.6,0.1,0.7,29.8,79.1,108.2,0.1,0.1,0.4,0.4,0.1] - [PKTLENS.....: 94,94,86,603,86,1486,86,1486,1382,86,86,1087,86,171,177,537,86,86,86,352,156,86,86,116,86,1486,86,1486,86,1486,86,1486] + [PKTLENS.....: 80,80,72,589,72,1472,72,1472,1368,72,72,1073,72,157,163,523,72,72,72,338,142,72,72,102,72,1472,72,1472,72,1472,72,1472] + [ENTROPIES...: 4.8,5.3,5.3,4.6,5.1,7.2,5.2,7.3,7.6,5.2,5.2,7.6,5.2,6.2,6.5,7.6,5.1,5.1,5.1,7.0,6.3,5.2,5.2,5.7,5.1,7.9,5.2,7.9,5.2,7.9,5.2,7.9] detection-update: [....41] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][43328] -> [.....................64:ff9b::4a72:9a16][..443] [TLS.Tumblr][SocialNetwork][Fun] new: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] detected: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS][Web][Safe] detected: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Web][Acceptable] new: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] analyse: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 19.514| 1.561| 5.288|27962124.534| 0.000] - [PKTLEN......: 86.000| 1134.000| 614.100| 520.100|270533.200| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 19.514| 1.561| 5.288| 27962124.534| 1.000] + [PKTLEN......: 72.000| 1120.000| 600.100| 520.100| 270533.200| 4.400] [BINS(c->s)..: 13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1] [IATS(ms)....: 19473.3,0.3,19513.6,40.0,0.1,0.0,0.0,0.0,0.0,0.6,0.6,1.1,0.0,0.0,0.0,1.1,0.0,0.1,0.0,0.0,0.0,0.0,0.1,0.0,0.0] - [PKTLENS.....: 86,172,132,86,1134,86,1134,1134,86,86,1134,86,1134,86,1134,1134,1134,1134,1134,1134,1134,86,86,86,86,86,86,86,1134,1134,1134,1134] + [PKTLENS.....: 72,158,118,72,1120,72,1120,1120,72,72,1120,72,1120,72,1120,1120,1120,1120,1120,1120,1120,72,72,72,72,72,72,72,1120,1120,1120,1120] + [ENTROPIES...: 5.3,6.2,5.8,5.1,7.8,5.2,7.8,7.8,5.2,5.2,7.8,5.2,7.8,5.3,7.8,7.8,7.8,7.8,7.8,7.8,7.8,5.3,5.2,5.3,5.3,5.2,5.2,5.3,7.8,7.8,7.8,7.8] detection-update: [.....2] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48240] -> [.....................64:ff9b::9765:789d][..443] [TLS][Web][Safe] detected: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Web][Acceptable] detection-update: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Web][Acceptable] detection-update: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Web][Acceptable] analyse: [....44] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][38608] -> [...............2a00:1450:4007:80b::200a][..443] [TLS.GoogleServices][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.067| 0.012| 0.020| 413.573| 0.000] - [PKTLEN......: 86.000| 1294.000| 392.400| 464.300|215557.600| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.067| 0.012| 0.020| 413.573| 3.200] + [PKTLEN......: 72.000| 1280.000| 378.400| 464.300| 215557.600| 4.100] [BINS(c->s)..: 13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1,1,0,0,0] [IATS(ms)....: 67.4,67.5,0.3,44.1,5.3,0.0,49.1,0.0,0.1,0.1,18.6,10.2,0.7,42.4,12.9,0.2,14.3,2.0,0.0,16.1,2.6,0.0,2.6,0.0,0.1,0.0,0.0,0.0,0.0] - [PKTLENS.....: 94,94,86,603,86,1294,1294,86,86,586,86,150,178,364,86,666,86,117,86,117,86,86,535,1294,86,86,1294,1294,1294,86,86,86] + [PKTLENS.....: 80,80,72,589,72,1280,1280,72,72,572,72,136,164,350,72,652,72,103,72,103,72,72,521,1280,72,72,1280,1280,1280,72,72,72] + [ENTROPIES...: 4.9,5.3,5.2,4.5,5.1,7.8,7.8,5.3,5.2,7.5,5.2,6.2,6.5,7.3,5.0,7.7,5.2,5.9,5.0,5.8,5.1,5.2,7.5,7.8,5.1,5.1,7.8,7.8,7.8,5.2,5.1,5.2] analyse: [....43] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][49548] -> [...............2a00:1450:4007:809::200e][..443] [TLS.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.083| 0.015| 0.021| 439.399| 0.000] - [PKTLEN......: 86.000| 1294.000| 398.200| 474.800|225406.500| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.083| 0.015| 0.021| 439.399| 3.600] + [PKTLEN......: 72.000| 1280.000| 384.200| 474.800| 225406.500| 4.100] [BINS(c->s)..: 12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1] [IATS(ms)....: 30.3,30.3,0.2,70.7,12.6,0.0,0.0,83.0,0.1,0.0,0.9,32.4,31.5,5.9,16.3,0.1,34.6,1.9,14.2,7.2,10.7,16.9,0.0,0.0,34.7,0.0,0.0,0.0,0.9] - [PKTLENS.....: 94,94,86,603,86,1294,1294,325,86,86,86,150,86,666,86,178,117,344,86,117,86,86,86,999,1294,1294,1294,86,86,86,86,1294] + [PKTLENS.....: 80,80,72,589,72,1280,1280,311,72,72,72,136,72,652,72,164,103,330,72,103,72,72,72,985,1280,1280,1280,72,72,72,72,1280] + [ENTROPIES...: 4.8,5.3,5.2,4.5,5.1,7.8,7.8,7.2,5.2,5.2,5.2,6.2,5.2,7.6,5.2,6.5,5.8,7.2,5.1,5.7,5.2,5.1,5.2,7.8,7.8,7.8,7.8,5.2,5.2,5.2,5.2,7.8] detected: [....42] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][55560] -> [...............2a00:1450:4007:817::200a][..443] [TLS][Web][Safe] detected: [.....7] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][56782] -> [.....................64:ff9b::68f4:2ac8][..443] [TLS][Web][Safe] new: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39164] -> [......................64:ff9b::6006:749][..443] @@ -172,14 +182,15 @@ new: [....46] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][42674] -> [.....................64:ff9b::4a72:9a15][..443] [MIDSTREAM] detection-update: [....45] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39164] -> [......................64:ff9b::6006:749][..443] [TLS][Advertisement][Safe] analyse: [....12] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][39152] -> [......................64:ff9b::6006:749][..443] [TLS][Advertisement][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 16.589| 1.119| 4.059|16477581.214| 0.000] - [PKTLEN......: 86.000| 1365.000| 364.400| 367.900|135349.600| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 16.589| 1.119| 4.059| 16477581.214| 1.400] + [PKTLEN......: 72.000| 1351.000| 350.400| 367.900| 135349.600| 4.300] [BINS(c->s)..: 9,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,1,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0] [IATS(ms)....: 29.5,29.5,0.2,37.9,9.0,46.8,0.7,0.1,31.0,1.8,7.0,39.1,52.6,52.7,371.9,406.4,20.7,55.2,2.5,32.9,9.3,39.7,16556.7,16588.7,11.4,43.4,16.9,58.4,9.8,93.2,46.8] - [PKTLENS.....: 94,94,86,706,86,356,86,166,503,86,86,373,86,1273,86,838,86,869,86,850,86,356,86,514,86,1365,86,658,86,686,86,670] + [PKTLENS.....: 80,80,72,692,72,342,72,152,489,72,72,359,72,1259,72,824,72,855,72,836,72,342,72,500,72,1351,72,644,72,672,72,656] + [ENTROPIES...: 4.8,5.2,5.2,7.0,5.0,6.8,5.1,6.3,7.5,5.1,5.1,7.3,5.2,7.8,5.2,7.7,5.0,7.7,5.1,7.7,5.0,7.3,5.2,7.6,5.0,7.9,5.2,7.7,5.0,7.6,5.1,7.6] new: [....47] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][40190] -> [...............2a00:1450:4007:80a::200a][..443] [MIDSTREAM] guessed: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48988] -> [...............2a00:1450:4007:811::2004][..443] [TLS][Web][Safe] idle: [....36] [ip6][..tcp] [2a01:cb01:2049:8b07:991d:ec85:28df:f629][48988] -> [...............2a00:1450:4007:811::2004][..443] diff --git a/test/results/flow-info/tunnelbear.pcap.out b/test/results/flow-info/tunnelbear.pcap.out index 581124cef..0c13187ee 100644 --- a/test/results/flow-info/tunnelbear.pcap.out +++ b/test/results/flow-info/tunnelbear.pcap.out @@ -20,14 +20,15 @@ detected: [.....6] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS][Web][Safe] detection-update: [.....6] [ip4][..tcp] [.......10.8.0.1][47496] -> [162.247.243.188][..443] [TLS][Web][Safe] analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][45104] -> [..104.17.115.40][..443] [TLS.TunnelBear][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.266| 0.037| 0.060| 3626.297| 0.000] - [PKTLEN......: 54.000| 3711.000| 440.000| 812.300|659832.900| 3.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.266| 0.037| 0.060| 3626.297| 3.500] + [PKTLEN......: 40.000| 3697.000| 426.000| 812.300| 659832.900| 3.500] [BINS(c->s)..: 7,1,1,1,0,0,0,0,1,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1] [IATS(ms)....: 4.8,10.8,0.0,6.0,71.1,71.7,62.5,63.1,0.2,0.1,0.1,0.1,2.3,2.2,58.3,58.8,0.5,0.2,0.2,0.1,0.2,0.1,0.6,0.8,214.5,265.9,52.4,51.4,53.8,54.6,51.8] - [PKTLENS.....: 74,54,54,571,54,3711,54,147,54,590,54,590,54,319,54,390,375,54,590,54,164,54,54,92,54,1646,54,705,54,366,54,2885] + [PKTLENS.....: 60,40,40,557,40,3697,40,133,40,576,40,576,40,305,40,376,361,40,576,40,150,40,40,78,40,1632,40,691,40,352,40,2871] + [ENTROPIES...: 4.5,4.5,4.6,6.1,4.5,7.2,4.5,5.9,4.5,7.4,4.5,7.6,4.6,7.4,4.5,7.1,7.4,4.5,7.6,4.5,6.5,4.5,4.6,5.3,4.5,7.9,4.6,7.6,4.6,7.1,4.6,7.9] new: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] new: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] detected: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][VPN][Acceptable] @@ -35,14 +36,15 @@ detection-update: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][VPN][Acceptable] detection-update: [.....7] [ip4][..tcp] [.......10.8.0.1][45124] -> [..104.17.115.40][..443] [TLS.TunnelBear][VPN][Acceptable] analyse: [.....8] [ip4][..tcp] [.......10.8.0.1][45126] -> [..104.17.115.40][..443] [TLS.TunnelBear][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.234| 0.036| 0.055| 3015.001| 0.000] - [PKTLEN......: 54.000| 803.000| 163.700| 198.300|39337.400| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.234| 0.036| 0.055| 3015.001| 3.600] + [PKTLEN......: 40.000| 789.000| 149.700| 198.300| 39337.400| 4.100] [BINS(c->s)..: 9,2,0,0,0,0,0,0,1,0,1,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0] [IATS(ms)....: 3.4,3.9,2.0,2.9,57.3,108.0,0.8,51.4,0.3,0.1,0.1,0.1,0.1,0.1,50.9,51.9,1.0,50.4,50.8,196.8,233.7,37.7,51.5,50.9,51.1,0.1,51.0,0.5,0.2,0.4,1.0] - [PKTLENS.....: 74,54,54,571,54,210,54,105,54,590,54,590,54,317,54,132,377,54,92,54,803,54,227,54,92,54,85,54,54,54,54,54] + [PKTLENS.....: 60,40,40,557,40,196,40,91,40,576,40,576,40,303,40,118,363,40,78,40,789,40,213,40,78,40,71,40,40,40,40,40] + [ENTROPIES...: 4.5,4.6,4.6,6.1,4.5,6.1,4.7,5.4,4.5,7.4,4.6,7.6,4.5,7.2,4.5,5.9,7.4,4.6,5.3,4.6,7.7,4.7,6.8,4.7,5.3,4.6,5.1,4.5,4.5,4.4,4.5,4.5] new: [.....9] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [MIDSTREAM] detected: [.....9] [ip4][..tcp] [..10.158.132.91][38398] -> [..104.17.114.40][..443] [TLS.TunnelBear][VPN][Acceptable] new: [....10] [ip4][..tcp] [..10.158.132.91][51120] -> [........8.8.8.8][...53] [MIDSTREAM] @@ -91,14 +93,15 @@ detection-update: [....15] [ip4][..tcp] [.......10.8.0.1][50904] -> [.104.17.154.236][..443] [TLS.TunnelBear][VPN][Acceptable] detection-update: [....20] [ip4][..tcp] [.......10.8.0.1][48222] -> [162.247.243.188][..443] [TLS][Web][Safe] analyse: [....14] [ip4][..tcp] [.......10.8.0.1][33830] -> [..104.17.114.40][..443] [TLS.TunnelBear][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.340| 0.040| 0.084| 7024.527| 0.000] - [PKTLEN......: 54.000| 2954.000| 254.400| 516.400|266681.900| 3.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.340| 0.040| 0.084| 7024.527| 3.000] + [PKTLEN......: 40.000| 2940.000| 240.400| 516.400| 266681.900| 3.500] [BINS(c->s)..: 3,3,1,2,0,0,0,0,0,0,2,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,0,1,0,1,1] [IATS(ms)....: 4.1,5.3,2.0,3.4,237.7,240.1,0.0,2.4,9.3,9.4,0.2,0.1,1.4,1.5,0.1,0.1,0.1,0.1,100.5,152.6,52.3,7.0,20.6,16.0,10.0,8.0,0.8,1.3,7.0,6.2,340.4] - [PKTLENS.....: 74,54,54,571,54,210,54,105,54,107,54,140,54,590,54,590,54,179,54,123,92,54,92,375,54,590,54,162,54,377,54,2954] + [PKTLENS.....: 60,40,40,557,40,196,40,91,40,93,40,126,40,576,40,576,40,165,40,109,78,40,78,361,40,576,40,148,40,363,40,2940] + [ENTROPIES...: 4.5,4.5,4.5,6.1,4.6,6.0,4.6,5.4,4.6,5.5,4.6,5.9,4.5,7.6,4.5,7.6,4.6,6.8,4.5,5.9,5.3,4.6,5.3,7.2,4.6,7.6,4.6,6.5,4.6,7.3,4.5,7.9] new: [....21] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] detected: [....21] [ip4][..tcp] [.......10.8.0.1][33858] -> [..104.17.114.40][..443] [TLS.TunnelBear][VPN][Acceptable] idle: [....13] [ip4][..tcp] [.......10.8.0.1][47046] -> [.74.125.200.188][.5228] diff --git a/test/results/flow-info/ultrasurf.pcap.out b/test/results/flow-info/ultrasurf.pcap.out index 7bbe734e6..4cddce789 100644 --- a/test/results/flow-info/ultrasurf.pcap.out +++ b/test/results/flow-info/ultrasurf.pcap.out @@ -4,42 +4,45 @@ new: [.....1] [ip4][..tcp] [....65.49.68.25][50053] -> [....10.132.0.23][37898] [MIDSTREAM] detected: [.....1] [ip4][..tcp] [....65.49.68.25][50053] -> [....10.132.0.23][37898] [UltraSurf][VPN][Acceptable] analyse: [.....1] [ip4][..tcp] [....65.49.68.25][50053] -> [....10.132.0.23][37898] [UltraSurf][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.150| 0.021| 0.036| 1271.455| 0.000] - [PKTLEN......: 98.000| 2646.000| 1366.500| 1007.200|1014474.800| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.150| 0.021| 0.036| 1271.455| 3.600] + [PKTLEN......: 80.000| 2628.000| 1348.500| 1007.200| 1014474.800| 4.500] [BINS(c->s)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,10] [BINS(s->c)..: 10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,1,1,1,1,0,1,0,0,0,1,1,0,0,0,0,0] [IATS(ms)....: 0.0,21.3,0.0,11.0,29.1,61.5,0.0,10.8,0.0,9.2,30.8,10.8,0.0,20.0,0.0,29.3,0.0,0.0,0.0,9.3,30.6,150.5,0.0,11.9,141.8,0.0,17.9,20.0,0.0,20.0,10.1] - [PKTLENS.....: 2646,2646,1358,1358,2646,2646,98,98,1358,1358,2646,98,1358,1358,1350,2646,98,98,98,98,1358,98,1358,1358,2646,98,98,2646,1358,1358,2646,2646] + [PKTLENS.....: 2628,2628,1340,1340,2628,2628,80,80,1340,1340,2628,80,1340,1340,1332,2628,80,80,80,80,1340,80,1340,1340,2628,80,80,2628,1340,1340,2628,2628] + [ENTROPIES...: 7.9,7.9,7.8,7.8,7.9,7.9,5.5,5.4,7.9,7.9,7.9,5.5,7.9,7.9,7.8,7.9,5.5,5.3,5.4,5.4,7.8,5.5,7.8,7.9,7.9,5.5,5.5,7.9,7.9,7.9,7.9,7.9] new: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] detected: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] [TLS][Web][Safe] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn detection-update: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] [TLS][Web][Safe] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn analyse: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.271| 0.063| 0.099| 9897.855| 0.000] - [PKTLEN......: 70.000| 1418.000| 367.300| 449.600|202163.000| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.271| 0.063| 0.099| 9897.855| 3.400] + [PKTLEN......: 52.000| 1400.000| 349.300| 449.600| 202163.000| 4.000] [BINS(c->s)..: 7,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0] [BINS(s->c)..: 4,8,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,0,0,0,1,1,1,1,1,1] [IATS(ms)....: 211.2,260.4,0.0,269.6,0.0,10.1,9.9,260.4,0.0,20.0,20.0,10.9,0.0,270.8,9.7,0.0,10.3,229.5,0.0,20.0,40.1,29.9,0.0,10.1,29.9,210.9,0.0,0.0,0.0,9.4,0.0] - [PKTLENS.....: 78,78,70,587,70,1358,1358,1274,70,70,70,134,156,708,125,105,101,126,101,70,112,1418,104,1166,698,668,70,105,262,205,105,131] + [PKTLENS.....: 60,60,52,569,52,1340,1340,1256,52,52,52,116,138,690,107,87,83,108,83,52,94,1400,86,1148,680,650,52,87,244,187,87,113] + [ENTROPIES...: 4.7,5.2,5.3,6.1,5.1,7.8,7.8,7.8,5.2,5.2,5.2,6.1,6.4,7.7,6.3,5.9,5.7,6.1,5.8,5.2,6.0,7.9,5.9,7.8,7.7,7.7,5.2,5.9,6.9,6.8,5.9,6.2] new: [.....3] [ip4][..tcp] [....10.132.0.23][38152] -> [....65.49.68.25][50053] detected: [.....3] [ip4][..tcp] [....10.132.0.23][38152] -> [....65.49.68.25][50053] [TLS][Web][Safe] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn detection-update: [.....3] [ip4][..tcp] [....10.132.0.23][38152] -> [....65.49.68.25][50053] [TLS][Web][Safe] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn analyse: [.....3] [ip4][..tcp] [....10.132.0.23][38152] -> [....65.49.68.25][50053] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.269| 0.059| 0.101|10170.351| 0.000] - [PKTLEN......: 70.000| 1418.000| 403.600| 479.700|230117.000| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.269| 0.059| 0.101| 10170.351| 3.100] + [PKTLEN......: 52.000| 1400.000| 385.600| 479.700| 230117.000| 4.100] [BINS(c->s)..: 7,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 3,5,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1] [IATS(ms)....: 209.5,239.7,0.0,251.1,0.0,11.4,0.0,260.7,0.0,9.6,20.0,20.0,269.1,20.0,0.0,231.0,0.0,20.0,0.0,0.0,0.0,0.0,0.0,249.6,0.0,0.0,0.0,0.0,10.1,0.0,0.0] - [PKTLENS.....: 78,78,70,587,70,1358,1358,1274,70,70,70,134,386,125,105,157,70,101,1418,446,1418,498,268,252,70,105,131,218,262,105,205,1358] + [PKTLENS.....: 60,60,52,569,52,1340,1340,1256,52,52,52,116,368,107,87,139,52,83,1400,428,1400,480,250,234,52,87,113,200,244,87,187,1340] + [ENTROPIES...: 4.7,5.2,5.0,6.1,5.2,7.8,7.9,7.9,5.2,5.2,5.1,6.0,7.4,6.0,5.8,6.3,5.1,5.7,7.9,7.4,7.8,7.6,7.1,7.0,5.1,5.9,6.1,6.8,6.9,5.9,6.8,7.9] end: [.....1] [ip4][..tcp] [....65.49.68.25][50053] -> [....10.132.0.23][37898] [UltraSurf][VPN][Acceptable] end: [.....2] [ip4][..tcp] [....10.132.0.23][38120] -> [....65.49.68.25][50053] [TLS][Web][Safe] RISK: Known Proto on Non Std Port, Missing SNI TLS Extn diff --git a/test/results/flow-info/viber.pcap.out b/test/results/flow-info/viber.pcap.out index dfa723c25..49b65212a 100644 --- a/test/results/flow-info/viber.pcap.out +++ b/test/results/flow-info/viber.pcap.out @@ -33,14 +33,15 @@ detection-update: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] [TLS.Viber][Chat][Acceptable] detection-update: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] [TLS.Viber][Chat][Acceptable] analyse: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.048| 0.009| 0.015| 217.133| 0.000] - [PKTLEN......: 66.000| 1514.000| 728.100| 673.400|453425.200| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.048| 0.009| 0.015| 217.133| 3.300] + [PKTLEN......: 52.000| 1500.000| 714.100| 673.400| 453425.200| 4.300] [BINS(c->s)..: 11,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0] [IATS(ms)....: 19.5,21.7,1.0,22.3,3.2,0.2,0.0,0.2,39.4,0.1,0.6,0.3,10.8,47.8,22.3,40.8,0.3,0.1,0.2,0.3,0.0,0.2,0.3,0.2,0.2,0.5,41.2,0.1,0.0,0.0,1.1] - [PKTLENS.....: 74,74,66,249,66,1514,1514,1514,411,66,66,66,66,192,308,774,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,808,66,66,66,66,66] + [PKTLENS.....: 60,60,52,235,52,1500,1500,1500,397,52,52,52,52,178,294,760,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,794,52,52,52,52,52] + [ENTROPIES...: 4.6,5.2,5.2,5.6,5.1,7.2,7.5,7.5,7.3,5.1,5.2,5.2,5.2,6.4,7.2,7.7,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.7,5.2,5.2,5.1,5.2,5.1] detection-update: [....10] [ip4][..tcp] [...192.168.0.17][53934] -> [...54.230.93.53][..443] [TLS.Viber][Chat][Acceptable] new: [....11] [ip4][..udp] [...192.168.0.17][41993] -> [.172.217.23.106][..443] new: [....12] [ip4][..udp] [...192.168.0.17][35331] -> [...192.168.0.15][...53] @@ -60,14 +61,15 @@ detected: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443] [TLS][Web][Safe] detection-update: [....17] [ip4][..tcp] [...192.168.0.17][55746] -> [..151.101.1.130][..443] [TLS][Web][Safe] analyse: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 10.702| 1.934| 2.902|8424002.683| 0.000] - [PKTLEN......: 66.000| 596.000| 155.700| 133.200|17739.800| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 10.702| 1.934| 2.902| 8424002.683| 3.500] + [PKTLEN......: 52.000| 582.000| 141.700| 133.200| 17739.800| 4.500] [BINS(c->s)..: 4,1,6,2,0,0,0,0,0,0,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,0,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,1,1,0,1,0] [IATS(ms)....: 54.2,95.9,0.3,44.0,41.8,57.0,16.1,92.1,91.6,10563.9,10701.7,4192.1,4152.7,4422.1,4422.1,309.5,309.6,21.6,197.0,0.1,215.0,3974.5,3934.9,3635.3,52.6,3635.3,52.6,12.7,140.8,167.5,4361.2] - [PKTLENS.....: 167,122,66,142,66,508,130,66,134,66,163,66,160,66,160,66,405,66,164,66,150,66,160,66,160,424,66,66,164,150,66,596] + [PKTLENS.....: 153,108,52,128,52,494,116,52,120,52,149,52,146,52,146,52,391,52,150,52,136,52,146,52,146,410,52,52,150,136,52,582] + [ENTROPIES...: 6.4,6.0,4.8,6.2,5.0,7.6,6.1,5.0,6.1,4.9,6.3,4.9,6.4,5.0,6.5,4.9,7.4,5.0,6.5,5.0,6.3,5.0,6.5,5.0,6.4,7.4,5.0,5.0,6.5,6.4,5.0,7.6] guessed: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] [Viber][VoIP][Acceptable] detected: [.....1] [ip4][..tcp] [...192.168.0.17][33208] -> [...52.0.253.101][.4244] [Viber][VoIP][Acceptable] new: [....18] [ip4][..tcp] [...192.168.0.17][45424] -> [....18.201.4.32][..443] @@ -80,14 +82,15 @@ detection-update: [....21] [ip4][..tcp] [...192.168.0.17][49048] -> [..54.187.91.182][..443] [TLS.AmazonAWS][Cloud][Acceptable] detection-update: [....21] [ip4][..tcp] [...192.168.0.17][49048] -> [..54.187.91.182][..443] [TLS.AmazonAWS][Cloud][Acceptable] analyse: [....19] [ip4][..udp] [...192.168.0.17][47171] -> [....18.201.4.32][.7985] [Viber][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.525| 0.329| 0.210|44226.417| 0.000] - [PKTLEN......: 62.000| 299.000| 163.200| 100.400|10086.100| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.525| 0.329| 0.210| 44226.417| 4.600] + [PKTLEN......: 48.000| 285.000| 149.200| 100.400| 10086.100| 4.700] [BINS(c->s)..: 6,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,5,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 0.1,33.1,500.3,500.3,503.5,15.2,503.2,15.3,516.1,515.7,477.7,477.6,36.8,36.8,525.0,525.0,440.4,440.7,68.1,67.8,523.1,523.2,412.0,411.8,84.1,84.2,517.8,517.8,399.8,399.7,114.8] - [PKTLENS.....: 299,62,118,299,118,62,299,76,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299] + [PKTLENS.....: 285,48,104,285,104,48,285,62,104,285,104,48,62,285,104,285,104,48,62,285,104,285,104,48,62,285,104,285,104,48,62,285] + [ENTROPIES...: 6.4,5.1,3.4,6.5,3.5,5.1,6.5,4.0,3.5,6.5,3.5,5.1,4.0,6.4,3.5,6.5,3.4,5.0,4.0,6.4,3.5,6.4,3.5,5.1,4.0,6.5,3.5,6.4,3.5,5.1,4.0,6.5] new: [....22] [ip4][..tcp] [...192.168.0.17][33744] -> [.....18.201.4.3][..443] new: [....23] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7985] detected: [....23] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7985] [Viber][VoIP][Acceptable] @@ -95,14 +98,15 @@ detected: [....24] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7987] [Viber][VoIP][Acceptable] update: [....15] [ip6][icmp6] [..............fe80::3207:4dff:fea3:5fa7] -> [................................ff02::2] [ICMPV6][Network][Acceptable] analyse: [....23] [ip4][..udp] [...192.168.0.17][38190] -> [.....18.201.4.3][.7985] [Viber][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.531| 0.262| 0.245|59968.385| 0.000] - [PKTLEN......: 54.000| 299.000| 143.800| 99.700| 9932.100| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.531| 0.262| 0.245| 59968.385| 4.100] + [PKTLEN......: 40.000| 285.000| 129.800| 99.700| 9932.100| 4.600] [BINS(c->s)..: 10,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,5,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,1,0] [IATS(ms)....: 2.5,0.1,31.7,2.3,505.5,505.7,496.9,2.1,6.7,496.6,8.7,505.3,505.4,490.8,0.1,15.0,490.7,15.1,513.2,513.2,531.4,0.1,0.0,531.4,0.2,492.9,493.0,448.2,0.1,448.1,58.4] - [PKTLENS.....: 299,60,62,118,76,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,76,299] + [PKTLENS.....: 285,46,48,104,62,285,104,48,40,285,62,104,285,104,48,40,285,62,104,285,104,48,40,285,62,104,285,104,48,40,62,285] + [ENTROPIES...: 6.3,4.5,5.0,3.5,4.0,6.4,3.5,5.1,4.4,6.4,4.0,3.5,6.3,3.5,5.0,4.4,6.3,3.9,3.4,6.4,3.5,5.0,4.4,6.3,3.9,3.5,6.4,3.5,5.0,4.4,4.0,6.4] new: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] detected: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] [DNS.Google][Web][Acceptable] detection-update: [....25] [ip4][..udp] [...192.168.0.17][50097] -> [...192.168.0.15][...53] [DNS.Google][Web][Acceptable] diff --git a/test/results/flow-info/vnc.pcap.out b/test/results/flow-info/vnc.pcap.out index 4b435b887..f92c0b3b6 100644 --- a/test/results/flow-info/vnc.pcap.out +++ b/test/results/flow-info/vnc.pcap.out @@ -5,26 +5,28 @@ detected: [.....1] [ip4][..tcp] [..95.237.48.208][59791] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Desktop/File Sharing analyse: [.....1] [ip4][..tcp] [..95.237.48.208][59791] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.545| 0.058| 0.113|12857.595| 0.000] - [PKTLEN......: 54.000| 89.000| 70.600| 12.800| 163.200| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.545| 0.058| 0.113| 12857.595| 3.200] + [PKTLEN......: 40.000| 75.000| 56.600| 12.800| 163.200| 5.000] [BINS(c->s)..: 12,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 13,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,1,1,1,0,0,0,1] [IATS(ms)....: 0.5,38.8,49.9,50.3,38.8,37.1,157.8,7.0,164.5,0.7,37.5,0.2,0.0,36.4,0.0,37.3,1.2,0.0,0.2,0.7,0.0,0.7,0.5,199.0,310.3,0.0,0.1,545.3,0.7,22.3,59.5] - [PKTLENS.....: 66,66,60,66,66,62,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,54,77,54,84,82,86,60,60,81,54] + [PKTLENS.....: 52,52,46,52,52,48,46,40,59,46,69,74,74,62,46,75,40,74,72,40,68,72,40,63,40,70,68,72,46,46,67,40] + [ENTROPIES...: 4.6,4.9,4.6,5.0,5.1,5.0,4.8,4.7,5.3,4.6,5.6,5.6,5.9,5.4,4.6,5.8,4.7,5.8,5.7,4.7,5.7,5.7,4.6,5.6,4.7,5.6,5.6,5.5,4.5,4.5,5.6,4.7] new: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] detected: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Desktop/File Sharing analyse: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.539| 0.054| 0.125|15641.482| 0.000] - [PKTLEN......: 54.000| 89.000| 70.800| 12.600| 158.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.539| 0.054| 0.125| 15641.482| 3.000] + [PKTLEN......: 40.000| 75.000| 56.800| 12.600| 158.000| 5.000] [BINS(c->s)..: 13,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,0,1,1,1,1,0,0,0] [IATS(ms)....: 0.1,37.5,48.7,49.6,38.3,36.9,46.4,48.5,45.7,1.7,45.5,0.2,37.4,0.5,0.4,36.8,3.0,39.9,0.8,0.2,0.8,0.8,0.2,0.0,1.0,501.8,0.0,0.7,538.8,0.0,97.7] - [PKTLENS.....: 66,66,60,66,66,62,60,54,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,77,54,84,82,86,60,60,81] + [PKTLENS.....: 52,52,46,52,52,48,46,40,46,40,59,46,69,74,74,62,46,75,40,74,72,40,68,72,63,40,70,68,72,46,46,67] + [ENTROPIES...: 4.5,4.9,4.7,5.0,5.2,5.0,4.7,4.7,4.6,4.7,5.2,4.7,5.6,5.7,5.7,5.5,4.6,5.7,4.7,5.8,5.7,4.6,5.5,5.6,5.4,4.6,5.6,5.5,5.5,4.5,4.6,5.6] idle: [.....2] [ip4][..tcp] [..95.237.48.208][51559] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] RISK: Known Proto on Non Std Port, Desktop/File Sharing end: [.....1] [ip4][..tcp] [..95.237.48.208][59791] -> [..192.168.2.110][.6900] [VNC][RemoteAccess][Acceptable] diff --git a/test/results/flow-info/vxlan.pcap.out b/test/results/flow-info/vxlan.pcap.out index 42f7c2f34..25d4bb6c7 100644 --- a/test/results/flow-info/vxlan.pcap.out +++ b/test/results/flow-info/vxlan.pcap.out @@ -20,23 +20,25 @@ new: [.....9] [ip4][..udp] [...192.168.22.4][60230] -> [...192.168.22.5][.4789] detected: [.....9] [ip4][..udp] [...192.168.22.4][60230] -> [...192.168.22.5][.4789] [VXLAN][Network][Acceptable] analyse: [.....8] [ip4][..udp] [...192.168.22.5][36286] -> [...192.168.22.4][.4789] [VXLAN][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.141| 0.010| 0.031| 963.930| 0.000] - [PKTLEN......: 120.000| 1500.000| 1169.700| 546.600|298767.600| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.141| 0.010| 0.031| 963.930| 2.200] + [PKTLEN......: 102.000| 1482.000| 1151.700| 546.600| 298767.600| 4.800] [BINS(c->s)..: 0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 10.5,1.4,0.1,0.0,11.4,0.5,9.5,113.3,10.6,140.6,0.1,0.1,3.1,0.2,0.6,0.2,1.3,0.2,1.3,3.6,0.2,0.4,0.2,2.3,0.2,0.3,0.2,0.8,0.2,0.7,0.2] - [PKTLENS.....: 128,120,1500,1500,588,120,289,120,572,120,1500,1500,874,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500] + [PKTLENS.....: 110,102,1482,1482,570,102,271,102,554,102,1482,1482,856,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482] + [ENTROPIES...: 5.6,5.7,7.8,7.9,7.6,5.6,7.1,5.6,7.6,5.6,7.9,7.9,7.8,7.9,7.9,7.9,7.9,7.9,7.9,7.8,7.9,7.9,7.9,7.8,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9] analyse: [.....7] [ip4][..udp] [...192.168.22.4][40646] -> [...192.168.22.5][.4789] [VXLAN][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.151| 0.011| 0.030| 901.957| 0.000] - [PKTLEN......: 120.000| 438.000| 143.100| 68.200| 4655.600| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.151| 0.011| 0.030| 901.957| 2.500] + [PKTLEN......: 102.000| 420.000| 125.100| 68.200| 4655.600| 4.800] [BINS(c->s)..: 0,0,28,0,1,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 10.3,0.3,11.5,0.2,0.0,1.3,10.0,41.8,81.5,0.4,150.8,3.1,0.8,1.5,1.4,3.8,0.6,2.5,0.5,1.0,0.9,0.8,0.7,0.8,0.7,2.1,0.3,0.4,2.3,0.4,0.2] - [PKTLENS.....: 128,120,438,120,120,120,184,285,120,120,303,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120] + [PKTLENS.....: 110,102,420,102,102,102,166,267,102,102,285,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102] + [ENTROPIES...: 5.3,5.6,6.2,5.6,5.6,5.6,6.3,6.9,5.6,5.6,7.0,5.6,5.6,5.6,5.6,5.6,5.6,5.6,5.6,5.6,5.6,5.6,5.5,5.6,5.6,5.6,5.6,5.6,5.6,5.6,5.6,5.7] idle: [.....5] [ip4][..udp] [...192.168.22.4][60351] -> [...192.168.22.5][.4789] [VXLAN][Network][Acceptable] idle: [.....6] [ip4][..udp] [...192.168.22.5][50251] -> [...192.168.22.4][.4789] [VXLAN][Network][Acceptable] idle: [.....8] [ip4][..udp] [...192.168.22.5][36286] -> [...192.168.22.4][.4789] [VXLAN][Network][Acceptable] diff --git a/test/results/flow-info/wa_video.pcap.out b/test/results/flow-info/wa_video.pcap.out index 4fefc2819..5ab984b25 100644 --- a/test/results/flow-info/wa_video.pcap.out +++ b/test/results/flow-info/wa_video.pcap.out @@ -17,25 +17,27 @@ new: [.....8] [ip4][..udp] [...192.168.2.12][51277] -> [239.255.255.250][.1900] detected: [.....8] [ip4][..udp] [...192.168.2.12][51277] -> [239.255.255.250][.1900] [SSDP][System][Acceptable] analyse: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.404| 0.182| 0.481|231053.525| 0.000] - [PKTLEN......: 66.000| 1454.000| 282.400| 335.200|112371.900| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.404| 0.182| 0.481| 231053.525| 2.400] + [PKTLEN......: 52.000| 1440.000| 268.400| 335.200| 112371.900| 4.200] [BINS(c->s)..: 11,0,0,0,5,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,0,0,1,1,4,0,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0] [DIRECTIONS..: 0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0] [IATS(ms)....: 51.7,176.8,0.0,439.6,1227.8,0.8,306.1,108.9,2404.5,0.2,0.0,0.3,0.0,0.0,0.3,133.1,0.6,40.7,0.3,7.7,7.9,1.7,1.6,528.8,1.1,0.7,0.7,0.7,2.7,2.6] - [PKTLENS.....: 614,66,1454,169,522,522,346,203,239,1454,66,66,78,66,66,66,78,242,242,66,66,242,66,418,66,228,226,220,220,220,220,220] + [PKTLENS.....: 600,52,1440,155,508,508,332,189,225,1440,52,52,64,52,52,52,64,228,228,52,52,228,52,404,52,214,212,206,206,206,206,206] + [ENTROPIES...: 7.6,5.1,7.9,6.7,7.6,7.6,7.3,6.7,7.0,7.9,5.0,5.1,5.1,5.1,5.1,5.1,5.2,7.0,7.0,5.1,5.1,7.0,5.1,7.5,5.1,6.9,6.9,6.9,6.9,6.9,6.8,7.0] guessed: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][Chat][Acceptable] detected: [.....2] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][Chat][Acceptable] analyse: [.....3] [ip4][..udp] [...192.168.2.12][53688] -> [....31.13.86.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.550| 0.064| 0.136|18373.693| 0.000] - [PKTLEN......: 44.000| 514.000| 345.600| 205.800|42355.100| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.550| 0.064| 0.136| 18373.693| 3.100] + [PKTLEN......: 30.000| 500.000| 331.600| 205.800| 42355.100| 4.700] [BINS(c->s)..: 3,0,0,4,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,4,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0] [IATS(ms)....: 0.1,13.1,1.1,548.2,0.8,550.1,16.2,0.1,20.3,0.1,23.6,0.6,14.5,1.0,0.1,79.3,29.6,0.1,23.2,0.2,20.0,0.3,24.4,3.5,104.4,150.5,15.9,197.6,75.4,2.5,68.2] - [PKTLENS.....: 168,168,86,86,168,514,86,514,514,514,514,514,514,48,514,514,44,514,514,514,514,514,514,514,168,86,62,514,62,514,514,62] + [PKTLENS.....: 154,154,72,72,154,500,72,500,500,500,500,500,500,34,500,500,30,500,500,500,500,500,500,500,154,72,48,500,48,500,500,48] + [ENTROPIES...: 6.5,6.5,5.2,5.3,6.5,7.4,5.3,7.5,7.5,7.5,7.5,7.4,7.5,4.6,7.5,7.5,4.5,7.5,7.5,7.5,7.4,7.5,7.4,7.4,6.5,5.3,3.8,7.3,3.8,7.4,7.4,4.2] new: [.....9] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] detected: [.....9] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable] new: [....10] [ip4][..udp] [...192.168.2.12][53688] -> [.....1.60.78.64][59491] @@ -45,14 +47,15 @@ detected: [....11] [ip4][..udp] [...192.168.2.12][53688] -> [...91.252.56.51][32641] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....11] [ip4][..udp] [...192.168.2.12][53688] -> [...91.252.56.51][32641] [STUN.WhatsAppCall][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.979| 0.150| 0.383|146861.081| 0.000] - [PKTLEN......: 86.000| 1160.000| 537.500| 432.000|186635.800| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.979| 0.150| 0.383| 146861.081| 2.700] + [PKTLEN......: 72.000| 1146.000| 523.500| 432.000| 186635.800| 4.500] [BINS(c->s)..: 0,6,0,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,7,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,0,2,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,1,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1] [IATS(ms)....: 707.1,619.8,619.1,1979.4,36.3,69.7,132.0,26.4,100.1,1.5,36.5,24.6,0.1,0.2,0.3,0.3,10.7,26.1,102.4,15.1,0.3,0.6,0.5,0.9,0.2,0.8,7.6,0.9,0.1,0.6,131.2] - [PKTLENS.....: 86,86,86,86,86,86,86,170,86,179,164,144,913,913,913,912,1160,208,157,212,1036,1036,1036,1036,1036,1034,164,934,934,934,1062,224] + [PKTLENS.....: 72,72,72,72,72,72,72,156,72,165,150,130,899,899,899,898,1146,194,143,198,1022,1022,1022,1022,1022,1020,150,920,920,920,1048,210] + [ENTROPIES...: 5.6,5.7,5.5,5.6,5.4,5.5,5.6,6.6,5.7,6.7,6.5,6.4,7.7,7.8,7.8,7.8,7.8,6.7,6.4,6.9,7.8,7.8,7.8,7.8,7.8,7.8,6.6,7.8,7.8,7.8,7.8,7.0] new: [....12] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] detected: [....12] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Cloud][Acceptable] new: [....13] [ip4][..udp] [...192.168.2.12][65025] -> [239.255.255.250][.1900] diff --git a/test/results/flow-info/wa_voice.pcap.out b/test/results/flow-info/wa_voice.pcap.out index 7dd27a4da..2d1869450 100644 --- a/test/results/flow-info/wa_voice.pcap.out +++ b/test/results/flow-info/wa_voice.pcap.out @@ -14,14 +14,15 @@ new: [.....5] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] detected: [.....5] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][Chat][Acceptable] analyse: [.....5] [ip4][..tcp] [...192.168.2.12][49355] -> [..157.240.20.53][.5222] [WhatsApp][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.304| 0.044| 0.076| 5836.115| 0.000] - [PKTLEN......: 66.000| 1454.000| 309.400| 467.500|218553.500| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.304| 0.044| 0.076| 5836.115| 3.200] + [PKTLEN......: 52.000| 1440.000| 295.400| 467.500| 218553.500| 3.800] [BINS(c->s)..: 11,3,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1] [IATS(ms)....: 40.7,137.0,170.4,304.1,130.2,0.1,31.0,5.3,0.0,0.4,0.0,0.2,0.0,1.2,210.1,0.3,0.0,0.0,0.2,0.0,0.3,41.4,129.9,0.1,0.0,0.0,0.0,1.0,24.3,131.9,0.0] - [PKTLENS.....: 78,74,66,322,66,123,117,151,1454,106,1454,169,1454,178,1454,66,66,66,66,66,66,66,1059,98,112,133,96,125,66,352,66,66] + [PKTLENS.....: 64,60,52,308,52,109,103,137,1440,92,1440,155,1440,164,1440,52,52,52,52,52,52,52,1045,84,98,119,82,111,52,338,52,52] + [ENTROPIES...: 4.5,5.1,5.0,7.2,5.1,6.1,6.0,6.5,7.9,5.9,7.9,6.7,7.9,6.7,7.9,5.0,5.0,5.0,5.1,5.1,5.1,5.0,7.8,5.6,5.9,6.2,5.7,6.2,5.0,7.3,5.0,5.0] new: [.....6] [ip4][..udp] [...192.168.2.12][55296] -> [....192.168.2.1][...53] detected: [.....6] [ip4][..udp] [...192.168.2.12][55296] -> [....192.168.2.1][...53] [DNS.WhatsAppFiles][Download][Acceptable] detection-update: [.....6] [ip4][..udp] [...192.168.2.12][55296] -> [....192.168.2.1][...53] [DNS.WhatsAppFiles][Download][Acceptable] @@ -29,14 +30,15 @@ detected: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][Download][Acceptable] detection-update: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][Download][Acceptable] analyse: [.....7] [ip4][..tcp] [...192.168.2.12][50503] -> [....31.13.86.51][..443] [TLS.WhatsAppFiles][Download][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.163| 0.021| 0.048| 2262.349| 0.000] - [PKTLEN......: 66.000| 1454.000| 357.600| 489.700|239839.300| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.163| 0.021| 0.048| 2262.349| 2.500] + [PKTLEN......: 52.000| 1440.000| 343.600| 489.700| 239839.300| 3.900] [BINS(c->s)..: 10,3,1,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0] [IATS(ms)....: 19.7,127.7,2.8,126.3,2.9,0.0,0.0,21.0,0.2,145.2,0.0,0.0,0.0,0.0,0.0,163.3,0.0,0.0,0.2,0.0,0.0,17.5,0.3,0.0,0.0,2.4,0.3,0.1,0.4,0.6] - [PKTLENS.....: 78,74,66,583,66,1454,1454,349,66,66,130,112,109,101,402,325,66,237,140,97,66,114,498,66,66,66,66,1454,66,1454,1454,97] + [PKTLENS.....: 64,60,52,569,52,1440,1440,335,52,52,116,98,95,87,388,311,52,223,126,83,52,100,484,52,52,52,52,1440,52,1440,1440,83] + [ENTROPIES...: 4.5,5.2,5.0,5.0,5.1,7.8,7.9,7.4,5.0,5.1,6.0,6.0,6.0,5.7,7.3,7.2,5.1,7.0,6.3,5.8,5.0,6.0,7.5,4.9,5.0,5.0,4.9,7.9,5.0,7.9,7.9,5.7] new: [.....8] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] detected: [.....8] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Cloud][Acceptable] new: [.....9] [ip4][..tcp] [...17.171.47.85][..443] -> [...192.168.2.12][50502] [MIDSTREAM] @@ -68,40 +70,43 @@ detected: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][Chat][Acceptable] detection-update: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][Chat][Acceptable] analyse: [....21] [ip4][..tcp] [...192.168.2.12][50504] -> [..157.240.20.52][..443] [TLS.WhatsApp][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.129| 0.020| 0.031| 949.768| 0.000] - [PKTLEN......: 66.000| 1454.000| 388.400| 526.300|277041.400| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.129| 0.020| 0.031| 949.768| 3.500] + [PKTLEN......: 52.000| 1440.000| 374.400| 526.300| 277041.400| 3.900] [BINS(c->s)..: 10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,1,0,1,1,0,1,1,1,1] [IATS(ms)....: 37.2,39.0,11.1,51.5,1.0,0.1,0.0,42.8,0.1,34.6,3.8,0.4,0.2,0.3,76.2,0.0,34.9,0.4,0.3,3.6,0.0,2.9,1.3,3.4,77.4,53.7,129.1,1.4,0.0,0.2,0.1] - [PKTLENS.....: 78,74,66,583,66,1454,1454,347,66,66,130,112,109,101,258,237,140,66,66,97,66,97,66,101,66,66,516,66,1454,1454,1454,1454] + [PKTLENS.....: 64,60,52,569,52,1440,1440,333,52,52,116,98,95,87,244,223,126,52,52,83,52,83,52,87,52,52,502,52,1440,1440,1440,1440] + [ENTROPIES...: 4.4,5.1,4.9,4.8,5.0,7.8,7.9,7.3,4.9,4.9,6.1,5.9,5.9,5.8,7.0,7.0,6.4,4.9,4.9,5.6,5.1,5.8,5.0,5.9,4.9,5.0,7.6,4.9,7.9,7.9,7.8,7.8] new: [....22] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] detected: [....22] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] [DHCP][Network][Acceptable] new: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] detected: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....14] [ip4][..udp] [...192.168.2.12][56328] -> [....31.13.86.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 12.196| 1.588| 3.050|9304956.469| 0.000] - [PKTLEN......: 44.000| 320.000| 124.000| 87.200| 7598.900| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 12.196| 1.588| 3.050| 9304956.469| 3.200] + [PKTLEN......: 30.000| 306.000| 110.000| 87.200| 7598.900| 4.600] [BINS(c->s)..: 6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,6,0,1,0,0,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,0,1,0,0,1] [IATS(ms)....: 0.1,13.4,0.1,12194.2,12196.2,104.4,0.1,105.1,0.0,108.6,104.6,3043.3,3048.9,3100.9,3096.0,3015.3,3016.6,2001.9,2.2,107.1,164.0,190.1,88.5,28.8,198.6,134.0,3008.1,91.0,35.6,0.3,36.5] - [PKTLENS.....: 168,168,86,86,48,44,168,168,86,86,48,44,48,44,48,44,48,44,88,68,246,275,254,164,320,248,316,48,44,168,168,86] + [PKTLENS.....: 154,154,72,72,34,30,154,154,72,72,34,30,34,30,34,30,34,30,74,54,232,261,240,150,306,234,302,34,30,154,154,72] + [ENTROPIES...: 6.5,6.5,5.3,5.3,4.6,4.5,6.5,6.5,5.2,5.1,4.6,4.5,4.6,4.5,4.6,4.5,4.6,4.5,5.7,5.2,7.0,7.1,7.1,6.6,7.3,7.0,7.2,4.6,4.5,6.5,6.5,5.2] new: [....24] [ip4][..udp] [...192.168.2.12][56328] -> [.....1.60.78.64][64282] detected: [....24] [ip4][..udp] [...192.168.2.12][56328] -> [.....1.60.78.64][64282] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....23] [ip4][..udp] [...91.252.56.51][32704] -> [...192.168.2.12][56328] [STUN.WhatsAppCall][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.204| 0.182| 0.229|52393.320| 0.000] - [PKTLEN......: 68.000| 315.000| 158.900| 51.700| 2672.500| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.204| 0.182| 0.229| 52393.320| 4.200] + [PKTLEN......: 54.000| 301.000| 144.900| 51.700| 2672.500| 4.900] [BINS(c->s)..: 1,4,0,8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,2,0,4,6,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0,1,0,0,1] [IATS(ms)....: 578.2,623.6,1203.7,72.5,167.2,11.6,115.7,158.4,0.0,172.8,173.6,169.8,156.2,136.6,155.3,179.8,99.3,157.4,38.3,163.4,181.3,166.6,142.4,3.0,26.0,115.3,6.1,171.8,106.3,56.2,143.4] - [PKTLENS.....: 86,86,86,86,86,86,213,274,164,175,315,151,173,173,147,163,150,164,186,178,169,173,178,184,164,68,164,164,170,164,153,193] + [PKTLENS.....: 72,72,72,72,72,72,199,260,150,161,301,137,159,159,133,149,136,150,172,164,155,159,164,170,150,54,150,150,156,150,139,179] + [ENTROPIES...: 5.5,5.6,5.5,5.6,5.5,5.6,6.9,7.1,6.7,6.6,7.3,6.5,6.7,6.6,6.5,6.6,6.5,6.6,6.7,6.8,6.7,6.7,6.7,6.7,6.5,5.2,6.6,6.6,6.7,6.6,6.6,6.8] detection-update: [....12] [ip4][..udp] [...192.168.2.12][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] detection-update: [....13] [ip6][..udp] [...............fe80::414:409d:8afd:9f05][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] new: [....25] [ip4][..tcp] [...192.168.2.12][49352] -> [169.254.162.244][49159] [MIDSTREAM] diff --git a/test/results/flow-info/waze.pcap.out b/test/results/flow-info/waze.pcap.out index ec2ec66fb..50b1e5d3d 100644 --- a/test/results/flow-info/waze.pcap.out +++ b/test/results/flow-info/waze.pcap.out @@ -65,23 +65,25 @@ detected: [....17] [ip4][..tcp] [.......10.8.0.1][45554] -> [.54.230.227.172][...80] [HTTP.Waze][Web][Acceptable] detection-update: [....17] [ip4][..tcp] [.......10.8.0.1][45554] -> [.54.230.227.172][...80] [HTTP.Waze][Web][Acceptable] analyse: [.....3] [ip4][..tcp] [.......10.8.0.1][54915] -> [..65.39.128.135][...80] [HTTP][Download][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.002| 3.681| 0.340| 0.885|782653.260| 0.000] - [PKTLEN......: 54.000|11833.000| 1966.700| 3090.500|9551439.000| 3.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.002| 3.681| 0.340| 0.885| 782653.260| 2.800] + [PKTLEN......: 40.000|11819.000| 1952.700| 3090.500| 9551440.000| 3.500] [BINS(c->s)..: 15,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,10] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 3.7,3.9,21.8,22.4,3678.0,3680.6,286.1,284.3,338.9,393.5,330.3,329.4,54.6,2.0,179.3,179.5,2.6,51.2,50.7,3.1,28.5,76.3,51.1,51.3,122.7,73.5,10.2,59.1,52.6,58.3,56.5] - [PKTLENS.....: 74,54,54,317,54,1422,54,2790,54,5526,54,8262,54,2687,54,1422,54,1422,54,9630,54,2790,54,5526,54,5526,54,2790,54,11833,54,54] + [PKTLENS.....: 60,40,40,303,40,1408,40,2776,40,5512,40,8248,40,2673,40,1408,40,1408,40,9616,40,2776,40,5512,40,5512,40,2776,40,11819,40,40] + [ENTROPIES...: 4.4,4.7,4.7,5.5,4.6,7.0,4.6,6.9,4.6,5.6,4.7,6.8,4.7,7.0,4.6,3.0,4.6,7.0,4.7,6.2,4.7,6.6,4.7,1.7,4.7,1.7,4.7,1.4,4.6,1.7,4.7,4.7] analyse: [.....5] [ip4][..tcp] [.......10.8.0.1][36100] -> [..46.51.173.182][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.659| 0.289| 0.505|255075.107| 0.000] - [PKTLEN......: 54.000| 5515.000| 567.800| 1270.800|1615041.000| 3.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.659| 0.289| 0.505| 255075.107| 3.300] + [PKTLEN......: 40.000| 5501.000| 553.800| 1270.800| 1615041.000| 3.000] [BINS(c->s)..: 5,2,0,0,3,1,0,0,0,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1] [IATS(ms)....: 1.2,10.9,357.2,367.1,474.4,475.3,8.1,9.0,265.9,317.7,52.0,0.9,0.6,0.3,0.3,1430.1,1483.3,119.5,172.8,51.4,51.9,1.4,0.9,0.5,0.4,0.3,0.4,1601.9,1658.8,0.2,57.1] - [PKTLENS.....: 74,54,54,236,54,3201,54,380,54,288,203,54,590,54,115,54,5515,54,203,54,590,54,590,54,590,54,115,54,4411,54,203,54] + [PKTLENS.....: 60,40,40,222,40,3187,40,366,40,274,189,40,576,40,101,40,5501,40,189,40,576,40,576,40,576,40,101,40,4397,40,189,40] + [ENTROPIES...: 4.3,4.7,4.7,5.2,4.7,7.4,4.6,7.3,4.7,7.0,6.9,4.6,7.6,4.7,6.1,4.6,8.0,4.7,6.8,4.6,7.6,4.6,7.7,4.6,7.6,4.7,6.2,4.7,8.0,4.6,6.8,4.6] detection-update: [.....5] [ip4][..tcp] [.......10.8.0.1][36100] -> [..46.51.173.182][..443] [TLS.Waze][Web][Acceptable] RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher detection-update: [....12] [ip4][..tcp] [.......10.8.0.1][51050] -> [.176.34.103.105][..443] [TLS.AmazonAWS][Cloud][Acceptable] @@ -128,34 +130,37 @@ new: [....29] [ip4][..tcp] [.......10.8.0.1][43089] -> [..200.160.4.198][..443] [MIDSTREAM] new: [....30] [ip4][..tcp] [.......10.8.0.1][60479] -> [...200.160.4.49][..443] [MIDSTREAM] analyse: [....18] [ip4][..tcp] [.......10.8.0.1][39021] -> [..52.17.114.219][..443] [TLS.Waze][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.416| 0.170| 0.135|18249.146| 0.000] - [PKTLEN......: 54.000|21942.000| 1838.800| 4660.800|21723254.000| 2.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.416| 0.170| 0.135| 18249.146| 4.400] + [PKTLEN......: 40.000|21928.000| 1824.800| 4660.800| 21723256.000| 2.600] [BINS(c->s)..: 12,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,5] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,1] [IATS(ms)....: 1.3,1.6,226.9,227.5,336.5,387.2,51.3,1.2,297.2,297.8,252.5,309.4,358.7,415.9,0.8,0.5,0.5,0.6,254.3,305.5,51.8,52.5,211.3,161.3,248.0,249.1,81.3,79.5,208.7,209.7,0.6] - [PKTLENS.....: 74,54,54,236,54,1422,54,2177,54,188,54,288,54,203,54,590,54,77,54,1422,54,12366,54,5526,54,21942,54,11359,54,54,54,54] + [PKTLENS.....: 60,40,40,222,40,1408,40,2163,40,174,40,274,40,189,40,576,40,63,40,1408,40,12352,40,5512,40,21928,40,11345,40,40,40,40] + [ENTROPIES...: 4.4,4.8,4.7,5.3,4.7,7.2,4.7,7.6,4.7,6.5,4.8,7.1,4.7,6.9,4.8,7.6,4.7,5.6,4.7,7.9,4.7,8.0,4.7,8.0,4.6,8.0,4.7,8.0,4.7,4.7,4.7,4.7] analyse: [....19] [ip4][..tcp] [.......10.8.0.1][36312] -> [.176.34.186.180][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.449| 0.192| 0.280|78147.936| 0.000] - [PKTLEN......: 54.000|11186.000| 1394.300| 2994.000|8963944.000| 3.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.449| 0.192| 0.280| 78147.936| 3.800] + [PKTLEN......: 40.000|11172.000| 1380.300| 2994.000| 8963944.000| 2.900] [BINS(c->s)..: 12,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0] [IATS(ms)....: 2.4,2.8,291.8,292.5,279.8,332.4,52.7,50.7,425.1,475.7,259.9,310.7,0.7,51.4,0.6,0.7,0.5,0.3,293.9,546.0,252.8,1.5,20.2,21.2,56.9,56.8,156.2,205.9,52.7,4.2,1449.2] - [PKTLENS.....: 74,54,54,236,54,1066,54,2533,54,188,54,288,54,590,54,403,54,91,54,10174,54,8150,54,1066,54,11186,54,1066,54,6590,54,54] + [PKTLENS.....: 60,40,40,222,40,1052,40,2519,40,174,40,274,40,576,40,389,40,77,40,10160,40,8136,40,1052,40,11172,40,1052,40,6576,40,40] + [ENTROPIES...: 4.4,4.8,4.8,5.2,4.7,7.0,4.8,7.6,4.6,6.6,4.7,7.0,4.7,7.6,4.8,7.4,4.7,5.7,4.7,8.0,4.8,8.0,4.7,7.8,4.7,8.0,4.8,7.8,4.8,8.0,4.7,4.8] detection-update: [....19] [ip4][..tcp] [.......10.8.0.1][36312] -> [.176.34.186.180][..443] [TLS.Waze][Web][Acceptable] RISK: Obsolete TLS (v1.1 or older) analyse: [.....6] [ip4][..tcp] [.......10.8.0.1][36102] -> [..46.51.173.182][..443] [TLS.Waze][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 5.891| 1.026| 1.779|3164212.036| 0.000] - [PKTLEN......: 54.000| 3660.000| 366.100| 731.900|535720.000| 3.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 5.891| 1.026| 1.779| 3164212.036| 3.400] + [PKTLEN......: 40.000| 3646.000| 352.100| 731.900| 535720.000| 3.400] [BINS(c->s)..: 10,0,0,0,1,2,0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,2,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1] [IATS(ms)....: 9.1,9.5,461.2,462.1,319.2,370.8,51.5,0.6,58.7,59.3,267.3,318.5,5838.7,5890.9,1.9,3.1,232.7,285.9,1892.6,1892.4,50.9,52.2,293.0,345.1,0.6,0.4,1258.6,1310.0,5014.8,5014.5,51.5] - [PKTLENS.....: 74,54,54,236,54,1066,54,2189,54,380,54,288,54,235,54,555,54,107,54,1066,54,3660,54,203,54,315,54,331,54,91,54,54] + [PKTLENS.....: 60,40,40,222,40,1052,40,2175,40,366,40,274,40,221,40,541,40,93,40,1052,40,3646,40,189,40,301,40,317,40,77,40,40] + [ENTROPIES...: 4.3,4.7,4.7,5.2,4.6,7.0,4.7,7.5,4.6,7.3,4.7,7.0,4.7,7.0,4.7,7.5,4.7,6.1,4.7,7.8,4.7,7.9,4.7,6.8,4.7,7.2,4.7,7.3,4.7,5.7,4.6,4.7] new: [....31] [ip4][..tcp] [.......10.8.0.1][36134] -> [..46.51.173.182][..443] detected: [....31] [ip4][..tcp] [.......10.8.0.1][36134] -> [..46.51.173.182][..443] [TLS.AmazonAWS][Cloud][Acceptable] RISK: Obsolete TLS (v1.1 or older) diff --git a/test/results/flow-info/webex.pcap.out b/test/results/flow-info/webex.pcap.out index aed878e15..6f601de5c 100644 --- a/test/results/flow-info/webex.pcap.out +++ b/test/results/flow-info/webex.pcap.out @@ -7,14 +7,15 @@ detection-update: [.....1] [ip4][..tcp] [.......10.8.0.1][41346] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....1] [ip4][..tcp] [.......10.8.0.1][41346] -> [..64.68.105.103][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.557| 0.113| 0.156|24421.341| 0.000] - [PKTLEN......: 54.000| 2774.000| 401.900| 588.900|346810.600| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.557| 0.113| 0.156| 24421.341| 3.700] + [PKTLEN......: 40.000| 2760.000| 387.900| 588.900| 346810.600| 3.800] [BINS(c->s)..: 9,0,1,0,0,0,1,0,1,1,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0] [IATS(ms)....: 6.5,6.7,0.2,0.6,505.7,557.3,57.9,60.1,0.9,55.6,257.5,309.3,10.1,61.4,0.8,0.7,299.2,351.3,56.0,56.2,0.8,52.9,0.4,2.8,268.6,322.3,52.3,51.9,18.4,69.5,0.5] - [PKTLENS.....: 74,54,54,249,54,2774,54,1273,54,364,54,97,54,590,54,138,54,1414,54,823,54,590,54,328,54,1414,54,762,54,590,54,518] + [PKTLENS.....: 60,40,40,235,40,2760,40,1259,40,350,40,83,40,576,40,124,40,1400,40,809,40,576,40,314,40,1400,40,748,40,576,40,504] + [ENTROPIES...: 4.4,4.7,4.7,5.5,4.7,7.3,4.8,7.1,4.7,7.2,4.6,5.6,4.6,7.7,4.5,6.3,4.6,7.9,4.7,7.8,4.8,7.6,4.6,7.3,4.7,7.9,4.7,7.7,4.7,7.6,4.5,7.6] detection-update: [.....1] [ip4][..tcp] [.......10.8.0.1][41346] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS new: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] @@ -33,14 +34,15 @@ detection-update: [.....4] [ip4][..tcp] [.......10.8.0.1][41351] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....2] [ip4][..tcp] [.......10.8.0.1][41348] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.455| 0.115| 0.126|15828.845| 0.000] - [PKTLEN......: 54.000|18020.000| 1588.700| 3700.100|13691056.000| 2.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.455| 0.115| 0.126| 15828.845| 4.100] + [PKTLEN......: 40.000|18006.000| 1574.700| 3700.100| 13691057.000| 2.900] [BINS(c->s)..: 10,1,0,0,0,0,0,1,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,5] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 5.6,6.8,0.2,1.5,404.7,455.3,0.6,51.3,245.8,245.9,0.4,0.3,223.3,274.8,51.6,0.4,0.3,283.1,286.1,84.1,131.8,50.9,51.2,56.8,56.7,181.0,181.0,56.1,58.6,54.5,58.4] - [PKTLENS.....: 74,54,54,281,54,183,54,97,54,590,54,533,54,1658,590,54,503,54,6854,54,1414,54,9477,54,1414,54,1414,54,18020,54,6871,54] + [PKTLENS.....: 60,40,40,267,40,169,40,83,40,576,40,519,40,1644,576,40,489,40,6840,40,1400,40,9463,40,1400,40,1400,40,18006,40,6857,40] + [ENTROPIES...: 4.4,4.7,4.6,5.9,4.7,6.4,4.7,5.6,4.6,7.6,4.7,7.6,4.7,7.9,7.6,4.6,7.6,4.7,8.0,4.6,7.9,4.6,8.0,4.6,7.9,4.7,7.9,4.6,8.0,4.6,8.0,4.7] new: [.....5] [ip4][..tcp] [..10.133.206.47][54651] -> [..185.63.147.10][..443] [MIDSTREAM] new: [.....6] [ip4][..tcp] [..10.133.206.47][59447] -> [..107.20.242.44][..443] [MIDSTREAM] new: [.....7] [ip4][..tcp] [.......10.8.0.1][41354] -> [..64.68.105.103][..443] @@ -59,14 +61,15 @@ detection-update: [.....9] [ip4][..tcp] [.......10.8.0.1][41358] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher analyse: [.....9] [ip4][..tcp] [.......10.8.0.1][41358] -> [..64.68.105.103][..443] [TLS.Webex][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.031| 0.154| 0.247|61096.366| 0.000] - [PKTLEN......: 54.000| 8901.000| 1122.500| 2294.900|5266404.000| 3.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.031| 0.154| 0.247| 61096.366| 3.800] + [PKTLEN......: 40.000| 8887.000| 1108.500| 2294.900| 5266403.500| 3.100] [BINS(c->s)..: 12,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,4] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 3.1,3.2,1.9,2.2,397.0,448.1,52.0,52.1,0.4,52.4,209.8,261.8,51.8,1.3,1.0,979.9,1031.5,52.6,53.5,94.1,93.8,53.1,53.9,119.1,117.5,148.4,147.8,51.4,51.4,96.7,96.6] - [PKTLENS.....: 74,54,54,117,54,1414,54,2633,54,380,54,113,590,54,88,54,1414,54,8171,54,1414,54,8901,54,187,54,1414,54,6731,54,1414,54] + [PKTLENS.....: 60,40,40,103,40,1400,40,2619,40,366,40,99,576,40,74,40,1400,40,8157,40,1400,40,8887,40,173,40,1400,40,6717,40,1400,40] + [ENTROPIES...: 4.4,4.7,4.7,5.3,4.6,7.2,4.7,7.2,4.6,7.3,4.6,6.0,7.6,4.5,5.7,4.6,7.9,4.7,8.0,4.7,7.9,4.7,8.0,4.7,6.8,4.6,7.9,4.6,8.0,4.7,7.9,4.7] new: [....10] [ip4][..tcp] [.......10.8.0.1][41726] -> [.114.29.213.212][..443] new: [....11] [ip4][..tcp] [.......10.8.0.1][51646] -> [..114.29.204.49][..443] detected: [....10] [ip4][..tcp] [.......10.8.0.1][41726] -> [.114.29.213.212][..443] [TLS.Webex][VoIP][Acceptable] @@ -192,25 +195,27 @@ detected: [....39] [ip4][..tcp] [.......10.8.0.1][55665] -> [..173.243.0.110][..443] [TLS.Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older) analyse: [....37] [ip4][..tcp] [.......10.8.0.1][51155] -> [.62.109.224.120][..443] [TLS.Webex][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.215| 0.340| 0.548|300050.219| 0.000] - [PKTLEN......: 54.000|10581.000| 633.600| 1915.700|3669828.500| 2.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.215| 0.340| 0.548| 300050.219| 3.700] + [PKTLEN......: 40.000|10567.000| 619.600| 1915.700| 3669828.500| 2.500] [BINS(c->s)..: 13,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,1,1,0,1,1,1,0,0,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0] [IATS(ms)....: 14.2,16.6,0.1,3.2,966.8,968.2,50.6,52.1,160.0,217.3,56.9,151.8,203.4,506.4,456.2,506.1,506.2,258.0,307.3,51.0,1.8,210.7,261.7,55.5,54.3,51.9,51.3,2214.6,2165.1,3.2,2.9] - [PKTLENS.....: 74,54,54,117,54,3961,54,380,54,113,528,54,272,54,1024,54,10581,54,171,54,288,54,123,54,219,54,399,54,560,54,602,54] + [PKTLENS.....: 60,40,40,103,40,3947,40,366,40,99,514,40,258,40,1010,40,10567,40,157,40,274,40,109,40,205,40,385,40,546,40,588,40] + [ENTROPIES...: 4.5,4.8,4.8,5.4,4.7,7.3,4.8,7.2,4.7,5.9,7.5,4.7,7.2,4.7,7.7,4.8,8.0,4.8,6.6,4.8,7.2,4.8,6.1,4.8,6.9,4.8,7.3,4.7,7.5,4.8,7.6,4.8] detection-update: [....39] [ip4][..tcp] [.......10.8.0.1][55665] -> [..173.243.0.110][..443] [TLS.Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older), Weak TLS Cipher analyse: [....36] [ip4][..tcp] [.......10.8.0.1][51154] -> [.62.109.224.120][..443] [TLS.Webex][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.270| 0.347| 0.598|357673.959| 0.000] - [PKTLEN......: 54.000| 3961.000| 324.600| 685.400|469733.500| 3.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.270| 0.347| 0.598| 357673.959| 3.300] + [PKTLEN......: 40.000| 3947.000| 310.600| 685.400| 469733.500| 3.500] [BINS(c->s)..: 3,1,1,1,0,0,1,0,0,0,3,0,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 9.1,24.1,0.4,16.5,915.3,917.4,50.7,52.7,154.6,206.6,52.4,7.9,9.4,3.3,2.1,963.3,962.0,0.5,0.4,0.4,0.3,562.0,562.1,368.6,368.5,0.7,0.6,2270.1,2270.1,1.0,1.0] - [PKTLENS.....: 74,54,54,117,54,3961,54,380,54,113,560,54,590,54,136,54,590,54,590,54,400,54,400,54,590,54,168,54,590,54,264,54] + [PKTLENS.....: 60,40,40,103,40,3947,40,366,40,99,546,40,576,40,122,40,576,40,576,40,386,40,386,40,576,40,154,40,576,40,250,40] + [ENTROPIES...: 4.4,4.7,4.6,5.4,4.7,7.3,4.8,7.3,4.8,6.0,7.6,4.8,7.6,4.8,6.5,4.8,7.6,4.8,7.6,4.8,7.4,4.8,7.4,4.7,7.6,4.7,6.5,4.7,7.6,4.7,7.0,4.8] new: [....40] [ip4][..tcp] [.......10.8.0.1][51833] -> [.62.109.229.158][..443] detected: [....40] [ip4][..tcp] [.......10.8.0.1][51833] -> [.62.109.229.158][..443] [TLS.Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older) @@ -273,14 +278,15 @@ new: [....53] [ip4][..udp] [.......10.8.0.1][51772] -> [.62.109.229.158][.9000] new: [....54] [ip4][..tcp] [.......10.8.0.1][51859] -> [.62.109.229.158][..443] analyse: [....52] [ip4][..tcp] [.......10.8.0.1][51857] -> [.62.109.229.158][..443] [TLS.Webex][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.367| 0.190| 0.352|124124.103| 0.000] - [PKTLEN......: 54.000| 3961.000| 248.000| 677.200|458632.100| 3.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.367| 0.190| 0.352| 124124.103| 3.400] + [PKTLEN......: 40.000| 3947.000| 234.000| 677.200| 458632.100| 3.100] [BINS(c->s)..: 7,0,2,3,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 10,2,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,1] [IATS(ms)....: 4.2,5.0,6.4,7.6,1312.6,1366.7,17.5,71.4,145.7,199.0,0.3,53.7,129.5,180.9,0.2,51.5,121.2,172.3,51.5,51.2,125.5,176.2,50.8,50.8,0.5,1.0,264.3,263.8,0.8,0.9,1006.9] - [PKTLENS.....: 74,54,54,241,54,3961,54,380,54,113,54,128,54,91,54,432,54,123,54,543,54,144,54,208,54,176,54,176,54,160,54,123] + [PKTLENS.....: 60,40,40,227,40,3947,40,366,40,99,40,114,40,77,40,418,40,109,40,529,40,130,40,194,40,162,40,162,40,146,40,109] + [ENTROPIES...: 4.5,4.8,4.8,5.2,4.7,7.3,4.8,7.3,4.8,6.0,4.8,6.2,4.8,5.7,4.8,7.5,4.8,6.2,4.8,7.4,4.8,6.4,4.8,6.8,4.7,6.6,4.6,6.6,4.8,6.4,4.7,6.2] new: [....55] [ip4][..tcp] [.......10.8.0.1][51190] -> [.62.109.224.120][..443] detected: [....55] [ip4][..tcp] [.......10.8.0.1][51190] -> [.62.109.224.120][..443] [TLS.Webex][VoIP][Acceptable] RISK: Obsolete TLS (v1.1 or older) diff --git a/test/results/flow-info/wechat.pcap.out b/test/results/flow-info/wechat.pcap.out index da440c010..68bc9f13d 100644 --- a/test/results/flow-info/wechat.pcap.out +++ b/test/results/flow-info/wechat.pcap.out @@ -41,14 +41,15 @@ detection-update: [....17] [ip4][..tcp] [..192.168.1.103][54090] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detected: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] analyse: [....16] [ip4][..tcp] [..192.168.1.103][54089] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.411| 0.155| 0.181|32640.860| 0.000] - [PKTLEN......: 66.000| 5892.000| 729.500| 1101.200|1212669.500| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.411| 0.155| 0.181| 32640.860| 3.800] + [PKTLEN......: 52.000| 5878.000| 715.500| 1101.200| 1212669.600| 3.900] [BINS(c->s)..: 9,0,0,1,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,1,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,1,0,1,0] [IATS(ms)....: 361.6,361.6,0.4,378.1,3.6,381.3,56.9,56.9,0.3,0.3,2.7,376.6,375.0,3.3,373.8,38.3,2.8,410.6,21.2,3.3,393.4,30.9,401.1,383.7,0.8,383.1,2.9,2.9,5.8,1.1,1.1] - [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,233,66,1239,443,66,264,1154,1494,1494,66,1494,1494,66,5892,66] + [PKTLENS.....: 60,60,52,290,52,1480,52,1480,52,312,52,178,103,1292,527,52,1480,219,52,1225,429,52,250,1140,1480,1480,52,1480,1480,52,5878,52] + [ENTROPIES...: 4.7,5.2,5.0,5.8,5.2,6.8,5.0,7.5,5.0,7.3,5.0,6.3,5.8,7.8,7.6,5.1,7.9,7.0,5.0,7.8,7.4,5.2,7.1,7.8,7.9,7.9,4.9,7.9,7.9,5.0,8.0,5.1] detection-update: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detection-update: [....18] [ip4][..tcp] [..192.168.1.103][54091] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detected: [.....6] [ip4][..tcp] [..192.168.1.103][47627] -> [..216.58.205.78][..443] [TLS.Google][Web][Acceptable] @@ -73,32 +74,35 @@ detection-update: [....24] [ip4][..tcp] [..192.168.1.103][54096] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] new: [....25] [ip4][..tcp] [..192.168.1.103][40740] -> [203.205.151.211][..443] [MIDSTREAM] analyse: [....22] [ip4][..tcp] [..192.168.1.103][54094] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 4.544| 0.482| 1.044|1090167.570| 0.000] - [PKTLEN......: 66.000| 1754.000| 537.200| 556.000|309130.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 4.544| 0.482| 1.044| 1090167.570| 3.200] + [PKTLEN......: 52.000| 1740.000| 523.200| 556.000| 309130.700| 4.200] [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0] [IATS(ms)....: 359.2,359.3,0.4,360.6,1.9,362.1,0.5,0.5,3.6,359.7,357.1,3.3,369.2,32.8,2.8,400.5,15.0,3.3,382.0,38.0,403.1,2.4,369.1,37.0,438.8,4139.7,3.3,4544.3,34.1,398.8,1152.6] - [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,235,66,1239,443,66,264,1306,541,66,1002,66,1306,541,66,1003,66,1234] + [PKTLENS.....: 60,60,52,290,52,1480,52,1740,52,178,103,1292,527,52,1480,221,52,1225,429,52,250,1292,527,52,988,52,1292,527,52,989,52,1220] + [ENTROPIES...: 4.6,5.1,5.0,5.9,5.1,6.8,5.1,7.6,5.0,6.3,6.0,7.8,7.5,5.2,7.9,7.1,5.1,7.8,7.4,5.2,7.1,7.8,7.5,5.2,7.8,5.0,7.9,7.6,5.2,7.8,5.0,7.9] analyse: [....23] [ip4][..tcp] [..192.168.1.103][54095] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.384| 0.466| 0.827|684250.497| 0.000] - [PKTLEN......: 66.000| 8291.000| 760.100| 1463.300|2141136.500| 3.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.384| 0.466| 0.827| 684250.497| 3.400] + [PKTLEN......: 52.000| 8277.000| 746.100| 1463.300| 2141136.500| 3.600] [BINS(c->s)..: 9,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,1] [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,0,0,1,1,0,0,1,1,0,0,0] [IATS(ms)....: 353.8,353.8,953.1,1178.1,225.0,127.7,4.4,132.2,0.5,0.4,0.6,0.6,1.5,362.2,361.1,371.0,4.6,375.1,3.3,3.3,3017.9,3.3,3383.9,31.2,409.0,7.4,382.2,34.6,434.3,1926.0,3.4] - [PKTLENS.....: 74,74,66,304,74,66,66,1494,66,1494,66,326,66,192,117,1153,1494,1494,66,8291,66,1306,541,66,1377,1239,443,66,264,66,1306,541] + [PKTLENS.....: 60,60,52,290,60,52,52,1480,52,1480,52,312,52,178,103,1139,1480,1480,52,8277,52,1292,527,52,1363,1225,429,52,250,52,1292,527] + [ENTROPIES...: 4.7,5.2,5.0,5.9,5.2,5.0,5.2,6.8,5.0,7.5,5.0,7.2,5.0,6.4,6.0,7.8,7.9,7.9,5.0,8.0,5.0,7.8,7.6,5.1,7.9,7.8,7.5,5.1,7.0,5.0,7.8,7.5] analyse: [....13] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54058] [TLS][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 11.774| 2.195| 3.338|11139408.724| 0.000] - [PKTLEN......: 66.000| 1254.000| 412.500| 492.500|242574.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 11.774| 2.195| 3.338| 11139408.724| 3.800] + [PKTLEN......: 52.000| 1240.000| 398.500| 492.500| 242574.800| 4.000] [BINS(c->s)..: 8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0] [IATS(ms)....: 0.1,1713.3,2033.8,5.9,326.4,805.5,1165.4,11414.5,11774.4,393.6,716.6,9325.0,9648.0,1906.3,2225.8,6.4,325.8,425.7,784.5,2983.4,3342.3,487.8,806.7,9.2,328.1,421.5,782.1,1181.7,1542.3,420.6,740.0] - [PKTLENS.....: 264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66] + [PKTLENS.....: 250,52,1240,52,250,52,1240,52,250,52,1240,52,250,52,1240,52,250,52,1240,52,250,52,1240,52,250,52,1240,52,250,52,1240,52] + [ENTROPIES...: 7.2,5.1,7.8,5.2,7.1,5.0,7.8,5.1,7.1,5.1,7.8,5.1,7.2,5.2,7.8,5.1,7.1,5.0,7.8,5.1,7.0,5.1,7.8,5.1,7.1,5.1,7.8,5.1,7.0,5.1,7.9,5.1] update: [.....3] [ip6][..udp] [..............fe80::7a92:9cff:fe0f:a88e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] update: [.....2] [ip4][..udp] [..192.168.1.103][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] update: [.....4] [ip4][..udp] [..192.168.1.103][53734] -> [..192.168.1.254][...53] [DNS.Google][Web][Acceptable] @@ -116,32 +120,35 @@ detection-update: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detection-update: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] analyse: [....26] [ip4][..tcp] [..192.168.1.103][54097] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 6.862| 1.014| 1.948|3793749.017| 0.000] - [PKTLEN......: 66.000| 1754.000| 510.000| 523.800|274414.800| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 6.862| 1.014| 1.948| 3793749.017| 3.100] + [PKTLEN......: 52.000| 1740.000| 496.000| 523.800| 274414.800| 4.200] [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0] [IATS(ms)....: 362.7,362.7,0.7,359.8,0.7,359.7,1.8,1.8,3.2,360.0,358.1,7.2,373.9,64.6,431.4,4.5,369.6,40.0,442.3,4042.2,3.3,4448.9,74.4,439.2,6493.5,3.3,6862.2,32.1,397.5,4719.1,3.2] - [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1234,535,66,297,1306,541,66,1002,66,1234,525,66,297,66,1306,541,66,1003,66,1234,530] + [PKTLENS.....: 60,60,52,290,52,1480,52,1740,52,178,103,1220,521,52,283,1292,527,52,988,52,1220,511,52,283,52,1292,527,52,989,52,1220,516] + [ENTROPIES...: 4.7,5.2,5.1,5.9,5.1,6.8,5.0,7.6,4.9,6.4,6.0,7.8,7.6,5.1,7.2,7.8,7.6,5.0,7.8,5.1,7.8,7.5,4.9,7.2,5.0,7.8,7.6,5.2,7.8,5.0,7.8,7.5] analyse: [....27] [ip4][..tcp] [..192.168.1.103][54098] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.001| 6.095| 1.335| 2.042|4168801.845| 0.000] - [PKTLEN......: 66.000| 1754.000| 451.700| 521.000|271486.500| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.001| 6.095| 1.335| 2.042| 4168801.845| 3.500] + [PKTLEN......: 52.000| 1740.000| 437.700| 521.000| 271486.500| 4.100] [BINS(c->s)..: 9,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1] [DIRECTIONS..: 0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1] [IATS(ms)....: 346.8,346.9,899.5,1092.8,193.2,160.5,1.8,162.3,0.6,0.5,2.9,351.9,387.2,4178.9,3.3,4577.7,29.2,386.6,5733.7,3.7,6095.0,83.0,440.7,5485.5,3.3,5845.9,30.2,387.3,1889.1,2.7,2250.0] - [PKTLENS.....: 74,74,66,304,74,66,66,1494,66,1754,66,192,117,66,1306,541,66,1003,66,1234,522,66,297,66,1306,541,66,1003,66,1234,527,66] + [PKTLENS.....: 60,60,52,290,60,52,52,1480,52,1740,52,178,103,52,1292,527,52,989,52,1220,508,52,283,52,1292,527,52,989,52,1220,513,52] + [ENTROPIES...: 4.8,5.2,5.0,5.9,5.3,5.1,5.1,6.8,5.0,7.6,4.9,6.4,5.9,5.0,7.8,7.6,5.0,7.8,5.0,7.8,7.6,5.1,7.2,5.1,7.8,7.5,5.1,7.8,5.1,7.8,7.6,5.1] analyse: [.....5] [ip4][..tcp] [..192.168.1.103][38657] -> [..172.217.22.14][..443] [TLS.Google][Web][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 45.056| 5.827| 15.097|227916113.773| 0.000] - [PKTLEN......: 66.000| 1484.000| 267.200| 422.200|178253.900| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 45.056| 5.827| 15.097| 227916113.773| 2.000] + [PKTLEN......: 52.000| 1470.000| 253.200| 422.200| 178253.900| 3.700] [BINS(c->s)..: 10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 8,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,1,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1] [IATS(ms)....: 48.2,48.2,0.2,52.5,0.7,53.0,2.4,2.4,0.5,0.5,4.5,7.9,13.6,51.2,2.8,0.1,28.0,0.3,26.1,2.8,10.1,38.9,0.4,0.8,0.2,45.4,2.8,45043.9,45047.5,45056.0,45052.9] - [PKTLENS.....: 74,74,66,288,66,1484,66,1484,66,1442,66,151,111,895,336,114,100,66,96,66,96,572,66,104,104,100,66,66,66,66,66,66] + [PKTLENS.....: 60,60,52,274,52,1470,52,1470,52,1428,52,137,97,881,322,100,86,52,82,52,82,558,52,90,90,86,52,52,52,52,52,52] + [ENTROPIES...: 4.6,5.3,4.9,5.7,5.0,6.4,4.9,7.1,4.9,7.4,4.9,6.1,5.9,7.7,7.1,6.0,5.8,4.9,5.7,5.0,5.6,7.6,4.9,5.9,5.7,5.6,5.0,5.0,4.9,5.0,4.9,5.0] new: [....28] [ip4][....2] [..192.168.1.254] -> [......224.0.0.1] detected: [....28] [ip4][....2] [..192.168.1.254] -> [......224.0.0.1] [IGMP][Network][Acceptable] new: [....29] [ip4][....2] [..192.168.1.100] -> [.....224.0.0.22] @@ -176,36 +183,39 @@ detection-update: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] new: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] analyse: [....31] [ip4][..tcp] [..192.168.1.103][54099] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.469| 0.183| 0.190|36094.243| 0.000] - [PKTLEN......: 66.000| 1754.000| 605.500| 612.000|374517.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.469| 0.183| 0.190| 36094.243| 4.000] + [PKTLEN......: 52.000| 1740.000| 591.500| 612.000| 374517.100| 4.200] [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,1,1,0,1,1,0] [IATS(ms)....: 366.1,366.2,0.5,368.6,0.8,368.9,8.2,8.2,3.1,367.9,365.6,3.2,378.7,92.7,2.0,469.4,27.8,1.7,407.1,30.0,408.6,3.8,397.8,10.9,404.7,396.0,0.8,396.2,0.5,1.2,1.8] - [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,344,66,1239,443,66,264,1239,443,66,264,1154,1494,1494,66,1494,1494,66] + [PKTLENS.....: 60,60,52,290,52,1480,52,1740,52,178,103,1292,527,52,1480,330,52,1225,429,52,250,1225,429,52,250,1140,1480,1480,52,1480,1480,52] + [ENTROPIES...: 4.7,5.1,4.8,5.8,5.2,6.8,5.1,7.6,5.0,6.2,6.0,7.8,7.5,5.1,7.9,7.3,5.0,7.8,7.4,5.0,7.0,7.8,7.4,5.1,7.1,7.8,7.9,7.8,4.9,7.9,7.9,5.0] detected: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detection-update: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] detection-update: [....36] [ip4][..tcp] [..192.168.1.103][54104] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] analyse: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.647| 0.130| 0.182|33080.510| 0.000] - [PKTLEN......: 66.000| 3134.000| 831.600| 861.600|742326.200| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.647| 0.130| 0.182| 33080.510| 3.500] + [PKTLEN......: 52.000| 3120.000| 817.600| 861.600| 742326.200| 4.200] [BINS(c->s)..: 11,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,2] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,1,1,0,1,1,0,1] [IATS(ms)....: 360.8,360.9,1.1,320.2,2.0,321.1,0.8,0.8,0.5,0.5,2.5,331.8,329.8,339.6,0.8,339.8,0.5,4.5,5.1,2.5,2.5,1.1,1.1,271.4,646.7,0.8,376.1,0.5,0.9,1.5,0.5] - [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1154,1494,1494,66,1494,1494,66,2922,66,3134,66,1154,1494,1494,66,1494,1494,66,1494] + [PKTLENS.....: 60,60,52,290,52,1480,52,1480,52,312,52,178,103,1140,1480,1480,52,1480,1480,52,2908,52,3120,52,1140,1480,1480,52,1480,1480,52,1480] + [ENTROPIES...: 4.7,5.2,5.0,5.9,5.1,6.8,5.1,7.5,5.0,7.3,5.0,6.4,5.8,7.9,7.9,7.9,5.1,7.9,7.9,5.0,7.9,5.0,7.9,5.0,7.8,7.9,7.9,5.0,7.9,7.9,5.1,7.9] detection-update: [....35] [ip4][..tcp] [..192.168.1.103][54103] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] analyse: [....33] [ip4][..tcp] [..192.168.1.103][54101] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.952| 0.213| 0.233|54375.543| 0.000] - [PKTLEN......: 66.000| 1754.000| 557.300| 599.100|358890.200| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.952| 0.213| 0.233| 54375.543| 4.000] + [PKTLEN......: 52.000| 1740.000| 543.300| 599.100| 358890.200| 4.100] [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,1,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,1,0,0,1,0,1,0,1] [IATS(ms)....: 378.9,379.0,0.4,354.0,2.4,356.0,2.8,2.8,1.0,367.4,367.3,4.4,365.8,31.1,394.9,3.2,367.9,55.9,2.8,420.1,17.9,0.8,381.3,34.8,434.3,543.1,951.7,371.6,0.5,0.5,1.3] - [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1239,443,66,264,1306,541,66,1494,230,66,1239,443,66,264,66,1154,1494,66,1494,66,1494] + [PKTLENS.....: 60,60,52,290,52,1480,52,1740,52,178,103,1225,429,52,250,1292,527,52,1480,216,52,1225,429,52,250,52,1140,1480,52,1480,52,1480] + [ENTROPIES...: 4.7,5.2,5.1,5.9,5.1,6.8,5.0,7.6,5.0,6.4,6.1,7.8,7.4,5.1,7.1,7.8,7.6,5.1,7.9,7.0,5.0,7.8,7.4,5.1,7.1,5.0,7.8,7.9,5.1,7.9,5.1,7.9] guessed: [.....1] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54084] [TLS][Web][Safe] end: [.....1] [ip4][..tcp] [203.205.151.162][..443] -> [..192.168.1.103][54084] guessed: [....15] [ip4][..tcp] [..192.168.1.103][54085] -> [203.205.151.162][..443] [TLS][Web][Safe] @@ -262,14 +272,15 @@ new: [....46] [ip4][..tcp] [..192.168.1.103][43851] -> [.203.205.158.34][..443] detected: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443] [TLS.QQ][Chat][Fun] analyse: [....42] [ip4][..tcp] [..192.168.1.103][54113] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 6.615| 0.560| 1.552|2408711.979| 0.000] - [PKTLEN......: 66.000| 1494.000| 492.200| 547.100|299293.400| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 6.615| 0.560| 1.552| 2408711.979| 2.600] + [PKTLEN......: 52.000| 1480.000| 478.200| 547.100| 299293.400| 4.100] [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,1,1,0,0,1,1] [IATS(ms)....: 315.2,315.3,0.4,318.4,1.9,319.8,0.5,0.5,1.1,1.1,2.6,316.6,315.1,4.6,327.3,29.7,2.7,353.9,21.7,4.6,350.0,32.2,392.6,18.0,3.3,380.6,36.9,359.5,6259.0,6615.4,265.6] - [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,264,66,1306,541,66,1003,66,1127,66,1494] + [PKTLENS.....: 60,60,52,290,52,1480,52,1480,52,312,52,178,103,1292,527,52,1480,112,52,1225,429,52,250,52,1292,527,52,989,52,1113,52,1480] + [ENTROPIES...: 4.7,5.2,5.0,5.9,5.2,6.8,5.1,7.5,5.1,7.3,5.1,6.3,6.0,7.8,7.6,5.1,7.9,6.3,5.0,7.8,7.4,5.1,7.0,5.0,7.8,7.6,5.2,7.8,5.1,7.8,5.1,7.9] detection-update: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443] [TLS.QQ][Chat][Fun] RISK: Weak TLS Cipher detection-update: [....45] [ip4][..tcp] [..192.168.1.103][43850] -> [.203.205.158.34][..443] [TLS.QQ][Chat][Fun] @@ -296,32 +307,35 @@ update: [....47] [ip4][..udp] [..192.168.1.103][60562] -> [..192.168.1.254][...53] [DNS.Google][Web][Acceptable] update: [....48] [ip4][..udp] [..192.168.1.103][35601] -> [..172.217.23.67][..443] [QUIC.Google][Web][Acceptable] analyse: [....50] [ip4][..tcp] [..192.168.1.103][54117] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 7.807| 0.648| 1.839|3381034.746| 0.000] - [PKTLEN......: 66.000| 1494.000| 459.300| 494.600|244586.200| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 7.807| 0.648| 1.839| 3381034.746| 2.500] + [PKTLEN......: 52.000| 1480.000| 445.300| 494.600| 244586.200| 4.200] [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0] [IATS(ms)....: 325.2,325.3,0.5,328.0,0.7,328.2,0.4,0.4,3.9,3.9,2.7,325.9,324.6,3.2,337.6,77.1,411.9,3.8,340.3,28.0,402.7,7430.7,3.8,7807.0,79.9,412.5,2.9,0.4,340.1,30.3,405.8] - [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1234,538,66,297,1306,541,66,1002,66,1234,533,66,297,66,1306,541,66,1003,66] + [PKTLENS.....: 60,60,52,290,52,1480,52,1480,52,312,52,178,103,1220,524,52,283,1292,527,52,988,52,1220,519,52,283,52,1292,527,52,989,52] + [ENTROPIES...: 4.7,5.2,4.9,5.8,5.1,6.8,5.0,7.5,5.1,7.2,5.0,6.4,5.9,7.8,7.5,5.1,7.2,7.8,7.6,5.1,7.8,5.0,7.8,7.5,5.1,7.1,5.1,7.8,7.5,5.1,7.8,5.0] analyse: [.....2] [ip4][..udp] [..192.168.1.103][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 183.801| 12.094| 33.303|1109122757.951| 0.000] - [PKTLEN......: 82.000| 82.000| 82.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 183.801| 12.094| 33.303| 1109122757.951| 2.600] + [PKTLEN......: 68.000| 68.000| 68.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 0.3,1000.4,2000.4,14687.4,0.3,1000.2,2000.4,21831.6,0.4,1000.5,2000.8,26318.9,0.4,1000.3,2000.5,41917.2,0.4,1000.2,2000.7,183800.6,0.4,1000.9,2001.0,33299.7,0.4,1000.7,2000.5,29037.0,0.3,1000.2,2000.7] - [PKTLENS.....: 82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82] + [PKTLENS.....: 68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68] + [ENTROPIES...: 4.3,4.3,4.3,4.2,4.3,4.3,4.3,4.3,4.3,4.3,4.3,4.3,4.2,4.2,4.2,4.3,4.3,4.3,4.2,4.3,4.3,4.2,4.2,4.3,4.3,4.3,4.3,4.3,4.3,4.3,4.2,4.2] analyse: [.....3] [ip6][..udp] [..............fe80::7a92:9cff:fe0f:a88e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 183.800| 12.094| 33.303|1109120811.794| 0.000] - [PKTLEN......: 102.000| 102.000| 102.000| 0.000| 0.000| 5.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 183.800| 12.094| 33.303| 1109120811.794| 2.600] + [PKTLEN......: 88.000| 88.000| 88.000| 0.000| 0.000| 5.000] [BINS(c->s)..: 0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 0.3,1000.4,2000.4,14687.4,0.3,1000.3,2000.4,21831.5,0.4,1000.6,2000.8,26318.9,0.4,1000.4,2000.5,41917.1,0.3,1000.2,2000.8,183800.4,0.3,1001.0,2001.0,33299.7,0.4,1000.7,2000.5,29036.9,0.3,1000.3,2000.7] - [PKTLENS.....: 102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102] + [PKTLENS.....: 88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88] + [ENTROPIES...: 3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8,3.8] new: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> [203.205.151.162][..443] new: [....53] [ip4][..tcp] [..192.168.1.103][54120] -> [203.205.151.162][..443] detected: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] @@ -335,14 +349,15 @@ RISK: Unsafe Protocol update: [.....2] [ip4][..udp] [..192.168.1.103][.5353] -> [....224.0.0.251][.5353] [MDNS][Network][Acceptable] analyse: [....52] [ip4][..tcp] [..192.168.1.103][54119] -> [203.205.151.162][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 7.133| 0.619| 1.664|2769657.004| 0.000] - [PKTLEN......: 66.000| 1494.000| 492.200| 547.100|299307.700| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 7.133| 0.619| 1.664| 2769657.004| 2.700] + [PKTLEN......: 52.000| 1480.000| 478.200| 547.100| 299307.700| 4.100] [BINS(c->s)..: 8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,1,1,0] [IATS(ms)....: 356.2,356.2,0.4,353.3,0.7,353.6,0.7,0.7,0.3,0.3,2.4,365.6,364.5,5.6,381.3,26.7,2.8,403.9,13.5,5.0,378.8,57.2,418.9,4.2,370.5,28.2,433.2,6695.6,7132.7,143.5,540.7] - [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,263,1306,541,66,1003,66,1127,66,1494,66] + [PKTLENS.....: 60,60,52,290,52,1480,52,1480,52,312,52,178,103,1292,527,52,1480,112,52,1225,429,52,249,1292,527,52,989,52,1113,52,1480,52] + [ENTROPIES...: 4.6,5.1,4.8,5.8,5.0,6.8,5.0,7.5,4.9,7.2,4.9,6.3,5.9,7.8,7.5,5.1,7.9,6.2,4.8,7.8,7.5,5.1,7.1,7.8,7.6,5.1,7.8,4.9,7.8,5.0,7.9,4.9] guessed: [....37] [ip4][..tcp] [..192.168.1.103][54109] -> [203.205.151.162][..443] [TLS][Web][Safe] end: [....37] [ip4][..tcp] [..192.168.1.103][54109] -> [203.205.151.162][..443] guessed: [....38] [ip4][..tcp] [..192.168.1.103][54110] -> [203.205.151.162][..443] [TLS][Web][Safe] @@ -367,14 +382,15 @@ detection-update: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] detection-update: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] analyse: [....57] [ip4][..tcp] [..192.168.1.103][58038] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 2.509| 0.286| 0.565|319614.583| 0.000] - [PKTLEN......: 66.000| 1754.000| 551.900| 561.400|315202.600| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 2.509| 0.286| 0.565| 319614.583| 3.400] + [PKTLEN......: 52.000| 1740.000| 537.900| 561.400| 315202.600| 4.200] [BINS(c->s)..: 7,0,0,1,0,0,0,1,0,0,0,2,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0] [IATS(ms)....: 266.6,266.7,0.4,272.2,1.3,273.1,0.6,0.6,2.9,271.8,269.6,3.2,281.4,29.7,327.6,3.2,299.6,37.4,350.9,50.9,3.2,368.6,30.2,307.1,2227.6,3.2,2508.5,50.9,328.7,16.1,3.1] - [PKTLENS.....: 74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1371,1239,443,66,264,66,1306,541,66,1004,66,1306,541,66,1381,66,1239,443] + [PKTLENS.....: 60,60,52,290,52,1480,52,1740,52,178,103,1292,527,52,1357,1225,429,52,250,52,1292,527,52,990,52,1292,527,52,1367,52,1225,429] + [ENTROPIES...: 4.7,5.3,5.1,5.9,5.1,6.8,5.0,7.6,5.0,6.3,5.9,7.8,7.5,5.1,7.8,7.8,7.4,5.1,7.1,5.0,7.8,7.6,5.1,7.8,4.9,7.8,7.6,5.1,7.9,4.9,7.8,7.4] guessed: [....41] [ip4][..tcp] [..192.168.1.103][54106] -> [203.205.151.162][..443] [TLS][Web][Safe] end: [....41] [ip4][..tcp] [..192.168.1.103][54106] -> [203.205.151.162][..443] update: [.....3] [ip6][..udp] [..............fe80::7a92:9cff:fe0f:a88e][.5353] -> [...............................ff02::fb][.5353] [MDNS][Network][Acceptable] @@ -444,14 +460,15 @@ detection-update: [....72] [ip4][..tcp] [..192.168.1.103][58040] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] detection-update: [....72] [ip4][..tcp] [..192.168.1.103][58040] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] analyse: [....72] [ip4][..tcp] [..192.168.1.103][58040] -> [203.205.147.171][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.577| 0.182| 0.352|123851.137| 0.000] - [PKTLEN......: 66.000| 1494.000| 559.600| 599.000|358844.300| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.577| 0.182| 0.352| 123851.137| 3.200] + [PKTLEN......: 52.000| 1480.000| 545.600| 599.000| 358844.300| 4.100] [BINS(c->s)..: 7,0,0,1,0,0,0,1,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,1,0,0,0,0,0,5,0,0,0] [BINS(s->c)..: 6,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,0,0] [IATS(ms)....: 268.3,268.4,0.5,270.4,0.8,270.7,0.4,0.4,1.0,1.0,2.8,273.1,271.4,0.2,0.0,0.0,0.0,0.0,1.2,289.4,22.8,22.4,9.7,380.7,1255.6,5.0,1577.0,73.3,351.0,6.0,3.3] - [PKTLENS.....: 74,74,66,304,66,1494,66,1494,66,326,66,192,117,1246,1494,1494,1494,1494,1494,329,66,66,66,157,66,1234,527,66,297,66,1306,541] + [PKTLENS.....: 60,60,52,290,52,1480,52,1480,52,312,52,178,103,1232,1480,1480,1480,1480,1480,315,52,52,52,143,52,1220,513,52,283,52,1292,527] + [ENTROPIES...: 4.7,5.2,4.9,5.8,5.0,6.8,4.8,7.5,4.8,7.2,4.9,6.3,5.9,7.8,7.9,7.9,7.9,7.9,7.9,7.2,5.0,4.8,4.9,6.4,5.0,7.8,7.5,5.1,7.2,4.9,7.8,7.5] detection-update: [....72] [ip4][..tcp] [..192.168.1.103][58040] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] detected: [....73] [ip4][..tcp] [..192.168.1.103][58041] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] detection-update: [....73] [ip4][..tcp] [..192.168.1.103][58041] -> [203.205.147.171][..443] [TLS.WeChat][Chat][Fun] diff --git a/test/results/flow-info/weibo.pcap.out b/test/results/flow-info/weibo.pcap.out index 1dde002ab..4ab19300c 100644 --- a/test/results/flow-info/weibo.pcap.out +++ b/test/results/flow-info/weibo.pcap.out @@ -23,14 +23,15 @@ new: [....14] [ip4][..tcp] [..192.168.1.105][34699] -> [..216.58.212.65][..443] [MIDSTREAM] detection-update: [....11] [ip4][..tcp] [..192.168.1.105][51698] -> [.93.188.134.137][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] analyse: [....11] [ip4][..tcp] [..192.168.1.105][51698] -> [.93.188.134.137][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.482| 0.042| 0.114|12948.299| 0.000] - [PKTLEN......: 66.000| 2938.000| 462.100| 693.400|480801.900| 3.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.482| 0.042| 0.114| 12948.299| 2.500] + [PKTLEN......: 52.000| 2924.000| 448.100| 693.400| 480801.900| 3.700] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 29.2,29.2,0.3,28.2,454.5,482.4,0.1,0.1,13.2,13.2,0.1,0.0,0.0,0.0,8.4,8.4,0.1,0.1,0.0,0.0,0.0,0.0,0.0,0.0,15.4,15.4,68.3,68.3,0.1,0.0,54.8] - [PKTLENS.....: 74,74,66,516,66,71,78,1502,78,1502,78,68,86,1078,78,72,78,2938,78,294,86,68,86,1502,78,819,66,72,66,1502,66,1502] + [PKTLENS.....: 60,60,52,502,52,57,64,1488,64,1488,64,54,72,1064,64,58,64,2924,64,280,72,54,72,1488,64,805,52,58,52,1488,52,1488] + [ENTROPIES...: 4.7,5.2,5.0,5.9,5.1,5.1,5.1,7.9,5.1,7.9,5.1,5.1,5.1,7.8,5.1,5.2,5.1,7.9,5.1,7.2,5.1,5.1,5.2,7.8,5.1,5.8,5.1,5.2,5.0,7.9,4.9,7.9] new: [....15] [ip4][..udp] [..192.168.1.105][53543] -> [....192.168.1.1][...53] detected: [....15] [ip4][..udp] [..192.168.1.105][53543] -> [....192.168.1.1][...53] [DNS.Sina(Weibo)][SocialNetwork][Fun] detection-update: [....15] [ip4][..udp] [..192.168.1.105][53543] -> [....192.168.1.1][...53] [DNS.Sina(Weibo)][SocialNetwork][Fun] @@ -44,23 +45,25 @@ new: [....19] [ip4][..udp] [..192.168.1.105][41352] -> [....192.168.1.1][...53] detected: [....19] [ip4][..udp] [..192.168.1.105][41352] -> [....192.168.1.1][...53] [DNS.Sina(Weibo)][SocialNetwork][Fun] analyse: [....17] [ip4][..tcp] [..192.168.1.105][35804] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.314| 0.038| 0.072| 5116.345| 0.000] - [PKTLEN......: 66.000| 2938.000| 710.700| 831.300|691142.800| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.314| 0.038| 0.072| 5116.345| 3.500] + [PKTLEN......: 52.000| 2924.000| 696.700| 831.300| 691142.800| 4.000] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,2] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 26.8,26.8,0.2,31.4,283.1,314.3,2.6,2.6,16.7,16.7,12.8,12.8,0.1,0.0,45.7,45.8,5.1,5.0,71.0,71.0,5.5,5.5,32.3,32.3,43.0,43.0,3.2,3.2,2.5,2.5,2.8] - [PKTLENS.....: 74,74,66,498,66,580,66,1502,66,2938,66,1502,66,1078,78,1502,66,893,66,580,78,2938,78,1502,78,1502,78,1502,78,1502,78,1502] + [PKTLENS.....: 60,60,52,484,52,566,52,1488,52,2924,52,1488,52,1064,64,1488,52,879,52,566,64,2924,64,1488,64,1488,64,1488,64,1488,64,1488] + [ENTROPIES...: 4.6,5.2,5.0,5.9,5.2,5.7,4.9,7.8,4.9,7.9,5.0,7.9,4.9,7.8,5.0,7.9,4.9,7.7,5.0,5.7,5.0,7.9,5.0,7.8,5.1,7.9,5.1,7.9,5.1,7.9,5.0,7.9] analyse: [....16] [ip4][..tcp] [..192.168.1.105][35803] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.401| 0.041| 0.093| 8612.838| 0.000] - [PKTLEN......: 66.000| 4374.000| 847.800| 1162.900|1352437.000| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.401| 0.041| 0.093| 8612.838| 3.200] + [PKTLEN......: 52.000| 4360.000| 833.800| 1162.900| 1352437.000| 3.800] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,3] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 26.7,26.8,0.2,28.2,372.4,400.5,6.7,6.7,6.6,6.6,15.5,15.5,6.6,6.6,9.2,9.2,23.4,23.4,49.3,49.3,71.7,71.7,3.3,3.3,2.9,2.9,2.8,2.8,5.5,5.5,3.7] - [PKTLENS.....: 74,74,66,486,66,581,66,1502,66,4374,66,1502,66,4374,66,2938,66,581,78,581,78,1502,66,1502,66,1502,78,1502,78,1502,78,1502] + [PKTLENS.....: 60,60,52,472,52,567,52,1488,52,4360,52,1488,52,4360,52,2924,52,567,64,567,64,1488,52,1488,52,1488,64,1488,64,1488,64,1488] + [ENTROPIES...: 4.6,5.1,4.9,5.9,5.0,5.7,4.8,7.8,4.9,8.0,4.9,7.9,4.8,8.0,4.9,7.9,4.9,5.7,5.0,5.7,5.0,7.9,4.9,7.9,4.9,7.9,5.0,7.9,5.0,7.9,5.0,7.8] new: [....20] [ip4][..udp] [..192.168.1.105][18035] -> [....192.168.1.1][...53] detected: [....20] [ip4][..udp] [..192.168.1.105][18035] -> [....192.168.1.1][...53] [DNS.Sina(Weibo)][SocialNetwork][Fun] new: [....21] [ip4][..udp] [..192.168.1.105][50640] -> [....192.168.1.1][...53] @@ -109,32 +112,35 @@ new: [....43] [ip4][..tcp] [..192.168.1.105][52274] -> [..42.156.184.19][..443] new: [....44] [ip4][..tcp] [..192.168.1.105][47723] -> [.140.205.170.63][..443] analyse: [....18] [ip4][..tcp] [..192.168.1.105][35805] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.439| 0.087| 0.119|14239.990| 0.000] - [PKTLEN......: 66.000| 1502.000| 528.000| 578.700|334896.400| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.439| 0.087| 0.119| 14239.990| 3.800] + [PKTLEN......: 52.000| 1488.000| 514.000| 578.700| 334896.400| 4.100] [BINS(c->s)..: 14,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 26.8,26.8,0.3,31.4,276.1,307.3,6.9,6.9,153.9,153.9,2.9,2.9,375.9,438.8,4.4,67.2,2.9,3.0,31.5,31.4,138.5,138.5,6.1,6.1,4.5,4.5,193.5,193.5,28.8,28.7,2.7] - [PKTLENS.....: 74,74,66,476,66,577,66,1026,66,577,78,1026,78,525,66,494,66,1502,66,494,78,1502,66,1502,66,1502,66,1502,78,1502,66,1502] + [PKTLENS.....: 60,60,52,462,52,563,52,1012,52,563,64,1012,64,511,52,480,52,1488,52,480,64,1488,52,1488,52,1488,52,1488,64,1488,52,1488] + [ENTROPIES...: 4.7,5.1,5.0,5.9,5.0,5.8,5.0,7.8,5.0,5.7,5.0,7.8,5.0,5.9,5.1,5.8,5.0,6.4,5.1,5.8,5.1,7.7,5.1,7.7,5.1,7.7,5.1,7.7,5.2,7.7,5.1,7.7] analyse: [....26] [ip4][..tcp] [..192.168.1.105][35807] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.184| 0.031| 0.055| 2983.622| 0.000] - [PKTLEN......: 66.000| 1502.000| 647.200| 674.000|454231.700| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.184| 0.031| 0.055| 2983.622| 3.400] + [PKTLEN......: 52.000| 1488.000| 633.200| 674.000| 454231.700| 4.100] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 62.2,62.2,0.1,161.1,22.7,183.7,5.7,5.7,2.6,2.5,10.5,10.6,5.2,5.3,3.2,3.2,2.5,2.4,5.5,5.5,2.9,2.9,2.6,2.6,4.8,4.8,162.1,162.1,26.3,26.3,3.1] - [PKTLENS.....: 74,74,66,550,66,493,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,493,78,1502,66,1502] + [PKTLENS.....: 60,60,52,536,52,479,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,479,64,1488,52,1488] + [ENTROPIES...: 4.7,5.2,5.0,5.8,5.1,5.8,5.0,7.8,5.0,7.8,5.1,7.7,5.1,7.7,5.1,7.8,5.0,7.6,5.1,7.9,5.1,7.8,5.1,7.9,5.0,7.8,5.1,5.8,5.1,7.9,5.0,7.8] analyse: [....28] [ip4][..tcp] [..192.168.1.105][35809] -> [.93.188.134.246][...80] [HTTP.Sina(Weibo)][SocialNetwork][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.252| 0.036| 0.056| 3089.619| 0.000] - [PKTLEN......: 66.000| 1502.000| 647.700| 673.800|454044.400| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.252| 0.036| 0.056| 3089.619| 3.800] + [PKTLEN......: 52.000| 1488.000| 633.700| 673.800| 454044.400| 4.100] [BINS(c->s)..: 15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 50.2,50.2,0.1,181.5,70.9,252.2,2.7,2.7,2.6,2.5,4.2,4.3,31.8,31.8,8.1,8.1,11.4,11.4,8.7,8.7,2.6,2.6,7.1,7.1,13.6,13.6,66.3,66.3,92.4,92.4,2.8] - [PKTLENS.....: 74,74,66,539,66,507,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,507,78,1502,66,1502] + [PKTLENS.....: 60,60,52,525,52,493,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,493,64,1488,52,1488] + [ENTROPIES...: 4.7,5.2,5.0,5.9,5.1,5.8,5.0,7.3,5.0,7.9,5.1,7.9,5.0,7.9,5.0,7.8,5.0,7.9,5.0,7.9,5.1,7.9,4.9,7.9,4.9,7.9,5.0,5.8,5.1,7.9,5.1,7.9] idle: [....30] [ip4][..tcp] [..192.168.1.105][42275] -> [...222.73.28.96][...80] guessed: [....37] [ip4][..tcp] [..192.168.1.105][42280] -> [...222.73.28.96][...80] [HTTP][Web][Acceptable] idle: [....37] [ip4][..tcp] [..192.168.1.105][42280] -> [...222.73.28.96][...80] diff --git a/test/results/flow-info/whatsapp_login_call.pcap.out b/test/results/flow-info/whatsapp_login_call.pcap.out index 6cbeecb72..3f868017e 100644 --- a/test/results/flow-info/whatsapp_login_call.pcap.out +++ b/test/results/flow-info/whatsapp_login_call.pcap.out @@ -30,39 +30,42 @@ detected: [....16] [ip4][..tcp] [....192.168.2.4][49193] -> [..17.110.229.14][.5223] [ApplePush][Cloud][Acceptable] detected: [....14] [ip4][..tcp] [....192.168.2.4][49202] -> [.184.173.179.37][.5222] [WhatsApp][Chat][Acceptable] analyse: [....13] [ip4][..tcp] [....192.168.2.4][49201] -> [..17.178.104.12][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.712| 0.120| 0.179|32210.293| 0.000] - [PKTLEN......: 54.000| 1494.000| 446.900| 595.100|354099.200| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.712| 0.120| 0.179| 32210.293| 3.400] + [PKTLEN......: 40.000| 1480.000| 432.900| 595.100| 354099.200| 3.800] [BINS(c->s)..: 9,1,0,2,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0] [BINS(s->c)..: 8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1] [IATS(ms)....: 281.8,283.2,8.7,294.4,1.1,0.0,286.0,0.8,0.5,0.6,39.8,0.2,0.3,326.4,1.4,0.4,3.0,289.9,5.8,0.5,0.0,317.5,1.9,68.9,0.6,382.6,405.2,0.7,0.0,712.5,2.0] - [PKTLENS.....: 78,66,54,244,1494,1494,585,54,54,54,54,321,60,91,54,54,54,97,54,1494,1494,167,54,54,1494,1210,54,1494,1494,167,54,54] + [PKTLENS.....: 64,52,40,230,1480,1480,571,40,40,40,40,307,46,77,40,40,40,83,40,1480,1480,153,40,40,1480,1196,40,1480,1480,153,40,40] + [ENTROPIES...: 4.5,4.9,4.7,5.6,7.2,7.4,6.9,4.9,4.9,4.9,4.8,7.2,4.8,5.7,4.8,4.8,4.8,5.8,4.9,7.9,7.9,6.7,4.7,4.7,7.9,7.8,4.9,7.9,7.8,6.7,4.8,4.8] detection-update: [....13] [ip4][..tcp] [....192.168.2.4][49201] -> [..17.178.104.12][..443] [TLS.Apple][Web][Safe] RISK: TLS (probably) Not Carrying HTTPS new: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] analyse: [....14] [ip4][..tcp] [....192.168.2.4][49202] -> [.184.173.179.37][.5222] [WhatsApp][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.709| 0.199| 0.171|29317.118| 0.000] - [PKTLEN......: 66.000| 267.000| 116.800| 60.800| 3698.600| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.709| 0.199| 0.171| 29317.118| 4.400] + [PKTLEN......: 52.000| 253.000| 102.800| 60.800| 3698.600| 4.800] [BINS(c->s)..: 9,0,2,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 4,10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,1,0] [IATS(ms)....: 153.9,242.2,244.8,708.1,709.4,35.6,213.2,0.3,145.7,325.0,262.8,250.3,148.2,98.4,249.4,163.4,164.5,351.1,174.0,178.0,0.0,178.3,0.3,171.7,0.0,302.7,0.3,301.9,0.0,204.0] - [PKTLENS.....: 78,74,66,66,232,144,87,66,66,267,98,85,87,66,241,98,66,132,98,198,98,98,200,66,99,99,266,66,99,99,99,132] + [PKTLENS.....: 64,60,52,52,218,130,73,52,52,253,84,71,73,52,227,84,52,118,84,184,84,84,186,52,85,85,252,52,85,85,85,118] + [ENTROPIES...: 4.5,5.3,5.3,5.1,6.6,6.2,5.4,5.2,5.2,7.1,5.8,5.8,5.7,5.2,7.1,5.8,5.2,6.3,5.8,6.8,5.8,5.7,6.8,5.3,5.9,5.9,7.0,5.3,5.9,5.8,5.8,6.3] detected: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe] RISK: TLS (probably) Not Carrying HTTPS detection-update: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [....17] [ip4][..tcp] [....192.168.2.4][49204] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.246| 0.057| 0.089| 7910.915| 0.000] - [PKTLEN......: 54.000| 1494.000| 303.300| 408.500|166890.900| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.246| 0.057| 0.089| 7910.915| 3.400] + [PKTLEN......: 40.000| 1480.000| 289.300| 408.500| 166890.900| 3.900] [BINS(c->s)..: 9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0] [IATS(ms)....: 139.3,206.5,8.2,215.7,0.1,2.7,195.5,0.8,0.3,0.0,1.9,0.3,2.1,191.6,2.4,13.1,3.7,6.4,14.7,0.0,200.9,0.3,63.3,0.3,2.2,246.3,5.3,14.9,0.0,241.0,0.2] - [PKTLENS.....: 78,66,54,281,54,146,91,54,54,60,91,1494,531,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54] + [PKTLENS.....: 64,52,40,267,40,132,77,40,40,46,77,1480,517,596,40,40,40,40,40,988,386,40,40,1480,526,596,40,40,988,386,40,40] + [ENTROPIES...: 4.5,4.8,4.7,6.0,4.7,6.0,5.7,4.9,4.9,4.7,5.6,7.8,7.6,7.6,4.8,4.8,4.7,4.8,4.7,7.8,7.4,4.8,4.8,7.9,7.6,7.6,4.6,4.7,7.8,7.5,4.8,4.8] new: [....18] [ip4][..tcp] [....192.168.2.4][49192] -> [...93.186.135.8][...80] [MIDSTREAM] new: [....19] [ip4][..tcp] [....192.168.2.4][49191] -> [..17.172.100.49][..443] [MIDSTREAM] new: [....20] [ip4][..tcp] [....192.168.2.4][49182] -> [..17.172.100.52][..443] [MIDSTREAM] @@ -100,14 +103,15 @@ detected: [....39] [ip4][..udp] [....192.168.2.4][51518] -> [..91.253.176.65][.9344] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....39] [ip4][..udp] [....192.168.2.4][51518] -> [..91.253.176.65][.9344] [STUN.WhatsAppCall][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.352| 0.131| 0.070| 4931.355| 0.000] - [PKTLEN......: 64.000| 351.000| 213.000| 98.800| 9763.600| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.352| 0.131| 0.070| 4931.355| 4.700] + [PKTLEN......: 50.000| 337.000| 199.000| 98.800| 9763.600| 4.800] [BINS(c->s)..: 1,2,1,1,0,1,1,1,7,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,2,3,1,1,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,1,0,0,1,0,1,0,0,1,1,0,1,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1] [IATS(ms)....: 85.5,95.2,66.1,60.4,102.7,208.4,184.1,159.6,139.1,188.5,352.4,23.4,152.9,55.1,31.1,91.6,0.1,141.2,0.0,163.2,159.2,188.6,161.9,163.6,162.1,156.8,164.9,143.2,181.6,163.3,123.9] - [PKTLENS.....: 86,86,342,86,86,315,225,311,248,315,220,148,64,249,199,148,137,68,260,68,274,134,351,117,315,117,319,243,320,331,329,305] + [PKTLENS.....: 72,72,328,72,72,301,211,297,234,301,206,134,50,235,185,134,123,54,246,54,260,120,337,103,301,103,305,229,306,317,315,291] + [ENTROPIES...: 5.6,5.7,7.3,5.6,5.6,7.3,6.9,7.2,7.0,7.3,6.9,6.5,5.1,7.0,6.8,6.4,6.4,5.2,7.1,5.1,7.1,6.4,7.3,6.1,7.4,6.1,7.3,7.0,7.3,7.3,7.3,7.2] new: [....40] [ip4][.icmp] [....192.168.2.4] -> [..91.253.176.65] detected: [....40] [ip4][.icmp] [....192.168.2.4] -> [..91.253.176.65] [ICMP][Network][Acceptable] new: [....41] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] @@ -159,14 +163,15 @@ detected: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port analyse: [....55] [ip4][..udp] [....192.168.2.4][52794] -> [..91.253.176.65][.9665] [STUN.WhatsAppCall][VoIP][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.307| 0.114| 0.086| 7398.241| 0.000] - [PKTLEN......: 68.000| 320.000| 155.000| 58.800| 3453.300| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.307| 0.114| 0.086| 7398.241| 4.500] + [PKTLEN......: 54.000| 306.000| 141.000| 58.800| 3453.300| 4.900] [BINS(c->s)..: 1,3,0,6,3,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,2,2,3,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,1,1,0,0,1,0,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0] [IATS(ms)....: 304.3,307.4,8.4,89.9,31.9,6.5,226.2,154.2,0.0,188.0,0.3,163.9,163.4,160.1,21.8,153.7,0.1,168.1,122.6,138.9,158.5,186.7,16.2,65.9,114.2,83.7,193.2,164.5,1.3,77.1,55.4] - [PKTLENS.....: 86,86,86,86,86,148,138,320,181,68,246,148,242,226,117,148,165,68,186,170,175,186,170,148,128,154,219,154,223,68,148,185] + [PKTLENS.....: 72,72,72,72,72,134,124,306,167,54,232,134,228,212,103,134,151,54,172,156,161,172,156,134,114,140,205,140,209,54,134,171] + [ENTROPIES...: 5.6,5.6,5.6,5.5,5.6,6.3,6.4,7.3,6.7,5.2,7.0,6.6,7.1,7.0,6.2,6.5,6.6,5.2,6.7,6.6,6.7,6.7,6.7,6.4,6.3,6.5,6.9,6.5,6.9,5.2,6.6,6.7] update: [....39] [ip4][..udp] [....192.168.2.4][51518] -> [..91.253.176.65][.9344] [STUN.WhatsAppCall][VoIP][Acceptable] RISK: Known Proto on Non Std Port update: [....40] [ip4][.icmp] [....192.168.2.4] -> [..91.253.176.65] [ICMP][Network][Acceptable] @@ -194,14 +199,15 @@ detection-update: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe] RISK: TLS (probably) Not Carrying HTTPS analyse: [....57] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.AppleStore][SoftwareUpdate][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.272| 0.058| 0.092| 8444.798| 0.000] - [PKTLEN......: 54.000| 1494.000| 303.300| 408.500|166876.700| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.272| 0.058| 0.092| 8444.798| 3.300] + [PKTLEN......: 40.000| 1480.000| 289.300| 408.500| 166876.700| 3.900] [BINS(c->s)..: 9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0] [BINS(s->c)..: 9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0] [IATS(ms)....: 139.9,225.1,4.2,228.9,0.1,2.7,200.7,0.3,1.4,0.2,2.3,0.3,0.4,198.2,1.0,14.2,4.7,5.0,13.2,0.0,199.9,0.3,34.7,0.4,0.1,217.0,5.8,16.0,0.0,271.8,0.3] - [PKTLENS.....: 78,66,54,281,54,146,91,54,54,60,91,1494,530,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54] + [PKTLENS.....: 64,52,40,267,40,132,77,40,40,46,77,1480,516,596,40,40,40,40,40,988,386,40,40,1480,526,596,40,40,988,386,40,40] + [ENTROPIES...: 4.5,4.8,4.7,5.9,4.8,6.0,5.8,4.9,4.9,4.8,5.7,7.9,7.6,7.7,4.8,4.9,4.9,4.8,4.8,7.8,7.5,4.9,4.9,7.9,7.6,7.7,4.8,4.9,7.8,7.4,4.9,4.9] guessed: [.....7] [ip4][..tcp] [....192.168.2.4][49174] -> [....5.178.42.26][...80] [HTTP][Web][Acceptable] end: [.....7] [ip4][..tcp] [....192.168.2.4][49174] -> [....5.178.42.26][...80] guessed: [.....5] [ip4][..tcp] [....192.168.2.4][49173] -> [..93.186.135.82][...80] [HTTP][Web][Acceptable] diff --git a/test/results/flow-info/whatsapp_login_chat.pcap.out b/test/results/flow-info/whatsapp_login_chat.pcap.out index 6a7b66c3b..0dc6548a7 100644 --- a/test/results/flow-info/whatsapp_login_chat.pcap.out +++ b/test/results/flow-info/whatsapp_login_chat.pcap.out @@ -11,14 +11,15 @@ new: [.....4] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [MIDSTREAM] detected: [.....4] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.Apple][Web][Safe] analyse: [.....4] [ip4][..tcp] [....192.168.2.4][49205] -> [..17.173.66.102][..443] [TLS.Apple][Web][Safe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 3.031| 0.229| 0.711|505750.847| 0.000] - [PKTLEN......: 54.000| 1494.000| 529.600| 518.700|269058.200| 4.300] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 3.031| 0.229| 0.711| 505750.847| 2.000] + [PKTLEN......: 40.000| 1480.000| 515.600| 518.700| 269058.200| 4.200] [BINS(c->s)..: 4,0,1,0,0,0,0,0,0,0,0,0,0,0,2,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,4,0,0] [BINS(s->c)..: 9,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,0,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0] [IATS(ms)....: 0.3,0.1,156.1,6.0,20.6,0.0,205.0,0.2,59.6,0.4,0.1,237.8,6.4,13.7,0.0,246.4,0.2,2803.2,0.7,0.1,0.2,0.2,0.1,3030.6,5.8,14.0,0.0,0.0,10.3,10.4,268.2] - [PKTLENS.....: 1494,531,610,54,54,1000,400,54,54,1494,538,610,54,54,1002,400,54,54,1494,531,610,1494,1254,1254,54,54,1002,400,54,54,54,127] + [PKTLENS.....: 1480,517,596,40,40,986,386,40,40,1480,524,596,40,40,988,386,40,40,1480,517,596,1480,1240,1240,40,40,988,386,40,40,40,113] + [ENTROPIES...: 7.8,7.6,7.7,4.9,4.8,7.8,7.3,4.8,4.9,7.9,7.6,7.6,4.8,4.9,7.8,7.4,4.9,4.9,7.9,7.6,7.7,7.9,7.8,7.9,4.9,4.9,7.8,7.4,4.8,4.8,4.8,6.4] new: [.....5] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] detected: [.....5] [ip4][..udp] [....192.168.2.1][17500] -> [..192.168.2.255][17500] [Dropbox][Cloud][Acceptable] new: [.....6] [ip4][..udp] [........0.0.0.0][...68] -> [255.255.255.255][...67] diff --git a/test/results/flow-info/whatsapp_voice_and_message.pcap.out b/test/results/flow-info/whatsapp_voice_and_message.pcap.out index 86421c6e4..c01ea41cb 100644 --- a/test/results/flow-info/whatsapp_voice_and_message.pcap.out +++ b/test/results/flow-info/whatsapp_voice_and_message.pcap.out @@ -20,27 +20,29 @@ new: [.....9] [ip4][..udp] [.......10.8.0.1][53620] -> [....31.13.73.48][.3478] detected: [.....9] [ip4][..udp] [.......10.8.0.1][53620] -> [....31.13.73.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] analyse: [.....1] [ip4][..tcp] [.......10.8.0.1][35480] -> [.184.173.179.46][..443] [WhatsApp][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 10.749| 0.839| 2.600|6759456.965| 0.000] - [PKTLEN......: 54.000| 469.000| 107.400| 97.600| 9526.400| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 10.749| 0.839| 2.600| 6759456.965| 2.200] + [PKTLEN......: 40.000| 455.000| 93.400| 97.600| 9526.400| 4.500] [BINS(c->s)..: 9,2,4,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 12,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,0,1,0] [IATS(ms)....: 61.0,61.1,147.7,147.9,346.8,397.2,0.1,50.5,310.1,310.1,199.8,397.9,0.1,198.2,50.5,50.6,386.7,386.7,54.1,104.5,50.5,50.4,398.3,400.0,10696.7,10748.9,0.3,0.2,0.2,0.3,0.2] - [PKTLENS.....: 74,54,54,231,54,132,54,84,54,77,54,223,54,86,54,104,54,410,54,77,54,75,54,469,54,133,54,133,54,133,54,133] + [PKTLENS.....: 60,40,40,217,40,118,40,70,40,63,40,209,40,72,40,90,40,396,40,63,40,61,40,455,40,119,40,119,40,119,40,119] + [ENTROPIES...: 4.4,4.5,4.7,6.6,4.6,6.1,4.7,5.6,4.6,5.2,4.6,6.9,4.7,5.7,4.6,5.9,4.6,7.4,4.6,5.4,4.7,5.3,4.7,7.5,4.6,6.3,4.6,6.3,4.6,6.3,4.6,6.3] new: [....10] [ip4][..tcp] [.......10.8.0.1][44819] -> [...158.85.58.42][.5222] detected: [....10] [ip4][..tcp] [.......10.8.0.1][44819] -> [...158.85.58.42][.5222] [WhatsApp][Chat][Acceptable] new: [....11] [ip4][..tcp] [.......10.8.0.1][42241] -> [173.192.222.189][.5222] detected: [....11] [ip4][..tcp] [.......10.8.0.1][42241] -> [173.192.222.189][.5222] [WhatsApp][Chat][Acceptable] analyse: [....11] [ip4][..tcp] [.......10.8.0.1][42241] -> [173.192.222.189][.5222] [WhatsApp][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.458| 0.064| 0.104|10787.211| 0.000] - [PKTLEN......: 54.000| 559.000| 102.200| 100.300|10067.600| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.458| 0.064| 0.104| 10787.211| 3.700] + [PKTLEN......: 40.000| 545.000| 88.200| 100.300| 10067.600| 4.400] [BINS(c->s)..: 10,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 14,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,0] [IATS(ms)....: 1.3,2.4,29.8,31.2,401.5,457.9,56.4,0.2,0.1,0.2,50.5,50.4,0.2,112.5,112.8,50.8,57.3,6.5,0.3,0.2,50.4,50.5,0.1,50.4,131.0,50.4,131.2,0.1,50.5,50.6,0.8] - [PKTLENS.....: 74,54,54,228,54,132,54,559,84,54,54,77,54,54,79,54,76,135,54,299,54,76,78,54,108,54,72,105,54,223,54,54] + [PKTLENS.....: 60,40,40,214,40,118,40,545,70,40,40,63,40,40,65,40,62,121,40,285,40,62,64,40,94,40,58,91,40,209,40,40] + [ENTROPIES...: 4.5,4.7,4.8,6.6,4.6,6.1,4.7,7.6,5.6,4.6,4.6,5.4,4.6,4.8,5.5,4.6,5.3,6.3,4.6,7.2,4.5,5.4,5.5,4.6,5.9,4.7,5.4,5.9,4.6,7.0,4.8,4.7] update: [.....5] [ip4][..udp] [.......10.8.0.1][53620] -> [..173.252.121.1][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] update: [.....6] [ip4][..udp] [.......10.8.0.1][53620] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] update: [.....2] [ip4][..udp] [.......10.8.0.1][53620] -> [....31.13.84.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] @@ -52,14 +54,15 @@ new: [....12] [ip4][..tcp] [.......10.8.0.1][49721] -> [..158.85.58.109][.5222] detected: [....12] [ip4][..tcp] [.......10.8.0.1][49721] -> [..158.85.58.109][.5222] [WhatsApp][Chat][Acceptable] analyse: [....12] [ip4][..tcp] [.......10.8.0.1][49721] -> [..158.85.58.109][.5222] [WhatsApp][Chat][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.768| 0.148| 0.316|100094.116| 0.000] - [PKTLEN......: 54.000| 308.000| 99.100| 70.400| 4957.000| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.768| 0.148| 0.316| 100094.116| 3.400] + [PKTLEN......: 40.000| 294.000| 85.100| 70.400| 4957.000| 4.600] [BINS(c->s)..: 11,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 11,1,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,0] [IATS(ms)....: 2.0,2.6,34.1,34.8,390.3,440.9,50.6,0.2,0.1,50.4,50.5,139.3,139.3,0.1,50.5,50.4,0.1,51.2,51.1,0.2,0.1,77.8,128.3,50.9,179.2,229.7,260.6,260.6,50.5,50.5,1768.4] - [PKTLENS.....: 74,54,54,228,54,132,54,308,84,54,77,54,79,54,76,135,54,76,299,54,54,54,223,112,54,113,54,179,54,76,54,90] + [PKTLENS.....: 60,40,40,214,40,118,40,294,70,40,63,40,65,40,62,121,40,62,285,40,40,40,209,98,40,99,40,165,40,62,40,76] + [ENTROPIES...: 4.5,4.7,4.7,6.8,4.7,6.1,4.7,7.2,5.5,4.7,5.6,4.7,5.5,4.7,5.5,6.4,4.7,5.5,7.2,4.7,4.9,4.9,6.9,6.1,4.7,6.0,4.8,6.7,4.8,5.4,4.8,5.7] update: [.....5] [ip4][..udp] [.......10.8.0.1][53620] -> [..173.252.121.1][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] update: [.....6] [ip4][..udp] [.......10.8.0.1][53620] -> [..179.60.192.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] update: [.....2] [ip4][..udp] [.......10.8.0.1][53620] -> [....31.13.84.48][.3478] [STUN.WhatsAppCall][VoIP][Acceptable] diff --git a/test/results/flow-info/whatsappfiles.pcap.out b/test/results/flow-info/whatsappfiles.pcap.out index cd4f7ef00..b19582f3c 100644 --- a/test/results/flow-info/whatsappfiles.pcap.out +++ b/test/results/flow-info/whatsappfiles.pcap.out @@ -6,26 +6,28 @@ detection-update: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] detection-update: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] analyse: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 24.640| 0.846| 4.345|18880535.724| 0.000] - [PKTLEN......: 66.000| 1464.000| 343.100| 491.800|241822.200| 3.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 24.640| 0.846| 4.345| 18880535.724| 0.500] + [PKTLEN......: 52.000| 1450.000| 329.100| 491.800| 241822.200| 3.800] [BINS(c->s)..: 9,4,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0] [BINS(s->c)..: 5,1,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,0,0] [IATS(ms)....: 90.0,91.9,3.0,95.6,1.4,1.2,0.0,95.9,1.0,78.9,282.8,460.9,0.0,97.9,0.0,4.0,7.0,1.0,0.0,0.0,115.1,0.0,1.2,0.0,102.9,1.0,41.1,24639.8,5.0,6.0,3.0] - [PKTLENS.....: 78,74,66,309,66,1464,1464,478,66,66,66,192,324,147,66,66,119,116,108,249,104,66,104,66,176,66,66,66,289,1464,1464,1464] + [PKTLENS.....: 64,60,52,295,52,1450,1450,464,52,52,52,178,310,133,52,52,105,102,94,235,90,52,90,52,162,52,52,52,275,1450,1450,1450] + [ENTROPIES...: 4.4,5.2,5.0,5.6,5.2,6.9,7.3,7.4,5.1,5.1,4.9,6.3,7.1,6.4,5.0,5.0,5.6,5.7,5.4,6.9,5.4,5.2,5.9,5.2,6.6,5.0,5.1,5.2,7.0,7.9,7.8,7.9] new: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] detected: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] detection-update: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] analyse: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.108| 0.019| 0.031| 953.946| 0.000] - [PKTLEN......: 66.000| 1464.000| 499.400| 599.200|359069.100| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.108| 0.019| 0.031| 953.946| 3.300] + [PKTLEN......: 52.000| 1450.000| 485.400| 599.200| 359069.100| 4.000] [BINS(c->s)..: 6,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 5,2,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,8,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 56.7,61.0,1.0,66.0,0.1,65.0,1.0,5.0,0.0,1.0,0.0,59.9,51.0,0.0,7.3,0.0,4.1,0.1,11.0,0.0,86.4,107.5,0.0,1.4,0.9,1.4,1.2,1.2,1.0,1.2,1.2] - [PKTLENS.....: 78,74,66,583,66,212,66,117,119,116,108,290,147,66,104,66,104,66,108,66,66,66,1464,234,1464,1282,1464,1464,1464,1464,1464,1464] + [PKTLENS.....: 64,60,52,569,52,198,52,103,105,102,94,276,133,52,90,52,90,52,94,52,52,52,1450,220,1450,1268,1450,1450,1450,1450,1450,1450] + [ENTROPIES...: 4.5,5.2,5.1,6.5,5.3,6.5,5.1,5.5,5.8,5.7,5.5,7.1,6.5,5.1,5.5,5.2,6.1,5.3,6.0,5.1,5.1,5.3,7.9,7.1,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9] end: [.....1] [ip4][..tcp] [...192.168.2.29][49674] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] idle: [.....2] [ip4][..tcp] [...192.168.2.29][49698] -> [..185.60.216.53][..443] [TLS.WhatsAppFiles][Download][Acceptable] DAEMON-EVENT: shutdown diff --git a/test/results/flow-info/wireguard.pcap.out b/test/results/flow-info/wireguard.pcap.out index 08c965af7..9303688fe 100644 --- a/test/results/flow-info/wireguard.pcap.out +++ b/test/results/flow-info/wireguard.pcap.out @@ -4,14 +4,15 @@ new: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] detected: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable] analyse: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 5.526| 0.606| 1.489|2218508.681| 0.000] - [PKTLEN......: 138.000| 842.000| 260.000| 181.000|32764.000| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 5.526| 0.606| 1.489| 2218508.681| 2.500] + [PKTLEN......: 124.000| 828.000| 246.000| 181.000| 32764.000| 4.700] [BINS(c->s)..: 0,0,0,6,7,0,0,0,0,1,1,0,0,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 0,0,0,7,1,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,0,1] [IATS(ms)....: 0.0,0.2,13.3,82.4,23.4,0.1,92.8,0.7,114.4,124.5,0.2,238.5,14.3,86.0,36.4,0.1,108.2,0.8,113.6,3087.0,3060.6,97.5,183.7,5525.9,0.0,5525.9,16.5,88.0,44.4,0.1,115.9] - [PKTLENS.....: 842,186,138,314,138,330,186,138,298,138,666,186,138,314,138,362,186,138,298,138,186,154,186,154,698,186,138,314,138,570,186,138] + [PKTLENS.....: 828,172,124,300,124,316,172,124,284,124,652,172,124,300,124,348,172,124,284,124,172,140,172,140,684,172,124,300,124,556,172,124] + [ENTROPIES...: 7.7,6.5,6.1,7.3,6.1,7.2,6.5,6.1,7.2,6.0,7.6,6.6,6.1,7.2,6.0,7.3,6.6,6.2,7.2,6.1,6.5,6.3,6.6,6.3,7.7,6.6,6.1,7.2,6.1,7.6,6.6,6.2] update: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable] update: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable] update: [.....1] [ip4][..udp] [139.162.192.157][51820] -> [...192.168.0.14][36116] [WireGuard][VPN][Acceptable] diff --git a/test/results/flow-info/youtube_quic.pcap.out b/test/results/flow-info/youtube_quic.pcap.out index e30a05ab2..59acb8ff0 100644 --- a/test/results/flow-info/youtube_quic.pcap.out +++ b/test/results/flow-info/youtube_quic.pcap.out @@ -6,14 +6,15 @@ new: [.....2] [ip4][..udp] [....192.168.1.7][56074] -> [..216.58.198.33][..443] detected: [.....2] [ip4][..udp] [....192.168.1.7][56074] -> [..216.58.198.33][..443] [QUIC.YouTube][Media][Fun] analyse: [.....2] [ip4][..udp] [....192.168.1.7][56074] -> [..216.58.198.33][..443] [QUIC.YouTube][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.047| 0.007| 0.013| 177.503| 0.000] - [PKTLEN......: 73.000| 1392.000| 865.500| 620.100|384534.200| 4.500] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.047| 0.007| 0.013| 177.503| 3.300] + [PKTLEN......: 59.000| 1378.000| 851.500| 620.100| 384534.200| 4.500] [BINS(c->s)..: 0,8,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0] [BINS(s->c)..: 1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1] [IATS(ms)....: 43.7,0.6,47.4,0.3,0.2,0.0,22.6,22.3,0.0,41.9,0.1,4.3,1.2,5.2,1.0,1.2,2.1,1.0,1.2,2.2,1.1,0.9,2.0,1.3,1.0,2.3,0.9,1.3,2.3,0.6,7.7] - [PKTLENS.....: 1392,1392,1392,1392,459,177,178,77,1392,73,83,83,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1030,1392] + [PKTLENS.....: 1378,1378,1378,1378,445,163,164,63,1378,59,69,69,1378,1378,66,1378,1378,66,1378,1378,66,1378,1378,66,1378,1378,66,1378,1378,66,1016,1378] + [ENTROPIES...: 2.5,7.5,2.6,5.5,7.5,6.7,6.7,5.2,7.9,5.3,5.5,5.6,7.8,7.8,5.6,7.9,7.9,5.6,7.9,7.9,5.5,7.9,7.9,5.6,7.9,7.9,5.6,7.9,7.9,5.5,7.8,7.9] new: [.....3] [ip4][..udp] [....192.168.1.7][53859] -> [..216.58.205.66][..443] detected: [.....3] [ip4][..udp] [....192.168.1.7][53859] -> [..216.58.205.66][..443] [QUIC.Google][Advertisement][Acceptable] idle: [.....2] [ip4][..udp] [....192.168.1.7][56074] -> [..216.58.198.33][..443] [QUIC.YouTube][Media][Fun] diff --git a/test/results/flow-info/youtubeupload.pcap.out b/test/results/flow-info/youtubeupload.pcap.out index cf6412560..679195203 100644 --- a/test/results/flow-info/youtubeupload.pcap.out +++ b/test/results/flow-info/youtubeupload.pcap.out @@ -10,14 +10,15 @@ new: [.....3] [ip4][..udp] [...192.168.2.27][62232] -> [.172.217.23.111][..443] detected: [.....3] [ip4][..udp] [...192.168.2.27][62232] -> [.172.217.23.111][..443] [QUIC.YouTubeUpload][Media][Fun] analyse: [.....1] [ip4][..udp] [...192.168.2.27][51925] -> [.172.217.23.111][..443] [QUIC.YouTubeUpload][Media][Fun] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 1.883| 0.207| 0.510|259988.193| 0.000] - [PKTLEN......: 58.000| 1392.000| 781.800| 621.300|386013.800| 4.400] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 1.883| 0.207| 0.510| 259988.193| 2.400] + [PKTLEN......: 44.000| 1378.000| 767.800| 621.300| 386013.800| 4.400] [BINS(c->s)..: 0,6,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0] [BINS(s->c)..: 4,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,0,1,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0] [IATS(ms)....: 56.1,1.0,59.8,1.8,0.4,60.9,0.1,57.5,0.4,30.7,1096.9,0.5,1126.8,0.7,1825.8,1883.1,71.2,0.1,128.5,3.3,2.8,0.4,0.7,1.0,1.1,1.2,1.1,1.2,1.1,1.2,1.2] - [PKTLENS.....: 1392,1392,1392,80,1392,424,1392,73,83,80,72,58,611,83,77,344,78,154,58,83,387,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392] + [PKTLENS.....: 1378,1378,1378,66,1378,410,1378,59,69,66,58,44,597,69,63,330,64,140,44,69,373,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378] + [ENTROPIES...: 2.6,7.5,7.4,5.3,4.6,7.4,7.9,5.4,5.7,5.8,5.5,5.0,7.7,5.6,5.7,7.3,5.5,6.6,5.0,5.7,7.5,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.9,7.8,7.9] idle: [.....2] [ip4][..tcp] [...192.168.2.27][57452] -> [.172.217.23.111][..443] idle: [.....1] [ip4][..udp] [...192.168.2.27][51925] -> [.172.217.23.111][..443] [QUIC.YouTubeUpload][Media][Fun] idle: [.....3] [ip4][..udp] [...192.168.2.27][62232] -> [.172.217.23.111][..443] [QUIC.YouTubeUpload][Media][Fun] diff --git a/test/results/flow-info/zcash.pcap.out b/test/results/flow-info/zcash.pcap.out index 95c6559ad..7311f74f9 100644 --- a/test/results/flow-info/zcash.pcap.out +++ b/test/results/flow-info/zcash.pcap.out @@ -5,14 +5,15 @@ detected: [.....1] [ip4][..tcp] [...192.168.2.92][55190] -> [.178.32.196.217][.9050] [Mining][Mining][Unsafe] RISK: Known Proto on Non Std Port, Unsafe Protocol analyse: [.....1] [ip4][..tcp] [...192.168.2.92][55190] -> [.178.32.196.217][.9050] [Mining][Mining][Unsafe] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 50.191| 6.014| 12.034|144808530.149| 0.000] - [PKTLEN......: 66.000| 369.000| 156.600| 98.900| 9779.100| 4.700] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 50.191| 6.014| 12.034| 144808530.149| 3.200] + [PKTLEN......: 52.000| 355.000| 142.600| 98.900| 9779.100| 4.700] [BINS(c->s)..: 9,0,0,0,0,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 6,5,0,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1] [IATS(ms)....: 82.7,82.7,0.2,82.6,1.5,84.0,12149.8,12261.6,111.7,2618.8,2732.4,113.5,6931.2,7044.0,112.8,7848.9,7848.9,48786.2,308.4,320.0,608.0,50191.4,0.1,0.0,41.7,210.6,4833.2,4833.2,8034.7,8116.9,41.4] - [PKTLENS.....: 74,74,66,326,66,369,66,249,129,66,249,129,66,249,129,66,319,66,249,249,249,249,78,78,78,129,66,319,66,249,66,129] + [PKTLENS.....: 60,60,52,312,52,355,52,235,115,52,235,115,52,235,115,52,305,52,235,235,235,235,64,64,64,115,52,305,52,235,52,115] + [ENTROPIES...: 4.8,5.3,5.2,6.2,5.2,5.3,5.1,5.5,5.5,5.1,5.5,5.5,5.2,5.6,5.5,5.1,5.3,4.9,5.4,5.4,5.5,5.4,5.1,5.2,5.2,5.5,5.0,5.3,5.2,5.5,5.2,5.6] DAEMON-EVENT: [Processed: 87 pkts][ZLib][compressions: 0|diff: 0 / 0] DAEMON-EVENT: [Flows][active: 1 / 1|skipped: 0|!detected: 0|guessed: 0|detection-updates: 0|updates: 0] idle: [.....1] [ip4][..tcp] [...192.168.2.92][55190] -> [.178.32.196.217][.9050] [Mining][Mining][Unsafe] diff --git a/test/results/flow-info/zoom.pcap.out b/test/results/flow-info/zoom.pcap.out index 95be0cdc5..1e01c9419 100644 --- a/test/results/flow-info/zoom.pcap.out +++ b/test/results/flow-info/zoom.pcap.out @@ -58,14 +58,15 @@ detection-update: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Video][Acceptable] detection-update: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Video][Acceptable] analyse: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.211| 0.038| 0.059| 3527.760| 0.000] - [PKTLEN......: 54.000| 1506.000| 677.000| 660.100|435695.100| 4.200] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.211| 0.038| 0.059| 3527.760| 3.300] + [PKTLEN......: 40.000| 1492.000| 663.000| 660.100| 435695.100| 4.200] [BINS(c->s)..: 11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 3,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,11,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0] [IATS(ms)....: 112.4,112.5,31.1,144.0,1.8,0.2,0.0,114.8,0.2,0.2,7.2,2.9,121.9,111.9,4.3,0.0,116.6,98.0,0.5,0.0,210.7,0.0,0.2,0.1,0.2,0.1,0.1,0.2,0.1,0.0,0.1] - [PKTLENS.....: 78,66,54,571,60,1506,1506,1506,54,1306,54,54,245,105,54,745,864,60,1506,1506,1506,54,54,1506,1506,54,1506,1506,54,1506,459,54] + [PKTLENS.....: 64,52,40,557,46,1492,1492,1492,40,1292,40,40,231,91,40,731,850,46,1492,1492,1492,40,40,1492,1492,40,1492,1492,40,1492,445,40] + [ENTROPIES...: 4.4,4.9,4.5,4.1,4.5,7.1,7.3,7.3,4.7,7.6,4.6,4.7,6.9,5.7,4.7,7.7,7.7,4.5,7.9,7.9,7.9,4.7,4.6,7.9,7.9,4.7,7.9,7.9,4.6,7.9,7.5,4.6] detection-update: [....21] [ip4][..tcp] [..192.168.1.117][54866] -> [..52.202.62.236][..443] [TLS.Zoom][Video][Acceptable] new: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] detected: [....22] [ip4][..udp] [..192.168.1.117][57621] -> [..192.168.1.255][57621] [Spotify][Music][Acceptable] @@ -114,28 +115,30 @@ detection-update: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Video][Acceptable] RISK: TLS (probably) Not Carrying HTTPS analyse: [....30] [ip4][..tcp] [..192.168.1.117][54871] -> [..109.94.160.99][..443] [TLS.Zoom][Video][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.156| 0.028| 0.040| 1628.090| 0.000] - [PKTLEN......: 66.000| 1506.000| 434.500| 552.400|305116.100| 4.000] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.156| 0.028| 0.040| 1628.090| 3.800] + [PKTLEN......: 52.000| 1492.000| 420.500| 552.400| 305116.100| 3.900] [BINS(c->s)..: 10,1,0,1,2,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 4,1,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,4,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,0,0,1,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,0,0] [IATS(ms)....: 31.6,31.8,0.2,32.7,2.0,0.1,0.0,34.5,0.0,10.5,0.0,10.6,60.1,93.9,33.8,0.4,31.3,30.9,4.6,0.0,36.6,6.2,38.2,156.1,156.1,0.1,0.0,0.1,10.6,59.1,3.1] - [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,66,66,1506,93,66,192,308,66,206,132,66,1506,547,66,104,66,1331,66,1506,160,66,104,216,237] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1268,52,52,1492,79,52,178,294,52,192,118,52,1492,533,52,90,52,1317,52,1492,146,52,90,202,223] + [ENTROPIES...: 4.4,5.3,5.0,4.3,5.2,7.1,7.3,7.3,5.0,5.1,7.6,5.6,5.1,6.6,7.1,5.1,6.9,6.3,5.1,7.9,7.6,5.1,5.9,5.1,7.9,5.1,7.9,6.6,5.1,5.8,6.9,7.0] new: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] detected: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [Zoom][Video][Acceptable] ERROR-EVENT: Unknown packet type new: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801] detected: [....32] [ip4][..udp] [..192.168.1.117][60620] -> [..109.94.160.99][.8801] [Zoom][Video][Acceptable] analyse: [....31] [ip4][..udp] [..192.168.1.117][58327] -> [..109.94.160.99][.8801] [Zoom][Video][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.036| 0.010| 0.009| 72.691| 0.000] - [PKTLEN......: 55.000| 1071.000| 886.800| 383.700|147246.200| 4.800] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.036| 0.010| 0.009| 72.691| 4.500] + [PKTLEN......: 41.000| 1057.000| 872.800| 383.700| 147246.200| 4.800] [BINS(c->s)..: 1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 32.0,0.0,32.2,4.7,35.6,13.8,10.3,10.2,10.0,0.1,10.1,10.3,10.0,10.0,0.1,9.9,10.2,10.3,10.3,0.1,10.1,10.0,10.1,10.5,0.0,10.0,10.3,9.7,10.3,0.4,9.8] - [PKTLENS.....: 149,77,60,55,105,85,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071] + [PKTLENS.....: 135,63,46,41,91,71,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057] + [ENTROPIES...: 5.9,4.8,4.4,4.6,5.1,4.8,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5,0.5] new: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801] detected: [....33] [ip4][..udp] [..192.168.1.117][61731] -> [..109.94.160.99][.8801] [Zoom][Video][Acceptable] idle: [....17] [ip4][.icmp] [..192.168.1.117] -> [..162.255.38.14] [ICMP][Network][Acceptable] diff --git a/test/results/flow-info/zoom2.pcap.out b/test/results/flow-info/zoom2.pcap.out index 7b81c5e98..677e3364f 100644 --- a/test/results/flow-info/zoom2.pcap.out +++ b/test/results/flow-info/zoom2.pcap.out @@ -9,48 +9,52 @@ detection-update: [.....1] [ip4][..tcp] [..192.168.1.178][50076] -> [.144.195.73.154][..443] [TLS.Zoom][Video][Acceptable] RISK: TLS (probably) Not Carrying HTTPS analyse: [.....1] [ip4][..tcp] [..192.168.1.178][50076] -> [.144.195.73.154][..443] [TLS.Zoom][Video][Acceptable] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.199| 0.059| 0.083| 6897.605| 0.000] - [PKTLEN......: 66.000| 1506.000| 464.300| 547.400|299645.500| 4.100] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.199| 0.059| 0.083| 6897.605| 3.400] + [PKTLEN......: 52.000| 1492.000| 450.300| 547.400| 299645.500| 4.000] [BINS(c->s)..: 11,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0] [BINS(s->c)..: 3,1,1,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0,0,0,3,0,0] [DIRECTIONS..: 0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,0,1,0,0,0,1,1,1,0,1,0,0,1,0,1,1] [IATS(ms)....: 174.7,174.8,0.6,174.0,1.3,0.0,0.0,0.0,175.4,0.0,0.0,23.6,1.3,198.6,173.1,0.3,174.5,174.1,5.8,0.0,187.6,0.7,0.0,182.4,0.1,0.1,0.1,0.9,0.8,0.5,0.0] - [PKTLENS.....: 78,74,66,583,66,1506,1506,1282,828,66,66,66,66,192,117,66,222,141,66,1506,781,66,1506,456,66,214,66,116,1344,66,1344,270] + [PKTLENS.....: 64,60,52,569,52,1492,1492,1268,814,52,52,52,52,178,103,52,208,127,52,1492,767,52,1492,442,52,200,52,102,1330,52,1330,256] + [ENTROPIES...: 4.3,5.2,5.1,4.4,5.1,7.2,7.4,7.5,7.6,5.0,5.0,5.0,5.0,6.5,5.8,4.9,6.8,6.3,5.0,7.9,7.7,5.1,7.9,7.5,5.0,6.7,5.0,6.0,7.9,5.0,7.9,6.9] new: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] analyse: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.167| 0.025| 0.040| 1639.456| 0.000] - [PKTLEN......: 60.000| 1078.000| 718.700| 464.600|215864.300| 4.600] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.167| 0.025| 0.040| 1639.456| 3.600] + [PKTLEN......: 46.000| 1064.000| 704.700| 464.600| 215864.300| 4.600] [BINS(c->s)..: 0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1] [IATS(ms)....: 101.4,166.6,0.0,73.0,12.3,100.4,0.0,101.8,73.0,11.9,4.9,10.9,10.5,10.1,0.2,9.2,10.4,10.3,11.4,0.0,0.3,9.4,8.6,5.4,4.9,0.1,10.8,10.0,10.5,9.4,0.2] - [PKTLENS.....: 165,165,86,60,170,170,86,60,170,102,102,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,102,1078,1078,1078,1078,1078,1078,1078] + [PKTLENS.....: 151,151,72,46,156,156,72,46,156,88,88,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,88,1064,1064,1064,1064,1064,1064,1064] + [ENTROPIES...: 5.8,5.8,4.9,4.2,5.4,5.6,4.8,4.3,5.6,4.7,4.7,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,0.6,4.8,0.6,0.6,0.6,0.6,0.6,0.6,0.6] guessed: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable] detected: [.....2] [ip4][..udp] [..192.168.1.178][60653] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable] new: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] new: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] analyse: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.176| 0.043| 0.049| 2389.122| 0.000] - [PKTLEN......: 60.000| 203.000| 143.000| 35.800| 1279.800| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.176| 0.043| 0.049| 2389.122| 4.100] + [PKTLEN......: 46.000| 189.000| 129.000| 35.800| 1279.800| 4.900] [BINS(c->s)..: 0,0,1,6,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 2,5,3,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,0,0,1,0,0,0,0,1] [IATS(ms)....: 98.5,176.4,0.1,85.5,9.5,94.8,0.0,99.9,94.2,12.3,1.9,12.4,20.6,17.0,20.1,168.4,18.0,3.6,10.9,10.3,19.4,32.1,20.9,115.3,0.0,17.8,18.7,20.1,20.2,21.5,85.5] - [PKTLENS.....: 165,165,86,60,170,170,86,60,170,102,102,175,178,168,163,159,130,102,163,106,157,158,148,149,180,203,130,164,162,157,158,130] + [PKTLENS.....: 151,151,72,46,156,156,72,46,156,88,88,161,164,154,149,145,116,88,149,92,143,144,134,135,166,189,116,150,148,143,144,116] + [ENTROPIES...: 5.8,5.8,4.9,4.4,5.6,5.6,4.8,4.4,5.5,4.7,4.7,6.0,6.0,5.9,5.8,5.7,5.1,4.7,5.8,4.7,5.7,5.7,5.6,5.6,6.0,6.2,5.3,5.7,5.7,5.7,5.7,5.2] guessed: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable] detected: [.....3] [ip4][..udp] [..192.168.1.178][58117] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable] analyse: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] - min| max| avg| stddev| variance| entropy - [IAT.........: 0.000| 0.188| 0.047| 0.043| 1844.784| 0.000] - [PKTLEN......: 60.000| 185.000| 105.100| 44.600| 1993.400| 4.900] + min| max| avg| stddev| variance| entropy + [IAT.........: 0.000| 0.188| 0.047| 0.043| 1844.784| 4.300] + [PKTLEN......: 46.000| 171.000| 91.100| 44.600| 1993.400| 4.800] [BINS(c->s)..: 7,0,0,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [BINS(s->c)..: 9,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0] [DIRECTIONS..: 0,0,1,1,0,0,1,1,0,0,0,1,1,0,1,0,0,1,1,0,1,1,1,0,1,0,1,1,0,1,1,0] [IATS(ms)....: 102.1,187.6,0.0,105.6,0.1,93.5,0.0,87.6,70.7,0.1,106.0,0.0,21.5,32.8,59.0,0.0,48.4,5.5,49.5,50.2,0.0,0.0,55.2,45.7,56.3,52.4,0.0,59.8,52.1,47.7,58.6] - [PKTLENS.....: 167,167,86,60,177,177,86,60,177,177,177,117,117,69,69,185,69,69,117,69,117,117,69,69,69,69,117,69,69,69,69,69] + [PKTLENS.....: 153,153,72,46,163,163,72,46,163,163,163,103,103,55,55,171,55,55,103,55,103,103,55,55,55,55,103,55,55,55,55,55] + [ENTROPIES...: 5.8,5.9,4.8,4.3,5.5,5.5,4.8,4.4,5.6,5.5,5.6,4.4,4.5,3.6,3.9,5.5,3.6,3.9,4.5,3.7,4.5,4.5,3.9,3.7,4.0,3.7,4.5,3.9,3.7,3.9,3.9,3.7] guessed: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable] detected: [.....4] [ip4][..udp] [..192.168.1.178][57953] -> [.144.195.73.154][.8801] [Zoom][Video][Acceptable] new: [.....5] [ip4][.icmp] [..192.168.1.178] -> [.144.195.73.154] diff --git a/test/results/forticlient.pcap.out b/test/results/forticlient.pcap.out index 041c57ace..0e7a74395 100644 --- a/test/results/forticlient.pcap.out +++ b/test/results/forticlient.pcap.out @@ -35,7 +35,7 @@ 01349{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":103,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067209264717,"flow_dst_last_pkt_time":1621067209262263,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1621067209264717,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN","hostname":"82.81.46.13","tls": {"version":"TLSv1.2","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01409{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":105,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067209264717,"flow_dst_last_pkt_time":1621067209346748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1621067209346748,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN","hostname":"82.81.46.13","tls": {"version":"TLSv1.2","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"e35df3e00ca4ef31d42b34bebaa2f86e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01675{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067209264717,"flow_dst_last_pkt_time":1621067209348677,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":2421,"midstream":0,"thread_ts_usec":1621067209348677,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN","hostname":"82.81.46.13","tls": {"version":"TLSv1.2","ja3":"40adfd923eb82b89d8836ba37a19bca1","ja3s":"e35df3e00ca4ef31d42b34bebaa2f86e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=Certificate Authority, CN=support","subjectDN":"C=US, ST=California, L=Sunnyvale, O=Fortinet, OU=FortiGate, CN=FWF60E4Q16012050","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"AA:8A:CE:95:99:2A:E0:A4:11:42:E4:C8:40:D7:DB:87:1F:4A:23:45"}}} -01995{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":131,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067210297694,"flow_dst_last_pkt_time":1621067210301240,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1845,"flow_dst_tot_l4_payload_len":4568,"midstream":0,"thread_ts_usec":1621067210301240,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":39,"avg":70952.1,"max":495036,"stddev":111597.5,"var":12454002688.0,"ent":3.7,"data": [62553,62662,2345,64550,19935,1929,84016,11197,85323,74192,429584,495036,65428,84550,160241,75696,71555,6274,142878,591,65604,251,221,2934,4011,39,64164,57249,427,3990,89]},"pktlen": {"min":66,"avg":267.0,"max":1506,"stddev":343.0,"var":117623.0,"ent":4.2,"data": [78,74,66,379,66,1506,1047,66,224,308,66,596,841,66,362,937,66,357,113,66,113,66,113,66,113,131,117,113,66,113,125,125]},"bins": {"c_to_s": [9,4,1,0,1,0,0,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,0,0,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} +02388{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":131,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1621067209199710,"flow_src_last_pkt_time":1621067210297694,"flow_dst_last_pkt_time":1621067210301240,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1845,"flow_dst_tot_l4_payload_len":4568,"midstream":0,"thread_ts_usec":1621067210301240,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61820,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":39,"avg":70952.1,"max":495036,"stddev":111597.5,"var":12454002688.0,"ent":3.7,"data": [62553,62662,2345,64550,19935,1929,84016,11197,85323,74192,429584,495036,65428,84550,160241,75696,71555,6274,142878,591,65604,251,221,2934,4011,39,64164,57249,427,3990,89]},"pktlen": {"min":52,"avg":253.0,"max":1492,"stddev":343.0,"var":117623.0,"ent":4.1,"data": [64,60,52,365,52,1492,1033,52,210,294,52,582,827,52,348,923,52,343,99,52,99,52,99,52,99,117,103,99,52,99,111,111]},"bins": {"c_to_s": [9,4,1,0,1,0,0,0,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,0,0,0,1,0,0,1,1],"entropies": [4.410132408,5.346732616,5.038779736,6.080028534,5.156889915,7.061070919,7.727006912,5.115703106,6.685589790,7.192217827,5.038779736,7.622327805,7.737955093,5.115703106,7.355971813,7.761943817,5.077241421,7.386271954,5.969920158,5.233812809,6.092373371,5.154164791,6.132777691,5.070539474,6.022900581,6.156826973,6.011271954,6.160604477,5.115703106,6.070930004,6.207380772,6.322289944]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"5":"DPI (cache)"},"proto":"TLS.FortiClient","proto_id":"91.259","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00771{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":9,"flow_first_seen":1621067203571879,"flow_src_last_pkt_time":1621067204621391,"flow_dst_last_pkt_time":1621067204682403,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":493,"flow_dst_tot_l4_payload_len":2929,"midstream":0,"thread_ts_usec":1621067222261499,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61805,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00772{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":11,"flow_first_seen":1621067204622472,"flow_src_last_pkt_time":1621067205650296,"flow_dst_last_pkt_time":1621067205708789,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":526,"flow_dst_tot_l4_payload_len":6225,"midstream":0,"thread_ts_usec":1621067222261499,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61806,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00772{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2000,"source":"forticlient.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":11,"flow_first_seen":1621067205651500,"flow_src_last_pkt_time":1621067206681899,"flow_dst_last_pkt_time":1621067206738955,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":3141,"midstream":0,"thread_ts_usec":1621067222261499,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"82.81.46.13","src_port":61811,"dst_port":10443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -50,10 +50,10 @@ ~~ total active/idle flows...: 5/5 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6155028 bytes -~~ total memory freed........: 6155028 bytes -~~ total allocations/frees...: 123564/123564 +~~ total memory allocated....: 6155708 bytes +~~ total memory freed........: 6155708 bytes +~~ total allocations/frees...: 123569/123569 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 496 chars -~~ json string max len.......: 2000 chars -~~ json string avg len.......: 1246 chars +~~ json string max len.......: 2393 chars +~~ json string avg len.......: 1441 chars diff --git a/test/results/ftp-start-tls.pcap.out b/test/results/ftp-start-tls.pcap.out index 463bfd7c3..e2a6f0dc5 100644 --- a/test/results/ftp-start-tls.pcap.out +++ b/test/results/ftp-start-tls.pcap.out @@ -8,7 +8,7 @@ 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":8,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629098899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":73,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1383123629101855,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 01332{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":11,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629103318,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":720,"midstream":0,"thread_ts_usec":1383123629103318,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 01333{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":13,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629101855,"flow_dst_last_pkt_time":1383123629103328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":1447,"midstream":0,"thread_ts_usec":1383123629103328,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} -01527{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":4811.0,"max":40376,"stddev":9556.7,"var":91331016.0,"ent":3.2,"data": [415,134,1253,15030,72,17807,3947,60,788,5,4347,3279,113,1027,2,8,2,118,3,2582,8520,40376,68,34737,4456,749,2222,1775,305,2738,2203]},"pktlen": {"min":60,"avg":174.9,"max":566,"stddev":164.2,"var":26956.4,"ent":4.5,"data": [60,60,60,60,127,127,64,60,60,85,85,204,60,60,566,566,269,566,566,269,60,384,105,105,91,136,136,91,136,136,99,144]},"bins": {"c_to_s": [4,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,7,0,0,0,2,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,1,0,1,1,1,1,0,1,1,1,1,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1]}} +01924{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":4811.0,"max":40376,"stddev":9556.7,"var":91331016.0,"ent":3.2,"data": [415,134,1253,15030,72,17807,3947,60,788,5,4347,3279,113,1027,2,8,2,118,3,2582,8520,40376,68,34737,4456,749,2222,1775,305,2738,2203]},"pktlen": {"min":46,"avg":160.9,"max":552,"stddev":164.2,"var":26956.4,"ent":4.4,"data": [46,46,46,46,113,113,50,46,46,71,71,190,46,46,552,552,255,552,552,255,46,370,91,91,77,122,122,77,122,122,85,130]},"bins": {"c_to_s": [4,3,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,7,0,0,0,2,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,1,0,1,1,1,1,0,1,1,1,1,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1],"entropies": [4.174477577,4.816402912,4.816402912,4.390829086,5.377844810,5.377844810,4.955727100,4.347350597,4.347350597,5.319664001,5.319664001,5.167058468,4.434307098,4.434307098,6.822389126,7.154568672,6.962697506,6.822389126,7.151652813,6.962697029,4.544876099,7.242094517,5.879006863,5.879006863,5.747309208,6.191079140,6.207472801,5.766408920,6.279234409,6.279234409,5.962334156,6.287871361]}} 01333{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629152654,"flow_dst_last_pkt_time":1383123629153383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":609,"flow_dst_tot_l4_payload_len":3206,"midstream":0,"thread_ts_usec":1383123629153383,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 01365{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":51,"source":"ftp-start-tls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":35,"flow_first_seen":1383123629078448,"flow_src_last_pkt_time":1383123629412168,"flow_dst_last_pkt_time":1383123629233523,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":330,"flow_dst_max_l4_payload_len":512,"flow_src_tot_l4_payload_len":856,"flow_dst_tot_l4_payload_len":3834,"midstream":0,"thread_ts_usec":1383123629412168,"l3_proto":"ip4","src_ip":"10.238.26.36","dst_ip":"10.220.50.76","src_port":62092,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"FTPS","proto_id":"311","encrypted":1,"breed":"Unsafe","category_id":7,"category":"Download"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":51,"source":"ftp-start-tls.pcap","alias":"nDPId-test","packets-captured":51,"packets-processed":51,"total-skipped-flows":0,"total-l4-payload-len":4690,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1383123629412168} @@ -20,10 +20,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6043479 bytes -~~ total memory freed........: 6043479 bytes -~~ total allocations/frees...: 121546/121546 +~~ total memory allocated....: 6043615 bytes +~~ total memory freed........: 6043615 bytes +~~ total allocations/frees...: 121547/121547 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars -~~ json string max len.......: 1532 chars -~~ json string avg len.......: 1006 chars +~~ json string max len.......: 1929 chars +~~ json string avg len.......: 1192 chars diff --git a/test/results/ftp.pcap.out b/test/results/ftp.pcap.out index ea6b69119..5d0963bd7 100644 --- a/test/results/ftp.pcap.out +++ b/test/results/ftp.pcap.out @@ -5,7 +5,7 @@ 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1552590234892296,"flow_dst_last_pkt_time":1552590234919708,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1552590234919708,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1AAVxgZYKsHSoyOX7qASqbA+KAAAAgQFrAQCCAoSZ\/tNO1eYmQEDAw4="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1552590234919816,"flow_dst_last_pkt_time":1552590234919708,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1552590234919816,"pkt":"EBMx8Tl2xCwDBkn+CABFAAA0AABAAEAGAADAqAHUWoJGScYGABWjI5fuWCrB04AQECxjbgAAAQEICjtXmLQSZ\/tN"} 01043{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590234976972,"flow_dst_last_pkt_time":1552590235066945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":29,"flow_dst_tot_l4_payload_len":77,"midstream":0,"thread_ts_usec":1552590235066945,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download","ftp": {"user":"anonymous","password":"NcFTP@","auth_failed":0}}} -01793{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590235175924,"flow_dst_last_pkt_time":1552590235202548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":30,"flow_dst_max_l4_payload_len":241,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":532,"midstream":0,"thread_ts_usec":1552590235202548,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":19157.4,"max":90047,"stddev":20644.4,"var":426190272.0,"ent":4.1,"data": [27412,27520,29008,29012,526,27660,315,27401,217,69061,21193,90047,306,27070,21,26780,133,26972,64,26857,6,275,27478,27261,90,29,651,27147,26517,90,26761]},"pktlen": {"min":66,"avg":85.9,"max":307,"stddev":42.7,"var":1824.0,"ent":4.9,"data": [78,74,66,86,66,82,66,100,66,79,66,89,66,71,66,100,66,72,81,131,66,66,77,110,66,307,66,96,88,66,71,100]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download"}} +02188{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590235175924,"flow_dst_last_pkt_time":1552590235202548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":30,"flow_dst_max_l4_payload_len":241,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":532,"midstream":0,"thread_ts_usec":1552590235202548,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":19157.4,"max":90047,"stddev":20644.4,"var":426190272.0,"ent":4.1,"data": [27412,27520,29008,29012,526,27660,315,27401,217,69061,21193,90047,306,27070,21,26780,133,26972,64,26857,6,275,27478,27261,90,29,651,27147,26517,90,26761]},"pktlen": {"min":52,"avg":71.9,"max":293,"stddev":42.7,"var":1824.0,"ent":4.8,"data": [64,60,52,72,52,68,52,86,52,65,52,75,52,57,52,86,52,58,67,117,52,52,63,96,52,293,52,82,74,52,57,86]},"bins": {"c_to_s": [18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1],"entropies": [4.219557285,5.306893826,4.854784012,5.580945969,4.891996861,5.392103672,5.192626476,5.723867416,4.853535175,5.160228252,5.115703106,5.653334618,4.853535175,5.038432598,5.038779736,5.595732212,4.829590797,5.029721737,5.522709370,5.304079056,4.891996861,4.891996861,5.214752197,5.731670380,4.891996861,5.029207230,4.891996861,5.558178902,5.555310249,4.891996861,5.073520184,5.687595367]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1552590236580045,"flow_src_last_pkt_time":1552590236580045,"flow_dst_last_pkt_time":1552590236580045,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1552590236580045,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50695,"dst_port":25685,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1552590236580045,"flow_dst_last_pkt_time":1552590236580045,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1552590236580045,"pkt":"EBMx8Tl2xCwDBkn+CABFAABAAABAAEAGAADAqAHUWoJGScYHZFXuwKKMAAAAALAC\/\/9jegAAAgQFtAEDAwUBAQgKO1efIQAAAAAEAgAA"} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"ftp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1552590236580045,"flow_dst_last_pkt_time":1552590236608252,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1552590236608252,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1GRVxgdmK2Nw7sCijaASqbDL3QAAAgQFrAQCCAoSZ\/zzO1efIQEDAw4="} @@ -15,7 +15,7 @@ 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1552590241545143,"flow_dst_last_pkt_time":1552590241545143,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1552590241545143,"pkt":"EBMx8Tl2xCwDBkn+CABFAABAAABAAEAGAADAqAHUWoJGScYIX8sNBxpOAAAAALAC\/\/9jegAAAgQFtAEDAwUBAQgKO1eyYgAAAAAEAgAA"} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":67,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1552590241545143,"flow_dst_last_pkt_time":1552590241573913,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1552590241573913,"pkt":"xCwDBkn+EBMx8Tl2CABFAAA8AABAADYG4XRagkZJwKgB1F\/LxggMTnkwDQcaT6ASqbBmYgAAAgQFrAQCCAoSaAHMO1eyYgEDAw4="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":68,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1552590241573957,"flow_dst_last_pkt_time":1552590241573913,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1552590241573957,"pkt":"EBMx8Tl2xCwDBkn+CABFAAA0AABAAEAGAADAqAHUWoJGScYIX8sNBxpPDE55MYAQECxjbgAAAQEICjtXsn0SaAHM"} -01548{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":100,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241637688,"flow_dst_last_pkt_time":1552590241639633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":24480,"midstream":0,"thread_ts_usec":1552590241639633,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6033.4,"max":29579,"stddev":11108.9,"var":123407192.0,"ent":3.1,"data": [28770,28814,29579,29566,281,284,597,608,340,458,790,363,375,64,327,2,379,43,300,27513,27767,195,211,1702,115,4,1805,1866,1903,218,1796]},"pktlen": {"min":66,"avg":832.0,"max":1506,"stddev":717.5,"var":514855.0,"ent":4.3,"data": [78,74,66,1506,78,1506,66,1506,66,1506,1506,66,1506,66,1506,1506,1506,66,66,1506,1506,66,1506,66,1506,1506,66,66,1506,66,1506,1506]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,1,1,1,0,1,0,1,1]}} +01947{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":100,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241637688,"flow_dst_last_pkt_time":1552590241639633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":24480,"midstream":0,"thread_ts_usec":1552590241639633,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6033.4,"max":29579,"stddev":11108.9,"var":123407192.0,"ent":3.1,"data": [28770,28814,29579,29566,281,284,597,608,340,458,790,363,375,64,327,2,379,43,300,27513,27767,195,211,1702,115,4,1805,1866,1903,218,1796]},"pktlen": {"min":52,"avg":818.0,"max":1492,"stddev":717.5,"var":514855.0,"ent":4.3,"data": [64,60,52,1492,64,1492,52,1492,52,1492,1492,52,1492,52,1492,1492,1492,52,52,1492,1492,52,1492,52,1492,1492,52,52,1492,52,1492,1492]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,1,1,1,0,1,0,1,1],"entropies": [4.309056282,5.300120831,4.882569313,0.368800014,5.022979736,0.368800014,4.955154896,0.368800014,4.829590797,0.368800014,0.368800014,4.916693211,0.368800014,4.829590797,0.368800014,0.368800014,0.367459536,4.916693211,4.829590797,0.367459506,0.360797286,4.878231525,0.368800014,4.829590797,0.367459536,0.367459536,5.171406746,4.955154896,0.367459536,4.829590797,0.367459536,0.368800014]}} 00806{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":100,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241637688,"flow_dst_last_pkt_time":1552590241639633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":24480,"midstream":0,"thread_ts_usec":1552590241639633,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00845{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1192,"source":"ftp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":380,"flow_dst_packets_processed":735,"flow_first_seen":1552590241545143,"flow_src_last_pkt_time":1552590241851108,"flow_dst_last_pkt_time":1552590241878454,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":1048576,"midstream":0,"thread_ts_usec":1552590243371057,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50696,"dst_port":24523,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1192,"source":"ftp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":41,"flow_dst_packets_processed":27,"flow_first_seen":1552590234892296,"flow_src_last_pkt_time":1552590243340268,"flow_dst_last_pkt_time":1552590243371057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":30,"flow_dst_max_l4_payload_len":241,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":889,"midstream":0,"thread_ts_usec":1552590243371057,"l3_proto":"ip4","src_ip":"192.168.1.212","dst_ip":"90.130.70.73","src_port":50694,"dst_port":21,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"FTP_CONTROL","proto_id":"1","encrypted":0,"breed":"Unsafe","category_id":7,"category":"Download"}} @@ -29,10 +29,10 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6079632 bytes -~~ total memory freed........: 6079632 bytes -~~ total allocations/frees...: 122703/122703 +~~ total memory allocated....: 6080040 bytes +~~ total memory freed........: 6080040 bytes +~~ total allocations/frees...: 122706/122706 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1798 chars -~~ json string avg len.......: 1142 chars +~~ json string max len.......: 2193 chars +~~ json string avg len.......: 1339 chars diff --git a/test/results/ftp_failed.pcap.out b/test/results/ftp_failed.pcap.out index 121f7caa2..ed3c8309e 100644 --- a/test/results/ftp_failed.pcap.out +++ b/test/results/ftp_failed.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038238 bytes -~~ total memory freed........: 6038238 bytes -~~ total allocations/frees...: 121507/121507 +~~ total memory allocated....: 6038374 bytes +~~ total memory freed........: 6038374 bytes +~~ total allocations/frees...: 121508/121508 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 1061 chars diff --git a/test/results/fuzz-2006-06-26-2594.pcap.out b/test/results/fuzz-2006-06-26-2594.pcap.out index 32cf1af48..7e98fc141 100644 --- a/test/results/fuzz-2006-06-26-2594.pcap.out +++ b/test/results/fuzz-2006-06-26-2594.pcap.out @@ -676,7 +676,7 @@ 01012{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":287,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":111,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120470158623642,"flow_src_last_pkt_time":1120470158623642,"flow_dst_last_pkt_time":1120470158623642,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470158623642,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2757,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"1.v.0.127.in-addr.arpa","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00594{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":288,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":111,"flow_packet_id":2,"flow_src_last_pkt_time":1120470158623642,"flow_dst_last_pkt_time":1120470158625217,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"thread_ts_usec":1120470158625217,"pkt":"AODtAW69ADBUADRWCABFAABbAABAAEARtz7AqAEBwKgBAgA1CsUARyeF3\/CAAAABAAEAAAAAAXMBMAElcwAyNwdpbi1hZGRyBGFycGEAAAwAAcAMAAwAAQAAJxAACwlsb2NhbGhvc3QA"} 01120{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":288,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":111,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1120470158623642,"flow_src_last_pkt_time":1120470158623642,"flow_dst_last_pkt_time":1120470158625217,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":63,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":63,"midstream":0,"thread_ts_usec":1120470158625217,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2757,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01787{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1120469540839312,"flow_src_last_pkt_time":1120470161396896,"flow_dst_last_pkt_time":1120469540839312,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1592,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470161396896,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":741823,"avg":20017986.0,"max":47494748,"stddev":22627942.0,"var":512023754440704.0,"ent":3.9,"data": [746308,47494748,744583,751092,46512252,745680,46548540,1500555,45837567,749435,751083,46756478,741823,751085,45987992,749213,47479804,47268139,749384,47257959,751080,46297871,749788,46627979,750158,751078,45907667,749430,751084,46347688,750041]},"pktlen": {"min":92,"avg":92.0,"max":92,"stddev":0.0,"var":0.0,"ent":5.0,"data": [92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +02186{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":291,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1120469540839312,"flow_src_last_pkt_time":1120470161396896,"flow_dst_last_pkt_time":1120469540839312,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1592,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470161396896,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":741823,"avg":20017986.0,"max":47494748,"stddev":22627942.0,"var":512023754440704.0,"ent":3.9,"data": [746308,47494748,744583,751092,46512252,745680,46548540,1500555,45837567,749435,751083,46756478,741823,751085,45987992,749213,47479804,47268139,749384,47257959,751080,46297871,749788,46627979,750158,751078,45907667,749430,751084,46347688,750041]},"pktlen": {"min":78,"avg":78.0,"max":78,"stddev":0.0,"var":0.0,"ent":5.0,"data": [78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.275660515,4.184385777,4.229382992,4.337641239,4.229382992,4.245346546,4.229382992,4.275660515,4.299727440,4.275660515,4.292109013,4.275660515,4.337901115,4.229382992,4.229382992,4.203742027,4.250019550,4.178100586,4.229382992,4.255024433,4.194064140,4.238767147,4.229382992,4.325850487,4.194064140,4.194064140,4.264408588,4.321938515,4.255024433,4.256044388,4.229382992,3.185813189]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00910{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":293,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":76,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120469973959320,"flow_src_last_pkt_time":1120469973959320,"flow_dst_last_pkt_time":1120469973959320,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":63,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":63,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":63,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470162147971,"l3_proto":"ip4","src_ip":"192.168.130.1","dst_ip":"192.168.1.2","src_port":53,"dst_port":2741,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00766{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":293,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":75,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120469973957831,"flow_src_last_pkt_time":1120469973957831,"flow_dst_last_pkt_time":1120469973957831,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470162147971,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2741,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00741{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":293,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120469847669186,"flow_src_last_pkt_time":1120469847669186,"flow_dst_last_pkt_time":1120469847669186,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":475,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":475,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":475,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470162147971,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","l4_proto":120,"flow_datalink":1,"flow_max_packets":3} @@ -1162,7 +1162,7 @@ 01012{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":428,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":165,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120470473526171,"flow_src_last_pkt_time":1120470473526171,"flow_dst_last_pkt_time":1120470473526171,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470473526171,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"192.168.1.1","src_port":2788,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"1.0.0.127.in-addr.arpa","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":12,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00732{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":429,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":166,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1120470473527682,"flow_src_last_pkt_time":1120470473527682,"flow_dst_last_pkt_time":1120470473527682,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":71,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":71,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":71,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1120470473527682,"l3_proto":"ip4","src_ip":"192.168.1.1","dst_ip":"192.168.1.2","l4_proto":0,"flow_datalink":1,"flow_max_packets":3} 00593{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":429,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":166,"flow_packet_id":1,"flow_src_last_pkt_time":1120470473527682,"flow_dst_last_pkt_time":1120470473527682,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":105,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":105,"pkt_l4_len":71,"thread_ts_usec":1120470473527682,"pkt":"AODtAW69ADBUADRWCABFAABbAABAJXMAtz7AqAEBwKgBAgA1CuQAR5xtaumAAAABAAEAAAAAATEBMAEwAzEyNwdpbi1hZGRyBGFycGEAAAwAAcAMAAwAAQAAJxAACwlsb2NhbGhvc3Qw"} -01857{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":430,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1120469572981006,"flow_src_last_pkt_time":1120470268128176,"flow_dst_last_pkt_time":1120470473529233,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":306,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":593,"flow_dst_max_l4_payload_len":1076,"flow_src_tot_l4_payload_len":4595,"flow_dst_tot_l4_payload_len":6254,"midstream":0,"thread_ts_usec":1120470473529233,"l3_proto":"ip4","src_ip":"212.242.33.35","dst_ip":"192.168.1.2","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25935,"avg":51474044.0,"max":279041814,"stddev":59389388.0,"var":3527099352612864.0,"ent":4.2,"data": [17474795,107207461,89874891,17280679,167478647,167525220,17335822,73902652,91241081,17333170,25935,17724998,29031776,29092737,68237242,29272359,29031830,29031631,29031476,18604480,279041814,227102,15287489,17115049,32679444,257340,76383084,29031077,58063525,24495477,17375114]},"pktlen": {"min":47,"avg":381.0,"max":1118,"stddev":296.2,"var":87757.2,"ent":4.5,"data": [528,388,509,528,722,528,722,533,528,722,348,512,47,47,47,47,47,47,47,47,867,635,382,47,1118,487,377,47,47,47,480,715]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,2,0,0,1,1,0,0,0,0,0,0,4,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02256{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":430,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1120469572981006,"flow_src_last_pkt_time":1120470268128176,"flow_dst_last_pkt_time":1120470473529233,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":306,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":593,"flow_dst_max_l4_payload_len":1076,"flow_src_tot_l4_payload_len":4595,"flow_dst_tot_l4_payload_len":6254,"midstream":0,"thread_ts_usec":1120470473529233,"l3_proto":"ip4","src_ip":"212.242.33.35","dst_ip":"192.168.1.2","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25935,"avg":51474044.0,"max":279041814,"stddev":59389388.0,"var":3527099352612864.0,"ent":4.2,"data": [17474795,107207461,89874891,17280679,167478647,167525220,17335822,73902652,91241081,17333170,25935,17724998,29031776,29092737,68237242,29272359,29031830,29031631,29031476,18604480,279041814,227102,15287489,17115049,32679444,257340,76383084,29031077,58063525,24495477,17375114]},"pktlen": {"min":33,"avg":367.0,"max":1104,"stddev":296.2,"var":87757.2,"ent":4.4,"data": [514,374,495,514,708,514,708,519,514,708,334,498,33,33,33,33,33,33,33,33,853,621,368,33,1104,473,363,33,33,33,466,701]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,0,0,0,2,0,0,1,1,0,0,0,0,0,0,4,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,1,0,1,0,0,1,0,0,1,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1],"entropies": [5.828991890,5.782027245,5.782989502,5.772095203,5.761000156,1.504078388,3.362369776,2.947608709,5.765282631,4.114200115,5.769235611,3.191431999,4.098355293,4.098355293,4.098355293,4.098355293,4.098355293,4.098355293,4.098355293,4.098355293,5.808829308,5.790666103,5.744666100,4.098355293,1.549071550,5.804477692,4.601107121,4.098355293,4.037749290,4.098355293,3.348246098,2.334293365]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00201{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":431,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","layer_type":2157,"global_ts_usec":1120470473631455} 00403{"packet_event_id":1,"packet_event_name":"packet","packet_id":431,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":86,"pkt_type":2157,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":86,"pkt_l4_len":0,"thread_ts_usec":1120470473529233,"pkt":"ADBUADRWACVzVG69CG1FAABIa2IAAIARS+\/AqAECwKgBAQrlADUANLH1d+oBAAABAAAAAAAABF9zaXAEX3VkcANzaXAJY3liZXJjaXR5AmRrAAAhAAE="} 00220{"error_event_id":9,"error_event_name":"nDPI IPv4\/L4 payload detection failed","datalink":1,"packet_id":432,"source":"fuzz-2006-06-26-2594.pcap","alias":"nDPId-test","l4_data_len":498,"global_ts_usec":1120470473676412} @@ -2081,10 +2081,10 @@ ~~ total active/idle flows...: 257/257 ~~ total timeout flows.......: 2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6499006 bytes -~~ total memory freed........: 6499006 bytes -~~ total allocations/frees...: 124653/124653 +~~ total memory allocated....: 6533958 bytes +~~ total memory freed........: 6533958 bytes +~~ total allocations/frees...: 124910/124910 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 203 chars -~~ json string max len.......: 1956 chars -~~ json string avg len.......: 1079 chars +~~ json string max len.......: 2261 chars +~~ json string avg len.......: 1232 chars diff --git a/test/results/fuzz-2006-09-29-28586.pcap.out b/test/results/fuzz-2006-09-29-28586.pcap.out index f7ab00652..a895e7f22 100644 --- a/test/results/fuzz-2006-09-29-28586.pcap.out +++ b/test/results/fuzz-2006-09-29-28586.pcap.out @@ -206,9 +206,9 @@ ~~ total active/idle flows...: 39/39 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6113627 bytes -~~ total memory freed........: 6113627 bytes -~~ total allocations/frees...: 122015/122015 +~~ total memory allocated....: 6118931 bytes +~~ total memory freed........: 6118931 bytes +~~ total allocations/frees...: 122054/122054 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 204 chars ~~ json string max len.......: 2485 chars diff --git a/test/results/fuzz-2020-02-16-11740.pcap.out b/test/results/fuzz-2020-02-16-11740.pcap.out index a7d688957..c03ae4e56 100644 --- a/test/results/fuzz-2020-02-16-11740.pcap.out +++ b/test/results/fuzz-2020-02-16-11740.pcap.out @@ -94,7 +94,7 @@ 00220{"error_event_id":9,"error_event_name":"nDPI IPv4\/L4 payload detection failed","datalink":1,"packet_id":58,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","l4_data_len":284,"global_ts_usec":1528997012338586} 00714{"packet_event_id":1,"packet_event_name":"packet","packet_id":58,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":318,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":318,"pkt_l4_len":0,"thread_ts_usec":1528997012137776,"pkt":"ABRP+4rqcNuYVcUnCABFAIEw++ZAAPwRV5TG4hk1CgxAHgcUchABHA0JAicBFBsdKAWbpXDSR2MuOEvDRI4aCwAAV8gbBVNQQxpuAAABNxA0owm4HCG6PU2XNAkv\/vzDOB0KCSSyhii6vunR59O76CIKGOYjAfl7PUhdXq\/+IyUA1AERNOgzhBq9cBFTORk8iq5zOGawlRK5SmrzC9CE14BmLSTx9+rzUr5gcK7nljeTYDH3Q7JtAU4wMzExNDgwMDczNjM4MDcyQHdsYW4ubW5jNCUALm12YzMxMS4zZ3BwbmV0d29yay5vcmcsIDViMjJhNDg0L2YwOjc5OjYwOmQxOjdkOjM3LzIxNVkMOTA4NDIxMzI5MhIJU3VjY2VzcxkFU1BDTwYDAgAEUBJln13lrCrLxGDT3fIxBMmg"} 00925{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":59,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":1,"flow_first_seen":1528996603395872,"flow_src_last_pkt_time":1528996832079336,"flow_dst_last_pkt_time":1528996609592806,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":209,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":834,"flow_dst_max_l4_payload_len":105,"flow_src_tot_l4_payload_len":2009,"flow_dst_tot_l4_payload_len":105,"midstream":0,"thread_ts_usec":1528997012137776,"l3_proto":"ip4","src_ip":"10.12.64.30","dst_ip":"198.226.25.53","src_port":29200,"dst_port":1813,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Radius","proto_id":"146","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01851{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":59,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1528996068129675,"flow_src_last_pkt_time":1528997019398709,"flow_dst_last_pkt_time":1528997011828903,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":655,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":703,"flow_dst_max_l4_payload_len":276,"flow_src_tot_l4_payload_len":12258,"flow_dst_tot_l4_payload_len":2595,"midstream":0,"thread_ts_usec":1528997019398709,"l3_proto":"ip4","src_ip":"10.12.64.30","dst_ip":"198.226.25.53","src_port":29200,"dst_port":1812,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":155168,"avg":61128012.0,"max":612411195,"stddev":140850256.0,"var":19838793242640384.0,"ent":2.7,"data": [155168,452627740,595449,114837328,612411195,44261470,205164,4046522,4037802,201918,4553249,187053,43562433,202627,48502104,3244519,3442366,3335821,3536360,209147,201397,255983176,256164296,599645,6262990,492548,7309633,8000538,8015324,522347,7260933]},"pktlen": {"min":179,"avg":506.2,"max":745,"stddev":248.2,"var":61618.1,"ent":4.8,"data": [697,257,239,318,239,745,179,697,179,697,206,745,697,745,697,206,179,697,745,179,697,206,745,239,725,745,725,318,745,239,725,745]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,4,3,5,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,1,0,1,0,1,0,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Radius","proto_id":"146","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02250{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":59,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1528996068129675,"flow_src_last_pkt_time":1528997019398709,"flow_dst_last_pkt_time":1528997011828903,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":655,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":703,"flow_dst_max_l4_payload_len":276,"flow_src_tot_l4_payload_len":12258,"flow_dst_tot_l4_payload_len":2595,"midstream":0,"thread_ts_usec":1528997019398709,"l3_proto":"ip4","src_ip":"10.12.64.30","dst_ip":"198.226.25.53","src_port":29200,"dst_port":1812,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":155168,"avg":61128012.0,"max":612411195,"stddev":140850256.0,"var":19838793242640384.0,"ent":2.7,"data": [155168,452627740,595449,114837328,612411195,44261470,205164,4046522,4037802,201918,4553249,187053,43562433,202627,48502104,3244519,3442366,3335821,3536360,209147,201397,255983176,256164296,599645,6262990,492548,7309633,8000538,8015324,522347,7260933]},"pktlen": {"min":165,"avg":492.2,"max":731,"stddev":248.2,"var":61618.1,"ent":4.8,"data": [683,243,225,304,225,731,165,683,165,683,192,731,683,731,683,192,165,683,731,165,683,192,731,225,711,731,711,304,731,225,711,731]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,4,3,5,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,1,0,1,0,1,0,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,1,0,1,0,0],"entropies": [6.047428131,2.762376308,6.336006641,6.922207832,6.356189251,5.597228050,5.971614838,6.076896191,5.962701321,0.885235786,6.148619175,6.046576977,6.067515373,2.928206921,4.093657970,6.062733173,5.981721401,6.049886227,6.077444077,5.974218369,5.025151253,6.080809116,6.063514709,6.407587528,5.992080212,6.077442646,5.517450333,6.840845585,6.115455151,6.520883560,5.811926842,4.154052258]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Radius","proto_id":"146","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00199{"error_event_id":2,"error_event_name":"Unknown L3 protocol","datalink":1,"packet_id":63,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","protocol":2048,"global_ts_usec":1528997023243075} 01284{"packet_event_id":1,"packet_event_name":"packet","packet_id":63,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":745,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":745,"pkt_l4_len":0,"thread_ts_usec":1528997020091114,"pkt":"AAAMB6xAABRP+4rqCAAHAALbIOZAAP8RAAAKDEAexuIZNXIQBxQC1gAAASoCn1lLG5tNeGgoWBAiZw18BtkaCgAAV8gOBFVTGgwAAFfIDQZ3aWZpGg8AAFfICVZXSVNQUjEwGgkAADghDQMyNwZbIqSfATUwMzExNDgwMjgxNTAxNTg5QHdsYW4ubW5jNDgwLm1jYzMxMS4zZ3BwbmV0d29yay5vcmdZAxB+CDFjaXNjb4MGAAAAAR+qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqg=="} 00773{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":66,"source":"fuzz-2020-02-16-11740.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1528997023501287,"flow_src_last_pkt_time":1528997023501287,"flow_dst_last_pkt_time":1528997023501287,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":164,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":164,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":164,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1528997023501287,"l3_proto":"ip4","src_ip":"198.162.25.53","dst_ip":"10.12.64.30","src_port":1810,"dst_port":29200,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -609,10 +609,10 @@ ~~ total active/idle flows...: 79/79 ~~ total timeout flows.......: 13 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6170958 bytes -~~ total memory freed........: 6170958 bytes -~~ total allocations/frees...: 122565/122565 +~~ total memory allocated....: 6181702 bytes +~~ total memory freed........: 6181702 bytes +~~ total allocations/frees...: 122644/122644 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 204 chars -~~ json string max len.......: 1856 chars -~~ json string avg len.......: 1030 chars +~~ json string max len.......: 2255 chars +~~ json string avg len.......: 1229 chars diff --git a/test/results/genshin-impact.pcap.out b/test/results/genshin-impact.pcap.out index a006945ef..9097dfbbf 100644 --- a/test/results/genshin-impact.pcap.out +++ b/test/results/genshin-impact.pcap.out @@ -50,9 +50,9 @@ ~~ total active/idle flows...: 6/6 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6052515 bytes -~~ total memory freed........: 6052515 bytes -~~ total allocations/frees...: 121630/121630 +~~ total memory allocated....: 6053331 bytes +~~ total memory freed........: 6053331 bytes +~~ total allocations/frees...: 121636/121636 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars ~~ json string max len.......: 1055 chars diff --git a/test/results/git.pcap.out b/test/results/git.pcap.out index d55aafc42..b785bc72d 100644 --- a/test/results/git.pcap.out +++ b/test/results/git.pcap.out @@ -5,7 +5,7 @@ 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1460821630164056,"flow_dst_last_pkt_time":1460821630221958,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1460821630221958,"pkt":"PJcOZtCOnJcm0ghCCABFCAA8AABAAC8GnhAFmecVwKgATSTKu3dqwE5VfoYLRaASOJBfrwAAAgQFrAQCCAorjWmrAadIEgEDAwc="} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1460821630222020,"flow_dst_last_pkt_time":1460821630221958,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1460821630222020,"pkt":"nJcm0ghCPJcOZtCOCABFAAA0Q1dAAEAGScnAqABNBZnnFbt3JMp+hgtFasBOVoAQAB3G2AAAAQEICgGnSCArjWmr"} 00856{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821630222080,"flow_dst_last_pkt_time":1460821630221958,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":69,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":69,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1460821630222080,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}} -01708{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821630544728,"flow_dst_last_pkt_time":1460821630545903,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":527,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":605,"flow_dst_tot_l4_payload_len":19825,"midstream":0,"thread_ts_usec":1460821630545903,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":29,"avg":24597.4,"max":99851,"stddev":28614.0,"var":818762240.0,"ent":3.8,"data": [57902,57964,60,56073,43848,99851,54739,54730,537,49455,48900,45519,29,17836,63404,1849,203,2031,860,202,1063,209,208,710,439,1139,50571,205,50785,547,651]},"pktlen": {"min":66,"avg":704.9,"max":2946,"stddev":773.9,"var":598945.8,"ent":4.1,"data": [74,74,66,135,66,267,66,962,66,593,66,75,66,74,1506,66,1506,1506,66,1506,1506,66,2946,66,1506,1506,66,1506,1506,66,1506,1506]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,1,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}} +02107{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821630544728,"flow_dst_last_pkt_time":1460821630545903,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":527,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":605,"flow_dst_tot_l4_payload_len":19825,"midstream":0,"thread_ts_usec":1460821630545903,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":29,"avg":24597.4,"max":99851,"stddev":28614.0,"var":818762240.0,"ent":3.8,"data": [57902,57964,60,56073,43848,99851,54739,54730,537,49455,48900,45519,29,17836,63404,1849,203,2031,860,202,1063,209,208,710,439,1139,50571,205,50785,547,651]},"pktlen": {"min":52,"avg":690.9,"max":2932,"stddev":773.9,"var":598945.8,"ent":4.1,"data": [60,60,52,121,52,253,52,948,52,579,52,61,52,60,1492,52,1492,1492,52,1492,1492,52,2932,52,1492,1492,52,1492,1492,52,1492,1492]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,1,1,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1],"entropies": [4.739262104,5.279368877,5.115703106,5.628006458,5.195351124,5.731617451,5.115702629,4.962421417,5.154164791,5.045848370,5.195351601,5.288749218,5.233812809,5.389901161,4.890160084,5.154164791,6.262699604,7.849300385,5.154164791,7.861139297,7.866855145,5.154164791,7.887691021,5.024262905,7.851975918,7.853373528,5.154164791,7.871936798,7.800623894,5.115703106,7.834641933,7.837094784]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00906{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":90,"source":"git.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":41,"flow_dst_packets_processed":49,"flow_first_seen":1460821630164056,"flow_src_last_pkt_time":1460821631220936,"flow_dst_last_pkt_time":1460821631269756,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":527,"flow_dst_max_l4_payload_len":2880,"flow_src_tot_l4_payload_len":605,"flow_dst_tot_l4_payload_len":67444,"midstream":0,"thread_ts_usec":1460821631269756,"l3_proto":"ip4","src_ip":"192.168.0.77","dst_ip":"5.153.231.21","src_port":47991,"dst_port":9418,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Git","proto_id":"226","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":90,"source":"git.pcap","alias":"nDPId-test","packets-captured":90,"packets-processed":90,"total-skipped-flows":0,"total-l4-payload-len":68049,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1460821631269756} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038251 bytes -~~ total memory freed........: 6038251 bytes -~~ total allocations/frees...: 121577/121577 +~~ total memory allocated....: 6038387 bytes +~~ total memory freed........: 6038387 bytes +~~ total allocations/frees...: 121578/121578 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1713 chars -~~ json string avg len.......: 1042 chars +~~ json string max len.......: 2112 chars +~~ json string avg len.......: 1217 chars diff --git a/test/results/gnutella.pcap.out b/test/results/gnutella.pcap.out index 250e8aa1b..33c1e47d2 100644 --- a/test/results/gnutella.pcap.out +++ b/test/results/gnutella.pcap.out @@ -1143,10 +1143,10 @@ 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1296,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":267,"flow_packet_id":3,"flow_src_last_pkt_time":99778426,"flow_dst_last_pkt_time":90738015,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":99778426,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0Rs5AAIAGRA0KAAIPyAeb0sRzbs28TEPZAAAAAIAC+vDQzwAAAgQFtAEDAwgBAQQC"} 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1297,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":286,"flow_packet_id":3,"flow_src_last_pkt_time":99778446,"flow_dst_last_pkt_time":90745561,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":99778446,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0O4NAAIAGzRIKAAIPTG6ZscSGnFbyaQhuAAAAAIAC+vAmPAAAAgQFtAEDAwgBAQQC"} 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1298,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":266,"flow_packet_id":3,"flow_src_last_pkt_time":99778471,"flow_dst_last_pkt_time":90737440,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":99778471,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0gg9AAIAGKkQKAAIPSVn5CMRyxdmnmnGXAAAAAIAC+vCCMAAAAgQFtAEDAwgBAQQC"} -01864{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1317,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":239,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":88704875,"flow_src_last_pkt_time":100541304,"flow_dst_last_pkt_time":100658601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":10762,"midstream":0,"thread_ts_usec":100658601,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"75.133.101.93","src_port":50285,"dst_port":52367,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":68,"avg":767424.4,"max":8796467,"stddev":2113226.8,"var":4465727373312.0,"ent":2.6,"data": [111774,112031,223,580,122233,123811,1735,510239,510348,125373,7027,133055,508500,509079,643423,701863,8737919,8796467,643884,78,644721,118605,2969,121592,121581,84,121516,120907,68,120959,117511]},"pktlen": {"min":54,"avg":423.2,"max":1514,"stddev":491.7,"var":241767.6,"ent":4.1,"data": [66,58,54,653,54,666,104,54,367,54,196,437,54,82,54,463,54,100,54,1514,1066,54,654,1502,54,1514,642,54,1514,642,54,654]},"bins": {"c_to_s": [9,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +02261{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1317,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":239,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":88704875,"flow_src_last_pkt_time":100541304,"flow_dst_last_pkt_time":100658601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":10762,"midstream":0,"thread_ts_usec":100658601,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"75.133.101.93","src_port":50285,"dst_port":52367,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":68,"avg":767424.4,"max":8796467,"stddev":2113226.8,"var":4465727373312.0,"ent":2.6,"data": [111774,112031,223,580,122233,123811,1735,510239,510348,125373,7027,133055,508500,509079,643423,701863,8737919,8796467,643884,78,644721,118605,2969,121592,121581,84,121516,120907,68,120959,117511]},"pktlen": {"min":40,"avg":409.2,"max":1500,"stddev":491.7,"var":241767.6,"ent":4.1,"data": [52,44,40,639,40,652,90,40,353,40,182,423,40,68,40,449,40,86,40,1500,1052,40,640,1488,40,1500,628,40,1500,628,40,640]},"bins": {"c_to_s": [9,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1],"entropies": [4.585552692,4.823068142,4.680641651,5.822128773,4.621928692,5.725380421,5.587119579,4.671928883,7.096185207,4.621928692,6.667861462,7.368043423,4.680641651,5.340273857,4.621928692,7.401152134,4.780641556,5.582901478,4.621928692,7.849462032,7.784356117,4.730641365,7.643722534,7.861162663,4.730641365,7.864004135,7.644542217,4.680641174,7.856564045,7.631118298,4.680641174,7.673601151]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 01456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1320,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":316,"flow_packet_id":2,"flow_src_last_pkt_time":95784128,"flow_dst_last_pkt_time":100920359,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":769,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":769,"pkt_l4_len":735,"thread_ts_usec":100920359,"pkt":"CAAn5uVZUlQAEjUCCABFAALzBEAAAEARxyNeNkJSCgACD\/iVcAkC34d4LkYxAuq77b+oti7DkMaMrEQAAMACAAAGR1RLRwAA+wNHJRwgXbAuWugSpAUSxJsCHL8EXjZCUviVAQAAAAR+IhyrFEdUS0cAAOCbIyHZHrkrYnNgnMXp7j9XkbO8BG2EvGL1g1dTSFIAAPJ8p2NaB+IvDcmOjYwpnv4Dgo0cBBinyTW4skdUS0cAAPLJywhbkrobDN\/JQ6AnuEOyGSGjBLBjsBQYykdUS0cAAPdrnSa2ww\/WjIRLC1ipyWI+KDekBGjurPpb\/FdTSFIAAPUb1vVQWKsuipKs18obx69UnmxtBEftyls+9UdUS0cAAPXAlRBP9j9OpxXVbJllgFo1AUWcBFzZVBBO\/0dUS0cAAPk7PafFnhokmbg2Skj0CN9dtWlxBGDszQeH6kdUS0cAAP2LxejmjNINBLJfc3hRxQZnhG+dBK23t27qEEdUS0cAAMJCPsbCyFi2EKuhIjR8FOxLMgMMBKSEChnYBkdUS0cAAMs4SkQs8Plx39K+G3osYia2QR5gBLnsyIm8DkdUS0cAANFgvV19Qr+DjCD+VI9ncRVX3pcfBLyly75V61dTSFIAANEo391sZyCjuFpU0yy2PWYlrl8ABC1Yddsa\/UdUS0cAANCctnuhx+ItXQPhY9ykozj36PhcBGD2nH7bBkdUS0cAANY8nyC9cCseHTJEnvv8hZLF1GA+BEn6s+1RcEdUS0cAAN60b0CUs3pQ36DSdMP3NoNcDa2fBFOgjzCQrEdUS0cAAKZeyrvsa5mvejLQ38QnOIQ2zbdtBGQB54rc7ldTSFIAAKQeYlqSZYffwoHRlw8bFrfmBFSvBFQcNeGvO1dTSFIAAKr7G8iP9T\/W+jUmPMkpEJiqR57KBMvcaRtLPEdUS0cAAK10JPaTOb0hgYkPVi8cpzY7gtJoBFx1+WIan0dUS0cAALNy1PV19iuZm7NzjEzMA6wUOO22BFJALAsFSA=="} -01859{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1333,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":238,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":88704150,"flow_src_last_pkt_time":101062565,"flow_dst_last_pkt_time":101062734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":600,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1062,"flow_dst_tot_l4_payload_len":6684,"midstream":0,"thread_ts_usec":101062734,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.156.226.72","src_port":50284,"dst_port":53258,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":797322.6,"max":8218469,"stddev":1970792.9,"var":3884024594432.0,"ent":2.9,"data": [128313,128710,372,938,178629,178799,1,501219,501471,98390,140683,469376,511641,1190983,1233531,8175797,8218469,772334,828075,95677,89547,96875,110099,405396,409608,95445,89124,2830,63380,645,642]},"pktlen": {"min":54,"avg":296.6,"max":1078,"stddev":381.8,"var":145784.6,"ent":4.0,"data": [66,58,54,654,54,682,104,54,367,54,588,54,82,54,456,54,100,54,1078,54,1078,54,1078,54,1078,54,1078,54,69,54,64,54]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} -01821{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1370,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":288,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90745963,"flow_src_last_pkt_time":101065402,"flow_dst_last_pkt_time":101065057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":601,"flow_dst_max_l4_payload_len":628,"flow_src_tot_l4_payload_len":1115,"flow_dst_tot_l4_payload_len":1487,"midstream":0,"thread_ts_usec":101065402,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.238.172.250","src_port":50312,"dst_port":23548,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":346,"avg":665759.1,"max":8692014,"stddev":2110974.0,"var":4456211546112.0,"ent":1.9,"data": [30928,31210,439,818,29157,31647,2471,501745,502012,17074,17362,35097,479690,480352,544167,592641,8643736,8692014,619,570,563,598,427,387,461,428,346,360,379,396,439]},"pktlen": {"min":54,"avg":135.8,"max":682,"stddev":170.0,"var":28912.7,"ent":4.2,"data": [66,58,54,655,54,682,104,54,367,54,196,384,54,81,54,441,54,108,54,64,54,64,54,64,54,64,54,64,54,64,54,64]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +02256{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1333,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":238,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":88704150,"flow_src_last_pkt_time":101062565,"flow_dst_last_pkt_time":101062734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":600,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1062,"flow_dst_tot_l4_payload_len":6684,"midstream":0,"thread_ts_usec":101062734,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.156.226.72","src_port":50284,"dst_port":53258,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":797322.6,"max":8218469,"stddev":1970792.9,"var":3884024594432.0,"ent":2.9,"data": [128313,128710,372,938,178629,178799,1,501219,501471,98390,140683,469376,511641,1190983,1233531,8175797,8218469,772334,828075,95677,89547,96875,110099,405396,409608,95445,89124,2830,63380,645,642]},"pktlen": {"min":40,"avg":282.6,"max":1064,"stddev":381.8,"var":145784.6,"ent":3.9,"data": [52,44,40,640,40,668,90,40,353,40,574,40,68,40,442,40,86,40,1064,40,1064,40,1064,40,1064,40,1064,40,55,40,50,40]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,0,1,0,1],"entropies": [4.662476063,4.732159138,4.630641460,5.806861401,4.521928787,5.724582195,5.627513409,4.621928692,7.193869114,4.621928692,7.467946053,4.730641842,5.399097443,4.571928978,7.330091953,4.730641365,5.719189644,4.621928692,7.801183701,4.730641365,7.783223152,4.680641174,7.789729118,4.730641365,7.787688255,4.730641365,7.814134598,4.680641651,4.944017887,4.621928692,4.859469414,4.621928692]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +02218{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1370,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":288,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90745963,"flow_src_last_pkt_time":101065402,"flow_dst_last_pkt_time":101065057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":601,"flow_dst_max_l4_payload_len":628,"flow_src_tot_l4_payload_len":1115,"flow_dst_tot_l4_payload_len":1487,"midstream":0,"thread_ts_usec":101065402,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"104.238.172.250","src_port":50312,"dst_port":23548,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":346,"avg":665759.1,"max":8692014,"stddev":2110974.0,"var":4456211546112.0,"ent":1.9,"data": [30928,31210,439,818,29157,31647,2471,501745,502012,17074,17362,35097,479690,480352,544167,592641,8643736,8692014,619,570,563,598,427,387,461,428,346,360,379,396,439]},"pktlen": {"min":40,"avg":121.8,"max":668,"stddev":170.0,"var":28912.7,"ent":4.1,"data": [52,44,40,641,40,668,90,40,353,40,182,370,40,67,40,427,40,94,40,50,40,50,40,50,40,50,40,50,40,50,40,50]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,1,0,0,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [4.492582321,4.720129013,4.521928787,5.809185505,4.508695602,5.773917675,5.619303703,4.558695793,7.143177032,4.389823914,6.687948704,7.327623844,4.671928406,5.289166927,4.558695793,7.411965370,4.621928692,5.812307358,4.489823818,4.722780704,4.489823818,4.682780743,4.489823818,4.722780704,4.489823818,4.722780704,4.439823627,4.722780704,4.489823818,4.722780704,4.489823818,4.642780781]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 00732{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1450,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":328,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":101122346,"flow_src_last_pkt_time":101122346,"flow_dst_last_pkt_time":101122346,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":81,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":81,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":101122346,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"203.220.105.27","src_port":28681,"dst_port":19260,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1450,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":328,"flow_packet_id":1,"flow_src_last_pkt_time":101122346,"flow_dst_last_pkt_time":101122346,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":101122346,"pkt":"UlQAEjUCCAAn5uVZCABFAABt2AwAAIARIW0KAAIPy9xpG3AJSzwAWVR20YMxAsOjfW6uj7unlpr730QAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAAONVJKmT8c3egN9Xa0CwzKQP3iGM"} 00972{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1450,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":328,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":101122346,"flow_src_last_pkt_time":101122346,"flow_dst_last_pkt_time":101122346,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":81,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":81,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":101122346,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"203.220.105.27","src_port":28681,"dst_port":19260,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} @@ -1221,8 +1221,8 @@ 00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2009,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":311,"flow_packet_id":3,"flow_src_last_pkt_time":116916595,"flow_dst_last_pkt_time":95753158,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":116916595,"pkt":"UlQAEjUCCAAn5uVZCABFAABtSkYAAIARukQKAAIPbYS8YnAJ9YMAWSTZAPYxAt0gaIFrQZ34NDjR2kQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAACidCo0G3v\/IJjwziXwskXn9hKth"} 00587{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2010,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":317,"flow_packet_id":3,"flow_src_last_pkt_time":116942486,"flow_dst_last_pkt_time":95892313,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":116942486,"pkt":"UlQAEjUCCAAn5uVZCABFAABtkeQAAIARbpkKAAIPYOzNB3AJh+oAWWt89cIxAlSvaqi63PpUHKTx3UQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAACidCo0G3v\/IJjwziXwskXn9hKth"} 00589{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2012,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":316,"flow_packet_id":3,"flow_src_last_pkt_time":116952656,"flow_dst_last_pkt_time":100920359,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":116952656,"pkt":"UlQAEjUCCAAn5uVZCABFAABtMigAAIARW8EKAAIPXjZCUnAJ+JUAWdgAXr4xAg\/r1cFsj19qlWaDPkQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAACidCo0G3v\/IJjwziXwskXn9hKth"} -02078{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":333,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":114930255,"flow_src_last_pkt_time":119175893,"flow_dst_last_pkt_time":120208521,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":533,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":533,"flow_dst_tot_l4_payload_len":25332,"midstream":0,"thread_ts_usec":120208521,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"69.118.162.229","src_port":50327,"dst_port":46906,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":307222.7,"max":1138736,"stddev":463516.9,"var":214847930368.0,"ent":3.3,"data": [108990,109470,822,1560,1123233,14904,1138736,509,4088,37,4418,993404,175,19,291,993807,142,988894,159,41,989074,4759,4845,1004141,96,26,62,1004324,1027632,5162,84]},"pktlen": {"min":54,"avg":862.8,"max":1514,"stddev":665.4,"var":442787.6,"ent":4.4,"data": [66,58,54,587,54,848,1514,54,1514,1514,118,54,1514,1514,1514,912,54,54,1514,1514,1514,54,912,54,1514,1514,1514,912,54,1514,1514,1514]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0,1,1,1,0,1,0,1,1,1,1,0,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} -01862{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2072,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":276,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90742816,"flow_src_last_pkt_time":121143186,"flow_dst_last_pkt_time":117002254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1696,"flow_dst_tot_l4_payload_len":3374,"midstream":0,"thread_ts_usec":121143186,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"188.61.52.183","src_port":50300,"dst_port":11852,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":1827735.8,"max":13801588,"stddev":3934254.5,"var":15478358540288.0,"ent":2.8,"data": [17190,17418,3506,3946,14197,14999,687,2797,2855,25798,49,26144,8990,9323,15893,71757,495574,483536,221196,265159,15579,77266,487598,467678,9468962,9510672,13760964,13801588,1593559,1633954,4140974]},"pktlen": {"min":54,"avg":212.9,"max":1514,"stddev":294.0,"var":86413.1,"ent":4.1,"data": [66,58,54,653,54,713,125,54,318,54,1514,194,54,180,54,105,54,233,54,418,54,401,54,521,54,129,54,125,54,190,54,115]},"bins": {"c_to_s": [8,1,2,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,1,0,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +02477{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":333,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":114930255,"flow_src_last_pkt_time":119175893,"flow_dst_last_pkt_time":120208521,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":533,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":533,"flow_dst_tot_l4_payload_len":25332,"midstream":0,"thread_ts_usec":120208521,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"69.118.162.229","src_port":50327,"dst_port":46906,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":307222.7,"max":1138736,"stddev":463516.9,"var":214847930368.0,"ent":3.3,"data": [108990,109470,822,1560,1123233,14904,1138736,509,4088,37,4418,993404,175,19,291,993807,142,988894,159,41,989074,4759,4845,1004141,96,26,62,1004324,1027632,5162,84]},"pktlen": {"min":40,"avg":848.8,"max":1500,"stddev":665.4,"var":442787.6,"ent":4.4,"data": [52,44,40,573,40,834,1500,40,1500,1500,104,40,1500,1500,1500,898,40,40,1500,1500,1500,40,898,40,1500,1500,1500,898,40,1500,1500,1500]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,1,0,1,1,1,1,0,0,1,1,1,0,1,0,1,1,1,1,0,1,1,1],"entropies": [4.609497547,4.578639030,4.630641460,5.871806145,4.521928787,5.952865124,0.550871491,4.780641079,0.258170635,0.344010741,2.390491486,4.730641365,0.581234336,0.509969771,0.584714293,5.567255974,4.730641365,4.780641079,7.829332829,7.753004074,7.739068508,4.630640984,7.696638107,4.680641174,7.725103855,7.755664349,7.761345387,7.697982311,4.780641079,7.769303799,7.739727497,7.769325733]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} +02260{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2072,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":276,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":90742816,"flow_src_last_pkt_time":121143186,"flow_dst_last_pkt_time":117002254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":599,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1696,"flow_dst_tot_l4_payload_len":3374,"midstream":0,"thread_ts_usec":121143186,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"188.61.52.183","src_port":50300,"dst_port":11852,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":1827735.8,"max":13801588,"stddev":3934254.5,"var":15478358540288.0,"ent":2.8,"data": [17190,17418,3506,3946,14197,14999,687,2797,2855,25798,49,26144,8990,9323,15893,71757,495574,483536,221196,265159,15579,77266,487598,467678,9468962,9510672,13760964,13801588,1593559,1633954,4140974]},"pktlen": {"min":40,"avg":198.9,"max":1500,"stddev":294.0,"var":86413.1,"ent":4.0,"data": [52,44,40,639,40,699,111,40,304,40,1500,180,40,166,40,91,40,219,40,404,40,387,40,507,40,115,40,111,40,176,40,101]},"bins": {"c_to_s": [8,1,2,1,1,0,0,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,1,0,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0],"entropies": [4.624014378,4.823068142,4.780641079,5.806199551,4.621928692,5.719610691,5.576837540,4.671928883,5.283092022,4.671928883,7.655467510,6.721651554,4.721928596,6.328861237,4.558695793,5.166602612,4.830641270,6.855683327,4.780641556,7.482919216,4.671928883,7.395811558,4.730640888,7.500388622,4.830641270,5.985765934,4.621928692,5.830484867,4.830641270,6.691635132,4.621928692,5.872485161]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 00729{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2082,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":134,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":72852470,"flow_src_last_pkt_time":72852470,"flow_dst_last_pkt_time":72852470,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":121253102,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"78.231.73.14","src_port":28681,"dst_port":6346,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00731{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2082,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":128,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":72850420,"flow_src_last_pkt_time":72850420,"flow_dst_last_pkt_time":72850420,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":121253102,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"77.141.219.27","src_port":28681,"dst_port":37580,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00728{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2082,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":114,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":71540581,"flow_src_last_pkt_time":71540581,"flow_dst_last_pkt_time":71540581,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":121253102,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"86.23.75.69","src_port":28681,"dst_port":6346,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -1312,7 +1312,7 @@ 00588{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2125,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":344,"flow_packet_id":1,"flow_src_last_pkt_time":124090730,"flow_dst_last_pkt_time":124090730,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":123,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":123,"pkt_l4_len":89,"thread_ts_usec":124090730,"pkt":"UlQAEjUCCAAn5uVZCABFAABtN+oAAIARg3wKAAIPzyaj5HAJGnoAWUl8GqIxAsDHb8ARC\/TCVyKtTkQAADoAAAAFR1RLRwAAKJ0KjQbe\/8gmPDOJfCyRef2Eq2EEXS\/iNXAJAQEAAIek2ZxoyMuuDPvZIwnux4CwuAqS"} 00971{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2125,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":344,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":124090730,"flow_src_last_pkt_time":124090730,"flow_dst_last_pkt_time":124090730,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":81,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":81,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":124090730,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"207.38.163.228","src_port":28681,"dst_port":6778,"l4_proto":"udp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 01460{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2126,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":340,"flow_packet_id":2,"flow_src_last_pkt_time":124066131,"flow_dst_last_pkt_time":124181723,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":769,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":769,"pkt_l4_len":735,"thread_ts_usec":124181723,"pkt":"CAAn5uVZUlQAEjUCCABFAALzBkkAAEARxyomjnfqCgACD8JEcAkC3z99SEIxAiBrw4qXLe42xzCJ9UQAAMACAAAGR1RLRwAAjVz9Bf0jf1LZ5zMd\/xsbFCoGHdIEJo536sJEAQAAAAT9X3JyFEdUS0cAAIQFsf+Bv2njsZMOcK5XBzk5Qq3rBN3GzcRRKkdUS0cAAIPPdMtTw3ywAQrcKHskULaFt8T9BFd7NurTckdUS0cAAIBDDfCNVDqFgBWTNBe\/R1a2V7AXBLm7Sq3Q8VdTSFIAAIsML3baZ9qjEzov01XuwUWPp8CvBBiB6TxOFldTSFIAAIgInuBYn2DWNYTpgSOhE3nGOSSqBGLQGpoTgldTSFIAAJMpLUy99S6l5+o3G\/7HZbY0zUPGBFnUW5sUS1NOT1cAAJJLJdecP9uDvZhuUeP7MwcedtuWBM8mo+QaekdUS0cAAJ6Xxzbx1oA8a67zMFTEYzHds+ukBEziVWkYyldTSFIAAJ7Bez1ZQQgPxovuLAykgS8CMrDdBLAKqQox\/0dUS0cAAJp\/6ofTpH0Z7c9sfONgy\/6jjg5ZBFTFYV4FUFdTSFIAAJgFqYyWS9v2Yq4KyYrmzTVJWc5SBGP6\/WMuK0dUS0cAAKZeyrvsa5mvejLQ38QnOIQ2zbdtBGQB54rc7ldTSFIAAKQeYlqSZYffwoHRlw8bFrfmBFSvBFQcNeGvO0dUS0cAAK10JPaTOb0hgYkPVi8cpzY7gtJoBFx1+WIan1dTSFIAAKr7G8iP9T\/W+jUmPMkpEJiqR57KBMvcaRtLPEdUS0cAALd6AZ7svQKtiRxAHRTzpxSemu\/LBNXlb+ATDEdUS0cAALSr6ArQaneMzMJ81PWuqjO12gqLBLV2NdR1LkdUS0cAALNy1PV19iuZm7NzjEzMA6wUOO22BFJALAsFSEdUS0cAALFbZ+HgSIrho0RaGRNTd1qTgMZFBC0fmHBo40dUS0cAAL1cZVAaZZhJTOPlkpw6jfT8aYRtBD\/kr6kHkA=="} -02110{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2138,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":334,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":114930776,"flow_src_last_pkt_time":123432179,"flow_dst_last_pkt_time":124445371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":538,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":538,"flow_dst_tot_l4_payload_len":22968,"midstream":0,"thread_ts_usec":124445371,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"189.147.72.83","src_port":50328,"dst_port":26108,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":42,"avg":581161.2,"max":1214808,"stddev":505873.5,"var":255907954688.0,"ent":4.2,"data": [193649,195345,1788,3675,1208824,5559,69,1214808,993314,122,993548,1040345,116,1040488,1001310,128,1001514,998194,120,998177,1008259,218,1008532,1046807,141,1046873,1000209,118,1000330,1013376,42]},"pktlen": {"min":54,"avg":789.1,"max":1514,"stddev":623.9,"var":389219.0,"ent":4.4,"data": [66,58,54,592,54,860,1514,340,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146,54,1514,1146]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} +02509{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2138,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":334,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":114930776,"flow_src_last_pkt_time":123432179,"flow_dst_last_pkt_time":124445371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":538,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":538,"flow_dst_tot_l4_payload_len":22968,"midstream":0,"thread_ts_usec":124445371,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"189.147.72.83","src_port":50328,"dst_port":26108,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":42,"avg":581161.2,"max":1214808,"stddev":505873.5,"var":255907954688.0,"ent":4.2,"data": [193649,195345,1788,3675,1208824,5559,69,1214808,993314,122,993548,1040345,116,1040488,1001310,128,1001514,998194,120,998177,1008259,218,1008532,1046807,141,1046873,1000209,118,1000330,1013376,42]},"pktlen": {"min":40,"avg":775.1,"max":1500,"stddev":623.9,"var":389219.0,"ent":4.4,"data": [52,44,40,578,40,846,1500,326,40,1500,1132,40,1500,1132,40,1500,1132,40,1500,1132,40,1500,1132,40,1500,1132,40,1500,1132,40,1500,1132]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1],"entropies": [4.624014378,4.777613640,4.730640888,5.858736038,4.571928978,5.938837528,7.826196671,7.250766277,4.730641365,7.843273640,7.780950546,4.780641079,7.843047142,7.798923969,4.780641079,7.867131710,7.830142498,4.671928406,7.858473778,7.796208858,4.780641079,7.826694965,7.757758141,4.730641365,7.853250504,7.817744732,4.780641079,7.872528076,7.809401989,4.780641079,7.820863247,7.791663170]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"HTTP.Gnutella","proto_id":"7.35","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} 00730{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2164,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":345,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":126831784,"flow_src_last_pkt_time":126831784,"flow_dst_last_pkt_time":126831784,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":126831784,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"69.118.162.229","src_port":50330,"dst_port":46906,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2164,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":345,"flow_packet_id":1,"flow_src_last_pkt_time":126831784,"flow_dst_last_pkt_time":126831784,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":126831784,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0bCBAAIAGmjkKAAIPRXai5cSatzq0d6IdAAAAAIAC+vCtSgAAAgQFtAEDAwgBAQQC"} 00503{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2165,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":345,"flow_packet_id":2,"flow_src_last_pkt_time":126831784,"flow_dst_last_pkt_time":126943376,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":126943376,"pkt":"CAAn5uVZUlQAEjUCCABFAAAsBmMAAEAGf\/9FdqLlCgACD7c6xJoBCaABtHeiHmAS\/\/8wNgAAAgQFtA=="} @@ -1428,7 +1428,7 @@ 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2265,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":114,"flow_packet_id":2,"flow_src_last_pkt_time":131673544,"flow_dst_last_pkt_time":71540581,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":131673544,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0Wk0AAIARMwEKAAIPVhdLRXAJGMoAIGjuR05EED8SAQFUC1FLUlAGUk5BXS\/iNQlw"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2266,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":157,"flow_packet_id":2,"flow_src_last_pkt_time":131673716,"flow_dst_last_pkt_time":82058208,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":131673716,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0rD4AAIARiPIKAAIPVuOilnAJGMoAIBDQR05EED8TAQFUC1FLUlAGUk5BXS\/iNQlw"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2267,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":111,"flow_packet_id":2,"flow_src_last_pkt_time":131673854,"flow_dst_last_pkt_time":71540138,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":131673854,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0JF4AAIARIm4KAAIPWkGNnXAJGMoAICJqR05EED8UAQFUC1FLUlAGUk5BXS\/iNQlw"} -01878{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2277,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":93,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":71205274,"flow_src_last_pkt_time":117002547,"flow_dst_last_pkt_time":132821508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":304,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":705,"flow_dst_tot_l4_payload_len":2420,"midstream":0,"thread_ts_usec":132821508,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"109.214.154.216","src_port":50248,"dst_port":6346,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1091,"avg":3464951.8,"max":22684647,"stddev":6255594.5,"var":39132462055424.0,"ent":3.3,"data": [399865,400165,2576,3065,879170,880284,1091,343284,15848,359592,3003,2180,5087,145122,145627,10048654,10048652,469496,2676,472723,3557750,3604090,6175326,6222212,413766,464528,22633783,22684647,605343,604983,15818919]},"pktlen": {"min":54,"avg":152.2,"max":1078,"stddev":217.4,"var":47264.8,"ent":4.2,"data": [66,58,54,358,54,337,157,54,132,776,54,67,72,54,163,54,118,54,1078,59,54,136,54,84,54,227,54,66,54,137,54,76]},"bins": {"c_to_s": [9,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,2,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,1,1,0,0,1,0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +02277{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2277,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":93,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":71205274,"flow_src_last_pkt_time":117002547,"flow_dst_last_pkt_time":132821508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":304,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":705,"flow_dst_tot_l4_payload_len":2420,"midstream":0,"thread_ts_usec":132821508,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"109.214.154.216","src_port":50248,"dst_port":6346,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1091,"avg":3464951.8,"max":22684647,"stddev":6255594.5,"var":39132462055424.0,"ent":3.3,"data": [399865,400165,2576,3065,879170,880284,1091,343284,15848,359592,3003,2180,5087,145122,145627,10048654,10048652,469496,2676,472723,3557750,3604090,6175326,6222212,413766,464528,22633783,22684647,605343,604983,15818919]},"pktlen": {"min":40,"avg":138.2,"max":1064,"stddev":217.4,"var":47264.8,"ent":4.0,"data": [52,44,40,344,40,323,143,40,118,762,40,53,58,40,149,40,104,40,1064,45,40,122,40,70,40,213,40,52,40,123,40,62]},"bins": {"c_to_s": [9,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,2,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,1,1,0,0,1,0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1],"entropies": [4.638531685,4.760457039,4.611769199,5.768550396,4.503056526,5.575543404,5.615631580,4.553056717,5.640929699,7.709812641,4.680641174,4.708038807,4.874885082,4.592897415,6.317804813,4.453056812,5.923436165,4.453056812,7.776337624,4.335103989,4.830641270,6.163827896,4.780641556,5.454720020,4.621928692,6.573338509,4.730640888,4.776329994,4.621928692,6.159438610,4.571928978,4.925578117]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 00733{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2280,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":353,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":132831233,"flow_src_last_pkt_time":132831233,"flow_dst_last_pkt_time":132831233,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":132831233,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"195.181.151.217","src_port":28681,"dst_port":25282,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2280,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":353,"flow_packet_id":1,"flow_src_last_pkt_time":132831233,"flow_dst_last_pkt_time":132831233,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":132831233,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0BqoAAIARzHEKAAIPw7WX2XAJYsIAIGTAR05EED8VAQFUC1FLUlAGUk5BXS\/iNQlw"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2281,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":138,"flow_packet_id":2,"flow_src_last_pkt_time":132831544,"flow_dst_last_pkt_time":72853189,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":132831544,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0jJMAAIARUAgKAAIPp3KqnHAJXSQAIHPdR05EED8WAQFUC1FLUlAGUk5BXS\/iNQlw"} @@ -1743,7 +1743,7 @@ 00731{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2959,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":158,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":82058413,"flow_src_last_pkt_time":82058413,"flow_dst_last_pkt_time":82058413,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":181645126,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"118.166.226.70","src_port":28681,"dst_port":6346,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00731{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2959,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":204,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":82065556,"flow_src_last_pkt_time":82065556,"flow_dst_last_pkt_time":82065556,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":181645126,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"84.126.240.32","src_port":28681,"dst_port":45313,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00731{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2959,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":202,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":82065172,"flow_src_last_pkt_time":82065172,"flow_dst_last_pkt_time":82065172,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":181645126,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"176.134.139.39","src_port":28681,"dst_port":6346,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} -01886{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3028,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":94,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":71205609,"flow_src_last_pkt_time":187576304,"flow_dst_last_pkt_time":187064352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":713,"flow_dst_tot_l4_payload_len":3012,"midstream":0,"thread_ts_usec":187576304,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"86.208.180.181","src_port":50249,"dst_port":45883,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":276,"avg":7491272.5,"max":55455380,"stddev":14262251.0,"var":203411798622208.0,"ent":3.2,"data": [106993,107336,276,805,178388,179820,1439,41004,98031,375723,432936,10046845,10046768,42293,94463,6595038,6594815,3591919,3643921,39217,93460,24009088,24063297,605105,604823,14641110,23768,14665256,55396943,55455380,453178]},"pktlen": {"min":54,"avg":170.9,"max":1119,"stddev":244.6,"var":59812.5,"ent":4.1,"data": [66,58,54,357,54,337,157,54,926,54,163,54,118,54,1119,54,214,54,84,54,203,54,66,54,137,54,78,503,54,64,54,63]},"bins": {"c_to_s": [11,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,0,0,1,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,0,0]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} +02285{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3028,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":94,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":71205609,"flow_src_last_pkt_time":187576304,"flow_dst_last_pkt_time":187064352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":713,"flow_dst_tot_l4_payload_len":3012,"midstream":0,"thread_ts_usec":187576304,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"86.208.180.181","src_port":50249,"dst_port":45883,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":276,"avg":7491272.5,"max":55455380,"stddev":14262251.0,"var":203411798622208.0,"ent":3.2,"data": [106993,107336,276,805,178388,179820,1439,41004,98031,375723,432936,10046845,10046768,42293,94463,6595038,6594815,3591919,3643921,39217,93460,24009088,24063297,605105,604823,14641110,23768,14665256,55396943,55455380,453178]},"pktlen": {"min":40,"avg":156.9,"max":1105,"stddev":244.6,"var":59812.5,"ent":4.0,"data": [52,44,40,343,40,323,143,40,912,40,149,40,104,40,1105,40,200,40,70,40,189,40,52,40,123,40,64,489,40,50,40,49]},"bins": {"c_to_s": [11,0,2,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,0,0,1,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,0,0],"entropies": [4.624014378,4.624093533,4.730641365,5.758390427,4.553056717,5.558244705,5.696007252,4.621928692,7.730160713,4.830641270,6.349717140,4.521929264,5.981128693,4.571928978,7.767892838,4.780641556,6.727245331,4.730641365,5.454720020,4.603056908,6.642654419,4.780641079,4.853253365,4.671928883,6.256999493,4.671928883,5.061660290,7.508594036,4.830641270,4.642780781,4.780641556,4.618614674]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Gnutella","proto_id":"35","encrypted":0,"breed":"Potentially Dangerous","category_id":7,"category":"Download"}} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3065,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":116,"flow_packet_id":2,"flow_src_last_pkt_time":191700213,"flow_dst_last_pkt_time":71540796,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":191700213,"pkt":"UlQAEjUCCAAn5uVZCABFAAA00HEAAIARI3sKAAIPfCy+kXAJJ7oAIMCGR05EED8oAQFUC1FLUlAGUk5BXS\/iNQlw"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3066,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":187,"flow_packet_id":2,"flow_src_last_pkt_time":191700445,"flow_dst_last_pkt_time":82062863,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":191700445,"pkt":"UlQAEjUCCAAn5uVZCABFAAA0uoEAAIARu5gKAAIPXFhcOHAJUhEAIBhcR05EED8pAQFUC1FLUlAGUk5BXS\/iNQlw"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3067,"source":"gnutella.pcap","alias":"nDPId-test","flow_id":209,"flow_packet_id":3,"flow_src_last_pkt_time":191700671,"flow_dst_last_pkt_time":82066425,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":191700671,"pkt":"UlQAEjUCCAAn5uVZCABFAAA06UYAAIARhsYKAAIPW7Ni6nAJGMoAIEuVR05EED8qAQFUC1FLUlAGUk5BXS\/iNQlw"} @@ -6532,10 +6532,10 @@ ~~ total active/idle flows...: 801/801 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 7669082 bytes -~~ total memory freed........: 7669082 bytes -~~ total allocations/frees...: 137208/137208 +~~ total memory allocated....: 7778018 bytes +~~ total memory freed........: 7778018 bytes +~~ total allocations/frees...: 138009/138009 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 180 chars -~~ json string max len.......: 2115 chars -~~ json string avg len.......: 1147 chars +~~ json string max len.......: 2514 chars +~~ json string avg len.......: 1347 chars diff --git a/test/results/google_ssl.pcap.out b/test/results/google_ssl.pcap.out index 0abe8a0ad..0c11683c3 100644 --- a/test/results/google_ssl.pcap.out +++ b/test/results/google_ssl.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038501 bytes -~~ total memory freed........: 6038501 bytes -~~ total allocations/frees...: 121516/121516 +~~ total memory allocated....: 6038637 bytes +~~ total memory freed........: 6038637 bytes +~~ total allocations/frees...: 121517/121517 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 892 chars diff --git a/test/results/googledns_android10.pcap.out b/test/results/googledns_android10.pcap.out index 9de6efd9c..baa53794f 100644 --- a/test/results/googledns_android10.pcap.out +++ b/test/results/googledns_android10.pcap.out @@ -25,7 +25,7 @@ 01167{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":47,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552826051495,"flow_dst_last_pkt_time":1592552826049329,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552826051495,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":52,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552826051495,"flow_dst_last_pkt_time":1592552826080321,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1592552826080321,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01628{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":53,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552826051495,"flow_dst_last_pkt_time":1592552826081468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":2836,"midstream":0,"thread_ts_usec":1592552826081468,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}} -01876{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":80,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552827147738,"flow_dst_last_pkt_time":1592552827146388,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592552827147738,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":99,"avg":71648.9,"max":447414,"stddev":121761.7,"var":14825912320.0,"ent":3.5,"data": [12824,14641,349,14827,16165,1147,99,31089,1039,512,12517,28602,36858,41216,19219,12546,6221,5033,24265,307087,326211,13788,74283,386701,447414,5048,23824,155667,173706,5036,23182]},"pktlen": {"min":66,"avg":282.2,"max":1484,"stddev":356.7,"var":127227.7,"ent":4.2,"data": [74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,225,565,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66]},"bins": {"c_to_s": [9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +02275{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":80,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552826036505,"flow_src_last_pkt_time":1592552827147738,"flow_dst_last_pkt_time":1592552827146388,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592552827147738,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48048,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":99,"avg":71648.9,"max":447414,"stddev":121761.7,"var":14825912320.0,"ent":3.5,"data": [12824,14641,349,14827,16165,1147,99,31089,1039,512,12517,28602,36858,41216,19219,12546,6221,5033,24265,307087,326211,13788,74283,386701,447414,5048,23824,155667,173706,5036,23182]},"pktlen": {"min":52,"avg":268.2,"max":1470,"stddev":356.7,"var":127227.7,"ent":4.1,"data": [60,60,52,206,52,1470,1470,291,52,52,52,145,344,211,52,211,551,52,551,52,211,52,551,52,211,52,551,52,211,52,551,52]},"bins": {"c_to_s": [9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,0,1,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0],"entropies": [4.326680183,5.023234367,4.955651283,5.448351860,4.985801220,7.066713810,7.519642353,7.136388302,5.063529015,5.025067329,5.063529015,6.146316528,7.108041286,6.700643539,4.985801220,6.774869442,7.568095207,4.947339535,7.581867695,5.078046322,6.760867119,5.062724590,7.546683311,5.078046322,6.761339188,4.972088814,7.559946537,5.078046322,6.814634323,4.964581966,7.566140175,5.078046322]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00731{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552827426405,"flow_dst_last_pkt_time":1592552827426405,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552827426405,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3} 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1592552827426405,"flow_dst_last_pkt_time":1592552827426405,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":98,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":98,"pkt_l4_len":64,"thread_ts_usec":1592552827426405,"pkt":"EBMx8Tl2ag\/ahpuQCABFAABUl9BAAEAB0IHAqAGfCAgICAgA4JUAAgABem3sXgAAAADqxwcAAAAAABAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc="} 00856{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":81,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552827426405,"flow_dst_last_pkt_time":1592552827426405,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552827426405,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":5.297900}} @@ -41,7 +41,7 @@ 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1592552878563796,"flow_dst_last_pkt_time":1592552878562423,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1592552878563796,"pkt":"EBMx8Tl2ag\/ahpuQCABFAAA0PO9AAEAGL4LAqAGfCAgEBLviA1WhETzKd2wcRoAQAVeSlgAAAQEICgAAACw7E6h3"} 01168{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":162,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552878564695,"flow_dst_last_pkt_time":1592552878562423,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592552878564695,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"b734f75d22aaff9866fbd5d27eef9106","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01226{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":164,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552878564695,"flow_dst_last_pkt_time":1592552878577421,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":147,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":147,"midstream":0,"thread_ts_usec":1592552878577421,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"b734f75d22aaff9866fbd5d27eef9106","ja3s":"1249fb68f48c0444718e4d3b48b27188","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} -01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552881411235,"flow_dst_last_pkt_time":1592552881429656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":499,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":3141,"midstream":0,"thread_ts_usec":1592552881429656,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":79,"avg":185210.9,"max":1253719,"stddev":341703.1,"var":116761001984.0,"ent":3.2,"data": [12746,14119,899,14919,79,14194,1137,19603,19131,13753,1318,58447,651251,714961,3808,23304,1234142,1253719,12532,32716,484043,503710,3783,30780,265369,292430,20267,12603,11759,7400,12615]},"pktlen": {"min":66,"avg":212.2,"max":583,"stddev":197.9,"var":39161.3,"ent":4.4,"data": [74,74,66,583,66,213,66,117,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,565,66,225,66,225,565,66,66,565]},"bins": {"c_to_s": [8,1,0,0,6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +02280{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":190,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552881411235,"flow_dst_last_pkt_time":1592552881429656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":499,"flow_src_tot_l4_payload_len":1522,"flow_dst_tot_l4_payload_len":3141,"midstream":0,"thread_ts_usec":1592552881429656,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":79,"avg":185210.9,"max":1253719,"stddev":341703.1,"var":116761001984.0,"ent":3.2,"data": [12746,14119,899,14919,79,14194,1137,19603,19131,13753,1318,58447,651251,714961,3808,23304,1234142,1253719,12532,32716,484043,503710,3783,30780,265369,292430,20267,12603,11759,7400,12615]},"pktlen": {"min":52,"avg":198.2,"max":569,"stddev":197.9,"var":39161.3,"ent":4.4,"data": [60,60,52,569,52,199,52,103,52,211,52,551,52,211,52,551,52,211,52,551,52,211,52,551,52,211,52,211,551,52,52,551]},"bins": {"c_to_s": [8,1,0,0,6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,1,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,1],"entropies": [4.235814571,4.852156162,4.801308155,6.238618374,4.739399433,6.089945793,4.839769840,5.473562241,4.801805496,6.831297874,4.671903133,7.530720711,4.839769840,6.775491714,4.763343334,7.509344101,4.801308155,6.680355549,4.891996861,7.580490112,4.947339535,6.744199276,4.770353794,7.577538013,4.860989094,6.758264065,4.878231525,6.768933296,7.616032600,4.884933472,4.916693211,7.554844856]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00883{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":251,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552828402579,"flow_dst_last_pkt_time":1592552828415412,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":128,"midstream":0,"thread_ts_usec":1592552910946566,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00881{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":277,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1592552827426405,"flow_src_last_pkt_time":1592552828402579,"flow_dst_last_pkt_time":1592552828415412,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":128,"midstream":0,"thread_ts_usec":1592552955542932,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.8.8","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00884{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":277,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":1,"flow_first_seen":1592552824409182,"flow_src_last_pkt_time":1592552826207745,"flow_dst_last_pkt_time":1592552826208808,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1592552955542932,"l3_proto":"ip4","src_ip":"8.8.8.8","dst_ip":"192.168.1.159","src_port":853,"dst_port":55856,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"DoH_DoT.Google","proto_id":"196.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} @@ -58,7 +58,7 @@ 01168{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":295,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553007088078,"flow_dst_last_pkt_time":1592553007051414,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1592553007088078,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01228{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":297,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553007088078,"flow_dst_last_pkt_time":1592553007118877,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":1418,"midstream":0,"thread_ts_usec":1592553007118877,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01629{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":298,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553007088078,"flow_dst_last_pkt_time":1592553007118996,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":154,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":2836,"midstream":0,"thread_ts_usec":1592553007118996,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"dns.google","tls": {"version":"TLSv1.2","server_names":"dns.google,*.dns.google.com,8888.google,dns.google.com,dns64.dns.google,2001:4860:4860::64,2001:4860:4860::6464,2001:4860:4860::8844,2001:4860:4860::8888,8.8.4.4,8.8.8.8","ja3":"2c776785ee603cc85d37df996bb90cc8","ja3s":"b44baa8a20901c5663b3a9664ba8a767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Google Trust Services, CN=GTS CA 1O1","subjectDN":"C=US, ST=California, L=Mountain View, O=Google LLC, CN=dns.google","fingerprint":"5B:59:09:FC:7D:50:E6:F7:D1:08:8E:57:42:A2:D8:AE:1F:03:FF:EC"}}} -01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":323,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553013061132,"flow_dst_last_pkt_time":1592553013091250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592553013091250,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":78,"avg":389623.4,"max":5703762,"stddev":1387530.2,"var":1925240193024.0,"ent":1.5,"data": [14386,41870,9180,49912,17551,119,78,32502,535,103,15369,30822,15661,19948,22571,85476,5640736,5703762,20528,7552,6167,13685,17563,31103,85377,103703,33240,18803,6257,16181,17586]},"pktlen": {"min":66,"avg":282.2,"max":1484,"stddev":356.7,"var":127227.7,"ent":4.2,"data": [74,74,66,220,66,1484,1484,305,66,66,66,159,358,225,66,565,66,225,66,225,565,66,66,565,66,225,66,225,565,66,66,565]},"bins": {"c_to_s": [9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +02280{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":323,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553013061132,"flow_dst_last_pkt_time":1592553013091250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1042,"flow_dst_tot_l4_payload_len":5862,"midstream":0,"thread_ts_usec":1592553013091250,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":78,"avg":389623.4,"max":5703762,"stddev":1387530.2,"var":1925240193024.0,"ent":1.5,"data": [14386,41870,9180,49912,17551,119,78,32502,535,103,15369,30822,15661,19948,22571,85476,5640736,5703762,20528,7552,6167,13685,17563,31103,85377,103703,33240,18803,6257,16181,17586]},"pktlen": {"min":52,"avg":268.2,"max":1470,"stddev":356.7,"var":127227.7,"ent":4.1,"data": [60,60,52,206,52,1470,1470,291,52,52,52,145,344,211,52,551,52,211,52,211,551,52,52,551,52,211,52,211,551,52,52,551]},"bins": {"c_to_s": [9,0,1,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,1,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,1],"entropies": [4.338340282,5.027645111,4.884933472,5.431665897,4.776611805,7.047077656,7.517809868,7.078123569,4.923395157,4.961856842,4.884933472,5.934261322,7.043113232,6.764406681,4.891996861,7.507923126,5.000318527,6.783365250,4.853535175,6.745207787,7.564836025,4.961856842,4.815073490,7.579652309,4.808010578,6.780797958,4.587473392,6.752651691,7.539085865,4.961856842,4.878231525,7.529703617]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 01058{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":68,"flow_dst_packets_processed":65,"flow_first_seen":1592552878549677,"flow_src_last_pkt_time":1592552996489587,"flow_dst_last_pkt_time":1592552996502369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":499,"flow_src_tot_l4_payload_len":5210,"flow_dst_tot_l4_payload_len":14618,"midstream":0,"thread_ts_usec":1592553079303170,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48098,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 01063{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":121,"flow_dst_packets_processed":120,"flow_first_seen":1592553007037028,"flow_src_last_pkt_time":1592553079303170,"flow_dst_last_pkt_time":1592553079299653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":11059,"flow_dst_tot_l4_payload_len":37798,"midstream":0,"thread_ts_usec":1592553079303170,"l3_proto":"ip4","src_ip":"192.168.1.159","dst_ip":"8.8.4.4","src_port":48210,"dst_port":853,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00575{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":532,"source":"googledns_android10.pcap","alias":"nDPId-test","packets-captured":532,"packets-processed":532,"total-skipped-flows":0,"total-l4-payload-len":97842,"total-not-detected-flows":0,"total-guessed-flows":2,"total-detected-flows":6,"total-detection-updates":9,"total-updates":2,"current-active-flows":0,"total-active-flows":8,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":64,"global_ts_usec":1592553079303170} @@ -70,10 +70,10 @@ ~~ total active/idle flows...: 8/8 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6098589 bytes -~~ total memory freed........: 6098589 bytes -~~ total allocations/frees...: 122160/122160 +~~ total memory allocated....: 6099677 bytes +~~ total memory freed........: 6099677 bytes +~~ total allocations/frees...: 122168/122168 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 504 chars -~~ json string max len.......: 1886 chars -~~ json string avg len.......: 1194 chars +~~ json string max len.......: 2285 chars +~~ json string avg len.......: 1393 chars diff --git a/test/results/gquic.pcap.out b/test/results/gquic.pcap.out index 734977579..ff3a81028 100644 --- a/test/results/gquic.pcap.out +++ b/test/results/gquic.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046041 bytes -~~ total memory freed........: 6046041 bytes -~~ total allocations/frees...: 121508/121508 +~~ total memory allocated....: 6046177 bytes +~~ total memory freed........: 6046177 bytes +~~ total allocations/frees...: 121509/121509 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 2331 chars diff --git a/test/results/gre_no_options.pcapng.out b/test/results/gre_no_options.pcapng.out index e3f969fcb..dac0ed3b5 100644 --- a/test/results/gre_no_options.pcapng.out +++ b/test/results/gre_no_options.pcapng.out @@ -14,9 +14,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035699 bytes -~~ total memory freed........: 6035699 bytes -~~ total allocations/frees...: 121489/121489 +~~ total memory allocated....: 6035835 bytes +~~ total memory freed........: 6035835 bytes +~~ total allocations/frees...: 121490/121490 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 501 chars ~~ json string max len.......: 879 chars diff --git a/test/results/gtp_c.pcap.out b/test/results/gtp_c.pcap.out index d47db77fb..d3175ece9 100644 --- a/test/results/gtp_c.pcap.out +++ b/test/results/gtp_c.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035757 bytes -~~ total memory freed........: 6035757 bytes -~~ total allocations/frees...: 121491/121491 +~~ total memory allocated....: 6035893 bytes +~~ total memory freed........: 6035893 bytes +~~ total allocations/frees...: 121492/121492 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 913 chars diff --git a/test/results/gtp_false_positive.pcapng.out b/test/results/gtp_false_positive.pcapng.out index b6e215c08..52a50ff1e 100644 --- a/test/results/gtp_false_positive.pcapng.out +++ b/test/results/gtp_false_positive.pcapng.out @@ -26,9 +26,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6039092 bytes -~~ total memory freed........: 6039092 bytes -~~ total allocations/frees...: 121514/121514 +~~ total memory allocated....: 6039500 bytes +~~ total memory freed........: 6039500 bytes +~~ total allocations/frees...: 121517/121517 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 505 chars ~~ json string max len.......: 950 chars diff --git a/test/results/h323-overflow.pcap.out b/test/results/h323-overflow.pcap.out index 090c4a903..1d9d4a55d 100644 --- a/test/results/h323-overflow.pcap.out +++ b/test/results/h323-overflow.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037718 bytes -~~ total memory freed........: 6037718 bytes -~~ total allocations/frees...: 121489/121489 +~~ total memory allocated....: 6037854 bytes +~~ total memory freed........: 6037854 bytes +~~ total allocations/frees...: 121490/121490 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 889 chars diff --git a/test/results/h323.pcap.out b/test/results/h323.pcap.out index 3e33d5b5f..9858a8b4f 100644 --- a/test/results/h323.pcap.out +++ b/test/results/h323.pcap.out @@ -20,9 +20,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6039661 bytes -~~ total memory freed........: 6039661 bytes -~~ total allocations/frees...: 121510/121510 +~~ total memory allocated....: 6039933 bytes +~~ total memory freed........: 6039933 bytes +~~ total allocations/frees...: 121512/121512 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 901 chars diff --git a/test/results/hangout.pcap.out b/test/results/hangout.pcap.out index 4418bd16c..595bef1c7 100644 --- a/test/results/hangout.pcap.out +++ b/test/results/hangout.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6044424 bytes -~~ total memory freed........: 6044424 bytes -~~ total allocations/frees...: 121508/121508 +~~ total memory allocated....: 6044560 bytes +~~ total memory freed........: 6044560 bytes +~~ total allocations/frees...: 121509/121509 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 1105 chars diff --git a/test/results/hpvirtgrp.pcap.out b/test/results/hpvirtgrp.pcap.out index a487d4e4c..f9177eeba 100644 --- a/test/results/hpvirtgrp.pcap.out +++ b/test/results/hpvirtgrp.pcap.out @@ -71,9 +71,9 @@ ~~ total active/idle flows...: 9/9 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6071008 bytes -~~ total memory freed........: 6071008 bytes -~~ total allocations/frees...: 121712/121712 +~~ total memory allocated....: 6072232 bytes +~~ total memory freed........: 6072232 bytes +~~ total allocations/frees...: 121721/121721 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 924 chars diff --git a/test/results/hsrp0.pcap.out b/test/results/hsrp0.pcap.out index 6031cea02..b6a13c2bd 100644 --- a/test/results/hsrp0.pcap.out +++ b/test/results/hsrp0.pcap.out @@ -25,9 +25,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6040517 bytes -~~ total memory freed........: 6040517 bytes -~~ total allocations/frees...: 121517/121517 +~~ total memory allocated....: 6041061 bytes +~~ total memory freed........: 6041061 bytes +~~ total allocations/frees...: 121521/121521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 900 chars diff --git a/test/results/hsrp2.pcap.out b/test/results/hsrp2.pcap.out index 0bf4159d2..e2cee0a79 100644 --- a/test/results/hsrp2.pcap.out +++ b/test/results/hsrp2.pcap.out @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037267 bytes -~~ total memory freed........: 6037267 bytes -~~ total allocations/frees...: 121497/121497 +~~ total memory allocated....: 6037539 bytes +~~ total memory freed........: 6037539 bytes +~~ total allocations/frees...: 121499/121499 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 902 chars diff --git a/test/results/hsrp2_ipv6.pcapng.out b/test/results/hsrp2_ipv6.pcapng.out index 1dc48f1de..1e49cf5b6 100644 --- a/test/results/hsrp2_ipv6.pcapng.out +++ b/test/results/hsrp2_ipv6.pcapng.out @@ -25,9 +25,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038253 bytes -~~ total memory freed........: 6038253 bytes -~~ total allocations/frees...: 121531/121531 +~~ total memory allocated....: 6038525 bytes +~~ total memory freed........: 6038525 bytes +~~ total allocations/frees...: 121533/121533 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars ~~ json string max len.......: 1036 chars diff --git a/test/results/http-crash-content-disposition.pcap.out b/test/results/http-crash-content-disposition.pcap.out index 8b9e34737..7f196dc1b 100644 --- a/test/results/http-crash-content-disposition.pcap.out +++ b/test/results/http-crash-content-disposition.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036046 bytes -~~ total memory freed........: 6036046 bytes -~~ total allocations/frees...: 121502/121502 +~~ total memory allocated....: 6036182 bytes +~~ total memory freed........: 6036182 bytes +~~ total allocations/frees...: 121503/121503 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 515 chars ~~ json string max len.......: 1106 chars diff --git a/test/results/http-lines-split.pcap.out b/test/results/http-lines-split.pcap.out index 2950b60ec..3191c3472 100644 --- a/test/results/http-lines-split.pcap.out +++ b/test/results/http-lines-split.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036077 bytes -~~ total memory freed........: 6036077 bytes -~~ total allocations/frees...: 121503/121503 +~~ total memory allocated....: 6036213 bytes +~~ total memory freed........: 6036213 bytes +~~ total allocations/frees...: 121504/121504 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 501 chars ~~ json string max len.......: 1100 chars diff --git a/test/results/http-manipulated.pcap.out b/test/results/http-manipulated.pcap.out index 0c8872a47..dbee07433 100644 --- a/test/results/http-manipulated.pcap.out +++ b/test/results/http-manipulated.pcap.out @@ -11,7 +11,7 @@ 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":946729142063151,"flow_dst_last_pkt_time":946729142063378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":946729142063378,"pkt":"ABjzZLGI0h+5iIqPCABFAAA0AABAAEAGuVjAqAAHwKgAFB+Qg5SNfRmbETdtNIAS+vAp\/QAAAgQFtAEBBAIBAwMG"} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":946729142063387,"flow_dst_last_pkt_time":946729142063378,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":946729142063387,"pkt":"0h+5iIqPABjzZLGICABFAAAosvpAAL4GiGnAqAAUwKgAB4OUH5ARN200jX0ZnFAQAfaBhgAA"} 01228{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":14,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729142063498,"flow_dst_last_pkt_time":946729142063378,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":386,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946729142063498,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.lan","http": {"url":"www.lan:8080\/aaaaaaaaaaaaaaaaaaaaaaaa_very_long_uri","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64; rv:81.0) Gecko\/20100101 Firefox\/81.0","detected_os":"Linux x86_64"}}} -01793{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729142137590,"flow_dst_last_pkt_time":946729142137635,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":5840,"flow_src_tot_l4_payload_len":721,"flow_dst_tot_l4_payload_len":44377,"midstream":0,"thread_ts_usec":946729142137635,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":4804.0,"max":73065,"stddev":17898.4,"var":320351264.0,"ent":1.2,"data": [227,236,111,336,193,414,72850,73065,187,402,51,53,13,9,38,39,116,116,52,52,10,8,43,47,49,47,9,7,46,48,49]},"pktlen": {"min":54,"avg":1464.4,"max":5894,"stddev":1938.5,"var":3757919.2,"ent":3.8,"data": [66,66,54,440,60,631,54,389,60,2974,54,4434,54,2974,54,4434,54,1514,54,4434,54,2974,54,4434,54,1514,54,5894,54,5894,54,2974]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,10]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02192{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729142137590,"flow_dst_last_pkt_time":946729142137635,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":5840,"flow_src_tot_l4_payload_len":721,"flow_dst_tot_l4_payload_len":44377,"midstream":0,"thread_ts_usec":946729142137635,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":4804.0,"max":73065,"stddev":17898.4,"var":320351264.0,"ent":1.2,"data": [227,236,111,336,193,414,72850,73065,187,402,51,53,13,9,38,39,116,116,52,52,10,8,43,47,49,47,9,7,46,48,49]},"pktlen": {"min":40,"avg":1450.4,"max":5880,"stddev":1938.5,"var":3757919.5,"ent":3.7,"data": [52,52,40,426,46,617,40,375,46,2960,40,4420,40,2960,40,4420,40,1500,40,4420,40,2960,40,4420,40,1500,40,5880,40,5880,40,2960]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,10]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.593450069,4.752667427,4.730641365,5.668842793,4.347350597,5.745784283,4.730641365,5.579823494,4.347351074,7.830016136,4.680641174,7.888666153,4.730641365,7.823786259,4.621928692,7.852690220,4.680641174,7.708244801,4.730641842,7.858263493,4.730641365,7.790898323,4.730641842,7.845959663,4.630641460,7.734711647,4.630641460,7.881909370,4.680641651,7.903243542,4.680641174,7.864356995]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01034{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":328,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":4,"flow_first_seen":946727901369326,"flow_src_last_pkt_time":946727901370537,"flow_dst_last_pkt_time":946727901370531,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":577,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":577,"midstream":0,"thread_ts_usec":946729148160196,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33632,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01045{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":328,"source":"http-manipulated.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":156,"flow_dst_packets_processed":162,"flow_first_seen":946729142063151,"flow_src_last_pkt_time":946729148159974,"flow_dst_last_pkt_time":946729148160196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":29200,"flow_src_tot_l4_payload_len":973,"flow_dst_tot_l4_payload_len":939919,"midstream":0,"thread_ts_usec":946729148160196,"l3_proto":"ip4","src_ip":"192.168.0.20","dst_ip":"192.168.0.7","src_port":33684,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00572{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":328,"source":"http-manipulated.pcap","alias":"nDPId-test","packets-captured":328,"packets-processed":328,"total-skipped-flows":0,"total-l4-payload-len":941545,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":946729148160196} @@ -23,10 +23,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046998 bytes -~~ total memory freed........: 6046998 bytes -~~ total allocations/frees...: 121834/121834 +~~ total memory allocated....: 6047270 bytes +~~ total memory freed........: 6047270 bytes +~~ total allocations/frees...: 121836/121836 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 501 chars -~~ json string max len.......: 1798 chars -~~ json string avg len.......: 1129 chars +~~ json string max len.......: 2197 chars +~~ json string avg len.......: 1316 chars diff --git a/test/results/http-proxy.pcapng.out b/test/results/http-proxy.pcapng.out index 5f3bdc71b..ed029ca04 100644 --- a/test/results/http-proxy.pcapng.out +++ b/test/results/http-proxy.pcapng.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036085 bytes -~~ total memory freed........: 6036085 bytes -~~ total allocations/frees...: 121502/121502 +~~ total memory allocated....: 6036221 bytes +~~ total memory freed........: 6036221 bytes +~~ total allocations/frees...: 121503/121503 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars ~~ json string max len.......: 1086 chars diff --git a/test/results/http_auth.pcap.out b/test/results/http_auth.pcap.out index bc61f61c1..8c797599d 100644 --- a/test/results/http_auth.pcap.out +++ b/test/results/http_auth.pcap.out @@ -5,7 +5,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1381844050222515,"flow_dst_last_pkt_time":1381844050402547,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1381844050402547,"pkt":"KM\/pITwrTBfruiThCABFAAA8AABAADgGA2jA\/r2pwKgABABQ1EEDZtH9muIxs6ASOJA\/hAAAAgQFtAQCCAowzbX3H38TuAEDAwc="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1381844050402655,"flow_dst_last_pkt_time":1381844050402547,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1381844050402655,"pkt":"TBfruiThKM\/pITwrCABFAAA0XSJAAEAGnk3AqAAEwP69qdRBAFCa4jGzA2bR\/oAQICuGBAAAAQEICh9\/FGkwzbX3"} 01138{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844050402794,"flow_dst_last_pkt_time":1381844050402547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1381844050402794,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"browserspy.dk","http": {"url":"browserspy.dk\/password-ok.php","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (Macintosh; Intel Mac OS X 10_8_5) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/30.0.1599.69 Safari\/537.36","detected_os":"Intel Mac OS X 10_8_5"}}} -01736{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844057134728,"flow_dst_last_pkt_time":1381844055865656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":17637,"midstream":0,"thread_ts_usec":1381844057134728,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":405011.4,"max":4861829,"stddev":1193509.9,"var":1424465723392.0,"ent":2.2,"data": [180032,180140,139,193993,206403,1322,401505,596,594,735,724,4027,4555,8666,4603,3019,7560,3303,5323,8621,158972,3971,162953,3627,4243,7859,2612,2607,4861805,4861829,1269016]},"pktlen": {"min":66,"avg":640.9,"max":1514,"stddev":665.6,"var":443042.2,"ent":4.2,"data": [78,74,66,805,66,1514,551,66,145,66,288,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,1514,1514,66,989,66,66,66,66]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02135{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844057134728,"flow_dst_last_pkt_time":1381844055865656,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":17637,"midstream":0,"thread_ts_usec":1381844057134728,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":405011.4,"max":4861829,"stddev":1193509.9,"var":1424465723392.0,"ent":2.2,"data": [180032,180140,139,193993,206403,1322,401505,596,594,735,724,4027,4555,8666,4603,3019,7560,3303,5323,8621,158972,3971,162953,3627,4243,7859,2612,2607,4861805,4861829,1269016]},"pktlen": {"min":52,"avg":626.9,"max":1500,"stddev":665.6,"var":443042.2,"ent":4.1,"data": [64,60,52,791,52,1500,537,52,131,52,274,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,1500,1500,52,975,52,52,52,52]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,1,0,0],"entropies": [4.441382408,5.118823051,5.130219936,5.854406357,5.046594620,5.442737579,5.621041775,5.077241421,5.402398586,5.024262905,5.623777390,5.077241421,5.441255569,5.120078564,4.955154419,5.048518181,5.069016457,5.130219936,5.089414597,5.056834221,5.053296566,5.097548008,5.174168587,5.115702629,5.356103420,5.382487297,5.046594620,5.653643131,5.038779736,5.046595097,5.130219936,5.085056305]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00906{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":33,"source":"http_auth.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":19,"flow_first_seen":1381844050222515,"flow_src_last_pkt_time":1381844057134728,"flow_dst_last_pkt_time":1381844057320871,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":739,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":739,"flow_dst_tot_l4_payload_len":17637,"midstream":0,"thread_ts_usec":1381844057320871,"l3_proto":"ip4","src_ip":"192.168.0.4","dst_ip":"192.254.189.169","src_port":54337,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00562{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"http_auth.pcap","alias":"nDPId-test","packets-captured":33,"packets-processed":33,"total-skipped-flows":0,"total-l4-payload-len":18376,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1381844057320871} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036836 bytes -~~ total memory freed........: 6036836 bytes -~~ total allocations/frees...: 121526/121526 +~~ total memory allocated....: 6036972 bytes +~~ total memory freed........: 6036972 bytes +~~ total allocations/frees...: 121527/121527 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars -~~ json string max len.......: 1741 chars -~~ json string avg len.......: 1066 chars +~~ json string max len.......: 2140 chars +~~ json string avg len.......: 1241 chars diff --git a/test/results/http_connect.pcap.out b/test/results/http_connect.pcap.out index e9844efb7..f487951e4 100644 --- a/test/results/http_connect.pcap.out +++ b/test/results/http_connect.pcap.out @@ -16,8 +16,8 @@ 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1631454722876748,"flow_dst_last_pkt_time":1631454722876712,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1631454722876748,"pkt":"ACWQX+cTAAwpTU5kCABFAAA0Fy5AAEAGx3LAqAGSl2UChIyAAbsTD57breozroAQAfZcSgAAAQEICgoEV40sPaiU"} 01079{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":14,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722879577,"flow_dst_last_pkt_time":1631454722876712,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1631454722879577,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"apache.org","tls": {"version":"TLSv1.2","ja3":"c834494f5948ae026d160656c93c8871","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01124{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722879577,"flow_dst_last_pkt_time":1631454722895566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1384,"midstream":0,"thread_ts_usec":1631454722895566,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"apache.org","tls": {"version":"TLSv1.3","ja3":"c834494f5948ae026d160656c93c8871","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01670{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722915624,"flow_dst_last_pkt_time":1631454722915766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":1070,"flow_dst_tot_l4_payload_len":14818,"midstream":0,"thread_ts_usec":1631454722915766,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":3086.0,"max":16011,"stddev":4867.3,"var":23690602.0,"ent":3.4,"data": [8850,8886,2829,11347,7507,16011,65,50,21,19,18,33,7291,458,15010,14,4004,11279,678,666,42,41,26,25,27,27,115,115,31,32,149]},"pktlen": {"min":66,"avg":563.0,"max":1450,"stddev":627.7,"var":394029.6,"ent":4.1,"data": [74,74,66,583,66,1450,66,1450,66,1450,66,985,66,130,555,66,66,125,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450,66,1450]},"bins": {"c_to_s": [13,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1631454722864133,"flow_src_last_pkt_time":1631454722971434,"flow_dst_last_pkt_time":1631454722971505,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5536,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":22723,"midstream":0,"thread_ts_usec":1631454722971505,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.146","src_port":1714,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":6924.9,"max":53379,"stddev":12836.3,"var":164771856.0,"ent":3.4,"data": [32,2664,352,3052,9578,12352,2730,16207,17263,6110,7163,474,478,42,22,11387,743,133,163,12593,29,193,4,101,98,705,4022,50186,53379,1210,1208]},"pktlen": {"min":54,"avg":813.0,"max":5590,"stddev":1594.6,"var":2542806.2,"ent":3.3,"data": [66,66,60,257,54,130,571,54,5125,60,118,54,224,54,373,54,113,5590,2822,1438,85,60,54,60,5590,1438,963,60,187,54,129,54]},"bins": {"c_to_s": [7,0,2,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP_Connect","proto_id":"130","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02069{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722915624,"flow_dst_last_pkt_time":1631454722915766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":1070,"flow_dst_tot_l4_payload_len":14818,"midstream":0,"thread_ts_usec":1631454722915766,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":3086.0,"max":16011,"stddev":4867.3,"var":23690602.0,"ent":3.4,"data": [8850,8886,2829,11347,7507,16011,65,50,21,19,18,33,7291,458,15010,14,4004,11279,678,666,42,41,26,25,27,27,115,115,31,32,149]},"pktlen": {"min":52,"avg":549.0,"max":1436,"stddev":627.7,"var":394029.6,"ent":4.0,"data": [60,60,52,569,52,1436,52,1436,52,1436,52,971,52,116,541,52,52,111,52,1436,52,1436,52,1436,52,1436,52,1436,52,1436,52,1436]},"bins": {"c_to_s": [13,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.679967880,5.108291149,5.100070000,5.268876553,5.138531685,7.847479820,5.061608315,7.859804630,5.061608315,7.874018669,5.061608315,7.772319317,5.061608315,6.130341530,7.577058315,5.047091484,5.047091484,6.133301258,5.100070000,7.864048481,5.100070000,7.878256798,5.100070000,7.852052212,5.061608315,7.879714489,5.100070000,7.869248867,5.023146629,7.862973690,5.100070000,7.856719017]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02099{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":79,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1631454722864133,"flow_src_last_pkt_time":1631454722971434,"flow_dst_last_pkt_time":1631454722971505,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5536,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":22723,"midstream":0,"thread_ts_usec":1631454722971505,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.146","src_port":1714,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":6924.9,"max":53379,"stddev":12836.3,"var":164771856.0,"ent":3.4,"data": [32,2664,352,3052,9578,12352,2730,16207,17263,6110,7163,474,478,42,22,11387,743,133,163,12593,29,193,4,101,98,705,4022,50186,53379,1210,1208]},"pktlen": {"min":40,"avg":799.0,"max":5576,"stddev":1594.6,"var":2542806.0,"ent":3.2,"data": [52,52,46,243,40,116,557,40,5111,46,104,40,210,40,359,40,99,5576,2808,1424,71,46,40,46,5576,1424,949,46,173,40,115,40]},"bins": {"c_to_s": [7,0,2,0,1,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,4]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,0,0,1,0,1,1,1,0,0,1,0,1],"entropies": [4.439885139,4.777055740,4.478915215,5.741591930,4.562815189,5.677224636,5.225388527,4.612814903,7.961506844,4.522394180,6.123366356,4.662815094,7.000855446,4.662815094,7.384087086,4.612815380,5.976536274,7.968001366,7.926353455,7.858606339,5.619441509,4.435437202,4.593943596,4.462504864,7.966147423,7.859233379,7.772559643,4.522394180,6.695012093,4.662815094,6.320215225,4.662815094]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP_Connect","proto_id":"130","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00904{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1631454722867400,"flow_src_last_pkt_time":1631454722867400,"flow_dst_last_pkt_time":1631454722867500,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":55,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":55,"midstream":0,"thread_ts_usec":1631454722977251,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"192.168.1.2","src_port":47767,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00907{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":30,"flow_first_seen":1631454722867862,"flow_src_last_pkt_time":1631454722977215,"flow_dst_last_pkt_time":1631454722977251,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1384,"flow_src_tot_l4_payload_len":1701,"flow_dst_tot_l4_payload_len":30951,"midstream":0,"thread_ts_usec":1631454722977251,"l3_proto":"ip4","src_ip":"192.168.1.146","dst_ip":"151.101.2.132","src_port":35968,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00923{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"http_connect.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":22,"flow_first_seen":1631454722864133,"flow_src_last_pkt_time":1631454722976969,"flow_dst_last_pkt_time":1631454722977036,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5536,"flow_src_tot_l4_payload_len":1904,"flow_dst_tot_l4_payload_len":22723,"midstream":0,"thread_ts_usec":1631454722977251,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.146","src_port":1714,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP_Connect","proto_id":"130","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} @@ -30,10 +30,10 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6057504 bytes -~~ total memory freed........: 6057504 bytes -~~ total allocations/frees...: 121617/121617 +~~ total memory allocated....: 6057912 bytes +~~ total memory freed........: 6057912 bytes +~~ total allocations/frees...: 121620/121620 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars -~~ json string max len.......: 1706 chars -~~ json string avg len.......: 1096 chars +~~ json string max len.......: 2104 chars +~~ json string avg len.......: 1291 chars diff --git a/test/results/http_guessed_host_and_guessed.pcapng.out b/test/results/http_guessed_host_and_guessed.pcapng.out index 829902466..1a4d7624a 100644 --- a/test/results/http_guessed_host_and_guessed.pcapng.out +++ b/test/results/http_guessed_host_and_guessed.pcapng.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037718 bytes -~~ total memory freed........: 6037718 bytes -~~ total allocations/frees...: 121489/121489 +~~ total memory allocated....: 6037854 bytes +~~ total memory freed........: 6037854 bytes +~~ total allocations/frees...: 121490/121490 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 516 chars ~~ json string max len.......: 949 chars diff --git a/test/results/http_ipv6.pcap.out b/test/results/http_ipv6.pcap.out index db01eeb64..6706d8c4a 100644 --- a/test/results/http_ipv6.pcap.out +++ b/test/results/http_ipv6.pcap.out @@ -20,7 +20,7 @@ 00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1448269127960079,"flow_dst_last_pkt_time":1448269127960079,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":260,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":260,"pkt_l4_len":206,"thread_ts_usec":1448269127960079,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAAM4RQCoADUAAAQADeqzA\/\/6nDUwqABRQQAsMAgAAAAAAAABf12kBuwDOCoAMj5N114hr41MJBd7sKG9JfODv2KzX0uexKi4OUzkr936AyksmjfKzejWhR1IllABVz6\/Nd8+DDPRvVbNJa4sAljMB\/byd9EnDrnASdvNnincHpyqVPP90d4TSxj+ARZa\/L622T2LNfPxOM6m\/si1ZmPjMCf2wR7DzkfTBciJe2oZugnMhbWbTFVoln8LtSZhpET4oRj3Jk\/IY0Vhm0AHAVNXjHBEt89UVS7Gr6h9OBH5HRJ1TIdTk4GJ40SQl9lgo1l4eCx0="} 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1448269127960079,"flow_dst_last_pkt_time":1448269128003411,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":143,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":143,"pkt_l4_len":89,"thread_ts_usec":1448269128003411,"pkt":"eKzApw1M9LUv\/K\/Cht1gAAAAAFkRMyoAFFBACwwCAAAAAAAAAF8qAA1AAAEAA3qswP\/+pw1MAbvXaQBZLuIAB1nnejc74Zg5YssedTReRP0KRIf1hcs3Aafoe+Tuwy6JT\/77UOdg9PcT9s8XDyyGEBG\/Mph8KZAg9aAfxnp6BrSLMfMbzThg3fGY8Pw0dHA="} 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":34,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1448269128028795,"flow_dst_last_pkt_time":1448269128003411,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":99,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":99,"pkt_l4_len":45,"thread_ts_usec":1448269128028795,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAAC0RQCoADUAAAQADeqzA\/\/6nDUwqABRQQAsMAgAAAAAAAABf12kBuwAtCd8Mj5N114hr41MKZOnBWgR9A+MJ4bypcpF9U29vj07q+fvNp9EO"} -01803{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1448269127400446,"flow_src_last_pkt_time":1448269137275811,"flow_dst_last_pkt_time":1448269136257808,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4058,"flow_dst_tot_l4_payload_len":4856,"midstream":0,"thread_ts_usec":1448269137275811,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1017","src_port":45931,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1512,"avg":604281.6,"max":6008829,"stddev":1486148.8,"var":2208638173184.0,"ent":2.8,"data": [25363,26190,172445,219452,15689,87208,38758,110203,47003,1512,26672,45844,1752482,1778725,6798,78256,246614,318052,6008829,6008710,4760,76866,102599,174483,2367,73860,70885,142482,2922,74310,992388]},"pktlen": {"min":91,"avg":340.6,"max":1412,"stddev":376.2,"var":141514.9,"ent":4.3,"data": [1412,1412,99,1216,94,674,102,252,94,102,581,102,91,257,94,637,105,102,94,262,91,589,105,263,94,586,102,264,94,561,102,265]},"bins": {"c_to_s": [0,9,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02194{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1448269127400446,"flow_src_last_pkt_time":1448269137275811,"flow_dst_last_pkt_time":1448269136257808,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4058,"flow_dst_tot_l4_payload_len":4856,"midstream":0,"thread_ts_usec":1448269137275811,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a00:1450:4001:803::1017","src_port":45931,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1512,"avg":604281.6,"max":6008829,"stddev":1486148.8,"var":2208638173184.0,"ent":2.8,"data": [25363,26190,172445,219452,15689,87208,38758,110203,47003,1512,26672,45844,1752482,1778725,6798,78256,246614,318052,6008829,6008710,4760,76866,102599,174483,2367,73860,70885,142482,2922,74310,992388]},"pktlen": {"min":77,"avg":326.6,"max":1398,"stddev":376.2,"var":141514.9,"ent":4.3,"data": [1398,1398,85,1202,80,660,88,238,80,88,567,88,77,243,80,623,91,88,80,248,77,575,91,249,80,572,88,250,80,547,88,251]},"bins": {"c_to_s": [0,9,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0],"entropies": [4.737460136,7.856492996,5.340356827,7.783504963,5.237494946,7.640817642,5.426836967,6.897242546,5.228057861,5.435415268,7.531185150,5.426837444,4.923079967,6.917997837,5.187493324,7.660722733,5.627426147,5.458142281,5.212494373,6.952660084,4.934730053,7.572426796,5.495558739,6.882013798,5.262493610,7.594254971,5.480869293,6.910377979,5.237494469,7.573482990,5.374089718,6.950065613]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":84,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1448269138575377,"flow_src_last_pkt_time":1448269138575377,"flow_dst_last_pkt_time":1448269138575377,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1448269138575377,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37486,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1448269138575377,"flow_dst_last_pkt_time":1448269138575377,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1448269138575377,"pkt":"UMWNrEEBeKzApw1Mht1gAAAAACgGQCoADUAAAQADeqzA\/\/6nDUwqA7DAAAMA0AAAAAAAcBABkm4Bu5jVbXIAAAAAoAJwgGsaAAACBAWgBAIIChINdycAAAAAAQMDBw=="} 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":85,"source":"http_ipv6.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1448269138575474,"flow_src_last_pkt_time":1448269138575474,"flow_dst_last_pkt_time":1448269138575474,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1448269138575474,"l3_proto":"ip6","src_ip":"2a00:d40:1:3:7aac:c0ff:fea7:d4c","dst_ip":"2a03:b0c0:3:d0::70:1001","src_port":37488,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -105,9 +105,9 @@ ~~ total active/idle flows...: 15/15 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6148731 bytes -~~ total memory freed........: 6148731 bytes -~~ total allocations/frees...: 121897/121897 +~~ total memory allocated....: 6150771 bytes +~~ total memory freed........: 6150771 bytes +~~ total allocations/frees...: 121912/121912 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 2369 chars diff --git a/test/results/http_on_sip_port.pcap.out b/test/results/http_on_sip_port.pcap.out index 5b7b40d03..c5d91de5d 100644 --- a/test/results/http_on_sip_port.pcap.out +++ b/test/results/http_on_sip_port.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036105 bytes -~~ total memory freed........: 6036105 bytes -~~ total allocations/frees...: 121497/121497 +~~ total memory allocated....: 6036241 bytes +~~ total memory freed........: 6036241 bytes +~~ total allocations/frees...: 121498/121498 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 501 chars ~~ json string max len.......: 1339 chars diff --git a/test/results/i3d.pcap.out b/test/results/i3d.pcap.out index 9e49428a9..ae76b7755 100644 --- a/test/results/i3d.pcap.out +++ b/test/results/i3d.pcap.out @@ -35,9 +35,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042253 bytes -~~ total memory freed........: 6042253 bytes -~~ total allocations/frees...: 121577/121577 +~~ total memory allocated....: 6042797 bytes +~~ total memory freed........: 6042797 bytes +~~ total allocations/frees...: 121581/121581 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars ~~ json string max len.......: 2155 chars diff --git a/test/results/iax.pcap.out b/test/results/iax.pcap.out index a1530e8f5..03aa48b8d 100644 --- a/test/results/iax.pcap.out +++ b/test/results/iax.pcap.out @@ -5,7 +5,7 @@ 00852{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840005963862,"flow_dst_last_pkt_time":1123840005963862,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":66,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":66,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":66,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1123840005963862,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1123840005963862,"flow_dst_last_pkt_time":1123840005966035,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1123840005966035,"pkt":"AOCBJ2JwAMDwli5rCABFAAAoV7tAAEARqSfAqAJ4Um4kVBHWEdkAFBwTgBcABAAAAAEAAQYE"} 00502{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1123840005963862,"flow_dst_last_pkt_time":1123840005971132,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1123840005971132,"pkt":"AOCBJ2JwAMDwli5rCABFAAAoV71AAEARqSXAqAJ4Um4kVBHWEdkAFBwJgBcABAAAAAgAAQYH"} -01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":5,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840006456930,"flow_dst_last_pkt_time":1123840006059195,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3882,"flow_dst_tot_l4_payload_len":372,"midstream":0,"thread_ts_usec":1123840006456930,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":948,"avg":18980.7,"max":51403,"stddev":10969.1,"var":120322248.0,"ent":4.7,"data": [2173,5097,7653,24399,24352,24724,16912,51403,9638,12261,14097,6869,22758,16765,31325,17887,20048,11489,43190,21320,13940,17067,22553,948,20517,34133,6854,21003,19904,17982,29140]},"pktlen": {"min":54,"avg":175.5,"max":214,"stddev":59.5,"var":3538.2,"ent":4.9,"data": [108,54,54,60,54,60,206,214,214,60,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206,206]},"bins": {"c_to_s": [3,0,1,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02117{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":5,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840006456930,"flow_dst_last_pkt_time":1123840006059195,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3882,"flow_dst_tot_l4_payload_len":372,"midstream":0,"thread_ts_usec":1123840006456930,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":948,"avg":18980.7,"max":51403,"stddev":10969.1,"var":120322248.0,"ent":4.7,"data": [2173,5097,7653,24399,24352,24724,16912,51403,9638,12261,14097,6869,22758,16765,31325,17887,20048,11489,43190,21320,13940,17067,22553,948,20517,34133,6854,21003,19904,17982,29140]},"pktlen": {"min":40,"avg":161.5,"max":200,"stddev":59.5,"var":3538.2,"ent":4.9,"data": [94,40,40,46,40,46,192,200,200,46,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192,192]},"bins": {"c_to_s": [3,0,1,0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.666565895,4.339823723,4.439823151,4.354552269,4.384184837,4.354552269,1.312757373,1.546443224,1.322564363,4.327484608,1.142194629,1.312757373,1.944322586,1.302340746,1.312757373,1.312757373,1.312757373,1.302340746,1.312757373,1.335405827,1.335405827,1.335405827,1.335405827,1.335405827,1.335405827,1.335405827,1.335405827,1.321057439,1.335405827,1.335405827,1.335405827,1.335405827]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00902{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":50,"source":"iax.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":22,"flow_first_seen":1123840005963862,"flow_src_last_pkt_time":1123840006472888,"flow_dst_last_pkt_time":1123840006489877,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":4046,"flow_dst_tot_l4_payload_len":3008,"midstream":0,"thread_ts_usec":1123840006489877,"l3_proto":"ip4","src_ip":"82.110.36.84","dst_ip":"192.168.2.120","src_port":4569,"dst_port":4566,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IAX","proto_id":"95","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00555{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":50,"source":"iax.pcap","alias":"nDPId-test","packets-captured":50,"packets-processed":50,"total-skipped-flows":0,"total-l4-payload-len":7054,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1123840006489877} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037091 bytes -~~ total memory freed........: 6037091 bytes -~~ total allocations/frees...: 121537/121537 +~~ total memory allocated....: 6037227 bytes +~~ total memory freed........: 6037227 bytes +~~ total allocations/frees...: 121538/121538 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1724 chars -~~ json string avg len.......: 1050 chars +~~ json string max len.......: 2122 chars +~~ json string avg len.......: 1224 chars diff --git a/test/results/icmp-tunnel.pcap.out b/test/results/icmp-tunnel.pcap.out index a3263d62d..7bc547eb3 100644 --- a/test/results/icmp-tunnel.pcap.out +++ b/test/results/icmp-tunnel.pcap.out @@ -5,7 +5,7 @@ 00977{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227866459330,"flow_dst_last_pkt_time":1360227866459330,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":92,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":92,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":92,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1360227866459330,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":5.703333}} 00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1360227867458100,"flow_dst_last_pkt_time":1360227866459330,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"thread_ts_usec":1360227867458100,"pkt":"AAwpy+OCAAwpzwzBCABFAABwAABAAEABhDTAqJqDwKiahAgAAAD+\/wAARQAAVAAAQABAASPpCl8BAQpfAQIIAH3tPQgAAi5uE1EKRgYACAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"} 00610{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1360227868458136,"flow_dst_last_pkt_time":1360227866459330,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":92,"thread_ts_usec":1360227868458136,"pkt":"AAwpy+OCAAwpzwzBCABFAABwAABAAEABhDTAqJqDwKiahAgAAAD+\/wAARQAAVAAAQABAASPpCl8BAQpfAQIIAD\/sPQgAAy9uE1FHRgYACAkKCwwNDg8QERITFBUWFxgZGhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3"} -01906{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227888466859,"flow_dst_last_pkt_time":1360227888466987,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":92,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":92,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":2116,"flow_dst_tot_l4_payload_len":828,"midstream":0,"thread_ts_usec":1360227888466987,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":998770,"avg":1419844.6,"max":13999352,"stddev":2296693.5,"var":5274800750592.0,"ent":4.2,"data": [998770,1000036,1000056,999983,1000051,1000074,1000009,1000032,1000047,1000127,999991,999982,1000043,999922,13999352,1001250,1001214,1000977,1001002,1001107,1001081,1000973,1000923,1000944,1000921,1001115,1001144,1001036,1001015,1001004,1001005]},"pktlen": {"min":126,"avg":126.0,"max":126,"stddev":0.0,"var":0.0,"ent":5.0,"data": [126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126,126]},"bins": {"c_to_s": [0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02305{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227888466859,"flow_dst_last_pkt_time":1360227888466987,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":92,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":92,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":2116,"flow_dst_tot_l4_payload_len":828,"midstream":0,"thread_ts_usec":1360227888466987,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":998770,"avg":1419844.6,"max":13999352,"stddev":2296693.5,"var":5274800750592.0,"ent":4.2,"data": [998770,1000036,1000056,999983,1000051,1000074,1000009,1000032,1000047,1000127,999991,999982,1000043,999922,13999352,1001250,1001214,1000977,1001002,1001107,1001081,1000973,1000923,1000944,1000921,1001115,1001144,1001036,1001015,1001004,1001005]},"pktlen": {"min":112,"avg":112.0,"max":112,"stddev":0.0,"var":0.0,"ent":5.0,"data": [112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112,112]},"bins": {"c_to_s": [0,0,23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.610230446,5.622818947,5.669650555,5.651793003,5.651793003,5.604961395,5.645053387,5.630681515,5.633935928,5.622818947,5.633935928,5.669650555,5.651793480,5.645053387,5.669650555,5.683875084,5.669650555,5.701732159,5.633935928,5.666017056,5.633935928,5.666017056,5.645053387,5.677134514,5.637421608,5.672758102,5.602598667,5.623562336,5.651793003,5.683875084,5.669650555,5.701732159]},"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01011{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":104,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":59,"flow_dst_packets_processed":38,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360227908233821,"flow_dst_last_pkt_time":1360227908233520,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":852,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":6481,"flow_dst_tot_l4_payload_len":5677,"midstream":0,"thread_ts_usec":1360227908233821,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01011{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":160,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":87,"flow_dst_packets_processed":60,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360228057029534,"flow_dst_last_pkt_time":1360228057029101,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":852,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":9088,"flow_dst_tot_l4_payload_len":8105,"midstream":0,"thread_ts_usec":1360228057029534,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01015{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":188,"source":"icmp-tunnel.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":99,"flow_dst_packets_processed":72,"flow_first_seen":1360227866459330,"flow_src_last_pkt_time":1360228087392773,"flow_dst_last_pkt_time":1360228087392391,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1036,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":14860,"flow_dst_tot_l4_payload_len":13877,"midstream":0,"thread_ts_usec":1360228087392773,"l3_proto":"ip4","src_ip":"192.168.154.131","dst_ip":"192.168.154.132","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"17": {"risk":"Malformed Packet","severity":"Low","risk_score": {"total":260,"client":130,"server":130}}},"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -43,10 +43,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6060668 bytes -~~ total memory freed........: 6060668 bytes -~~ total allocations/frees...: 122350/122350 +~~ total memory allocated....: 6060804 bytes +~~ total memory freed........: 6060804 bytes +~~ total allocations/frees...: 122351/122351 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 496 chars -~~ json string max len.......: 1911 chars -~~ json string avg len.......: 1202 chars +~~ json string max len.......: 2310 chars +~~ json string avg len.......: 1402 chars diff --git a/test/results/iec60780-5-104.pcap.out b/test/results/iec60780-5-104.pcap.out index 66ceb2a4d..2bd3f963a 100644 --- a/test/results/iec60780-5-104.pcap.out +++ b/test/results/iec60780-5-104.pcap.out @@ -36,7 +36,7 @@ 00566{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":107,"source":"iec60780-5-104.pcap","alias":"nDPId-test","packets-captured":107,"packets-processed":106,"total-skipped-flows":0,"total-l4-payload-len":343,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":3,"total-active-flows":6,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":36,"global_ts_usec":1219992852463357} 00919{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":117,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":10,"flow_first_seen":1219992590188368,"flow_src_last_pkt_time":1219992781349438,"flow_dst_last_pkt_time":1219992781349461,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":6,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":24,"midstream":0,"thread_ts_usec":1219992910077446,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1572,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":124,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":5,"flow_first_seen":1219992782348776,"flow_src_last_pkt_time":1219992818955088,"flow_dst_last_pkt_time":1219992818955112,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":17,"flow_dst_max_l4_payload_len":6,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":6,"midstream":0,"thread_ts_usec":1219992961194617,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1577,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} -01791{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1219992819942883,"flow_src_last_pkt_time":1219992991664467,"flow_dst_last_pkt_time":1219992991860370,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":94,"flow_dst_tot_l4_payload_len":207,"midstream":0,"thread_ts_usec":1219992991860370,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1578,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":133,"avg":11085131.0,"max":32516052,"stddev":10877058.0,"var":118310385483776.0,"ent":4.1,"data": [133,283,1182,4289,153898,32516052,32485009,17329020,17462619,171223,19844571,20033163,171510,19860294,20118307,25436246,25352045,204330,19828922,20215237,5341755,5765246,10455867,10671339,13934,15202,139861,131307,218735,19641453,20056039]},"pktlen": {"min":54,"avg":65.6,"max":118,"stddev":11.5,"var":132.4,"ent":5.0,"data": [62,62,60,60,60,60,70,60,70,118,60,60,70,60,60,54,70,76,60,60,54,70,60,70,76,70,76,60,77,60,60,54]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +02190{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1219992819942883,"flow_src_last_pkt_time":1219992991664467,"flow_dst_last_pkt_time":1219992991860370,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":94,"flow_dst_tot_l4_payload_len":207,"midstream":0,"thread_ts_usec":1219992991860370,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1578,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":133,"avg":11085131.0,"max":32516052,"stddev":10877058.0,"var":118310385483776.0,"ent":4.1,"data": [133,283,1182,4289,153898,32516052,32485009,17329020,17462619,171223,19844571,20033163,171510,19860294,20118307,25436246,25352045,204330,19828922,20215237,5341755,5765246,10455867,10671339,13934,15202,139861,131307,218735,19641453,20056039]},"pktlen": {"min":40,"avg":51.6,"max":104,"stddev":11.5,"var":132.4,"ent":5.0,"data": [48,48,46,46,46,46,56,46,56,104,46,46,56,46,46,40,56,62,46,46,40,56,46,56,62,56,62,46,63,46,46,40]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1],"entropies": [4.558206558,4.926427364,4.435436726,4.740953922,4.740953445,4.478915215,4.605515957,4.522393703,4.811381817,4.822690010,4.522393703,4.922443390,4.864342690,4.462504864,4.862554550,4.781687260,5.115302563,5.039213181,4.478915215,4.878964901,4.781687260,4.824862003,4.478915215,5.079588413,4.986872673,4.972445488,4.999047756,4.478915215,4.964986324,4.478915215,4.922443390,4.781687260]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00922{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":147,"source":"iec60780-5-104.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":19,"flow_first_seen":1219992819942883,"flow_src_last_pkt_time":1219993055118751,"flow_dst_last_pkt_time":1219993055118603,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":64,"flow_src_tot_l4_payload_len":154,"flow_dst_tot_l4_payload_len":263,"midstream":0,"thread_ts_usec":1219993055118751,"l3_proto":"ip4","src_ip":"172.27.248.109","dst_ip":"172.27.248.79","src_port":1578,"dst_port":2404,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IEC60870","proto_id":"245","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00568{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":147,"source":"iec60780-5-104.pcap","alias":"nDPId-test","packets-captured":147,"packets-processed":147,"total-skipped-flows":0,"total-l4-payload-len":748,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":6,"total-idle-flows":6,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":41,"global_ts_usec":1219993055118751} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -47,10 +47,10 @@ ~~ total active/idle flows...: 6/6 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6048024 bytes -~~ total memory freed........: 6048024 bytes -~~ total allocations/frees...: 121684/121684 +~~ total memory allocated....: 6048840 bytes +~~ total memory freed........: 6048840 bytes +~~ total allocations/frees...: 121690/121690 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars -~~ json string max len.......: 1796 chars -~~ json string avg len.......: 1092 chars +~~ json string max len.......: 2195 chars +~~ json string avg len.......: 1267 chars diff --git a/test/results/imap-starttls.pcap.out b/test/results/imap-starttls.pcap.out index fbefe14bd..6cf345761 100644 --- a/test/results/imap-starttls.pcap.out +++ b/test/results/imap-starttls.pcap.out @@ -8,7 +8,7 @@ 01240{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":6,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568570497,"flow_dst_last_pkt_time":1437584568569894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":271,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":530,"midstream":0,"thread_ts_usec":1437584568570497,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01242{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":7,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568570497,"flow_dst_last_pkt_time":1437584568767274,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":1990,"midstream":0,"thread_ts_usec":1437584568767274,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01243{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":19,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":10,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584568767550,"flow_dst_last_pkt_time":1437584568769690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":344,"flow_dst_tot_l4_payload_len":5492,"midstream":0,"thread_ts_usec":1437584568769690,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} -01582{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":188486.4,"max":1677753,"stddev":378167.8,"var":143010873344.0,"ent":3.3,"data": [189790,189950,188317,188305,133,192463,259,192553,155,186504,9,186418,431,197380,166,197053,2043,207,2163,90,3747,191586,187876,1486951,1677753,168,190848,49,279,1,189432]},"pktlen": {"min":54,"avg":249.2,"max":1514,"stddev":424.6,"var":180326.2,"ent":3.7,"data": [78,66,54,325,54,68,60,281,54,66,86,60,54,372,1514,1514,54,1514,636,54,54,180,105,54,93,133,85,54,54,85,54,60]},"bins": {"c_to_s": [15,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1]}} +01980{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":188486.4,"max":1677753,"stddev":378167.8,"var":143010873344.0,"ent":3.3,"data": [189790,189950,188317,188305,133,192463,259,192553,155,186504,9,186418,431,197380,166,197053,2043,207,2163,90,3747,191586,187876,1486951,1677753,168,190848,49,279,1,189432]},"pktlen": {"min":40,"avg":235.2,"max":1500,"stddev":424.6,"var":180326.2,"ent":3.6,"data": [64,52,40,311,40,54,46,267,40,52,72,46,40,358,1500,1500,40,1500,622,40,40,166,91,40,79,119,71,40,40,71,40,46]},"bins": {"c_to_s": [15,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1],"entropies": [4.577819824,4.737868309,4.461769104,5.374657631,4.734183788,5.080696583,4.457919598,5.160151482,4.684183598,5.024262428,5.301461220,4.501398087,4.784183979,5.382153988,6.856912613,7.178915024,4.665312290,7.104553223,7.666580677,4.403056622,4.684184551,6.516188145,5.466528416,4.684184074,5.702392578,6.104408741,5.134844303,4.665312290,4.734184265,5.452422619,4.492897511,3.926021099]}} 01244{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01274{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1437584567812552,"flow_src_last_pkt_time":1437584570639554,"flow_dst_last_pkt_time":1437584570828629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":318,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":540,"flow_dst_tot_l4_payload_len":5653,"midstream":0,"thread_ts_usec":1437584570828629,"l3_proto":"ip4","src_ip":"192.168.17.53","dst_ip":"212.227.17.186","src_port":49640,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"IMAPS","proto_id":"51","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":32,"source":"imap-starttls.pcap","alias":"nDPId-test","packets-captured":32,"packets-processed":32,"total-skipped-flows":0,"total-l4-payload-len":6193,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1437584570828629} @@ -20,10 +20,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6054965 bytes -~~ total memory freed........: 6054965 bytes -~~ total allocations/frees...: 121531/121531 +~~ total memory allocated....: 6055101 bytes +~~ total memory freed........: 6055101 bytes +~~ total allocations/frees...: 121532/121532 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars -~~ json string max len.......: 1587 chars -~~ json string avg len.......: 1029 chars +~~ json string max len.......: 1985 chars +~~ json string avg len.......: 1216 chars diff --git a/test/results/imap.pcap.out b/test/results/imap.pcap.out index 6952cbbd3..1990cfc12 100644 --- a/test/results/imap.pcap.out +++ b/test/results/imap.pcap.out @@ -5,7 +5,7 @@ 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1213095262213846,"flow_dst_last_pkt_time":1213095262213972,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1213095262213972,"pkt":"ABUXJM1lAASWJ8g6CABFAAA8VURAAH8GiyQKKAMCCigEAgCPs903+0YNiGqqZqASIAAxdQAAAgQFtAEDAwgEAggKAoc1IAoMNC0="} 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1213095262213996,"flow_dst_last_pkt_time":1213095262213972,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1213095262213996,"pkt":"AASWJ8g6ABUXJM1lCABFAAA0nklAAEAGgScKKAQCCigDArPdAI+IaqpmN\/tGDoAQAC6AFAAAAQEICgoMNC0ChzUg"} 01025{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":4,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266594138,"flow_dst_last_pkt_time":1213095262264097,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":26,"flow_dst_max_l4_payload_len":65,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":1213095266594138,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email","imap": {"user":"samir","password":"pfres","auth_failed":0}}} -01804{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266780228,"flow_dst_last_pkt_time":1213095266780369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":73,"flow_dst_max_l4_payload_len":696,"flow_src_tot_l4_payload_len":179,"flow_dst_tot_l4_payload_len":1401,"midstream":0,"thread_ts_usec":1213095266780369,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":88,"avg":294609.8,"max":4331408,"stddev":1060070.4,"var":1123749068800.0,"ent":1.4,"data": [126,150,12887,12906,231,444,36852,36794,135,4330018,4331408,1394,16846,17272,39867,39540,93,199,596,39710,39393,88,905,1344,39009,38693,107,104,10836,47768,37190]},"pktlen": {"min":66,"avg":115.9,"max":762,"stddev":125.9,"var":15857.5,"ent":4.6,"data": [74,74,66,108,66,85,131,66,98,66,92,93,66,86,87,66,123,66,86,87,66,123,66,87,78,66,325,66,139,178,66,762]},"bins": {"c_to_s": [18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email"}} +02202{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266780228,"flow_dst_last_pkt_time":1213095266780369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":73,"flow_dst_max_l4_payload_len":696,"flow_src_tot_l4_payload_len":179,"flow_dst_tot_l4_payload_len":1401,"midstream":0,"thread_ts_usec":1213095266780369,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":88,"avg":294609.8,"max":4331408,"stddev":1060070.4,"var":1123749068800.0,"ent":1.4,"data": [126,150,12887,12906,231,444,36852,36794,135,4330018,4331408,1394,16846,17272,39867,39540,93,199,596,39710,39393,88,905,1344,39009,38693,107,104,10836,47768,37190]},"pktlen": {"min":52,"avg":101.9,"max":748,"stddev":125.9,"var":15857.5,"ent":4.4,"data": [60,60,52,94,52,71,117,52,84,52,78,79,52,72,73,52,109,52,72,73,52,109,52,73,64,52,311,52,125,164,52,748]},"bins": {"c_to_s": [18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1,0,0,1,0,1],"entropies": [4.466519356,4.994044781,4.884933472,5.545080185,4.923395157,5.188045025,5.565508366,4.846471786,5.532327652,4.923395157,5.445330620,5.491897583,4.961857319,5.242550373,5.321550369,4.892440796,5.645212650,4.899451256,5.225256920,5.331891060,4.961856842,5.594664574,4.961857319,5.357347012,5.240169048,4.961857319,5.602889538,4.923395157,5.631970406,5.824433327,4.923395157,5.541430473]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email"}} 01009{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":33,"source":"imap.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":13,"flow_first_seen":1213095262213846,"flow_src_last_pkt_time":1213095266780387,"flow_dst_last_pkt_time":1213095266780369,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":73,"flow_dst_max_l4_payload_len":696,"flow_src_tot_l4_payload_len":179,"flow_dst_tot_l4_payload_len":1401,"midstream":0,"thread_ts_usec":1213095266780387,"l3_proto":"ip4","src_ip":"10.40.4.2","dst_ip":"10.40.3.2","src_port":46045,"dst_port":143,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"IMAP","proto_id":"4","encrypted":0,"breed":"Unsafe","category_id":3,"category":"Email"}} 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":33,"source":"imap.pcap","alias":"nDPId-test","packets-captured":33,"packets-processed":33,"total-skipped-flows":0,"total-l4-payload-len":1580,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1213095266780387} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038674 bytes -~~ total memory freed........: 6038674 bytes -~~ total allocations/frees...: 121522/121522 +~~ total memory allocated....: 6038810 bytes +~~ total memory freed........: 6038810 bytes +~~ total allocations/frees...: 121523/121523 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1809 chars -~~ json string avg len.......: 1090 chars +~~ json string max len.......: 2207 chars +~~ json string avg len.......: 1264 chars diff --git a/test/results/imaps.pcap.out b/test/results/imaps.pcap.out index cf61c65c7..44b2d9498 100644 --- a/test/results/imaps.pcap.out +++ b/test/results/imaps.pcap.out @@ -25,9 +25,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6051892 bytes -~~ total memory freed........: 6051892 bytes -~~ total allocations/frees...: 121538/121538 +~~ total memory allocated....: 6052164 bytes +~~ total memory freed........: 6052164 bytes +~~ total allocations/frees...: 121540/121540 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 1015 chars diff --git a/test/results/imo.pcap.out b/test/results/imo.pcap.out index 3d04b8250..feafc6503 100644 --- a/test/results/imo.pcap.out +++ b/test/results/imo.pcap.out @@ -10,8 +10,8 @@ 00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1646579366870607,"flow_dst_last_pkt_time":1646579366906814,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":43,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":43,"pkt_l4_len":9,"thread_ts_usec":1646579366906814,"pkt":"mt9Y+uvcCL6sCxduCABFAAAd07xAADYRF2ddIS86wKgMqeEEwDcACY7ydg=="} 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":27,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1646579366870607,"flow_dst_last_pkt_time":1646579366927729,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":149,"pkt_l4_len":115,"thread_ts_usec":1646579366927729,"pkt":"mt9Y+uvcCL6sCxduCABFAACH071AADYRFvxdIS86wKgMqeEEwDcAc11kag0AAJobOdZhqhsqD3t\/ZsLZznm6P+VojS4Ym286bkA4KafGXg3iLF\/wjB8hr6WLuR7MT5lbl5UGnsPZptwcvPKKbJmOyY4TOPC9kAo6L6kDDYE4iSyFwPlyWfdtSAheyL2rRrc\/cATh7Qs="} 00859{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":28,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579366939802,"flow_dst_last_pkt_time":1646579366927729,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":10,"flow_dst_max_l4_payload_len":107,"flow_src_tot_l4_payload_len":11,"flow_dst_tot_l4_payload_len":108,"midstream":0,"thread_ts_usec":1646579366939802,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01690{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":62,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579367998159,"flow_dst_last_pkt_time":1646579367589404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":107,"flow_src_tot_l4_payload_len":241,"flow_dst_tot_l4_payload_len":239,"midstream":0,"thread_ts_usec":1646579367998159,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":59559.6,"max":463846,"stddev":120414.4,"var":14499615744.0,"ent":3.2,"data": [36207,20915,69195,11193,10953,10897,11928,60266,17574,7210,47,9880,379036,463846,100219,9477,9867,20901,22,106515,270,209,156,89,19549,7836,19677,23241,7950,3744,407480]},"pktlen": {"min":43,"avg":57.0,"max":149,"stddev":23.0,"var":529.8,"ent":4.9,"data": [43,43,149,52,52,52,52,52,52,52,52,52,52,43,142,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52,52]},"bins": {"c_to_s": [15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"imo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1646579366752245,"flow_src_last_pkt_time":1646579368878172,"flow_dst_last_pkt_time":1646579368918568,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":182,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1224,"flow_dst_max_l4_payload_len":224,"flow_src_tot_l4_payload_len":11806,"flow_dst_tot_l4_payload_len":720,"midstream":0,"thread_ts_usec":1646579368918568,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"185.155.137.30","src_port":49207,"dst_port":36535,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":138459.7,"max":1002796,"stddev":305661.1,"var":93428727808.0,"ent":2.8,"data": [396,41304,49,43405,10843,2151,275,10533,8077,9421,9986,55709,51,24,9743,18469,13472,314,9827,9743,9558,13513,46,69283,127192,99850,16582,835382,861703,1002796,1002553]},"pktlen": {"min":52,"avg":433.4,"max":1266,"stddev":488.9,"var":239046.1,"ent":4.2,"data": [242,371,53,160,1266,1266,224,242,1266,1266,1266,1266,122,266,53,1266,52,1266,242,52,52,52,52,53,226,139,361,138,242,53,242,53]},"bins": {"c_to_s": [0,0,0,0,0,2,5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,1,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02089{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":62,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579367998159,"flow_dst_last_pkt_time":1646579367589404,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":100,"flow_dst_max_l4_payload_len":107,"flow_src_tot_l4_payload_len":241,"flow_dst_tot_l4_payload_len":239,"midstream":0,"thread_ts_usec":1646579367998159,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":59559.6,"max":463846,"stddev":120414.4,"var":14499615744.0,"ent":3.2,"data": [36207,20915,69195,11193,10953,10897,11928,60266,17574,7210,47,9880,379036,463846,100219,9477,9867,20901,22,106515,270,209,156,89,19549,7836,19677,23241,7950,3744,407480]},"pktlen": {"min":29,"avg":43.0,"max":135,"stddev":23.0,"var":529.8,"ent":4.9,"data": [29,29,135,38,38,38,38,38,38,38,38,38,38,29,128,38,38,38,38,38,38,38,38,38,38,38,38,38,38,38,38,38]},"bins": {"c_to_s": [15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,1,0,1,0,1,0,0],"entropies": [4.444189072,4.513154984,6.563591003,4.339262962,4.286631107,4.266765594,4.339262962,4.339262962,4.444526196,4.391894341,4.372028828,4.444526196,4.444526196,4.444189072,6.433364868,4.458455563,4.458455563,4.511087418,4.511087418,4.511087418,4.405824184,4.405824184,4.405824184,4.458455563,4.458455563,4.511087418,4.353192329,4.511087418,4.385958672,4.458455563,4.458455563,4.266765594]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02130{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"imo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1646579366752245,"flow_src_last_pkt_time":1646579368878172,"flow_dst_last_pkt_time":1646579368918568,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":182,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1224,"flow_dst_max_l4_payload_len":224,"flow_src_tot_l4_payload_len":11806,"flow_dst_tot_l4_payload_len":720,"midstream":0,"thread_ts_usec":1646579368918568,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"185.155.137.30","src_port":49207,"dst_port":36535,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":138459.7,"max":1002796,"stddev":305661.1,"var":93428727808.0,"ent":2.8,"data": [396,41304,49,43405,10843,2151,275,10533,8077,9421,9986,55709,51,24,9743,18469,13472,314,9827,9743,9558,13513,46,69283,127192,99850,16582,835382,861703,1002796,1002553]},"pktlen": {"min":38,"avg":419.4,"max":1252,"stddev":488.9,"var":239046.1,"ent":4.1,"data": [228,357,39,146,1252,1252,210,228,1252,1252,1252,1252,108,252,39,1252,38,1252,228,38,38,38,38,39,212,125,347,124,228,39,228,39]},"bins": {"c_to_s": [0,0,0,0,0,2,5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,1,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1],"entropies": [6.951599121,7.408638477,4.155817986,6.605685711,7.827155590,7.851851463,6.958688259,6.942827225,7.823550224,7.844932079,7.851901054,7.830797195,6.188582897,7.144678593,4.053254128,7.818601608,4.339262486,7.858332157,6.930744171,4.391894341,4.391894341,4.391894341,4.391894341,4.155817986,6.930866241,6.293650627,7.455466747,6.412575722,6.928594112,4.207099915,6.941227913,4.207099915]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00908{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"imo.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":37,"flow_first_seen":1646579366870607,"flow_src_last_pkt_time":1646579370069590,"flow_dst_last_pkt_time":1646579370091576,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1052,"flow_dst_max_l4_payload_len":1039,"flow_src_tot_l4_payload_len":6713,"flow_dst_tot_l4_payload_len":11506,"midstream":0,"thread_ts_usec":1646579370091576,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"93.33.47.58","src_port":49207,"dst_port":57604,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00911{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"imo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":16,"flow_first_seen":1646579366752245,"flow_src_last_pkt_time":1646579369944784,"flow_dst_last_pkt_time":1646579369921382,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":182,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1224,"flow_dst_max_l4_payload_len":224,"flow_src_tot_l4_payload_len":12230,"flow_dst_tot_l4_payload_len":731,"midstream":0,"thread_ts_usec":1646579370091576,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"185.155.137.30","src_port":49207,"dst_port":36535,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IMO","proto_id":"216","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00559{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"imo.pcap","alias":"nDPId-test","packets-captured":100,"packets-processed":100,"total-skipped-flows":0,"total-l4-payload-len":31180,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1646579370091576} @@ -23,10 +23,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6040165 bytes -~~ total memory freed........: 6040165 bytes -~~ total allocations/frees...: 121597/121597 +~~ total memory allocated....: 6040437 bytes +~~ total memory freed........: 6040437 bytes +~~ total allocations/frees...: 121599/121599 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1736 chars -~~ json string avg len.......: 1098 chars +~~ json string max len.......: 2135 chars +~~ json string avg len.......: 1291 chars diff --git a/test/results/instagram.pcap.out b/test/results/instagram.pcap.out index 327420570..a0641705f 100644 --- a/test/results/instagram.pcap.out +++ b/test/results/instagram.pcap.out @@ -11,7 +11,7 @@ 01179{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"instagram.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1436720898354402,"flow_src_last_pkt_time":1436720898501130,"flow_dst_last_pkt_time":1436720898499269,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":464,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720898501130,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"173.252.107.4","src_port":56382,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"telegraph-ash.instagram.com","tls": {"version":"TLSv1","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01358{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1436720898386781,"flow_dst_last_pkt_time":1436720898551576,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":679,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":679,"pkt_l4_len":645,"thread_ts_usec":1436720898551576,"pkt":"QPMIw47hABsv8H60CABFAAKZ5iRAAFUG\/+kfDV00wKgAZwG7hJCk1JOYiMGTh4AYAE6DfwAAAQEIClpSq5UAA+qLFwMBAmB3TNLiDxMdaG\/77FJR8O6B7ETM5PL1YEwRicjM0iP0UHaAjwUM69tZJRboKPSJSylQ1372woiRMUoGT0dkqivXwS77nykGpDpQxH2zG\/qLmXj10Apbm9mNJzojbuGkVAQeXciVaLovJfxV8pe4ApuOMtqX+wzNa0ZzIxrRfdGy1r+REoc96\/duttzeccU7r8F+0sSj4kAMBptpjPxHIWmQ8bvcQmsOZTBbtWqbInBydwnOzZKHuUG4UpWsNoKQLrxSa1ETAsjugoyEe5PPT8+cb8Irh4mKsNfbStX5KDjpe9Dme8aKUCL1ceYHHjALeMY9l4fx2o0KIF6TukGkzvqR8cZ+qcyDG5U\/HYh5lxYTcHS7lDXS1PzV6XOR41h1cZ9L+KxXE6JczRHCSiNT1VF7boI4Qizj5lEdfdajhSQHOEg16UAhsZHpgK1G5Iki1ek6rdWyUqwchJMZYUThaRdJpKv9RM0OW9cAtKW4cZKenq0TEdOPDEBRCwskRboA6Gi3YnhJ3qdvDGkTLGo9t+FpkGczAZZn4gKC4xoEybQb10OFqFb4BP0BHlc1dmzqbYjWeEKW2wJjaNEaqdUvlusDaKzJPAfd\/FC3qcdqBy6RoP1rw6AWfXgFirXb5SF1IsZGaICO7Vi\/A05NBIj2TN+sAkrMTvlnJxzijI3OS4z\/O7pdS0yJ1AhdM2CbNqiTSP1\/fSWG2i895LYIERx7TAiABxyhh9ufac6WLn1D9wJV86snpuHfJEPWipx7pSJs20IjfVBIUe\/onrcoOjL6GotP95FotxVNOdpbLqczmpv1mQ=="} 01235{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"instagram.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1436720898354402,"flow_src_last_pkt_time":1436720898501130,"flow_dst_last_pkt_time":1436720898646669,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":464,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1436720898646669,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"173.252.107.4","src_port":56382,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"telegraph-ash.instagram.com","tls": {"version":"TLSv1","ja3":"54ae5fcb0159e2ddf6a50e149221c7c7","ja3s":"acb741bcdffb787c5a52654c78645bdf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}} -01562{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":49,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":136248.2,"max":1572479,"stddev":382122.6,"var":146017665024.0,"ent":2.2,"data": [88898,75897,164978,1522736,1572479,340302,390014,2197,2137,122,91,92,92,91,91,61,61,92,92,61,91,91,61,92,92,29907,29999,733,671,702,672]},"pktlen": {"min":66,"avg":682.5,"max":1464,"stddev":663.9,"var":440818.0,"ent":4.2,"data": [1431,66,679,66,1063,66,1464,66,209,66,1464,66,1297,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66,1464,66]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,11,0,0,0,0]},"directions": [0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}} +01961{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":49,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":136248.2,"max":1572479,"stddev":382122.6,"var":146017665024.0,"ent":2.2,"data": [88898,75897,164978,1522736,1572479,340302,390014,2197,2137,122,91,92,92,91,91,61,61,92,92,61,91,91,61,92,92,29907,29999,733,671,702,672]},"pktlen": {"min":52,"avg":668.5,"max":1450,"stddev":663.9,"var":440818.0,"ent":4.2,"data": [1417,52,665,52,1049,52,1450,52,195,52,1450,52,1283,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52,1450,52]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,11,0,0,0,0]},"directions": [0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [7.861261845,5.070539474,7.656534195,5.014835358,7.778872013,5.017560959,7.868881702,5.053297043,6.745593071,5.053297043,7.855556488,5.091758728,7.839184761,5.091758728,7.864506721,5.038780212,7.844711781,5.115703106,7.864735603,5.077241421,7.847777367,5.077241898,7.868622303,5.077241421,7.866432190,5.115703106,7.875942230,5.115703106,7.870041847,5.115703106,7.866209507,5.077241421]}} 00893{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":49,"source":"instagram.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1436720898386781,"flow_src_last_pkt_time":1436720900498659,"flow_dst_last_pkt_time":1436720900498598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1365,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":2362,"flow_dst_tot_l4_payload_len":17365,"midstream":1,"thread_ts_usec":1436720900498659,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"31.13.93.52","src_port":33936,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":76,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900684083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":260,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720900684083,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00878{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900684083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":326,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":326,"pkt_l4_len":292,"thread_ts_usec":1436720900684083,"pkt":"ABsv8H60QPMIw47hCABFAAE4wXBAAEAGQn\/AqABnLiFGoJegAFCP9SVkp0jV34AYH+olJAAAAQEICgAD63Ga3vWjR0VUIC9ocGhvdG9zLWFrLXhhcDEvdDUxLjI4ODUtMTUvZTM1LzEwODU5OTk0XzEwMDk0MzM3OTI0MzQ0NDdfMTYyNzY0NjA2Ml9uLmpwZz9zZT03IEhUVFAvMS4xDQpIb3N0OiBwaG90b3MtaC5hay5pbnN0YWdyYW0uY29tDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50OiBJbnN0YWdyYW0gNy4xLjEgQW5kcm9pZCAoMTkvNC40LjI7IDQ4MGRwaTsgMTA4MHgxOTIwOyBzYW1zdW5nOyBHVC1JOTUwNTsgamZsdGU7IHFjb207IGl0X0lUKQ0KDQo="} @@ -27,10 +27,10 @@ 01179{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":79,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720900692262,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900692262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":259,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":259,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720900692262,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.185","src_port":57965,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-f.ak.instagram.com","http": {"url":"photos-f.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11424623_1608163109450421_663315883_n.jpg?se=7","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}} 02436{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":80,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1436720900684083,"flow_dst_last_pkt_time":1436720900716768,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900716768,"pkt":"QPMIw47hABsv8H60CABFAAW+uH1AADkGTewuIUagwKgAZwBQl6CnSNXfj\/UmaIAQAiku5gAAAQEICprfPdsAA+txSFRUUC8xLjEgMjAwIE9LDQpMYXN0LU1vZGlmaWVkOiBTYXQsIDExIEp1bCAyMDE1IDE2OjU3OjA4IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogMTUwMDMxDQpDYWNoZS1Db250cm9sOiBuby10cmFuc2Zvcm0sIG1heC1hZ2U9MTIwOTYwMA0KRXhwaXJlczogU3VuLCAyNiBKdWwgMjAxNSAxNzowODoyMCBHTVQNCkRhdGU6IFN1biwgMTIgSnVsIDIwMTUgMTc6MDg6MjAgR01UDQpDb25uZWN0aW9uOiBrZWVwLWFsaXZlDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/+0AfFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAABfHAIoAFpGQk1EMjMwMDA5NjkwMTAwMDBjMzQ3MDAwMDEzNjQwMDAwNjM4NDAwMDA4MzJiMDEwMDBiODUwMTAwODdkZjAxMDAwZDRhMDIwMDlkYTIwMjAwNzY3MzAzMDAA\/9sAQwAGBgYGBgYLBgYLEAsLCxAVEBAQEBUbFRUVFRUbIBsbGxsbGyAgICAgICAgJycnJycnLS0tLS0zMzMzMzMzMzMz\/9sAQwEICAgNDA0WDAwWNSQeJDU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1NTU1\/8IAEQgEDwQPAwEiAAIRAQMRAf\/EABwAAAEFAQEBAAAAAAAAAAAAAAUBAgMEBgAHCP\/EABoBAAMBAQEBAAAAAAAAAAAAAAABAgMEBQb\/2gAMAwEAAhADEAAAANnYrv6OWePnpwvl4Ucr5ZqutmsxzGNFZbBKECWI2oX8gp+rqOdscgJarTJrPTiAtUZEnHz0qOljcEskD1c01Rksi2ko7C10FaSJqLDY0bkkglRK+J01IqIm99eIL6jmheWgjCKVJUTsjcmxJXNVG3K1KNr3irtvMCithKVbraoq9cQKb5mse+vydpRzhEXinDIvFyoIspSDsdW4LfVORbSFGS9z0Q07Vapihe24SRFCV8D5p7U4fInJNSacY9CnDoLekTpOusTppdQVRUWk5Z3S6nSOaiisOZWrWqtSjFjqVjcxzA+ktxbdV5FmYfOO1PR5O6tOVN6dGCvruavqOenPG2AT0hWptvhfNzvglTijkaS2WB9FlYElvdXcE7qNkc6sYnO6nwWWwvB6cwHJ3BI+Pk7LqzU7SQPCRiRBzWw1M8o9Wr7h8yd2Yes0RUdMne6nInZbXUcjq0gpefEOw6FZdhsSpo1\/NNSRGRwz8KussbUKdHc9LXYK7JQkHbZE9CMRrLHVuCy6tIhIp+ajbOxDZOaN8kM6b52TRosiOmpWqktXN4fR9WcyxQQ3Mi1m1NxKzxO57gjldCOau1Guh6KocxG0s90jNuePlRqSaiqL7xrhlZBD1ROCogrq0VC86jwXI66CmfUcy84e5MlIKemSZRcnZWo5lqOCIVpafMuyjnIKtHOmrjanNWmV0at9VUdlavIty0UHfcNVBHhvASbQRlyCBWndG1xZlpvVXVpuTtPpPHelHPmiqjZJuxJVci8tKRVa6m0Lsg1QJNocO+lKMV1BqVN+Km1zbjrI1P1ZzUr6iNEZRL5ZRw56q6yDgmfWQLsg16ZNg3hkHi+ETQdInbdS4duCJorHU42r7hqMKoMQCnCeAuojkF0F8BRBzhkEpcFpK6im5sQ5GRJU57qi78tptbhTpBzLHQKE7qrwsdX4LS1+Ts9Uc1YWugWOruCfoFCwtRydla3CsLCo7DIlTl6FQm6BQnWuoT9DwSpCoS9DwTdA4JVrqE\/QKOx0ChM6u5EjoeCVY+ZIiIA="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":81,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1436720900717195,"flow_dst_last_pkt_time":1436720900716768,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720900717195,"pkt":"ABsv8H60QPMIw47hCABFAAA0wXFAAEAGQ4LAqABnLiFGoJegAFCP9SZop0jbaYAQH+o19wAAAQEICgAD63Sa3z3b"} -01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900734468,"flow_dst_last_pkt_time":1436720900734651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":36868,"midstream":1,"thread_ts_usec":1436720900734651,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":3256.5,"max":33112,"stddev":8022.9,"var":64366212.0,"ent":2.9,"data": [32685,33112,763,702,1770,2075,61,30,336,366,672,610,610,611,610,641,610,611,10956,1922,1953,366,305,794,1068,458,457,428,824,4059,488]},"pktlen": {"min":66,"avg":1226.2,"max":1484,"stddev":538.2,"var":289645.8,"ent":4.8,"data": [326,1484,66,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,1484,66,1484,66,1484,66,1484,1484,1484,1484,1484,1484,66,1484]},"bins": {"c_to_s": [5,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0]},"directions": [0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02125{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":110,"source":"instagram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1436720900684083,"flow_src_last_pkt_time":1436720900734468,"flow_dst_last_pkt_time":1436720900734651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":36868,"midstream":1,"thread_ts_usec":1436720900734651,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38816,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":3256.5,"max":33112,"stddev":8022.9,"var":64366212.0,"ent":2.9,"data": [32685,33112,763,702,1770,2075,61,30,336,366,672,610,610,611,610,641,610,611,10956,1922,1953,366,305,794,1068,458,457,428,824,4059,488]},"pktlen": {"min":52,"avg":1212.2,"max":1470,"stddev":538.2,"var":289645.8,"ent":4.8,"data": [312,1470,52,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,1470,52,1470,52,1470,52,1470,1470,1470,1470,1470,1470,52,1470]},"bins": {"c_to_s": [5,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0]},"directions": [0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,0,1,1,1,1,1,1,0,1],"entropies": [5.898158073,7.321296692,5.085056305,7.712381363,7.732598782,7.839711666,7.840396881,7.816926956,7.824441910,7.832503319,7.834330559,7.838201523,7.842141628,7.832640171,7.857853413,7.693085670,7.721205235,7.765996933,7.720492840,5.123517990,7.778287411,5.085056305,7.565217018,5.123517990,7.755377769,7.760787010,7.733772278,7.715420246,7.768604279,7.540043831,5.123517990,7.831338882]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 02434{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":130,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1436720900687959,"flow_dst_last_pkt_time":1436720900744752,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900744752,"pkt":"QPMIw47hABsv8H60CABFAAW+u1hAADkGUttSVRqiwKgAZwBQ4lApkhzMOpIM7IAQAku18QAAAQEIClYLL1sAA+txSFRUUC8xLjEgMjAwIE9LDQpMYXN0LU1vZGlmaWVkOiBTYXQsIDExIEp1bCAyMDE1IDE2OjMyOjE3IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogMTEyMjY4DQpEYXRlOiBTdW4sIDEyIEp1bCAyMDE1IDE3OjA4OjIwIEdNVA0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KQ2FjaGUtQ29udHJvbDogbWF4LWFnZT0xMjA5NjAwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/+0AbFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAABPHAIoAEpGQk1EMGYwMDA3NWIwMTAwMDBjZDFlMDAwMDUxNmQwMDAwYTY3YjAwMDBkMzhhMDAwMDQ3MTMwMTAwZDU4MDAxMDA4Y2I2MDEwMAD\/2wBDAAMCAgMCAgMDAwMEAwMEBQgFBQQEBQoHBwYIDAoMDAsKCwsNDhIQDQ4RDgsLEBYQERMUFRUVDA8XGBYUGBIUFRT\/2wBDAQMEBAUEBQkFBQkUDQsNFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBT\/wgARCAKAAoADASIAAhEBAxEB\/8QAHQAAAAYDAQAAAAAAAAAAAAAAAAECAwUGBAcICf\/EABsBAAIDAQEBAAAAAAAAAAAAAAABAgMEBQYH\/9oADAMBAAIQAxAAAADRJrP1fOIlpAgZgklAaSWREiWQ0hYBBKMG1GQ0mshINSQNKwDZqISVGBpCiEDBAlSiBIUY0GoAhRgEhRMIlm0hLpRTallISS1AgnEASgbEmowbUamIMzBKgaCCgBEs2NLM2INRiSFhiApTEksNJDhobBqHjA10yQHEiSSgCQoARGYJBhCQZgklkCTCgQThDSSzabMzAkuECSUY0gwJJmbEGogIGpiCWaEBSgbNRAk1hiCcJCDUGkGshpCjEkKVJthagbCzEgKMEmYAjNQICzaaWoAhZmxAUYIUZySQsAQcITZqJSxlGVMgDAJCwCUrCEBQYgwoEBQQkzAJBmxKXSBBmbEAGggowSlYBIcQJKloYRrJCQtLEmsASVhiA4kRGYGQUQkk4AQsEwgswbNZNESw2kzUk2awBJdKQg1KQ2ow0ROkNBOpEk1BhBZtEDMASgCCdCMMwuixAcIEBYE2HEjbNYBBOkNAUoSCWTaTCiKSWBthwkkBZAQUGINwDaCjkkhZobDgBCXDE0pYbQThobDiXEicJjalhNIMCSayBCjAEa0ySQ4QJNQYkzMCJYBBrMEEpQIDokIJwkIUoMSToBClAEGtQkEs0YClHRYk1pBIMwbNQYgnSYgLIEBwkICyYhS0tJCxFthwmkKMASVmhAWbEE4TSQsgIGpNBLIRBQaQayBJOAEBwMQFpAkukCQsAg1kwjMMCVgRGahtk4ASFmDYdSCQtbGjUbRJdAkBZDILMTalGxBqU0hLiYmGDXVNCjMaUrANmsIQlZttqUY2w4RFAcShClECQoCSlwmETgBsKNMgZsSTpAgKSIlGYICyESVkBBYBBqJog4E0E4TEB0gQHA00FqGlLhuKTNQINQJJJZgg1KY2ZpImFGNJLDSTWQIWFASXDBBg5BGoAgOEGEajpmg1hCCcIEEswQl5DSTM00EswQFATalGCCUYJJRg2oGCQsxoSswQow0lLgQhSgCDUGkBYEkOEDYdAIJZgk1ESQpQcUhRsSFGCQZgklgEmZg2pZyEBZgglmMiWQkhRgkOBoicSMiWbSDWGJNQBJOAMAKVVMgYiIUahNE4Y2wsNICwNCXUCIlmDRuGk2S1NsLUYIJwRbZrDSAo00GsmINQEkk="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":131,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1436720900745027,"flow_dst_last_pkt_time":1436720900744752,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720900745027,"pkt":"ABsv8H60QPMIw47hCABFAAA00CZAAEAGPJfAqABnUlUaouJQAFA6kgzsKZIiVoAQH3QuLQAAAQEICgAD63dWCy9b"} -01716{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":161,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900687959,"flow_src_last_pkt_time":1436720900865663,"flow_dst_last_pkt_time":1436720900865785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":253,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":253,"flow_dst_tot_l4_payload_len":22769,"midstream":1,"thread_ts_usec":1436720900865785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":57936,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":11468.7,"max":111969,"stddev":29722.3,"var":883413632.0,"ent":2.3,"data": [56793,57068,1160,977,610,610,428,397,457,457,672,702,1281,1282,1160,1160,488,457,428,458,111480,31,111969,336,1343,61,30,1038,885,793,519]},"pktlen": {"min":66,"avg":785.4,"max":1484,"stddev":697.7,"var":486813.2,"ent":4.3,"data": [319,1484,66,1445,66,1484,66,1484,66,1484,66,1484,66,186,66,1484,66,1484,66,1484,66,1484,1484,66,66,1484,1484,1484,66,1484,66,1484]},"bins": {"c_to_s": [14,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,15,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02115{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":161,"source":"instagram.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900687959,"flow_src_last_pkt_time":1436720900865663,"flow_dst_last_pkt_time":1436720900865785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":253,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":253,"flow_dst_tot_l4_payload_len":22769,"midstream":1,"thread_ts_usec":1436720900865785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":57936,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":11468.7,"max":111969,"stddev":29722.3,"var":883413632.0,"ent":2.3,"data": [56793,57068,1160,977,610,610,428,397,457,457,672,702,1281,1282,1160,1160,488,457,428,458,111480,31,111969,336,1343,61,30,1038,885,793,519]},"pktlen": {"min":52,"avg":771.4,"max":1470,"stddev":697.7,"var":486813.2,"ent":4.3,"data": [305,1470,52,1431,52,1470,52,1470,52,1470,52,1470,52,172,52,1470,52,1470,52,1470,52,1470,1470,52,52,1470,1470,1470,52,1470,52,1470]},"bins": {"c_to_s": [14,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,15,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,1,1,0,1,0,1],"entropies": [5.838165760,6.902098656,5.046594620,7.571764946,5.046594620,7.804839134,5.046594620,7.765610695,5.046594620,7.812949181,5.085056305,7.799284935,5.032077789,6.483376980,5.046594620,6.923000336,4.993616104,7.515916824,5.008132935,7.819376469,5.046594620,7.844942093,7.811455250,5.123517990,5.085056305,7.765757561,7.802289486,7.797224998,5.123517990,7.813294411,5.123517990,7.806335449]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 02425{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":179,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900872835,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900872835,"pkt":"QPMIw47hABsv8H60CABFAAW+QeVAADkGzDdSVRq5wKgAZwBQ4m1aOHmGBPBEEYAQAktTqQAAAQEIClnq0tYAA+t6pEVxjNbEsTo05BJiqWC+y9Cm00IuBsqQ3OjXYmls3ooNNijoaA4JvaGXA6WBNFUSNxldWicRkqfSvQ+ysT9n0voZ+EyJR6Oy8JFg5mjiK3jhnpErGpjhG8skeRODdCdQ2MDy8miGRvQk1oSZFhVmGQ28jcag3sVEigomNJgo2R5DYnSdEiIuyPaJg2JvQlTQl7HH2PCFhjS9CYo0RCdlSaY2qVbA7SVlukMk60Nrou0FvVb7YyZLsTJUNNjXYcKjL2NNBHY6YRIqyEsm+g1byhIVtLCoTuULeROaIZSg30H1KXibE4I6MNQaNsuwl6EmkRW2hNPKHVGvY2h4LXCptXgsREUx4KkzYc6itsZrGceuCUwiNvZ0NlpU4bHVgOMeBQT+hXsW4NkxniYRKY0LOGPOuJ3wxvNY30XInTbyUHSrYx3BbGhCWhOLAjiZyQZFUJdjY3cIt4ZOkJvIlCy+hRiRG+RuPBllCy6VrIsIWMN5wEbUZGNRwXYxYMsCZvBM0SI+CRpDbsamyBbROyZoo8CJEl6E9mJ2S8EM3LEKN5FGYSlBs8UdkxmA2mpRC0zPZ7xJ9CwL8H7GJMEIRrTFqwKrYnyiJkSFrOodENU0wTGWNK2jlI9lfZlilokuhJLsxJCYIN4hejdRoOrIspMTJA01hjZUKPFINeESqCUMEQXvhWETJONsmi4g1wbPQfoNvgSpYMGCvY9YNIqvA3SQSmRLI4YPo2XNMYImYP1DY4jPgTTw2RtDTZj2bUhs0VbI6JdDjHkaG0not6KSwmmsQgk2Q2d8EY0NThbnDb6LikplbG2dZcC3WN4yZoyEhYNBej0BWx7I90tpJlyN42ZDbInnJ1C1j9i4ezDdGzUCRBRluhyJbIYWhtD6NOhqmcKFroh5EphFtxoj0LHA27N4EuzbHNiablHlZGpBOsMNmxNFXQsIyISmhtLI00bJ7F+j1S+jDRaWi3vmNnZe2dMzFsHjJciezaGpgnsUwLB9OsnZ3niE9jVXaWBDK2XAvaENk6N0ekQ2O9mkVid2JeCeikitCaY2qSMSexWxPhK4FBtCR+iXk7ssgLA2L0SCdTorMmVWF2XC0NTE0Jx1GuCltCJQTg1LLSyaM2UJLoSF6DFF9Mw9kaL7IKmI4MmxmzPiZWtisp9MNxiCdRNs2PYXFI7EHTI1SpITxUMwngXpkyZLmoTeRzsWCnZ+DfRVtifokzCxuYoykLQuIaLckmHw90WsHeOLnJ84eDeStIr0XApBloXsSFOuGxPJSo9D4JV5INNsaqEnFWmLKwNNiDhZETR+8N0hPQnDfQ9jUeRJC3L2abSUYrSyXKQvTLUJ0TMDXTG22NpLA+h7pbgbPbEFhURZQjQj9GNi+DZGcFGLsjYTTQlYRp28M2yQyxotDecoU0R2IEl2iJYG4illoT0E0yNMauOGKUSPA0mRrZpNHQ9mUtCe8LiDqwZ6FGTD0YCawPKG6VPR1B6om0oVtJszsT2oPLg1iChibE3sd6Emqj9QlcmEXhv0J3fFLW0UaJbG7obENhs2LInSGhYWLA09oR2MwU2WaOiiYyFETeCZiGhtrYmeGRtwUYEs5HJsYE8FFhHQyA82YMmWhvJ+luERPJpCaXRrgavgriCd7HBcZJXUMHg9aNwpE0U5guCZyNlQ8sSjo1kSMsTUUFRQbOhYwhtnKP6SOXI1R12JOnuIeq2VMpZgm+hdg0iYglGUXsWqM1gbLTRccdQh6Ku0exnodIIyzBObLeyzRbgl2MPIvcF+DTaqR8HaG7s1kuabRjJ0TpPR2VPJV7KLKyJPRF0V2DRrKEZhaNsjpZo9uNoKHwaJdi0JwbUojVhqtMTJ4I0NdDcP0bBkIaxSOjsCQm08MyRGoPKyP2uPoVQ="} 02431{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":180,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900873323,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720900873323,"pkt":"QPMIw47hABsv8H60CABFAAW+QeZAADkGzDZSVRq5wKgAZwBQ4m1aOH8QBPBEEYAQAktstgAAAQEIClnq0tgAA+t6yOoxEtjJYMe0j6G03geIuahaK1oTHsEliMMTZ8IV3w+jNLnJcKpRQYoNH0Q1owU7ElIg1BvY00M1sKh00GrYYaKmxapIfSuhKlliV5Ggz2ZEdUXqEuURYhcRmGdF6HkVYKkoGKmh3bGvRvDFLCRD9sysMedkSiftieCrscIysGDeGZuR52JNFJwy1gdIqmuE8SC43k2NNmXvnK0LZ7Q9kdYKlspkg9CZoqhXWJtbKpgafXBrJWhOsqdlcjGlMIf02UEyYUEoN\/R3BPJjY2bCG2s0iEvRRNQ+jO4xqKDwyI0ohahosjThi9BIrI7gehuDWUCCJLBXotaGI3Qlg0wJ4IVBKoTow2PA\/UqeR2ILqdQ62OGMraO4hekPhuNoceBSE3cCJmskaK+hP2IZK1kxs+D0NwaUQbYMYurNlQeMoTLYsrBUslTyTGB4bJjIpUh1Csyxlol2o3gucCaI7VzLkaJHRLOOI9DqwQy9GXvictCZRvBROF7M75lwMNqMbA1Q7yIm8GJWsFybGm8jbOi8hKnkr2M2jAtIEustYo61E\/YmmP6L0b3whJbGvRDYcGUzATfFIDVQIw2Oobux01kTo0N6FINdmGBYdKOUophoRJtodkbFVo9gsdiVGqholRuBaWjGKEmDKSSFXnjQZrsSagmHGQ2V6YSOqJlWjZkzB3BjS9mOWLBMSDwqGspicFTSY2vRnKTsOEJT6izJU3UzZMYLFNbFHhcKrhEElmjUHgsGw3eFliqL7LktKtGhuCzshGkdcMxokwNDSEy0x5WRazwkNsaY8bLNjG6JXCGsDRGmNiieYQKFSLNMh9GJBBqDcYmQ\/TLYs4Y5okeCCq6KrROsWRPA\/QgqexNDwJeyORUtLVhijncHacZgTImKglDuKPKPiNMVuBBPFGsVisByZlsa7HsdRZxjrKIyEiLkwMS2JuxPlJTJB8H6bZlkrSN1n4byX0J4EzWxRB5yNNiRbIpUIU6KJCXaHjR8G5KJ9CS9nWBuYG8YG6i9HshCfoTL7I9i9svs2S0igzvAmIqQvhrDHLkQf6KrgpKCatLEWjeRJbOsDeINKDg0ui5F0zaibWWN0bpi9BWZoEHKMpILVMCwVlji1gwwlSnhCVWC+iHqDPofxpWqTM0eNJ2xqh8YRjmCGxosC24xO6HlDsYiabHsVY3Q2j8FwXDnhHTop2I0ZBKKmqh+g1MksMLJUzHQ4tCWBioqFxpAlEhOSDo8Dagmn2S4NI9pDj9P0qphlFmxt9ob7Q4fDeWdIS9mSomrgesCHk9xVyISbeBYZYqOnkRY6Qi+xNoTGi3wtcJ8IdEGuiiJs+CUCzHWBIwyehKjUWCjSYQ2xehJQkV4bmCDSE3ajpBI9MbbKsnYhMqSE6SoSmxVZQz7F7Cxw52a0Oi4wa6G80SyNISCZNs1kTWjAjbEjBSIX0JgVNEej4YLk6FUNkLSpOMieS4G8EdEeg2KpGUxUsEchDaYw1FYKjISLZtH5xdj6MjnZrR0KQaPJCYqtCpZNBN3Ym8GJNCRoeRqPAyVRi2Jvp8EoJ4hRsvRtEZTjFNsRZ6Lg1GM+iyL6KpBqRssXcg5w2Ui1l6HGqjFFnaPpYhNtEfI6Fk9p+jWy+h1jWBucKo6btHQ1cIbLY6jKwI1kTtCe6OF7GyQ+luTvB+OCeRZE8Cjzw\/QQ2lsbbGNL0REErSTiKuDRksFTw2JZIJTbY1oaZGzXwTzsbdEiLmog0Ji7YqmN+hroiag0PQeUVDI9mcQw6G101ZROVMQtGQ7eH6WaIbNDwsDsK10NpNDbcMrspisEOJISYYqTRU0RDqgVWGQxaXIsvmpFmWPDA8JDDqHRSQsC9DYnnBYhpbF9KmJvaYk7Ktm8jfrhZcJnL5r4twNjbk="} 01194{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":180,"source":"instagram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1436720900692262,"flow_src_last_pkt_time":1436720900692262,"flow_dst_last_pkt_time":1436720900873323,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":259,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":259,"flow_dst_tot_l4_payload_len":2836,"midstream":1,"thread_ts_usec":1436720900873323,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.185","src_port":57965,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-f.ak.instagram.com","http": {"url":"photos-f.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11424623_1608163109450421_663315883_n.jpg?se=7","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}} @@ -41,7 +41,7 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1436720901182283,"flow_dst_last_pkt_time":1436720901182283,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720901182283,"pkt":"ABsv8H60QPMIw47hCABFAAA0W\/BAAEAGs3DAqABnTUMdEYS4AFDrYaSj8+woZ4AQH+origAAAQEICgAD66NkobAz"} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":203,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1436720901182466,"flow_dst_last_pkt_time":1436720901182283,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720901182466,"pkt":"ABsv8H60QPMIw47hCABFAAA0W\/FAAEAGs2\/AqABnTUMdEYS4AFDrYaSj8+wze4AQH+origAAAQEICgAD66NkobA0"} 02444{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":204,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1436720901182466,"flow_dst_last_pkt_time":1436720901183137,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720901183137,"pkt":"QPMIw47hABsv8H60CABFAAW+nH9AADkGdFdNQx0RwKgAZwBQhLjz7DN762Gko4AQAq9DyQAAAQEICmShsDQAA+ufWEdJBRPnaSmosKHYDmQEyGHV3GAwTrGe5kQxyGEYyxmyELBrJc+SMi3dmmwq1mAYjd9asgZG6SWIbmuecSeibLvJUKPOw0JlNLd+SsFoR4AyWWZMuWzjy22t8lg9nL1yby0j7G5yGHP2UfvrthqhUQLZPhRPRii5ZImLbbxtBh75Nwi10QstpiiOURwgsk\/gse0fhODW3xEaIlCTuwGMxEsajO6KBwgVZE4oD8EZJ8CUI+IftidbAnEAzCB+CxiXeSUkT7I4PLvoy1NnMNCUuGI63ybZNQBpkMtmgmFlmfthxhK9DguCw4XPNprshLbUVoAbHdBaG0WibQPaUDoawN0QnEMFu5OOsEXu+c3ydgozRy0R9FbV0F8hsoSyHLIicGyGMakQqAYSTks8J\/2+\/kORfizOWuAtMcMCSaUPfEY6f\/ttodWXWPLX7bzs5o8i2FH5IZ4wLEpEOhwV2MADYJIWDBmF9CQdn6hh1kzmvWM7b4SuFg+iI0QmrTgRgMl\/rAMZDtwdyKQyk+DPksJTgtrhZZRA\/GY+X2oyKfiboDY0NouOzUthrGCw4ToWxqMKM+rf1sDDAEsjSzJB7rCfcDOwibANVH23SwWhh5rFCY04ksXdhurOKpIBQXzCwN2yHF8S1j2hc2z0kMsCW+OeS+e5HaaRoyzZaCzPNrgnwkhY7i8yZQkeMkH4woSzgHZw7AMoJTs5nD21BiRDuFCBqB4lGX+kk55UTfE62aMJ9jBPBhqltnyYDTEarQKEsWGbVjV7cRHRc\/JgmbZkQlW0YI\/xZdFg6wN2R+J3fOBbBmIcOvB5bIKiWTEFFXRESk7pA\/G3UwXXKB8XDGTJIAkPv49GZuMRZBkC+FhZzCzZ\/iYJh8LIJjV10uzY7Q6E8RpFbyee3Ru25UC5ETbDsFPCaR1ZZC+Qlrsu3Z2QOnm5Ijct96wHLCiQoCUx5CFCGTynRCNjadMyB8tlLRKCwv7KX++dvy1I4Ngs+X8bALTsRQ81XIDydJihBYicmO+O5EykyOu25b+jIYCOXX2WfISuvyX8JiI2GJxqYZEg+OZPoDhxBrn8TYtguClNRehGIQDtqZcwjb\/V86w0sQMOHMZzpnYBjpA8i2eJoGlmik3CQHHMRm8DxLkyFvCZWDFGTUEVI6mHEnfCoaSoN+\/pJIKAlCT4XxDOVC6F8g19jfq1eEJAj0k3u3yFtEJC0DXJolurtJkzJ6y5KHJWSGujZ7ucFS0YjpIoSX0blPAySPJvg33fP2OLma7cQ\/o6PyUHgctick8cobWRNWzIJG3koi8vkKbBIHEMIhdatBUZ40kmN4wtVBz4xoAKljf4v6tXAUt\/sabl0bLkuRE5KikyGgBCbojsrcdwSEGEBomIUFpEl4TvPOqQ8EQF08if3O9FnhnUw2jwQHpaPsw+3EzgNs0zWy6OB623FWGwH7yRctwfDWnw6uSz7AvbHpmHBs+lzanaBkBBq2DLF24dyAfJ1fyW2F8GD9sWLVnjCGZF3EsLst8bQIxxKOwYkoOS2WRsw0xVMJlnywe3Dcc8w+9gQNiBfxyDpYA\/BXzFgEQ3SDtI\/Iov2XBZk1lmPY59tj\/SH+23V5dy\/iiOkLW8UdeiSozNTMFJIdoa309Kn34h+DTnlxZPJVqKRj7du3Uk37CetFC6vFxS2151HHC6aWXemK7B3BpAILjJ\/RL8v0ZA5dOz14w3bAaJWBEg+oUMkesS4WzNnMtGFzWDqZOmcWARMZvW5QUXehDRGok1aYS2VUwcI4nRFkmR4HYk3YsQQ7hbSjts4wBuESi5cIWAPkICk+lgVslThZsIux2ZS+mHik4DwoYI7IF8QlYXTsSiw2By7i5s7AeQhpAzljeQfkQaQPQMK5P3IVCAQHZWMgI="} -01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":255,"source":"instagram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900690339,"flow_src_last_pkt_time":1436720901257356,"flow_dst_last_pkt_time":1436720901259248,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":518,"flow_dst_tot_l4_payload_len":24096,"midstream":1,"thread_ts_usec":1436720901259248,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.186","src_port":44379,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":36642.8,"max":372071,"stddev":92640.3,"var":8582226944.0,"ent":2.3,"data": [185486,185853,397,519,640,61,1434,61,1404,61,580,733,1434,61,310272,372071,63232,2166,2198,336,305,549,427,733,793,580,519,519,519,1007,976]},"pktlen": {"min":66,"avg":840.4,"max":1484,"stddev":686.9,"var":471900.1,"ent":4.4,"data": [325,1484,94,1484,1484,94,94,1484,1484,94,94,1484,94,1484,1484,325,1484,66,1484,66,1474,66,1484,66,1484,66,1484,66,1484,66,1484,1484]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0]},"directions": [0,1,0,1,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02120{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":255,"source":"instagram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720900690339,"flow_src_last_pkt_time":1436720901257356,"flow_dst_last_pkt_time":1436720901259248,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":259,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":518,"flow_dst_tot_l4_payload_len":24096,"midstream":1,"thread_ts_usec":1436720901259248,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.186","src_port":44379,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":36642.8,"max":372071,"stddev":92640.3,"var":8582226944.0,"ent":2.3,"data": [185486,185853,397,519,640,61,1434,61,1404,61,580,733,1434,61,310272,372071,63232,2166,2198,336,305,549,427,733,793,580,519,519,519,1007,976]},"pktlen": {"min":52,"avg":826.4,"max":1470,"stddev":686.9,"var":471900.1,"ent":4.4,"data": [311,1470,80,1470,1470,80,80,1470,1470,80,80,1470,80,1470,1470,311,1470,52,1470,52,1460,52,1470,52,1470,52,1470,52,1470,52,1470,1470]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0]},"directions": [0,1,0,1,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1],"entropies": [5.875868797,7.799760818,5.230642319,7.805149555,7.815236568,5.230642319,5.255642891,7.775027752,7.764830589,5.255642891,5.255642891,7.786373615,5.230642796,7.780581951,7.802150726,5.830727100,7.246917725,4.955154419,7.568865299,4.969671726,7.664569378,5.008132935,7.792304993,4.959492207,7.832537174,5.008132935,7.790991306,5.008132935,7.830072880,5.046594620,7.783673286,7.843332291]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":262,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720901262544,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":258,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720901262544,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.153","src_port":37350,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00875{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":262,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":324,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":324,"pkt_l4_len":290,"thread_ts_usec":1436720901262544,"pkt":"ABsv8H60QPMIw47hCABFAAE2VBZAAEAGt67AqABnUlUamZHmAFCdoJYSxR9Z0oAYDfbnvwAAAQEICgAD66tZ6cc2R0VUIC9ocGhvdG9zLWFrLXhmYTEvdDUxLjI4ODUtMTUvZTM1LzExMjQ4ODI5Xzg1Mzc4MjEyMTM3Mzk3Nl85MDk5MzY5MzRfbi5qcGc\/c2U9NyBIVFRQLzEuMQ0KSG9zdDogcGhvdG9zLWEuYWsuaW5zdGFncmFtLmNvbQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KVXNlci1BZ2VudDogSW5zdGFncmFtIDcuMS4xIEFuZHJvaWQgKDE5LzQuNC4yOyA0ODBkcGk7IDEwODB4MTkyMDsgc2Ftc3VuZzsgR1QtSTk1MDU7IGpmbHRlOyBxY29tOyBpdF9JVCkNCg0K"} 01179{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":262,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720901262544,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":258,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720901262544,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.153","src_port":37350,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-a.ak.instagram.com","http": {"url":"photos-a.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11248829_853782121373976_909936934_n.jpg?se=7","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}} @@ -75,7 +75,7 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":344,"source":"instagram.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1436720908466005,"flow_dst_last_pkt_time":1436720908518251,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720908518251,"pkt":"QPMIw47hABsv8H60CABFAAA0kN9AAFUGV5QfDV00wKgAZwG7g+MQ445PobbjVYAQANn+UgAAAQEICvAgscMAA+57"} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":345,"source":"instagram.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720908521089,"flow_src_last_pkt_time":1436720908521089,"flow_dst_last_pkt_time":1436720908521089,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720908521089,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"46.33.70.160","src_port":38817,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"instagram.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1436720908521089,"flow_dst_last_pkt_time":1436720908521089,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720908521089,"pkt":"ABsv8H60QPMIw47hCABFAAA0\/y1AAEAGBcbAqABnLiFGoJehAFBl4Bu99+Pb34ARFTc19wAAAQEICgAD7oGa3vT1"} -01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":237350.0,"max":7321503,"stddev":1293384.0,"var":1672842313728.0,"ent":0.1,"data": [183,854,1526,2655,488,367,335,397,1495,519,1160,1800,61,31,2258,92,3204,427,3571,1038,549,367,1953,885,885,671,3632,61,4699,183,7321503]},"pktlen": {"min":66,"avg":903.3,"max":1484,"stddev":693.1,"var":480370.2,"ent":4.4,"data": [66,66,1484,1484,66,1484,1484,1484,1484,66,66,1484,1484,1484,1484,66,66,1484,1484,66,1484,1484,1484,66,1484,66,1484,1484,1337,66,66,66]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,18,0,0,0]},"directions": [0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,0,0]}} +01965{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":237350.0,"max":7321503,"stddev":1293384.0,"var":1672842313728.0,"ent":0.1,"data": [183,854,1526,2655,488,367,335,397,1495,519,1160,1800,61,31,2258,92,3204,427,3571,1038,549,367,1953,885,885,671,3632,61,4699,183,7321503]},"pktlen": {"min":52,"avg":889.3,"max":1470,"stddev":693.1,"var":480370.2,"ent":4.4,"data": [52,52,1470,1470,52,1470,1470,1470,1470,52,52,1470,1470,1470,1470,52,52,1470,1470,52,1470,1470,1470,52,1470,52,1470,1470,1323,52,52,52]},"bins": {"c_to_s": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,18,0,0,0]},"directions": [0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,0,0],"entropies": [5.046594620,5.046594620,7.807667255,7.804625511,5.046594620,7.835396767,7.830054760,7.827408791,7.815585136,4.955154419,5.085056305,7.818941593,7.842073441,7.811964035,7.825482368,5.085056305,5.046594620,7.838124752,7.812465668,5.046594620,7.832524300,7.839126110,7.830482006,5.085056305,7.832290173,5.046594620,7.787267685,7.789937973,7.772590160,5.123517990,5.123517990,5.085056305]}} 00897{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":346,"source":"instagram.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1436720901182283,"flow_src_last_pkt_time":1436720908522279,"flow_dst_last_pkt_time":1436720901200136,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":26795,"midstream":1,"thread_ts_usec":1436720908522279,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"77.67.29.17","src_port":33976,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":347,"source":"instagram.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720908523744,"flow_src_last_pkt_time":1436720908523744,"flow_dst_last_pkt_time":1436720908523744,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720908523744,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"8.8.8.8","src_port":51219,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -141,12 +141,12 @@ 01177{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":466,"source":"instagram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720942580781,"flow_src_last_pkt_time":1436720942580781,"flow_dst_last_pkt_time":1436720942580781,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":255,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":255,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":255,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720942580781,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":58053,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-g.ak.instagram.com","http": {"url":"photos-g.ak.instagram.com\/hphotos-ak-xfa1\/t51.2885-15\/e35\/11379284_1651416798408214_1525641466_n.jpg","code":0,"content_type":"","user_agent":"Instagram 7.1.1 Android (19\/4.4.2; 480dpi; 1080x1920; samsung; GT-I9505; jflte; qcom; it_IT)"}}} 02448{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":467,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1436720942530885,"flow_dst_last_pkt_time":1436720942592195,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720942592195,"pkt":"QPMIw47hABsv8H60CABFAAW+MAFAADkG3jJSVRqiwKgAZwBQ4sRSEEyML7VmbIAQAggFiAAAAQEIClYL0tgAA\/vKSFRUUC8xLjEgMjAwIE9LDQpMYXN0LU1vZGlmaWVkOiBUaHUsIDA5IEp1bCAyMDE1IDIxOjI4OjQ3IEdNVA0KQ29udGVudC1UeXBlOiBpbWFnZS9qcGVnDQpDb250ZW50LUxlbmd0aDogMTE3NzgwDQpEYXRlOiBTdW4sIDEyIEp1bCAyMDE1IDE3OjA5OjAyIEdNVA0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KQ2FjaGUtQ29udHJvbDogbWF4LWFnZT0xMjA5NjAwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/+0AfFBob3Rvc2hvcCAzLjAAOEJJTQQEAAAAAABfHAIoAFpGQk1EMjMwMDA5NjkwMTAwMDA4NzQ5MDAwMDFlNjAwMDAwZmE3MzAwMDA2M2U0MDAwMGEyMzYwMTAwZTk2MDAxMDAxMmNjMDEwMDdkMTQwMjAwZGE1ZjAyMDAA\/9sAQwAHBwcHBwcMBwcMEQwMDBEXERERERceFxcXFxceJB4eHh4eHiQkJCQkJCQkKysrKysrMjIyMjI4ODg4ODg4ODg4\/9sAQwEJCQkODQ4ZDQ0ZOyghKDs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7Ozs7\/8IAEQgEOAQ4AwEiAAIRAQMRAf\/EABwAAAEFAQEBAAAAAAAAAAAAAAQAAQIDBQYHCP\/EABoBAAMBAQEBAAAAAAAAAAAAAAABAgMEBQb\/2gAMAwEAAhADEAAAAO9N4sXTDu15V0zXWqS6eeKmgreaCCmgg7uEVJBFpoIqbJxUnCLu4QeTiZpSHB3cGdOqZ3QRk7jdJJupIE7IbunTdJ01OMhpJ0O7ON3aSOfwekxeD0uW5b1DncnTsA9NJjtugMD53fqZhIgWgSaAtbEsWQtyzLPTnJhkzlli0uis5Bw7O7irEdfDm7Q3o5VwFjvEUYqlhUYWiOMp6HN4L9xoRfHbOtZDzdIqnt5UkurlUXoRcsXKR16897uavZ1aZJAySBM7AzpAoyQRQgyWmsrLZ1OZUcAMdHNE+Pr4jXWjcf5Yn6n5BjRjQdkY2Ci0j2KtwOa\/UpM3ThJRs3xi0n0mLpwZpOEVJkou7MSd02Z3ZFpOEHkgZ06GTuOLuhNJONJONnSQ6khpJwSdxp0k3SkN0kh3Zxu7STU1Wnghs\/P2jYmxyVZaPV5dg9EEcFEMbREli20VTekwDSyB3KDNbYk3lNtwDNIYAe3by0E+sjys0+hryZgbUO7JtFhyPAtU9x0fnXT5Pe0s8iDQmLcK2RFHXhU6XTyJnQ28l6vzLNitasqL77zvTx19X0ci6zQXnPPdfP7MvnHFT+lsL59dHsm\/89emZV6Rwnnza5jdZxo6r1zovBcxn0zk+Fuz0rN88YOj54WAHVCQZESpRo6asDUEg+pcTzW\/zOv0wrwT2tqjD9I4GWD0GFZpn3V3jttz7jDCvpQgFzWGnoul5+tsu35+PE65+hGeTZlT7uR8ydJvn72\/jvpsaaqz69ctVZ2lpLKT0oqTAk8hxUkhJOCdONJONpJwUoyTdncE6dNSUk25Pb4401KwD+XrjwXoWViQow+4a5bP6vJ0nnR9YKwCs6sKb6awPu58RHXNxxs1uwH0ZoswO2Gbbm0i2IA2jMsDvRdUaULFs2KwzolWtLXv2s7q0nGSLJCq2zNhzG32cRjcZ5mHvkvmnpYZ\/G44avfLzN1IbE7nlky\/T\/MstLZrG1W\/PSfZOu5d\/ArvpDw\/t5uJCKz6NPKChFXSGiq1p59mmZDDhAbKIjC40UhbGFKqLSdOLO4MkkfQh1cJjj+O9GqqPQOf5vU87txCsYGo7vZ879onVefdz8yDmjOv7+Tz\/pFy8v0="} 02456{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":468,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":3,"flow_src_last_pkt_time":1436720942530885,"flow_dst_last_pkt_time":1436720942592409,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1484,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1484,"pkt_l4_len":1450,"thread_ts_usec":1436720942592409,"pkt":"QPMIw47hABsv8H60CABFAAW+MAJAADkG3jFSVRqiwKgAZwBQ4sRSEFIWL7VmbIAQAghpXgAAAQEIClYL0tgAA\/vKkxiut5qB26Ow9Pj8+yfWMCa4DUGy+Ho3+c5jmKfpvReNdKH0EH5lbcbz+eZjXvWt849W37RLwLcqfYn89ApepLzJrn01eX8qj3x\/Byg9vl4hMftksS8eq4V9yQ9dg87nd3j8t6NPn9HZ78M8\/m15\/SI4iV0+Hr5YZdJFWiriRaANGqKgC2yBU5D1y9AGO5LwC+hZAOnTCa0b8GSfSXc3ZK6AUI8M2\/RlL0N3AaXqkYlae70WFvXE\/MysjfHhicTX059\/nyudDYrqom8O\/SwbXeAYWCl2HDbeHOmh0nFvU+hbHnPQ5vucrmudw17ngsyPVk8VHSYNOA4HAkiaZ9LkB4VlFV6oQoQoqHF7YpwjYwQuo3UsJOh\/RGPbfOPDFikaxDY4DU5OkkXmo2bPofj3YqtI3A2tMe8H5Nt8O55y1B5\/7N5\/Hj7N63x3O1z+g38A6wXb+eEc9NDyaVW6IJldX6R5B6ZmuRoJAaDtPubZt\/FrO\/ofNxI07nn+e9Kt8ed1WPUA43vniOOoe+MdtjoYlp8vJuziWF9ZSfTEwvQuT1MrucEnl3NmPfozec2Q8b4rocvm7XZ0ZulcvKtUOGRAQ4+gnWZDVgPNWhEKtHOpze6ZyDRXdX8BKT0GfAkRXbz40uX19WJqIDO0OmFTszkplJub3z+cPQ\/JvQ6z862sGNz1mVnCXPSY4Ty9OzHqpGSzpKihVIIPNmVKcRNOqLCYDILVVeEY398LgV1vOVI9RE0wT4QEQJpSDAaZU3nNoOD251yCtoLfS5daqb9QCMzcp43dzem6ufhS6Oew6aI6IVlfacgTJtbFeleWXZh0ue8o8\/FVehcsDozfPVyqd2beAaLdw7AEWuPBsy\/NtRo7nK6amwzE7wely5\/Li6bHG7EM3mel42aI9A86edPRMPG0Ly9C4IXGVdSXyWneZ42VsFYuj6kTogdbNyRn62pnUvPuruzMr3A+oweXcoviYt9jgW6815zm+k8\/tAB\/OBUuybA1gvm903GUlLnZS6ZF4KFr24FYdVfxNcHoN\/nFir0ejjdiS\/RN6WHm6VtwnvhPbN\/CPbfkffMXtuX3qjh3relJQiEoMQKEpOyKasJqDId1NjV21hXC6QDvdJEJVO1s\/Q\/zN6OTm8v3oOGonI9l57alQUrkXYpZMcsGthFgcg05VXIYrOJRhIhUfQ\/A63I8zG3eKzunHr8oC2NDAbQaOkGxtKX2WhycdMdrn93jLkKuKz3vZ9JmVLTQZa3BEZ0bqBxVlISUosM18C1LstzjfR8zjgcXvgyeor56XydIvT6GCMTACyMtUrgCKhlE19BSC9tDF2gkO5dOOJom5fPt2VnLbnJsVlaDDEPHHuS8fSny7ebZ3qPK2w9TgzU+rEx8ulpAaNFzDbyos643zk7Ou5p5O+X0FYusqEnp3Q6dbPtiuk0uU14ejc98q24cupIjGzSHlDhtF575ZOO+XSVH4SnEqKawNGGtZiJmIRtjEC5UnTQtnUn51xEfWfPtM8B7b2wbSKwHWlcGMSfEWVosImWLXNObHxqcs3YBBYOiCN6LkB4epBLK0KLAqqCHVFoZN\/S\/La3Ded0EcjPZ3z3AN\/GxrIy9iG8YgvWH1PnkuwzLWQPtqlhubqs540iAhZVVsNHpgy+LaCMldVgpipyGjRNCQdSLo8zK5\/dN6RMPzzXjRmF7eCA9vW05aci1898xYkdUwXtNbK2ik7MtyrTKySLWrnk2azz+9hky9fQzRuXXXQYOOm8sLU6Mz+T6DMig+c38yaBw+rLTxauj59VjG6rUoWWXRciQb8rJMP0s6wZdhrOeI1OpspY+oXQgyBjtBm3CyFWZNgavivsvzz15cAGTDTH0Hz\/1jzPKsrUpltBIzz0jO0ZWIpZqARY="} -01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720942530885,"flow_src_last_pkt_time":1436720942601472,"flow_dst_last_pkt_time":1436720942602785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":23009,"midstream":1,"thread_ts_usec":1436720942602785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":58052,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":4596.4,"max":62164,"stddev":15022.2,"var":225667616.0,"ent":2.0,"data": [61310,214,427,62164,336,336,1434,671,916,885,1556,61,61,1618,61,61,1312,92,30,1312,61,92,31,61,519,549,2411,2441,1373,61,31]},"pktlen": {"min":66,"avg":793.2,"max":1484,"stddev":693.8,"var":481326.3,"ent":4.3,"data": [326,1484,1484,1475,66,66,66,1484,66,1484,66,1484,1484,1484,66,66,66,1484,1484,1484,66,66,1484,66,66,1484,66,1484,66,396,1484,1484]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0]},"directions": [0,1,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,0,0,1,0,0,1,0,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02100{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"instagram.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1436720942530885,"flow_src_last_pkt_time":1436720942601472,"flow_dst_last_pkt_time":1436720942602785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":23009,"midstream":1,"thread_ts_usec":1436720942602785,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.162","src_port":58052,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":4596.4,"max":62164,"stddev":15022.2,"var":225667616.0,"ent":2.0,"data": [61310,214,427,62164,336,336,1434,671,916,885,1556,61,61,1618,61,61,1312,92,30,1312,61,92,31,61,519,549,2411,2441,1373,61,31]},"pktlen": {"min":52,"avg":779.2,"max":1470,"stddev":693.8,"var":481326.3,"ent":4.3,"data": [312,1470,1470,1461,52,52,52,1470,52,1470,52,1470,1470,1470,52,52,52,1470,1470,1470,52,52,1470,52,52,1470,52,1470,52,382,1470,1470]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0]},"directions": [0,1,1,1,0,0,0,1,0,1,0,1,1,1,0,0,0,1,1,1,0,0,1,0,0,1,0,1,0,1,1,1],"entropies": [5.872007370,7.407559395,7.844656944,7.852430344,4.993615627,5.046594620,5.008132935,7.842045307,5.046594620,7.880799770,5.008132935,7.822133541,7.825195312,7.841379166,5.046594620,5.008132935,4.969671249,7.828572273,7.860865593,7.842309952,5.046594620,5.008132935,7.841728687,5.046594620,4.969671249,7.704082012,5.046594620,7.760354519,5.046594620,7.391226292,7.738003731,7.744394302]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Instagram","proto_id":"7.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":541,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950909974,"flow_dst_last_pkt_time":1436720950909974,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1398,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950909974,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 02452{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":541,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1436720950909974,"flow_dst_last_pkt_time":1436720950909974,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1464,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1464,"pkt_l4_len":1430,"thread_ts_usec":1436720950909974,"pkt":"QPMIw47hABsv8H60CABFAAWqgMlAAFYGaDQfDVY0wKgAZwBQ42ig4vcaLhm0z4AQADsFTwAAAQEIChPCQpUAA\/8J\/RR\/Qw44auNd5sy65M8X7sSNLvesqLPp\/hWIEgj7u\/c3G33+CGWHr5NjTBvseCa33d9vm54JLq\/16uWtfE8LiAl4wMLDP475fV1R18fJlgWHzmvfo5rv8qseyXDb2HUuXqKoKX0JEHYQ4SCsd7x2l6PL5eytk2f\/kmJp\/iODsxx2N\/N4UQwH1r7vqSLq\/y5DElOXzRARZUzbImejgsz5wOzVgeOngfBrQtGX6fL5DmkthCiZgx4mBvjCvzFR0YP1xM0OXv+CShnIqVrP5zMdqJDyzU483pE+34fsEdDMZT4JhGoy\/98gru4qi0lyXyEksrGabld776ByfJIVVp4RivH8YLNUqtpfCVBnMTiA7j\/sfl7slzSCJaM2S8tAkbhjEusFLl75fI1asIxOiRsWcrVhmx\/PbZlpNd4K8\/v2iJLC1YElBY1y9j56WJc0LPwne+0suiyX3kgj3Fb6y+5RCsQCy2EKLdhWRbyLYVKkL4lX1A\/hBl\/EQkdQU6AhwlzHoU9XC8zrf\/sv+pTGiGgMczA3HQL0c6iXziIlynBHwH6WDIGpFhs4sIl7R4Y0SaCPOZA1lnMfjRJoKCOWKLZc4VEiazWUhaMala+ExIJc2XmtrYy\/iRYyo+LY2ytYUtBbJwRglHwtVOPffxRf4sv1nIag0M0miGXxU6GsLdqvokImfUh+1xnyRB2wekFeanQUhm7KU2GNA\/Wut8I6Yh\/BrGK2ISAtFCkh5uw9+EN15dd79TckDZ5M\/1IXL8vqbu\/hTG\/JfucZfR3dz3L3c+OhdygQW8UzKVOFvvFE3uZQnd322DAH7zC3LRHAXbCjqHBmwf2whhpegjLfm6RfL+z+IzmMokA9e2qfVhZ6xYQdwpjxowXA\/a0hFuEIYBqgg2RBxOTW9B0lNexKZj7L7myCIQt5asMs3OULjIFOSJmLxUIk3Q37w4ymEfVUM4Q7YQrd2Q7D7oXQeE3jsBBmSxiRovqahgnBN4hvIeCZZMLY1uvosfkYR3vNLSiHuKZeam\/RFQJomYqTPcrO3yya\/L8n\/bJvfwlRzHWNuu76VGEBOTSmIQrzPwlvzfa91FS9xmltfjK8v2vivjQ79d9wnDovM7E8heMjng\/L76qTSur9Xu++liqI9lESwcV36\/iMv+UhBAvwlNl9yFOXzTHExcfuKxDjy2WcT\/yjID\/XwdhLUHYsgQ9jzrKZiitJYPrb03G\/4eqDHUUFspftslQp6lFXZbtMgT+PtX+iul7L97VDMHXGdwaI8TzZ6\/jXre8vnY2F+CmIZKNEjnJpMB39UHX\/p7\/3FfZpIUwHcB3IlgFw2RAH5dbcIGzC1nhuJYVIQctqJ04wUFMG9bZhr46HZ73BXAQuUhUW68mxXOEcSUvu6IiD4944qVAoG\/m5vfXCzer8TXXbtxGJy\/lJZWKxmuOzEdM\/69tZAld3d7Oi+E\/\/wSXdP1F9r8RHsvFnMaKa\/Gb3fFq120z5cfUI5ObITs4O5x1e\/k2SP4T55SQ1l\/\/E7jbfd3y\/W+K4YanQb4PNdLvnwtOUEVU10v172Jve733E93FYrd8\/r7COigUu\/j7zMkQoWBxC6yXxRL8fBFpX1\/jifjboOb9QR4q79l+S7kBZXF3dpMduttP55\/mpWYFflzvfd\/Hx+Ie9ijit30tVfYliZvDoVqX8Iibo18xmX2SURsTLcDlv6t9hYNRdUnFiX1r9e4\/4uD+iVcRBUU8hc0fHv5tu\/ghpv97F5dOxeZj2CiEjpYqtM2N6y9Ex9X2v34njvtqIprtcVwGtsEjAY8n2yd95fX6LnY6678J3vfovd9+pLl7ZMl\/\/3mgopvtAOiqdmdl8m1KgVxW1IDqxnD5Yq+7jVsvs"} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":542,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_src_last_pkt_time":1436720950909974,"flow_dst_last_pkt_time":1436720950910341,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1436720950910341,"pkt":"ABsv8H60QPMIw47hCABFAAA0TetAAEAGtojAqABnHw1WNONoAFAuGbTPoOL3GoAQH8w2dwAAAQEICgAD\/xATwkKT"} 02439{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":543,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_src_last_pkt_time":1436720950911439,"flow_dst_last_pkt_time":1436720950910341,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1464,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1464,"pkt_l4_len":1430,"thread_ts_usec":1436720950911439,"pkt":"QPMIw47hABsv8H60CABFAAWqgMpAAFYGaDMfDVY0wKgAZwBQ42ig4vyQLhm0z4AYADulrQAAAQEIChPCQpYAA\/8JIuSEmFKcHvUO79IuA4AtgLK1ooHfe\/xvCx6EanjcjDye5qfYfg99btIFMlfpEyS0+WXx48YQQIBKyWOQayb5WbhMWSz8Ru7MV\/a5RJtywzl84iv9BLl6PdqXz3kxPZm4yY8HdjILE3vdfyWVN0pVFaKK+f+Osc32N80bLx0naY6\/StT9w4Neeouf2Tn\/vkhhHb5a5vAV9Sx5efQ\/Fatqq174n5ea7v9ir3vf4yK3Pnlx3v3fywdfv\/ld3jdWI6CQY9xByO962aeABxBaD0Ff8vq65YOluUkGW\/xG5p7nyyq1NumgVeaWXPx2O3qpBCTyam4Mj9KNa9CLu77T788mzfZZLswHVfevJGWxpG6er55a4je67Jde+KzsbHfq771q7M2+z\/WWJw+2E3Gv8+Ffd+tBC77nzd2bXmu\/clj6qf9o8rFbG7XiKrvvv6XxVyXfvsflY+OxHlh7gk3Z3+CHdjx7fieVi8bxm781fQKvN8eNlagx6Pt3\/NOSAfXLBsZ085Sli5c\/HVLg4fEITYcZuYfT1VtMLoUR\/it2aocyhvwSZMTvD5t065r2N7JUsZycS8vq283r4S3bSl8\/xBhG2Ci5YyWnWnN8pxV7z+JfURJd7rip6XefL+Ju6T2Uxe8n5uUueW8j7FWxyhWWeGt2YWoIb6BgT6P7uCHnx\/HwXcNPzZiXBYPY6liIwioP5BO9O7zdXvrl6Ju71WJu93dF9e+W764JLl\/1aJkh+a8yX4S4lMe7dI+73eX7WiDQUaZve75ZfLkLUJX2tpOX0s4hxEi8nbq2h\/\/mvflq9RBfYRrfTdMUcVv5e78i9rwQyT\/Sl\/1zQY9T8g\/Uty51S6PL8o6JLB8VrQkT8ugJnmu83Eyez2e5Qy1+W7Aw4JHINbEb3Lj395YP7YvjhcMBXfvXJ44Z+Ixmnuj5fXvqryZ8aIvNfJRrTESolEZ4VaoKtE96vFFfwld9u321frxC3vvk10K23e7KuXiuSPeX78kEfFYr7eXpJxFpezOY6TshceqnnmzDJNaHyWEjeK+xtg7siFQxNUarW6raVTT\/fwlt3m1+qIhVuJsRCxFdbFXtQf9\/RdIuTCv1R7IUVly5mtgVW\/5h5d378ta7e\/5QkWm71LXLL\/Y\/yuCATBPFbu75ZM1tF4Xr2urFPeZ1jp6PYqu0ysRtkUSKOnvSvJ9F0HEq\/Rr4RDbTxd+7uU\/Q0X5NSa4riJq7\/YqaIUW4dNr2MWX30vRqr09mqvna6y\/VdiohYPHuWzpM\/5V791hHspd591pkzSvTJiOetcEmlGTx05fm5r+E5WPIYg3+Ld5OiDJCb38Xd9ysF92RKCKwntddXfaT3LP\/4K7yaDr4HbV6D7vh8Ru7u\/ShH0gWZxKK93e\/u7nhshKX\/8u99ZHz6WcFOZh7FbiudjfLamk58fUJd3H2j6sTr\/E4xQhYhPxokXSHH53b6EIn4I8kGvoiAAQAAAAAAACAYAavAAAAAgECXIEAAAAAAAAAAAAAAAACAAWcAAAAZwAAAAUAAQABAAAAAIBgBrAAAAACAQJcAQAAAAAAAAAAAAAAAAIABZwAAABnAAAFoQABAAEAAAAAgGAGsQAAAAIBAlwBAAAAAAAAAAAAAAAAAgAFnAAAAGcAAAs9AAEAAQAAAACA4AayAAAAAgECXEEAAAAAAAAAAAAAAAACAAFNAAAAZwAAENkAAQABARggBwEYIAcAABVgQZrjwgqFiDcfxdYWFjNTGhc\/+kWorCzCP06aQacK5fU3p2bDv4QjGkzRtJEnNbVPk\/10ykQi0ZJ4s6VFQ2Ko59C0bD2u1KUtTyS\/\/DlRe1HhoMlOd6CAkkRYQkwPPOx2Ho6SCe9GzaPNROS+"} -01553{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":853.5,"max":2198,"stddev":594.0,"var":352792.4,"ent":4.6,"data": [367,1465,1587,519,458,824,1465,61,30,1648,2198,2075,366,213,641,367,1312,1678,488,214,610,641,1037,1679,336,488,915,794,335,977,672]},"pktlen": {"min":66,"avg":983.4,"max":1464,"stddev":664.0,"var":440886.1,"ent":4.5,"data": [1464,66,1464,66,1464,1464,66,1464,1464,1464,66,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464,1464,66,1464]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]}} +01952{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":30,"avg":853.5,"max":2198,"stddev":594.0,"var":352792.4,"ent":4.6,"data": [367,1465,1587,519,458,824,1465,61,30,1648,2198,2075,366,213,641,367,1312,1678,488,214,610,641,1037,1679,336,488,915,794,335,977,672]},"pktlen": {"min":52,"avg":969.4,"max":1450,"stddev":664.0,"var":440886.1,"ent":4.5,"data": [1450,52,1450,52,1450,1450,52,1450,1450,1450,52,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450,1450,52,1450]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,21,0,0,0,0],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0],"entropies": [7.845948219,5.046595097,7.540397644,4.969671726,7.871668816,7.850661755,5.008133411,7.849848747,7.439690590,7.543411732,5.008133411,7.855735302,5.008133411,7.820466042,7.850073814,4.969671726,7.838098049,7.834076881,5.046594620,7.213315964,7.751162052,5.046594620,7.844347477,7.850857258,5.008132935,7.825020313,7.824017048,5.046594620,7.437387466,7.851827145,5.046594620,7.850535870]}} 00915{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"HTTP.Facebook","proto_id":"7.119","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","http": {}}} 00916{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":572,"source":"instagram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1436720950909974,"flow_src_last_pkt_time":1436720950923433,"flow_dst_last_pkt_time":1436720950922975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1398,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":29358,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720950923433,"l3_proto":"ip4","src_ip":"31.13.86.52","dst_ip":"192.168.0.103","src_port":80,"dst_port":58216,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"HTTP.Facebook","proto_id":"7.119","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"","http": {}}} 00877{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":644,"source":"instagram.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1436720908464754,"flow_src_last_pkt_time":1436720911139558,"flow_dst_last_pkt_time":1436720908464754,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":340,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720951306703,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"192.168.0.103","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -164,7 +164,7 @@ 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":669,"source":"instagram.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720952563081,"flow_src_last_pkt_time":1436720952563081,"flow_dst_last_pkt_time":1436720952563081,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952563081,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"8.8.8.8","src_port":27124,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":669,"source":"instagram.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1436720952563081,"flow_dst_last_pkt_time":1436720952563081,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1436720952563081,"pkt":"ABsv8H60QPMIw47hCABFAABH\/7VAAEARadHAqABnCAgICGn0ADUAM87BrqQBAAABAAAAAAAACHBob3Rvcy1iAmFrCWluc3RhZ3JhbQNjb20AAAEAAQ=="} 01013{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":669,"source":"instagram.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720952563081,"flow_src_last_pkt_time":1436720952563081,"flow_dst_last_pkt_time":1436720952563081,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952563081,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"8.8.8.8","src_port":27124,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Instagram","proto_id":"5.211","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"photos-b.ak.instagram.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01551{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":1290.6,"max":3846,"stddev":1167.1,"var":1362190.6,"ent":4.3,"data": [122,2106,427,3387,31,3174,2289,427,946,1892,213,2563,1831,3785,61,3846,183,1342,1312,367,183,213,275,519,519,885,854,2075,2106,2014,61]},"pktlen": {"min":66,"avg":819.3,"max":1484,"stddev":707.6,"var":500717.4,"ent":4.3,"data": [1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,1484,66,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,66,1484,1484]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0],"s_to_c": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0]}} +01950{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":31,"avg":1290.6,"max":3846,"stddev":1167.1,"var":1362190.6,"ent":4.3,"data": [122,2106,427,3387,31,3174,2289,427,946,1892,213,2563,1831,3785,61,3846,183,1342,1312,367,183,213,275,519,519,885,854,2075,2106,2014,61]},"pktlen": {"min":52,"avg":805.3,"max":1470,"stddev":707.6,"var":500717.4,"ent":4.3,"data": [1470,52,1470,1470,52,52,1470,52,1470,1470,52,52,1470,52,1470,1470,52,52,1470,52,1470,52,1470,52,1470,52,1470,52,1470,52,1470,1470]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0],"s_to_c": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0],"entropies": [7.838996410,5.123517990,7.796014309,7.834145069,5.123517990,5.085056305,7.799090385,5.085056305,7.778009892,7.746161938,5.046594620,5.085056305,7.694964409,5.085056305,7.722822666,7.781306744,5.161979675,5.109000683,7.744096756,5.161979675,7.786537647,5.161979675,7.830977440,5.161979675,7.801307678,5.123517990,7.796917439,5.123517990,7.805510998,5.123517990,7.825653553,7.826405048]}} 00901{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00902{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":694,"source":"instagram.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1436720952553865,"flow_src_last_pkt_time":1436720952574830,"flow_dst_last_pkt_time":1436720952572908,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1418,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1418,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24106,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1436720952574830,"l3_proto":"ip4","src_ip":"2.22.236.51","dst_ip":"192.168.0.103","src_port":80,"dst_port":44151,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":737,"source":"instagram.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720952611482,"flow_src_last_pkt_time":1436720952611482,"flow_dst_last_pkt_time":1436720952611482,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1436720952611482,"l3_proto":"ip4","src_ip":"46.33.70.150","dst_ip":"192.168.0.103","src_port":80,"dst_port":40855,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -177,7 +177,7 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":747,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1568796253784713,"flow_dst_last_pkt_time":1568796253782515,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1568796253784713,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGAsrAqAIRHw1WNMDLAbuZigak9a8KwoAQCAwKkgAAAQEICg1wcq86Lg6w"} 01124{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":748,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253784771,"flow_dst_last_pkt_time":1568796253782515,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":222,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":222,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796253784771,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.2","ja3":"7a29c223fb122ec64d10f0a159e07996","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} 01176{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":750,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253784771,"flow_dst_last_pkt_time":1568796253798864,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":222,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":222,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1568796253798864,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"7a29c223fb122ec64d10f0a159e07996","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} -01703{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":776,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253821857,"flow_dst_last_pkt_time":1568796253819210,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":498,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":784,"flow_dst_tot_l4_payload_len":17805,"midstream":0,"thread_ts_usec":1568796253821857,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":3252.7,"max":16760,"stddev":5626.7,"var":31659210.0,"ent":3.3,"data": [12399,14597,58,14624,1725,26,7,16760,58,2044,498,16542,723,227,12497,604,464,936,285,275,177,245,128,170,272,201,2390,75,1564,117,147]},"pktlen": {"min":66,"avg":647.5,"max":1454,"stddev":640.4,"var":410152.9,"ent":4.2,"data": [78,74,66,288,66,1454,1454,369,66,66,130,564,259,696,89,66,1454,1454,66,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66]},"bins": {"c_to_s": [11,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02102{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":776,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796253821857,"flow_dst_last_pkt_time":1568796253819210,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":498,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":784,"flow_dst_tot_l4_payload_len":17805,"midstream":0,"thread_ts_usec":1568796253821857,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":3252.7,"max":16760,"stddev":5626.7,"var":31659210.0,"ent":3.3,"data": [12399,14597,58,14624,1725,26,7,16760,58,2044,498,16542,723,227,12497,604,464,936,285,275,177,245,128,170,272,201,2390,75,1564,117,147]},"pktlen": {"min":52,"avg":633.5,"max":1440,"stddev":640.4,"var":410152.9,"ent":4.2,"data": [64,60,52,274,52,1440,1440,355,52,52,116,550,245,682,75,52,1440,1440,52,1440,1440,1440,1440,1440,1440,1440,1440,52,52,52,52,52]},"bins": {"c_to_s": [11,0,1,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0],"entropies": [4.303027153,5.094311714,4.831954956,6.418707371,4.961856842,7.850357056,7.872403145,7.366671085,4.947339535,4.947339535,5.857741833,7.586094856,7.121934414,7.678453922,5.461499214,5.000318050,7.859985828,7.855003357,4.955154419,7.881975174,7.852957726,7.858335018,7.869473934,7.875190735,7.849181652,7.858565331,7.871207237,5.000318050,4.916692734,5.038779736,4.916692734,4.947339058]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2070,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796254514906,"flow_dst_last_pkt_time":1568796254514906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796254514906,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2070,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1568796254514906,"flow_dst_last_pkt_time":1568796254514906,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1568796254514906,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGAr7AqAIRHw1WNMDNAbsBxqpOAAAAALAC\/\/8NqAAAAgQFtAEDAwYBAQgKDXB1TAAAAAAEAgAA"} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2071,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254515573,"flow_dst_last_pkt_time":1568796254515573,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796254515573,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -196,8 +196,8 @@ 01176{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2088,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796254529128,"flow_dst_last_pkt_time":1568796254539971,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":1016,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796254539971,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2092,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254531371,"flow_dst_last_pkt_time":1568796254543357,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":529,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":948,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796254543357,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2098,"source":"instagram.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796254524506,"flow_src_last_pkt_time":1568796254539348,"flow_dst_last_pkt_time":1568796254551766,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":513,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":932,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796254551766,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49359,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} -01713{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2163,"source":"instagram.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254524506,"flow_src_last_pkt_time":1568796254710630,"flow_dst_last_pkt_time":1568796254725634,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1587,"flow_dst_tot_l4_payload_len":13458,"midstream":0,"thread_ts_usec":1568796254725634,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49359,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":12492.0,"max":158859,"stddev":36696.7,"var":1346645888.0,"ent":2.3,"data": [12015,14119,556,167,14869,68,308,601,354,271,107,13997,388,138,112,165,226,1385,108,1160,122,114,5,489,10627,8948,1625,2191,142763,158859,395]},"pktlen": {"min":66,"avg":536.8,"max":1454,"stddev":570.2,"var":325102.6,"ent":4.2,"data": [78,74,66,485,579,66,66,288,699,1454,1454,1454,66,1454,1454,1454,720,1454,150,66,66,66,66,66,66,100,66,244,66,637,699,1454]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01718{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2187,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254765378,"flow_dst_last_pkt_time":1568796254925955,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":588,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2208,"flow_dst_tot_l4_payload_len":12690,"midstream":0,"thread_ts_usec":1568796254925955,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":21296.4,"max":156515,"stddev":45250.9,"var":2047640320.0,"ent":2.9,"data": [11078,12229,3431,138,15990,219,497,12957,479,11770,12042,155644,475,129,254,92,123,275,7,156515,111,123,122,255,2699,48704,55896,8249,149165,503,16]},"pktlen": {"min":66,"avg":532.2,"max":1454,"stddev":557.6,"var":310915.1,"ent":4.2,"data": [78,74,66,485,595,66,66,288,66,150,244,66,840,1454,1454,1454,1454,1057,1454,100,66,66,66,66,66,654,654,66,66,841,1454,1454]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02111{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2163,"source":"instagram.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254524506,"flow_src_last_pkt_time":1568796254710630,"flow_dst_last_pkt_time":1568796254725634,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":571,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1587,"flow_dst_tot_l4_payload_len":13458,"midstream":0,"thread_ts_usec":1568796254725634,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49359,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":12492.0,"max":158859,"stddev":36696.7,"var":1346645888.0,"ent":2.3,"data": [12015,14119,556,167,14869,68,308,601,354,271,107,13997,388,138,112,165,226,1385,108,1160,122,114,5,489,10627,8948,1625,2191,142763,158859,395]},"pktlen": {"min":52,"avg":522.8,"max":1440,"stddev":570.2,"var":325102.6,"ent":4.1,"data": [64,60,52,471,565,52,52,274,685,1440,1440,1440,52,1440,1440,1440,706,1440,136,52,52,52,52,52,52,86,52,230,52,623,685,1440]},"bins": {"c_to_s": [11,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,1,1,1,1,0,1,1,1,1,1,0,0,0,0,0,0,0,1,0,1,0,0,1,1],"entropies": [4.346072197,5.035815716,4.870416641,6.991298199,7.577324390,5.038779736,5.038779736,6.829315662,7.680058956,7.881175995,7.859010696,7.855990410,4.831954956,7.860237122,7.871424198,7.861568928,7.676653862,7.867210865,6.338829517,5.000318527,4.878231525,4.923395157,4.825253010,4.961856365,4.839769840,5.854624271,4.961856842,7.028743744,4.961856842,7.587353230,7.689682484,7.874731064]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02116{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2187,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796254765378,"flow_dst_last_pkt_time":1568796254925955,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":588,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2208,"flow_dst_tot_l4_payload_len":12690,"midstream":0,"thread_ts_usec":1568796254925955,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":21296.4,"max":156515,"stddev":45250.9,"var":2047640320.0,"ent":2.9,"data": [11078,12229,3431,138,15990,219,497,12957,479,11770,12042,155644,475,129,254,92,123,275,7,156515,111,123,122,255,2699,48704,55896,8249,149165,503,16]},"pktlen": {"min":52,"avg":518.2,"max":1440,"stddev":557.6,"var":310915.1,"ent":4.2,"data": [64,60,52,471,581,52,52,274,52,136,230,52,826,1440,1440,1440,1440,1043,1440,86,52,52,52,52,52,640,640,52,52,827,1440,1440]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1],"entropies": [4.346072197,5.127645016,4.961856365,6.968073845,7.557704926,5.014835358,5.000318050,6.747485161,4.894361019,6.339305878,6.972853184,4.923395157,7.735570908,7.861948490,7.862287998,7.850868702,7.873754501,7.803619862,7.845140934,5.812837601,5.000318050,5.038779736,5.000318050,5.000318050,5.000318050,7.587841034,7.587659836,5.038779736,4.985801220,7.746087074,7.844884872,7.864926338]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00763{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2210,"source":"instagram.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1436720901262544,"flow_src_last_pkt_time":1436720901262544,"flow_dst_last_pkt_time":1436720901262544,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":258,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":258,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1568796255020912,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.153","src_port":37350,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00769{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2210,"source":"instagram.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":6,"flow_first_seen":1436720908576723,"flow_src_last_pkt_time":1436720908733491,"flow_dst_last_pkt_time":1436720908662568,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":226,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":4267,"midstream":0,"thread_ts_usec":1568796255020912,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41181,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00769{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2210,"source":"instagram.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":6,"flow_first_seen":1436720908577363,"flow_src_last_pkt_time":1436720908737520,"flow_dst_last_pkt_time":1436720908665956,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":226,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":4267,"midstream":0,"thread_ts_usec":1568796255020912,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"82.85.26.154","src_port":41182,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -247,9 +247,9 @@ 01125{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2224,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265162908,"flow_dst_last_pkt_time":1568796265159201,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":404,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":404,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1568796265162908,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.2","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2230,"source":"instagram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796265146962,"flow_src_last_pkt_time":1568796265162734,"flow_dst_last_pkt_time":1568796265175583,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":930,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796265175583,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49360,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2231,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265163365,"flow_dst_last_pkt_time":1568796265176036,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":222,"flow_src_tot_l4_payload_len":930,"flow_dst_tot_l4_payload_len":222,"midstream":0,"thread_ts_usec":1568796265176036,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"scontent-mxp1-1.cdninstagram.com","tls": {"version":"TLSv1.3 (Fizz)","ja3":"44dab16d680ef93487bc16ad23b3ffb1","ja3s":"fcb2d4d0991292272fcb1e464eedfd43","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.3 (Fizz)"}}} -01708{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2260,"source":"instagram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1568796265146962,"flow_src_last_pkt_time":1568796265180861,"flow_dst_last_pkt_time":1568796265192260,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":20310,"midstream":0,"thread_ts_usec":1568796265192260,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49360,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":2554.7,"max":16353,"stddev":4723.5,"var":22311642.0,"ent":3.2,"data": [11840,12942,2760,70,16353,27,401,1108,14120,264,633,553,236,305,380,53,1148,300,94,1743,117,248,13,105,10046,132,1375,75,1411,144,201]},"pktlen": {"min":66,"avg":733.0,"max":1454,"stddev":652.7,"var":426025.8,"ent":4.3,"data": [78,74,66,470,592,66,66,288,699,66,89,150,1454,1454,1454,1454,1454,66,1454,1454,66,66,66,66,66,1454,1454,1454,1454,1454,1454,1454]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,1,0,1,0,1,1,1,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2675,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796265194500,"flow_dst_last_pkt_time":1568796265280665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2170,"flow_dst_tot_l4_payload_len":10887,"midstream":0,"thread_ts_usec":1568796265280665,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":691785.6,"max":10469815,"stddev":2560795.0,"var":6557671096320.0,"ent":1.2,"data": [11096,12433,1241,548,13252,614,103,14204,568,14367,12466,169576,258,200,98,307,55,169,229,6,169709,106,1819,218,113,542,10413415,52212,10469815,9752,75862]},"pktlen": {"min":66,"avg":474.7,"max":1454,"stddev":528.6,"var":279392.3,"ent":4.2,"data": [78,74,66,485,663,66,66,288,66,150,244,66,839,1454,1454,1454,1454,1454,642,1454,100,66,66,66,66,66,66,601,601,66,66,842]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2811,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265327859,"flow_dst_last_pkt_time":1568796265324773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":15077,"midstream":0,"thread_ts_usec":1568796265327859,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":11563.7,"max":131670,"stddev":31792.0,"var":1010731712.0,"ent":2.4,"data": [12123,13295,2535,457,15987,6,842,13996,1396,14470,16133,131670,10,876,193,264,9,116,291,177,158,249,254,129919,113,139,2594,71,83,9,41]},"pktlen": {"min":66,"avg":569.5,"max":1454,"stddev":619.5,"var":383805.7,"ent":4.1,"data": [78,74,66,470,592,66,66,288,66,150,244,66,840,89,1454,1454,1454,1454,1454,1454,1454,1454,1454,1454,66,66,66,66,66,66,66,66]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02107{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2260,"source":"instagram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1568796265146962,"flow_src_last_pkt_time":1568796265180861,"flow_dst_last_pkt_time":1568796265192260,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":20310,"midstream":0,"thread_ts_usec":1568796265192260,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49360,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":2554.7,"max":16353,"stddev":4723.5,"var":22311642.0,"ent":3.2,"data": [11840,12942,2760,70,16353,27,401,1108,14120,264,633,553,236,305,380,53,1148,300,94,1743,117,248,13,105,10046,132,1375,75,1411,144,201]},"pktlen": {"min":52,"avg":719.0,"max":1440,"stddev":652.7,"var":426025.8,"ent":4.3,"data": [64,60,52,456,578,52,52,274,685,52,75,136,1440,1440,1440,1440,1440,52,1440,1440,52,52,52,52,52,1440,1440,1440,1440,1440,1440,1440]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,1,0,1,0,1,1,1,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1],"entropies": [4.314822197,5.127645493,4.839769840,6.925364971,7.610651493,4.993616104,4.955154419,6.841492653,7.701351166,4.870416641,5.685419083,6.370187283,7.864970684,7.852431297,7.854520321,7.870986938,7.857660770,4.961856842,7.885574341,7.873176098,4.961856842,4.839769840,4.961856365,5.000318527,4.878231049,7.857898235,7.858515739,7.865076542,7.865763187,7.848808289,7.881348610,7.866808891]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02129{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2675,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796265194500,"flow_dst_last_pkt_time":1568796265280665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2170,"flow_dst_tot_l4_payload_len":10887,"midstream":0,"thread_ts_usec":1568796265280665,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":691785.6,"max":10469815,"stddev":2560795.0,"var":6557671096320.0,"ent":1.2,"data": [11096,12433,1241,548,13252,614,103,14204,568,14367,12466,169576,258,200,98,307,55,169,229,6,169709,106,1819,218,113,542,10413415,52212,10469815,9752,75862]},"pktlen": {"min":52,"avg":460.7,"max":1440,"stddev":528.6,"var":279392.3,"ent":4.1,"data": [64,60,52,471,649,52,52,274,52,136,230,52,825,1440,1440,1440,1440,1440,628,1440,86,52,52,52,52,52,52,587,587,52,52,828]},"bins": {"c_to_s": [10,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1],"entropies": [4.215376377,5.115063667,4.860988617,7.062851906,7.630533695,5.014835358,4.976373672,6.836615562,4.884933949,6.378606796,7.007258415,4.822527409,7.742178440,7.852344990,7.873802185,7.849394321,7.865141869,7.857724190,7.720446110,7.850056171,5.757548332,4.976373672,4.976373672,4.937912464,4.937911987,4.899450779,4.976373672,7.590856075,7.594714642,5.053297043,5.053297043,7.784784317]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02106{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2811,"source":"instagram.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1568796265147078,"flow_src_last_pkt_time":1568796265327859,"flow_dst_last_pkt_time":1568796265324773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":526,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1014,"flow_dst_tot_l4_payload_len":15077,"midstream":0,"thread_ts_usec":1568796265327859,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49361,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":11563.7,"max":131670,"stddev":31792.0,"var":1010731712.0,"ent":2.4,"data": [12123,13295,2535,457,15987,6,842,13996,1396,14470,16133,131670,10,876,193,264,9,116,291,177,158,249,254,129919,113,139,2594,71,83,9,41]},"pktlen": {"min":52,"avg":555.5,"max":1440,"stddev":619.5,"var":383805.7,"ent":4.1,"data": [64,60,52,456,578,52,52,274,52,136,230,52,826,75,1440,1440,1440,1440,1440,1440,1440,1440,1440,1440,52,52,52,52,52,52,52,52]},"bins": {"c_to_s": [12,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0]},"directions": [0,1,0,0,0,1,1,1,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0],"entropies": [4.346072197,5.127645016,4.923394680,7.025774479,7.548739910,4.961856365,4.961856842,6.762446880,4.908877850,6.376214027,6.979849815,4.884933472,7.738527298,5.578752518,7.854865074,7.854829311,7.858168602,7.848493099,7.843452930,7.870431900,7.877417564,7.866308212,7.865350246,7.841341019,4.961856365,4.961856365,4.908877850,4.923394680,4.801308155,4.860988617,4.738902092,4.923395157]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00929{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3443,"source":"instagram.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":456,"flow_dst_packets_processed":910,"flow_first_seen":1568796253770116,"flow_src_last_pkt_time":1568796268061460,"flow_dst_last_pkt_time":1568796268058587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":591,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2978,"flow_dst_tot_l4_payload_len":1217228,"midstream":0,"thread_ts_usec":1568796268061460,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49355,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3443,"source":"instagram.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":63,"flow_dst_packets_processed":81,"flow_first_seen":1568796254514906,"flow_src_last_pkt_time":1568796268054084,"flow_dst_last_pkt_time":1568796268052355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":597,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2170,"flow_dst_tot_l4_payload_len":95612,"midstream":0,"thread_ts_usec":1568796268061460,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49357,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00928{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3443,"source":"instagram.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":165,"flow_dst_packets_processed":223,"flow_first_seen":1568796254515573,"flow_src_last_pkt_time":1568796268054096,"flow_dst_last_pkt_time":1568796268052381,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":588,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":3291,"flow_dst_tot_l4_payload_len":280319,"midstream":0,"thread_ts_usec":1568796268061460,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"31.13.86.52","src_port":49358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Instagram","proto_id":"91.211","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} @@ -265,9 +265,9 @@ ~~ total active/idle flows...: 38/38 ~~ total timeout flows.......: 5 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6382306 bytes -~~ total memory freed........: 6382306 bytes -~~ total allocations/frees...: 125436/125436 +~~ total memory allocated....: 6387474 bytes +~~ total memory freed........: 6387474 bytes +~~ total allocations/frees...: 125474/125474 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 2476 chars diff --git a/test/results/ip_fragmented_garbage.pcap.out b/test/results/ip_fragmented_garbage.pcap.out index 8f346c3dd..d284d06cc 100644 --- a/test/results/ip_fragmented_garbage.pcap.out +++ b/test/results/ip_fragmented_garbage.pcap.out @@ -18221,9 +18221,9 @@ ~~ total active/idle flows...: 29/29 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6081142 bytes -~~ total memory freed........: 6081142 bytes -~~ total allocations/frees...: 121767/121767 +~~ total memory allocated....: 6085086 bytes +~~ total memory freed........: 6085086 bytes +~~ total allocations/frees...: 121796/121796 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 225 chars ~~ json string max len.......: 815 chars diff --git a/test/results/iphone.pcap.out b/test/results/iphone.pcap.out index 981806851..d756b94d1 100644 --- a/test/results/iphone.pcap.out +++ b/test/results/iphone.pcap.out @@ -243,16 +243,16 @@ 01008{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":338,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454599929249,"flow_src_last_pkt_time":1582454599929249,"flow_dst_last_pkt_time":1582454599929249,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454599929249,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":65079,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AppleiTunes","proto_id":"5.145","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00764{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":340,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":2,"flow_src_last_pkt_time":1582454599929249,"flow_dst_last_pkt_time":1582454599930239,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":241,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":241,"pkt_l4_len":207,"thread_ts_usec":1582454599930239,"pkt":"xGGLNYKpxiwDYGpkCABFAADjtQsAAEARP5zAqAIBwKgCEQA1\/jcAz3eX0zSBgAABAAUAAAAABHBsYXkGaXR1bmVzBWFwcGxlA2NvbQAAAQABwAwABQABAAAMOwAmCHBsYXktY2RuDGl0dW5lcy1hcHBsZQNjb20GYWthZG5zA25ldADAMwAFAAEAAAOmACIEcGxheQZpdHVuZXMFYXBwbGUDY29tCWVkZ2VzdWl0ZcBUwGUABQABAAAAXgAUBWExODA2BGRzY2IGYWthbWFpwFTAkwABAAEAAAAOAARce00awJMAAQABAAAADgAEXHtNQA=="} 01025{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":340,"source":"iphone.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1582454599929249,"flow_src_last_pkt_time":1582454599929249,"flow_dst_last_pkt_time":1582454599930239,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":199,"midstream":0,"thread_ts_usec":1582454599930239,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":65079,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.AppleiTunes","proto_id":"5.145","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","dns": {"num_queries":1,"num_answers":5,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"92.123.77.26"}}} -01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":341,"source":"iphone.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454598587648,"flow_src_last_pkt_time":1582454599931707,"flow_dst_last_pkt_time":1582454599930073,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1024,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2695,"flow_dst_tot_l4_payload_len":5563,"midstream":0,"thread_ts_usec":1582454599931707,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50580,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":86660.8,"max":686219,"stddev":170333.3,"var":29013448704.0,"ent":3.1,"data": [33952,135750,186,135485,2092,235,8690,6,162529,885,167358,319355,36,34737,102,651125,555,14,127,59,44,145,155,686219,30,1215,16,33741,32499,122595,156547]},"pktlen": {"min":66,"avg":324.7,"max":1506,"stddev":443.9,"var":197074.7,"ent":4.0,"data": [78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1090,438,104,200,438,66,104,66,66,66,66,637,66]},"bins": {"c_to_s": [8,4,1,0,1,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02115{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":341,"source":"iphone.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454598587648,"flow_src_last_pkt_time":1582454599931707,"flow_dst_last_pkt_time":1582454599930073,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1024,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2695,"flow_dst_tot_l4_payload_len":5563,"midstream":0,"thread_ts_usec":1582454599931707,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50580,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":86660.8,"max":686219,"stddev":170333.3,"var":29013448704.0,"ent":3.1,"data": [33952,135750,186,135485,2092,235,8690,6,162529,885,167358,319355,36,34737,102,651125,555,14,127,59,44,145,155,686219,30,1215,16,33741,32499,122595,156547]},"pktlen": {"min":52,"avg":310.7,"max":1492,"stddev":443.9,"var":197074.7,"ent":3.9,"data": [64,60,52,569,52,1492,1492,1492,566,52,52,145,103,121,52,52,105,102,94,1076,424,90,186,424,52,90,52,52,52,52,623,52]},"bins": {"c_to_s": [8,4,1,0,1,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,0],"entropies": [4.367087364,4.985490322,5.017560959,4.490139484,4.940637589,6.738035202,7.532607555,7.533798218,7.267988205,4.916693211,4.940638065,6.015305996,5.526464462,6.046408176,5.017560959,4.940637589,5.714282036,5.647850037,5.530496597,7.812578678,7.423500061,5.337946892,6.641199589,7.413410664,4.947340012,5.416154385,5.024262905,5.024262905,4.940637589,5.062724590,7.662645340,4.979099274]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":343,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454599934729,"flow_dst_last_pkt_time":1582454599934729,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454599934729,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":343,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1582454599934729,"flow_dst_last_pkt_time":1582454599934729,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1582454599934729,"pkt":"xiwDYGpkxGGLNYKpCABFAABAAABAAEAGzmnAqAIRXHtNGsWbAbupO4D5AAAAALDC\/\/\/ZMQAAAgQFtAEDAwcBAQgKEd\/tTwAAAAAEAgAA"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":346,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":2,"flow_src_last_pkt_time":1582454599934729,"flow_dst_last_pkt_time":1582454599967985,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1582454599967985,"pkt":"xGGLNYKpxiwDYGpkCABFAAA8AAAAADUGGW5ce00awKgCEQG7xZtUZWomqTuA+qBScSDQrwAAAgQFrAQCCAozMbcgEd\/tTwEDAwc="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":351,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":3,"flow_src_last_pkt_time":1582454600080813,"flow_dst_last_pkt_time":1582454599967985,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1582454600080813,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGznXAqAIRXHtNGsWbAbupO4D6VGVqJ4AQBAtsOAAAAQEIChHf7eAzMbcg"} 01120{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":352,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600080888,"flow_dst_last_pkt_time":1582454599967985,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454600080888,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01165{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":364,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600080888,"flow_dst_last_pkt_time":1582454600116695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1582454600116695,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"play.itunes.apple.com","tls": {"version":"TLSv1.3","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01715{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":397,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599225110,"flow_src_last_pkt_time":1582454600252426,"flow_dst_last_pkt_time":1582454600287478,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1018,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2233,"flow_dst_tot_l4_payload_len":5676,"midstream":0,"thread_ts_usec":1582454600287478,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":67409.2,"max":654765,"stddev":146324.1,"var":21410738176.0,"ent":2.9,"data": [34116,36074,120,34743,1609,104,2287,55,140235,397,7279,143339,13,33865,58,1492,19,11,252,423,44,150,34850,6,1213,30,128241,155238,167955,510701,654765]},"pktlen": {"min":54,"avg":313.4,"max":1506,"stddev":449.8,"var":202280.4,"ent":3.9,"data": [78,74,66,583,66,1506,1506,1506,580,66,66,159,117,135,66,66,119,116,108,1084,104,450,104,66,104,66,66,66,750,66,54,66]},"bins": {"c_to_s": [9,5,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":401,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600290030,"flow_dst_last_pkt_time":1582454600371223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3458,"flow_dst_tot_l4_payload_len":5165,"midstream":0,"thread_ts_usec":1582454600371223,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":25541.8,"max":147307,"stddev":44603.2,"var":1989448704.0,"ent":3.2,"data": [33256,146084,75,147307,1403,159,73,18,38616,19,50,10855,46914,12516,120151,44,4,168,1146,109,1513,467,107361,13,1221,31041,492,3663,24,4467,82566]},"pktlen": {"min":66,"avg":336.1,"max":1506,"stddev":461.1,"var":212650.1,"ent":4.0,"data": [78,74,66,583,66,1506,1506,1282,456,66,66,66,146,353,353,112,109,101,1506,566,832,66,66,66,136,66,66,97,66,101,66,66]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [6,1,1,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} -01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":412,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":109285.4,"max":803512,"stddev":185220.7,"var":34306707456.0,"ent":3.4,"data": [145952,170980,359,171301,2704,133,11131,1277,11157,179655,19,50,112,15556,168247,146405,161443,749,308681,51490,198168,655712,185,186,293,803512,1267,180253,328,297,245]},"pktlen": {"min":66,"avg":735.0,"max":1506,"stddev":667.3,"var":445284.8,"ent":4.3,"data": [78,74,66,583,66,1506,1506,1506,1506,1488,66,66,66,66,159,117,66,1183,358,66,1010,66,1178,1506,1506,1506,66,66,1506,1506,1506,1506]},"bins": {"c_to_s": [8,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,0]}} +02110{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":397,"source":"iphone.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599225110,"flow_src_last_pkt_time":1582454600252426,"flow_dst_last_pkt_time":1582454600287478,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1018,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2233,"flow_dst_tot_l4_payload_len":5676,"midstream":0,"thread_ts_usec":1582454600287478,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.176.75","src_port":50584,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":67409.2,"max":654765,"stddev":146324.1,"var":21410738176.0,"ent":2.9,"data": [34116,36074,120,34743,1609,104,2287,55,140235,397,7279,143339,13,33865,58,1492,19,11,252,423,44,150,34850,6,1213,30,128241,155238,167955,510701,654765]},"pktlen": {"min":40,"avg":299.4,"max":1492,"stddev":449.8,"var":202280.4,"ent":3.8,"data": [64,60,52,569,52,1492,1492,1492,566,52,52,145,103,121,52,52,105,102,94,1070,90,436,90,52,90,52,52,52,736,52,40,52]},"bins": {"c_to_s": [9,5,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1],"entropies": [4.410132408,5.160978794,5.101186275,4.520410061,5.142373085,6.747455597,7.544580936,7.534257412,7.316954136,4.932822704,5.009746075,6.044896126,5.671187878,6.038887501,4.985801220,5.024262905,5.722696304,5.781558990,5.543742657,7.804463387,5.504428864,7.447539806,5.482206821,4.932822704,5.457657814,4.988526344,4.974009514,4.894361019,7.697007179,5.009746075,4.521928787,5.089394093]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02102{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":401,"source":"iphone.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1582454599934729,"flow_src_last_pkt_time":1582454600290030,"flow_dst_last_pkt_time":1582454600371223,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3458,"flow_dst_tot_l4_payload_len":5165,"midstream":0,"thread_ts_usec":1582454600371223,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"92.123.77.26","src_port":50587,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":25541.8,"max":147307,"stddev":44603.2,"var":1989448704.0,"ent":3.2,"data": [33256,146084,75,147307,1403,159,73,18,38616,19,50,10855,46914,12516,120151,44,4,168,1146,109,1513,467,107361,13,1221,31041,492,3663,24,4467,82566]},"pktlen": {"min":52,"avg":322.1,"max":1492,"stddev":461.1,"var":212650.1,"ent":3.9,"data": [64,60,52,569,52,1492,1492,1268,442,52,52,52,132,339,339,98,95,87,1492,552,818,52,52,52,122,52,52,83,52,87,52,52]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [6,1,1,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,1,1,1,0,0,1,1,0,1],"entropies": [4.515677452,5.260978699,5.115703106,4.536097050,5.154164791,7.838258266,7.887313843,7.830554962,7.500537872,5.115703106,5.154164791,5.077241421,6.238309383,7.385308743,7.348131180,6.055991173,6.001430511,5.896850586,7.866535664,7.607725620,7.722208500,5.154164791,5.154164791,5.062724590,6.184679508,5.056022644,5.115703106,5.763531208,5.094483852,5.873862743,5.115703106,5.056022167]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} +01993{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":412,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":109285.4,"max":803512,"stddev":185220.7,"var":34306707456.0,"ent":3.4,"data": [145952,170980,359,171301,2704,133,11131,1277,11157,179655,19,50,112,15556,168247,146405,161443,749,308681,51490,198168,655712,185,186,293,803512,1267,180253,328,297,245]},"pktlen": {"min":52,"avg":721.0,"max":1492,"stddev":667.3,"var":445284.8,"ent":4.3,"data": [64,60,52,569,52,1492,1492,1492,1492,1474,52,52,52,52,145,103,52,1169,344,52,996,52,1164,1492,1492,1492,52,52,1492,1492,1492,1492]},"bins": {"c_to_s": [8,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,1,1,0,0,0,0],"entropies": [4.378882408,5.048397064,4.855899334,4.669833183,5.026988029,6.153114796,4.607729912,7.088045597,7.461877346,7.528841019,4.947339535,4.870416164,4.908878326,4.825253010,6.027275085,5.625993729,4.985801220,7.818661690,7.150210857,5.103910923,7.800937653,4.908877850,7.820833683,7.850773335,7.853681087,7.878564835,4.985801220,4.959492207,7.858905315,7.865253448,7.862413406,7.846001625]}} 03838{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":412,"source":"iphone.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1582454598721885,"flow_src_last_pkt_time":1582454600432880,"flow_dst_last_pkt_time":1582454600398737,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":13211,"flow_dst_tot_l4_payload_len":8177,"midstream":0,"thread_ts_usec":1582454600432880,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.185.87","src_port":50581,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"p26-keyvalueservice.icloud.com","tls": {"version":"TLSv1.2","server_names":"p62-keyvalueservice.icloud.com,p41-keyvalueservice.icloud.com,p97-keyvalueservice.icloud.com,p28-keyvalueservice.icloud.com,p32-keyvalueservice.icloud.com,p56-keyvalueservice.icloud.com,p33-keyvalueservice.icloud.com,p37-keyvalueservice.icloud.com,p67-keyvalueservice.icloud.com,p70-keyvalueservice.icloud.com,p63-keyvalueservice.icloud.com,p07-keyvalueservice.icloud.com,p52-keyvalueservice.icloud.com,p18-keyvalueservice.icloud.com,p21-keyvalueservice.icloud.com,p17-keyvalueservice.icloud.com,p36-keyvalueservice.icloud.com,p19-keyvalueservice.icloud.com,p26-keyvalueservice.icloud.com,p55-keyvalueservice.icloud.com,p06-keyvalueservice.icloud.com,p23-keyvalueservice.icloud.com,p65-keyvalueservice.icloud.com,p58-keyvalueservice.icloud.com,p35-keyvalueservice.icloud.com,p42-keyvalueservice.icloud.com,p12-keyvalueservice.icloud.com,p15-keyvalueservice.icloud.com,p16-keyvalueservice.icloud.com,p29-keyvalueservice.icloud.com,p39-keyvalueservice.icloud.com,p71-keyvalueservice.icloud.com,p22-keyvalueservice.icloud.com,p40-keyvalueservice.icloud.com,p11-keyvalueservice.icloud.com,p66-keyvalueservice.icloud.com,p68-keyvalueservice.icloud.com,p201-keyvalueservice.icloud.com,p10-keyvalueservice.icloud.com,p61-keyvalueservice.icloud.com,p30-keyvalueservice.icloud.com,p01-keyvalueservice.icloud.com,p14-keyvalueservice.icloud.com,p50-keyvalueservice.icloud.com,p31-keyvalueservice.icloud.com,p47-keyvalueservice.icloud.com,p48-keyvalueservice.icloud.com,p20-keyvalueservice.icloud.com,p51-keyvalueservice.icloud.com,p27-keyvalueservice.icloud.com,p49-keyvalueservice.icloud.com,p03-keyvalueservice.icloud.com,p24-keyvalueservice.icloud.com,p25-keyvalueservice.icloud.com,p08-keyvalueservice.icloud.com,p13-keyvalueservice.icloud.com,p04-keyvalueservice.icloud.com,p05-keyvalueservice.icloud.com,p02-keyvalueservice.icloud.com,p09-keyvalueservice.icloud.com,p57-keyvalueservice.icloud.com,p59-keyvalueservice.icloud.com,p64-keyvalueservice.icloud.com,p38-keyvalueservice.icloud.com,p54-keyvalueservice.icloud.com,p72-keyvalueservice.icloud.com,keyvalueservice.icloud.com,p69-keyvalueservice.icloud.com,p43-keyvalueservice.icloud.com,p45-keyvalueservice.icloud.com,p202-keyvalueservice.icloud.com,p98-keyvalueservice.icloud.com,p34-keyvalueservice.icloud.com,p44-keyvalueservice.icloud.com,p46-keyvalueservice.icloud.com,p53-keyvalueservice.icloud.com,p60-keyvalueservice.icloud.com","ja3":"6fa3244afc6bb6f9fad207b6b52af26b","ja3s":"1e60202b4001a190621caa963fb76697","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384","issuerDN":"CN=Apple IST CA 2 - G1, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=keyvalueservice.icloud.com, O=Apple Inc., ST=California, C=US","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"D8:84:3B:15:06:49:1C:72:C4:05:C0:F0:82:3B:43:4A:D1:8F:D5:9F"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":419,"source":"iphone.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1582454600454021,"flow_src_last_pkt_time":1582454600454021,"flow_dst_last_pkt_time":1582454600454021,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1582454600454021,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"192.168.2.1","src_port":63677,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":419,"source":"iphone.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1582454600454021,"flow_dst_last_pkt_time":1582454600454021,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"thread_ts_usec":1582454600454021,"pkt":"xiwDYGpkxGGLNYKpCABFAABDtJ8AAP8RgafAqAIRwKgCAfi9ADUAL+BtI4YBAAABAAAAAAAABHN5bmMGaXR1bmVzBWFwcGxlA2NvbQAAAQAB"} @@ -326,9 +326,9 @@ ~~ total active/idle flows...: 51/51 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6533485 bytes -~~ total memory freed........: 6533485 bytes -~~ total allocations/frees...: 122745/122745 +~~ total memory allocated....: 6540421 bytes +~~ total memory freed........: 6540421 bytes +~~ total allocations/frees...: 122796/122796 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 3843 chars diff --git a/test/results/ipp.pcap.out b/test/results/ipp.pcap.out index 5139eeea7..df8218ad9 100644 --- a/test/results/ipp.pcap.out +++ b/test/results/ipp.pcap.out @@ -10,7 +10,7 @@ 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1210953938235230,"flow_dst_last_pkt_time":1210953938235939,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1210953938235939,"pkt":"ABtjmL82ABJ5gGlgCABFAAA8U6wAAEAG\/dAKCgr7CgoKMQJ32C61d5gB3HcoNaASFtAB+AAAAgQFtAEDAwABAQgKAFjtJABr7jw="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":21,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1210953938235965,"flow_dst_last_pkt_time":1210953938235939,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1210953938235965,"pkt":"ABJ5gGlgABtjmL82CABFAAA0xglAAEAGS3sKCgoxCgoK+9guAnfcdyg1tXeYAoAQAC5EXQAAAQEICgBr7j0AWO0k"} 01264{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":22,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1210953938235230,"flow_src_last_pkt_time":1210953938236026,"flow_dst_last_pkt_time":1210953938235939,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":144,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":144,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1210953938236026,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55342,"dst_port":631,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.IPP","proto_id":"7.6","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"10.10.10.251","http": {"url":"10.10.10.251\/ipp\/","code":0,"content_type":"","user_agent":"CUPS\/1.3.4","request_content_type":"application\/ipp"}}} -01922{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1210953938235230,"flow_src_last_pkt_time":1210953938290667,"flow_dst_last_pkt_time":1210953938297849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2896,"flow_dst_max_l4_payload_len":25,"flow_src_tot_l4_payload_len":26572,"flow_dst_tot_l4_payload_len":25,"midstream":0,"thread_ts_usec":1210953938297849,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55342,"dst_port":631,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":3808.3,"max":9119,"stddev":3527.0,"var":12440042.0,"ent":4.2,"data": [709,735,61,34,3567,1615,5071,72,15,5799,5726,12,3653,3625,5,7253,7252,7,8848,8850,9,9119,9104,8,7245,7239,6,7601,7598,8,7210]},"pktlen": {"min":66,"avg":897.7,"max":2962,"stddev":882.8,"var":779357.9,"ent":4.2,"data": [74,74,66,210,214,66,91,66,2962,1514,66,2962,1586,66,1442,1610,66,1418,1634,66,1394,1658,66,1370,1682,66,1346,1706,66,1322,1730,66]},"bins": {"c_to_s": [3,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,1,1,1,0,1,0,9],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,1,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.IPP","proto_id":"7.6","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +02321{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ipp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1210953938235230,"flow_src_last_pkt_time":1210953938290667,"flow_dst_last_pkt_time":1210953938297849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2896,"flow_dst_max_l4_payload_len":25,"flow_src_tot_l4_payload_len":26572,"flow_dst_tot_l4_payload_len":25,"midstream":0,"thread_ts_usec":1210953938297849,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55342,"dst_port":631,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":3808.3,"max":9119,"stddev":3527.0,"var":12440042.0,"ent":4.2,"data": [709,735,61,34,3567,1615,5071,72,15,5799,5726,12,3653,3625,5,7253,7252,7,8848,8850,9,9119,9104,8,7245,7239,6,7601,7598,8,7210]},"pktlen": {"min":52,"avg":883.7,"max":2948,"stddev":882.8,"var":779357.9,"ent":4.2,"data": [60,60,52,196,200,52,77,52,2948,1500,52,2948,1572,52,1428,1596,52,1404,1620,52,1380,1644,52,1356,1668,52,1332,1692,52,1308,1716,52]},"bins": {"c_to_s": [3,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,1,1,1,0,1,0,9],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,1,1,0,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1],"entropies": [4.357651234,4.697803974,4.615702629,5.523350239,5.368941784,4.692625999,5.211149216,4.615702629,4.113531590,3.955130577,4.654164314,3.740996838,3.516076803,4.731087208,3.522020817,3.493224859,4.647461891,4.069941521,4.504707813,4.692625523,4.258998871,4.157813072,4.731087208,4.248043537,4.662984848,4.692625999,4.682926178,4.280339241,4.692625523,4.155966759,4.117242336,4.601185799]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.IPP","proto_id":"7.6","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":252,"source":"ipp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1210953939430652,"flow_src_last_pkt_time":1210953939430652,"flow_dst_last_pkt_time":1210953939430652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1210953939430652,"l3_proto":"ip4","src_ip":"10.10.10.49","dst_ip":"10.10.10.251","src_port":55343,"dst_port":631,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":252,"source":"ipp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1210953939430652,"flow_dst_last_pkt_time":1210953939430652,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1210953939430652,"pkt":"ABJ5gGlgABtjmL82CABFAAA8ASxAAEAGEFEKCgoxCgoK+9gvAnfdKfPLAAAAAKACFtBpAQAAAgQFtAQCCAoAa\/LnAAAAAAEDAwc="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":254,"source":"ipp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1210953939430652,"flow_dst_last_pkt_time":1210953939431407,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1210953939431407,"pkt":"ABtjmL82ABJ5gGlgCABFAAA8VFQAAEAG\/SgKCgr7CgoKMQJ32C+1fm4B3SnzzKASFtBa+AAAAgQFtAEDAwABAQgKAFjtJwBr8uc="} @@ -28,10 +28,10 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6047129 bytes -~~ total memory freed........: 6047129 bytes -~~ total allocations/frees...: 121796/121796 +~~ total memory allocated....: 6047537 bytes +~~ total memory freed........: 6047537 bytes +~~ total allocations/frees...: 121799/121799 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1927 chars -~~ json string avg len.......: 1206 chars +~~ json string max len.......: 2326 chars +~~ json string avg len.......: 1406 chars diff --git a/test/results/ipsec_isakmp_esp.pcap.out b/test/results/ipsec_isakmp_esp.pcap.out index 1441c55d2..69ca488f0 100644 --- a/test/results/ipsec_isakmp_esp.pcap.out +++ b/test/results/ipsec_isakmp_esp.pcap.out @@ -15,7 +15,7 @@ 00566{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":24,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","packets-captured":24,"packets-processed":23,"total-skipped-flows":0,"total-l4-payload-len":11884,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":2,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":946745300340000} 00914{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":42,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":14,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745301909000,"flow_dst_last_pkt_time":946745301906000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":11540,"flow_dst_tot_l4_payload_len":3360,"midstream":0,"thread_ts_usec":946745301909000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00909{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":42,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":946744638499000,"flow_src_last_pkt_time":946745300381000,"flow_dst_last_pkt_time":946745300411000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":4728,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":946745301909000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} -01771{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745723299000,"flow_dst_last_pkt_time":946745723443000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":12356,"flow_dst_tot_l4_payload_len":3648,"midstream":0,"thread_ts_usec":946745723443000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":87056800.0,"max":662067000,"stddev":203163760.0,"var":41275511887888384.0,"ent":2.0,"data": [122000,677000,771000,222000,34000,2372000,1000,23000,2387000,22000,24000,661960000,662067000,681000,743000,195000,34000,407000,421000,4000,138000,188000,12771000,421390000,408766000]},"pktlen": {"min":122,"avg":542.1,"max":1374,"stddev":468.7,"var":219671.5,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,942,1374,174,174,174,942,174,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250]},"bins": {"c_to_s": [0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0],"s_to_c": [0,0,3,0,7,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} +02170{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":48,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745723299000,"flow_dst_last_pkt_time":946745723443000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":12356,"flow_dst_tot_l4_payload_len":3648,"midstream":0,"thread_ts_usec":946745723443000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":87056800.0,"max":662067000,"stddev":203163760.0,"var":41275511887888384.0,"ent":2.0,"data": [122000,677000,771000,222000,34000,2372000,1000,23000,2387000,22000,24000,661960000,662067000,681000,743000,195000,34000,407000,421000,4000,138000,188000,12771000,421390000,408766000]},"pktlen": {"min":108,"avg":528.1,"max":1360,"stddev":468.7,"var":219671.5,"ent":4.5,"data": [844,236,140,108,124,444,1360,1360,928,1360,160,160,160,928,160,844,236,140,108,124,444,1360,1360,928,160,160,160,1056,160,108,844,236]},"bins": {"c_to_s": [0,0,0,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0],"s_to_c": [0,0,3,0,7,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1],"entropies": [7.741627216,6.965078831,6.116603374,5.779674053,6.059063911,7.410885334,7.860165119,7.863566875,7.772638798,7.854592800,6.636003017,6.657938480,6.612657070,7.764769077,6.596687317,7.754736900,6.881987095,6.222157478,5.801217556,6.004589081,7.442288876,7.852550507,7.852631569,7.794322968,6.638905048,6.506283283,6.772091866,7.817639828,6.695438385,5.748310089,7.756398201,6.820323944]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00914{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":61,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":22,"flow_first_seen":946744635161000,"flow_src_last_pkt_time":946745725650000,"flow_dst_last_pkt_time":946745725647000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":16260,"flow_dst_tot_l4_payload_len":5568,"midstream":0,"thread_ts_usec":946745725650000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00909{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":61,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":8,"flow_first_seen":946744638499000,"flow_src_last_pkt_time":946745723231000,"flow_dst_last_pkt_time":946745723263000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":6304,"flow_dst_tot_l4_payload_len":1360,"midstream":0,"thread_ts_usec":946745725650000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00566{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":62,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","packets-captured":62,"packets-processed":61,"total-skipped-flows":0,"total-l4-payload-len":29572,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":6,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":21,"global_ts_usec":946747247312000} @@ -165,8 +165,8 @@ 00865{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":348,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":816,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":816,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":816,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.227","src_port":14500,"dst_port":4500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00784{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":250,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":250,"pkt_l4_len":216,"thread_ts_usec":946763527783000,"pkt":"YDjgxTWgeJS0JASgCABFAADsy5UAAPcRCo5t7bvjwKgCZBGUOKQA2N2eAAAAAMT3roGUU5AxVDreTwHgKMguICMgAAAAAQAAAMwkAACw3+hDUjEFQ6MgpqAEcApKvn9uh3qVHzhAobzzdsLHNL0cE0MCy6hqRcHq2zyFYxqKUvV9qpSoUCOXzZX8acXWksJkwcZvlj3pHUnomqGBUy7YKx8\/BoUpsdZ+YJ66Urw6XFHoKHyVFJYrxhfDTA96A3GMtNoZk+CLmvMZh9uGXGXGb9zoZqBq9vHjZRx\/MplOtNEvpcXqGaCwVYcGtrGfedPqueJGKjXMXpyHhw=="} 00655{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":946763527783000,"pkt":"eJS0JASgYDjgxTWgCABFAACMqXpAAD8RpQnAqAJkbe274zikEZQAeOw1AAAAAMT3roGUU5AxVDreTwHgKMguICMIAAAAAgAAAGwwAABQp3zPqAaPZdCtSbotjrN0irXGcY7JpOGxC6pjgSY\/TZB8lMPX2DP1QKzYFMuSni2xVCT2eLDFep09w0XbtiWVOI2z82MP7LPt5iJg1A=="} -01550{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":383,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":10256,"flow_dst_tot_l4_payload_len":4624,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.227","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":122,"avg":507.0,"max":1374,"stddev":453.9,"var":206039.0,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,4,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} -01532{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":465,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":12608,"flow_dst_tot_l4_payload_len":2720,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.227","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":94,"avg":521.0,"max":842,"stddev":320.2,"var":102515.0,"ent":4.7,"data": [818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330,818,94,842,330]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} +01949{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":383,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":10256,"flow_dst_tot_l4_payload_len":4624,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.227","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":108,"avg":493.0,"max":1360,"stddev":453.9,"var":206039.0,"ent":4.4,"data": [844,236,140,108,124,444,1360,1360,928,160,160,160,1056,160,108,844,236,140,108,124,444,1360,1360,928,160,160,160,1056,160,108,844,236]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,4,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1],"entropies": [7.693149090,6.908532143,6.289921284,5.907789707,6.064967155,7.449052334,7.871124744,7.858648777,7.794081688,6.655786514,6.611001968,6.493160248,7.792814732,6.670437813,5.759838581,7.685832500,6.882148743,6.265015125,5.724118233,6.052976131,7.485020638,7.879636765,7.861135006,7.787482738,6.603220463,6.625156879,6.573005676,7.827785015,6.468286991,5.669764996,7.726345062,6.805452824]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} +01931{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":465,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":12608,"flow_dst_tot_l4_payload_len":2720,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.227","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":80,"avg":507.0,"max":828,"stddev":320.2,"var":102515.0,"ent":4.7,"data": [804,80,828,316,804,80,828,316,804,80,828,316,804,80,828,316,804,80,828,316,804,80,828,316,804,80,828,316,804,80,828,316]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,8,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.943627357,4.600413322,5.035194874,6.560711384,4.957199574,4.634849548,5.032216549,6.619104385,4.913105965,4.609849930,4.993678570,6.435603142,4.935446262,4.594285965,5.011265278,6.551633835,4.906664848,4.582717896,4.951835632,6.504704952,4.882042408,4.594286442,4.970667839,6.575375080,4.923563004,4.694285870,5.003669262,6.614925861,4.935611725,4.644286156,5.001285553,6.506689072]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00768{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":466,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.226","src_port":10500,"dst_port":500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 01540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":466,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":818,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":818,"pkt_l4_len":784,"thread_ts_usec":946763527783000,"pkt":"eJS0JASgYDjgxTWgCABFAAMkUT5AAD8R+q7AqAJkbe274ikEAfQDENNXqwswX1pdWlQAAAAAAAAAACEgIggAAAAAAAADCCIAAggCAABQAQEACAMAAAwBAAAMgA4AgAMAAAwBAAAMgA4BAAMAAAgDAAACAwAACAMAAAwDAAAIAgAAAgMAAAgCAAAFAwAACAQAAAIAAAAIBAAABQAAAbQCAQAuAwAACAEAAAMDAAAMAQAADIAOAIADAAAMAQAADIAOAMADAAAMAQAADIAOAQADAAAMAQAADYAOAIADAAAMAQAADYAOAMADAAAMAQAADYAOAQADAAAMAQAAEoAOAIADAAAMAQAAEoAOAMADAAAMAQAAEoAOAQADAAAMAQAAE4AOAIADAAAMAQAAE4AOAMADAAAMAQAAE4AOAQADAAAMAQAAFIAOAIADAAAMAQAAFIAOAMADAAAMAQAAFIAOAQADAAAIAwAAAQMAAAgDAAACAwAACAMAAAUDAAAIAwAADAMAAAgDAAANAwAACAMAAA4DAAAIAgAAAQMAAAgCAAACAwAACAIAAAQDAAAIAgAABQMAAAgCAAAGAwAACAIAAAcDAAAIBAAAAgMAAAgEAAAFAwAACAQAAA4DAAAIBAAADwMAAAgEAAAQAwAACAQAABIDAAAIBAAAEwMAAAgEAAAUAwAACAQAABUDAAAIBAAAFgMAAAgEAAAXAwAACAQAABgDAAAIBAAAGQMAAAgEAAAaAwAACAQAABsDAAAIBAAAHAMAAAgEAAAdAAAACAQAAB4oAACIAAIAANisWYZIjej7n3HtY6YrUGG6ju3JyAgfXaIbqQqsCk6WamsA3yJowbMrsQiavjlYliQ8\/bmnkd4oik6yfXzF2nnT5++MrBWp59hXjvpQG7CUKBYM2qK1rCYScGFGvoCH+VaOstA9qnbA93UZ+lGrf8oiyLKNCUx8EmTjNr1npSw0KQAAJEdv70J9iweqoyFFLnrl4Zzojnhs5HDATx3IKPlr2BaOKQAAHAAAQASxGcGDddgOxJ\/uFM4nQfEOTHdh1AAAABwAAEAFw3IlZSVVICry3JG3pa18XmliW9c="} 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":466,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.226","src_port":10500,"dst_port":500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} @@ -187,7 +187,7 @@ 00865{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":658,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":816,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":816,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":816,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.130","src_port":14500,"dst_port":4500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00789{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":659,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":250,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":250,"pkt_l4_len":216,"thread_ts_usec":946763527783000,"pkt":"YDjgxTWgeJS0JASgCABFAADsk6IAAPYRQ+Jt7buCwKgCZBGUOKQA2IekAAAAAM17ri1L\/ac+HEFGvwEgEbUuICMgAAAAAQAAAMwkAACwnjHnEXtSQ9YBTsYWhNWWL2lb3zCSVGmtTzEvh47BEs\/bjLyBXTJjuCqg7wWeV74OlRvZj2lbuv2HF8N25vmjxy2gOj3GTSIkrJ81O5xBYrk\/DO\/U3vnDhNrRnxnnbUAcri8CK4colHYFHy00rAAnAiq\/J3y\/4Psn7O2YNdeQxTN+FVKTTs+PkcU9iJQYjyeso5yATeFNdg3Yo2REPpR\/v53srr2DXIiU+rV2BA=="} 00657{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":660,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":946763527783000,"pkt":"eJS0JASgYDjgxTWgCABFAACMfEZAAD8R0p7AqAJkbe27gjikEZQAeEKcAAAAAM17ri1L\/ac+HEFGvwEgEbUuICMIAAAAAgAAAGwwAABQ4uWpvKvs0+Grd38C+Ik2kAU8jJda\/\/ZCHQQBPzJXFKXfyLyFjecJewBE8lyFFdf5WHr93Xl19FueaRtvNm5eWTihSgwraMBcuUWyzQ=="} -01556{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":697,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":7848,"flow_dst_tot_l4_payload_len":12096,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.130","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":122,"avg":665.2,"max":1374,"stddev":511.6,"var":261688.4,"ent":4.5,"data": [858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250,154,122,138,458,1374,1070,174,174,1070,174,1374,1374,1326,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0],"s_to_c": [0,0,2,0,4,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,2,4,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} +01955{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":697,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":7848,"flow_dst_tot_l4_payload_len":12096,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.130","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":108,"avg":651.2,"max":1360,"stddev":511.6,"var":261688.4,"ent":4.5,"data": [844,236,140,108,124,444,1360,1056,160,160,1056,160,1360,1360,1312,844,236,140,108,124,444,1360,1056,160,160,1056,160,1360,1360,1312,844,236]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0],"s_to_c": [0,0,2,0,4,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,2,4,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1,0,1,0,1,0,0,1,1,1,0,1,1,1,0,1],"entropies": [7.731180668,6.807529449,6.307871342,5.782698631,6.032709122,7.449109077,7.850845337,7.804824352,6.606283665,6.623502254,7.788777351,6.573501587,7.833298206,7.853844643,7.853167534,7.760776520,6.845402241,6.255957603,5.919319153,6.125529766,7.423834324,7.868905544,7.797307491,6.606283665,6.670437813,7.803458691,6.729874611,7.870663643,7.821934700,7.841155052,7.723438740,6.936455250]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":768,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":416,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":416,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":416,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":42593,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 01065{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":768,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":1,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":458,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":458,"pkt_l4_len":424,"thread_ts_usec":946763527783000,"pkt":"eJS0JASgYDjgxTWgCABFAAG8AURAAP0RjjHAqAJkbe27waZhEZQBqLXBAAAAABcjot1R1L2v9VP\/ZQPMlAYuICMIAAAAAQAAAZwjAAGAFzlsP7YgimBjfIhMJEPhZdw0CnuZSvY37VZC7a055Lu7e+IEFmagHoqj\/3VU94cqC6SemXaaay0d\/2HUKJiZnpCAdCpw2HQ0KrTFW857JbKQ5j3IjKxRjcUYXqtMskX1DsgbCtObqa65cF5WltmtdmwVSANhLzG0LAR+CYEUUulm5YiOyMOFPbHpSrtDM2EEADmkbnPxO00Rexy0LvWXHDnINrIOiYbG6hzWEPIEI9Eq\/yH+hgIb4D\/vUKMOXGmPYj6eX3YPkbs08cGm1IBTDEzAwFQ6+Dut0IKwpkVjd+zPi5GajMElxeEZqtJlXKjo9Q5m9\/Z280gMX0Ev66KMtd6K6mBxkfkxU48zqh5WNlzUeROBsXFhnHi99g6+xt5SosQj2gpfId\/yriJfKS5T7sFkMpq5UCC9LwpNDHHYOliSKEorplbbZFT5pCqGgvpGJkdN1m+eylUPZy+lsCygyTo96r1KrC7wKmw+U5ttVkc6oJ49jPR1mswYgKs="} 00865{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":768,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":416,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":416,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":416,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.193","src_port":42593,"dst_port":4500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} @@ -228,8 +228,8 @@ 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":955,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":776,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.195","src_port":10500,"dst_port":500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":956,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":94,"pkt_l4_len":60,"thread_ts_usec":946763527783000,"pkt":"YDjgxTWgeJS0JASgCABFAABQw\/QAAPcREutt7bvDwKgCZAH0KQQAPDt0h60nd4XOo4EAAAAAAAAAACkgIiAAAAAAAAAANAAAABgAAEAGAAFWSjMix2hDw5Uoh9iWqg=="} 01572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":957,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":3,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":842,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":842,"pkt_l4_len":808,"thread_ts_usec":946763527783000,"pkt":"eJS0JASgYDjgxTWgCABFAAM8ygVAAD8Rge7AqAJkbe27wykEAfQDKIzIh60nd4XOo4EAAAAAAAAAACkgIggAAAAAAAADICEAABgAAEAGAAFWSjMix2hDw5Uoh9iWqiIAAggCAABQAQEACAMAAAwBAAAMgA4AgAMAAAwBAAAMgA4BAAMAAAgDAAACAwAACAMAAAwDAAAIAgAAAgMAAAgCAAAFAwAACAQAAAIAAAAIBAAABQAAAbQCAQAuAwAACAEAAAMDAAAMAQAADIAOAIADAAAMAQAADIAOAMADAAAMAQAADIAOAQADAAAMAQAADYAOAIADAAAMAQAADYAOAMADAAAMAQAADYAOAQADAAAMAQAAEoAOAIADAAAMAQAAEoAOAMADAAAMAQAAEoAOAQADAAAMAQAAE4AOAIADAAAMAQAAE4AOAMADAAAMAQAAE4AOAQADAAAMAQAAFIAOAIADAAAMAQAAFIAOAMADAAAMAQAAFIAOAQADAAAIAwAAAQMAAAgDAAACAwAACAMAAAUDAAAIAwAADAMAAAgDAAANAwAACAMAAA4DAAAIAgAAAQMAAAgCAAACAwAACAIAAAQDAAAIAgAABQMAAAgCAAAGAwAACAIAAAcDAAAIBAAAAgMAAAgEAAAFAwAACAQAAA4DAAAIBAAADwMAAAgEAAAQAwAACAQAABIDAAAIBAAAEwMAAAgEAAAUAwAACAQAABUDAAAIBAAAFgMAAAgEAAAXAwAACAQAABgDAAAIBAAAGQMAAAgEAAAaAwAACAQAABsDAAAIBAAAHAMAAAgEAAAdAAAACAQAAB4oAACIAAIAAEnKegIkLOmW4KZNcOCo7ZOC4licZ2A51HwGaEIiqoXRPN6FcRoNRdAJs+VA4OoEhdOX8Fx4+MU+pUH2RMi10WP9fW5dlYg6Cr9HTfi+4X5mNAA6iu7R0SUnBzU7WFhgJmUeZ23\/+YRhQU1yMpmQB5bWydw9ZfvTkPXAog0gKlZ1KQAAJIVS0Rg+btu6BkuEgsgaurW3aJ4eaYYGQ6VjkOvvz6QMKQAAHAAAQASo5HDOkRKoIfuPc\/+LezYZYFoAhAAAABwAAEAFi9H7SlG8iBMVMxjPqyusPgxIUYI="} -01552{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":983,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":10224,"flow_dst_tot_l4_payload_len":7128,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.195","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":122,"avg":584.2,"max":1374,"stddev":486.8,"var":236933.9,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,2,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} -01552{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1048,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":10240,"flow_dst_tot_l4_payload_len":5876,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.225","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":122,"avg":545.6,"max":1374,"stddev":472.2,"var":222978.4,"ent":4.5,"data": [858,250,154,122,138,458,1374,1374,942,174,174,174,1070,174,122,858,250,154,122,138,458,1374,1374,926,174,174,174,1070,174,1374,858,250]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,3,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} +01951{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":983,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":10224,"flow_dst_tot_l4_payload_len":7128,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.195","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":108,"avg":570.2,"max":1360,"stddev":486.8,"var":236933.9,"ent":4.5,"data": [844,236,140,108,124,444,1360,1360,912,160,160,160,1056,160,1360,844,236,140,108,124,444,1360,1360,912,160,160,160,1056,160,1360,844,236]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,2,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1],"entropies": [7.744743347,6.853363991,6.347064018,5.738097668,6.151700020,7.473697186,7.876097679,7.831090450,7.765502453,6.747092724,6.687656403,6.679874420,7.827803612,6.462619305,7.846179008,7.744938850,6.903948784,6.261349678,5.757190228,6.099359512,7.429207802,7.852733135,7.863712311,7.793406487,6.532532215,6.538568020,6.619940281,7.820692539,6.667374134,7.838056564,7.740211487,6.937667370]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} +01951{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1048,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":10240,"flow_dst_tot_l4_payload_len":5876,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.225","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":108,"avg":531.6,"max":1360,"stddev":472.2,"var":222978.4,"ent":4.4,"data": [844,236,140,108,124,444,1360,1360,928,160,160,160,1056,160,108,844,236,140,108,124,444,1360,1360,912,160,160,160,1056,160,1360,844,236]},"bins": {"c_to_s": [0,0,0,4,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0],"s_to_c": [0,0,3,0,6,0,3,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,1,0,0,0,1,1,1,1,0,1,0,1],"entropies": [7.735000610,6.885608673,6.313099861,5.849783897,6.173916817,7.464264393,7.831699848,7.833400249,7.798014164,6.661001682,6.578844547,6.648502350,7.808434486,6.640223026,5.685765266,7.751714706,6.969136238,6.248125076,5.863762856,6.151700020,7.458979130,7.869451523,7.855331421,7.760697842,6.747092247,6.645437717,6.637656689,7.804164410,6.573502064,7.848899364,7.732619762,6.921160221]},"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00916{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1080,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":53,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1332,"flow_src_tot_l4_payload_len":21676,"flow_dst_tot_l4_payload_len":34636,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.130","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00912{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1080,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":8,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":4720,"flow_dst_tot_l4_payload_len":2208,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.131","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} 00912{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1080,"source":"ipsec_isakmp_esp.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":8,"flow_first_seen":946763527783000,"flow_src_last_pkt_time":946763527783000,"flow_dst_last_pkt_time":946763527783000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1332,"flow_dst_max_l4_payload_len":1028,"flow_src_tot_l4_payload_len":4720,"flow_dst_tot_l4_payload_len":2208,"midstream":0,"thread_ts_usec":946763527783000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"109.237.187.226","src_port":14500,"dst_port":4500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IPSec","proto_id":"79","encrypted":1,"breed":"Safe","category_id":2,"category":"VPN"}} @@ -261,10 +261,10 @@ ~~ total active/idle flows...: 36/36 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6123857 bytes -~~ total memory freed........: 6123857 bytes -~~ total allocations/frees...: 122919/122919 +~~ total memory allocated....: 6128753 bytes +~~ total memory freed........: 6128753 bytes +~~ total allocations/frees...: 122955/122955 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 501 chars -~~ json string max len.......: 1776 chars -~~ json string avg len.......: 1138 chars +~~ json string max len.......: 2175 chars +~~ json string avg len.......: 1338 chars diff --git a/test/results/irc.pcap.out b/test/results/irc.pcap.out index 5a71fe10d..0a69f7cca 100644 --- a/test/results/irc.pcap.out +++ b/test/results/irc.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038576 bytes -~~ total memory freed........: 6038576 bytes -~~ total allocations/frees...: 121518/121518 +~~ total memory allocated....: 6038712 bytes +~~ total memory freed........: 6038712 bytes +~~ total allocations/frees...: 121519/121519 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars ~~ json string max len.......: 1139 chars diff --git a/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out b/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out index bf9b5ed56..2e516e5c5 100644 --- a/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out +++ b/test/results/ja3_lots_of_cipher_suites_2_anon.pcap.out @@ -41,9 +41,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036424 bytes -~~ total memory freed........: 6036424 bytes -~~ total allocations/frees...: 121514/121514 +~~ total memory allocated....: 6036560 bytes +~~ total memory freed........: 6036560 bytes +~~ total allocations/frees...: 121515/121515 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 263 chars ~~ json string max len.......: 1931 chars diff --git a/test/results/jabber.pcap.out b/test/results/jabber.pcap.out index 836e1e3be..7a531612a 100644 --- a/test/results/jabber.pcap.out +++ b/test/results/jabber.pcap.out @@ -5,13 +5,13 @@ 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1502379723841804,"flow_dst_last_pkt_time":1502379723842248,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1502379723842248,"pkt":"aFs1pN2oTl6SKSKGCABFAAA8AABAAEAG4NOsEAGKrBAAPhRm3wagxQKCw6iV9qASOJCmRgAAAgQFtAQCCAoAGMyaTgMEJwEDAwc="} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1502379723842315,"flow_dst_last_pkt_time":1502379723842248,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1502379723842315,"pkt":"Tl6SKSKGaFs1pN2oCABFAAA0qcBAAEAGAACsEAA+rBABit8GFGbDqJX2oMUCg4AQICtaDwAAAQEICk4DBCcAGMya"} 00857{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1502379723841804,"flow_src_last_pkt_time":1502379723843132,"flow_dst_last_pkt_time":1502379723843076,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":138,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1502379723843132,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57094,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} -01693{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502379723841804,"flow_src_last_pkt_time":1502379724444209,"flow_dst_last_pkt_time":1502379724444121,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1485,"midstream":0,"thread_ts_usec":1502379724444209,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57094,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":218,"avg":38862.0,"max":337747,"stddev":84176.8,"var":7085729792.0,"ent":3.0,"data": [444,511,417,828,400,374,12411,12818,2412,2410,348,1979,1627,218,40781,36965,77519,220,613,337303,337747,374,834,51093,51498,6383,6386,306,844,109053,109606]},"pktlen": {"min":66,"avg":142.1,"max":445,"stddev":104.5,"var":10930.1,"ent":4.7,"data": [78,74,66,88,66,182,66,245,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66]},"bins": {"c_to_s": [11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02092{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":34,"source":"jabber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502379723841804,"flow_src_last_pkt_time":1502379724444209,"flow_dst_last_pkt_time":1502379724444121,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1485,"midstream":0,"thread_ts_usec":1502379724444209,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57094,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":218,"avg":38862.0,"max":337747,"stddev":84176.8,"var":7085729792.0,"ent":3.0,"data": [444,511,417,828,400,374,12411,12818,2412,2410,348,1979,1627,218,40781,36965,77519,220,613,337303,337747,374,834,51093,51498,6383,6386,306,844,109053,109606]},"pktlen": {"min":52,"avg":128.1,"max":431,"stddev":104.5,"var":10930.1,"ent":4.6,"data": [64,60,52,74,52,168,52,231,52,337,52,214,212,52,390,52,172,52,104,52,103,52,168,52,231,52,431,52,175,52,184,52]},"bins": {"c_to_s": [11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0],"entropies": [4.198073387,4.993659973,4.853535175,5.479191780,4.902175903,5.439201832,4.902175903,5.621643066,4.738150120,5.383924484,4.723633289,5.581990719,6.107189655,4.670654774,6.120055676,4.902175903,5.874162197,4.853535175,5.356550694,4.849197388,5.481268406,4.776612282,5.385900497,4.786790848,5.631215096,4.630272865,5.375878334,4.800556660,5.531776905,4.762094975,5.626255989,4.762094975]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":89,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175298881,"flow_dst_last_pkt_time":1502380175298881,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1502380175298881,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":89,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1502380175298881,"flow_dst_last_pkt_time":1502380175298881,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1502380175298881,"pkt":"Tl6SKSKGaFs1pN2oCABFAABAIwFAAEAGAACsEAA+rBABit8iFGaEgGHPAAAAALAC\/\/9aGwAAAgQFtAEDAwQBAQgKTgnffgAAAAAEAgAA"} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":90,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1502380175298881,"flow_dst_last_pkt_time":1502380175299571,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1502380175299571,"pkt":"aFs1pN2oTl6SKSKGCABFAAA8AABAAEAG4NOsEAGKrBAAPhRm3yLL7qcahIBh0KASOJCKxQAAAgQFtAQCCAoAH7AnTgnffgEDAwc="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":91,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1502380175299630,"flow_dst_last_pkt_time":1502380175299571,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1502380175299630,"pkt":"Tl6SKSKGaFs1pN2oCABFAAA0ciBAAEAGAACsEAA+rBABit8iFGaEgGHQy+6nG4AQICtaDwAAAQEICk4J334AH7An"} 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":94,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175300064,"flow_dst_last_pkt_time":1502380175300022,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":138,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1502380175300064,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} -01684{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175888009,"flow_dst_last_pkt_time":1502380175887945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1483,"midstream":0,"thread_ts_usec":1502380175888009,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":38006.2,"max":336798,"stddev":84915.4,"var":7210629120.0,"ent":2.8,"data": [690,749,72,451,362,328,190,509,138,134,177,1433,1288,169,39805,40983,80676,197,580,336438,336798,280,830,51170,51717,134,126,305,762,115132,115569]},"pktlen": {"min":66,"avg":142.0,"max":445,"stddev":104.5,"var":10917.3,"ent":4.7,"data": [78,74,66,88,66,182,66,243,66,351,66,228,226,66,404,66,186,66,118,66,117,66,182,66,245,66,445,66,189,66,198,66]},"bins": {"c_to_s": [11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02083{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":120,"source":"jabber.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1502380175298881,"flow_src_last_pkt_time":1502380175888009,"flow_dst_last_pkt_time":1502380175887945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":379,"flow_src_tot_l4_payload_len":929,"flow_dst_tot_l4_payload_len":1483,"midstream":0,"thread_ts_usec":1502380175888009,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57122,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":38006.2,"max":336798,"stddev":84915.4,"var":7210629120.0,"ent":2.8,"data": [690,749,72,451,362,328,190,509,138,134,177,1433,1288,169,39805,40983,80676,197,580,336438,336798,280,830,51170,51717,134,126,305,762,115132,115569]},"pktlen": {"min":52,"avg":128.0,"max":431,"stddev":104.5,"var":10917.3,"ent":4.6,"data": [64,60,52,74,52,168,52,229,52,337,52,214,212,52,390,52,172,52,104,52,103,52,168,52,231,52,431,52,175,52,184,52]},"bins": {"c_to_s": [11,1,0,3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,1,3,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,1,0],"entropies": [4.266673088,5.131404400,4.776611805,5.441964149,4.902175903,5.444538593,4.825252533,5.585448742,4.738150120,5.405127525,4.776611805,5.600682259,6.105852604,4.815073490,6.126323223,4.863714218,5.952934742,4.675744057,5.351836681,4.801308155,5.387970448,4.584303856,5.442506313,4.863714218,5.598178864,4.776611805,5.389763355,4.671903133,5.446438789,4.762094498,5.526237488,4.685171604]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":175,"source":"jabber.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1502380213387324,"flow_src_last_pkt_time":1502380213387324,"flow_dst_last_pkt_time":1502380213387324,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":16,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1502380213387324,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57126,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"jabber.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1502380213387324,"flow_dst_last_pkt_time":1502380213387324,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1502380213387324,"pkt":"Tl6SKSKGaFs1pN2oCABFAABEEUNAAEAGAACsEAA+rBABit8mFGZE6SgmjZ+UW4AYIABaHwAAAQEICk4Kc24AIDNjPC9zdHJlYW06c3RyZWFtPg=="} 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":175,"source":"jabber.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1502380213387324,"flow_src_last_pkt_time":1502380213387324,"flow_dst_last_pkt_time":1502380213387324,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":16,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1502380213387324,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57126,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} @@ -36,7 +36,7 @@ 00688{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":251,"source":"jabber.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1502380915481182,"flow_dst_last_pkt_time":1502380915486217,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1502380915486217,"pkt":"aFs1pN2oTl6SKSKGCABFAACsmGdAAEAGR\/ysEAGKrBAAPhRm3z2fGhbwcCeU94AYAP6TqgAAAQEICgAq+5ZOFR2YPG1lc3NhZ2UgdG89J3RvbUBjcy14bXBwLmxhbi9kYXJrc3RhcicgZnJvbT0nY2hhdC13aXRoLXRvbUBjb25mZXJlbmNlLmNzLXhtcHAubGFuJyB0eXBlPSdncm91cGNoYXQnPjxzdWJqZWN0Lz48L21lc3NhZ2U+"} 00903{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":260,"source":"jabber.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":12,"flow_first_seen":1502380724652555,"flow_src_last_pkt_time":1502380725074115,"flow_dst_last_pkt_time":1502380725074074,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":338,"flow_dst_max_l4_payload_len":285,"flow_src_tot_l4_payload_len":654,"flow_dst_tot_l4_payload_len":772,"midstream":0,"thread_ts_usec":1502380919392608,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57147,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":260,"source":"jabber.pcap","alias":"nDPId-test","packets-captured":260,"packets-processed":243,"total-skipped-flows":0,"total-l4-payload-len":34275,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":6,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":38,"global_ts_usec":1502381519875958} -01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":282,"source":"jabber.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1502380915481182,"flow_src_last_pkt_time":1502381566576939,"flow_dst_last_pkt_time":1502381566616902,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":463,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":2076,"midstream":1,"thread_ts_usec":1502381566616902,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57149,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":42007464.0,"max":600487770,"stddev":147104800.0,"var":21639823353708544.0,"ent":1.4,"data": [5033,2,5089,3,217021,217977,974,3684463,3688323,3876,600484177,600487770,3,3561,6,1107,1119,7791,47498,39730,447,62982,63440,253,504,186,80,2,90,46583978,46623992]},"pktlen": {"min":66,"avg":164.8,"max":529,"stddev":117.9,"var":13893.8,"ent":4.7,"data": [305,474,186,66,66,248,529,66,248,193,66,216,270,172,120,66,286,66,114,66,114,66,288,66,114,167,66,66,171,66,201,66]},"bins": {"c_to_s": [9,4,0,0,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,5,0,0,3,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02120{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":282,"source":"jabber.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1502380915481182,"flow_src_last_pkt_time":1502381566576939,"flow_dst_last_pkt_time":1502381566616902,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":239,"flow_dst_max_l4_payload_len":463,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":2076,"midstream":1,"thread_ts_usec":1502381566616902,"l3_proto":"ip4","src_ip":"172.16.0.62","dst_ip":"172.16.1.138","src_port":57149,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":42007464.0,"max":600487770,"stddev":147104800.0,"var":21639823353708544.0,"ent":1.4,"data": [5033,2,5089,3,217021,217977,974,3684463,3688323,3876,600484177,600487770,3,3561,6,1107,1119,7791,47498,39730,447,62982,63440,253,504,186,80,2,90,46583978,46623992]},"pktlen": {"min":52,"avg":150.8,"max":515,"stddev":117.9,"var":13893.8,"ent":4.6,"data": [291,460,172,52,52,234,515,52,234,179,52,202,256,158,106,52,272,52,100,52,100,52,274,52,100,153,52,52,157,52,187,52]},"bins": {"c_to_s": [9,4,0,0,2,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,5,0,0,3,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1],"entropies": [5.572191238,5.460877895,5.502878189,4.891996861,4.853535175,5.455323696,5.262341499,4.891996861,5.508277893,5.549472332,4.853535175,5.489766598,5.608968258,5.516506672,5.456765175,4.747577667,5.601363182,4.800556183,5.462725163,4.870416641,5.430274010,4.908877850,5.580210686,4.647958755,5.434380531,5.509377956,4.699688911,4.762538910,5.683691025,4.646709919,5.424290180,4.908878326]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Jabber","proto_id":"67","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":289,"source":"jabber.pcap","alias":"nDPId-test","packets-captured":289,"packets-processed":270,"total-skipped-flows":0,"total-l4-payload-len":36212,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":6,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":40,"global_ts_usec":1504181789350325} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":289,"source":"jabber.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1504181789350325,"flow_src_last_pkt_time":1504181789350325,"flow_dst_last_pkt_time":1504181789350325,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1504181789350325,"l3_proto":"ip4","src_ip":"192.168.58.1","dst_ip":"192.168.58.153","src_port":53460,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":289,"source":"jabber.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1504181789350325,"flow_dst_last_pkt_time":1504181789350325,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1504181789350325,"pkt":"AAwpvhIxAFBWwAAICABFAAA0dxlAAIAGjb\/AqDoBwKg6mdDUFGaBHPlXAAAAAIACIAD5dQAAAgQFtAEDAwgBAQQC"} @@ -92,10 +92,10 @@ ~~ total active/idle flows...: 12/12 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6088463 bytes -~~ total memory freed........: 6088463 bytes -~~ total allocations/frees...: 121967/121967 +~~ total memory allocated....: 6090095 bytes +~~ total memory freed........: 6090095 bytes +~~ total allocations/frees...: 121979/121979 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1726 chars -~~ json string avg len.......: 1108 chars +~~ json string max len.......: 2125 chars +~~ json string avg len.......: 1308 chars diff --git a/test/results/kerberos-error.pcap.out b/test/results/kerberos-error.pcap.out index 18737c82d..127216f7d 100644 --- a/test/results/kerberos-error.pcap.out +++ b/test/results/kerberos-error.pcap.out @@ -14,9 +14,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035699 bytes -~~ total memory freed........: 6035699 bytes -~~ total allocations/frees...: 121489/121489 +~~ total memory allocated....: 6035835 bytes +~~ total memory freed........: 6035835 bytes +~~ total allocations/frees...: 121490/121490 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars ~~ json string max len.......: 963 chars diff --git a/test/results/kerberos-login.pcap.out b/test/results/kerberos-login.pcap.out index 748d98813..394553664 100644 --- a/test/results/kerberos-login.pcap.out +++ b/test/results/kerberos-login.pcap.out @@ -84,9 +84,9 @@ ~~ total active/idle flows...: 13/13 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6056288 bytes -~~ total memory freed........: 6056288 bytes -~~ total allocations/frees...: 121647/121647 +~~ total memory allocated....: 6058056 bytes +~~ total memory freed........: 6058056 bytes +~~ total allocations/frees...: 121660/121660 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars ~~ json string max len.......: 2182 chars diff --git a/test/results/kerberos.pcap.out b/test/results/kerberos.pcap.out index a36147e71..dd1843fe9 100644 --- a/test/results/kerberos.pcap.out +++ b/test/results/kerberos.pcap.out @@ -194,9 +194,9 @@ ~~ total active/idle flows...: 36/36 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6145914 bytes -~~ total memory freed........: 6145914 bytes -~~ total allocations/frees...: 121939/121939 +~~ total memory allocated....: 6150810 bytes +~~ total memory freed........: 6150810 bytes +~~ total allocations/frees...: 121975/121975 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2482 chars diff --git a/test/results/kerberos_fuzz.pcapng.out b/test/results/kerberos_fuzz.pcapng.out index 013e43ef1..400b84986 100644 --- a/test/results/kerberos_fuzz.pcapng.out +++ b/test/results/kerberos_fuzz.pcapng.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035642 bytes -~~ total memory freed........: 6035642 bytes -~~ total allocations/frees...: 121487/121487 +~~ total memory allocated....: 6035778 bytes +~~ total memory freed........: 6035778 bytes +~~ total allocations/frees...: 121488/121488 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars ~~ json string max len.......: 980 chars diff --git a/test/results/kismet.pcap.out b/test/results/kismet.pcap.out index 7811f9401..383cf38e3 100644 --- a/test/results/kismet.pcap.out +++ b/test/results/kismet.pcap.out @@ -5,7 +5,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1144004385285325,"flow_dst_last_pkt_time":1144004385285353,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1144004385285353,"pkt":"AAAAAAAAAAAAAAAACABFAAA0AABAAIAG\/MF\/AAABfwAAAQnFhRGzPp6Js2uR14ASf\/+QygAAAgRADAEBBAIBAwMC"} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1144004385285367,"flow_dst_last_pkt_time":1144004385285353,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1144004385285367,"pkt":"AAAAAAAAAAAAAAAACABFAAAoPIdAAIAGwEZ\/AAABfwAAAYURCcWza5HXsz6eilAQIABr7wAA"} 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004385285367,"flow_dst_last_pkt_time":1144004385285561,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":199,"midstream":0,"thread_ts_usec":1144004385285561,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01771{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004397698680,"flow_dst_last_pkt_time":1144004398798485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1045,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":1045,"flow_dst_tot_l4_payload_len":1777,"midstream":0,"thread_ts_usec":1144004398798485,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":28,"avg":836339.2,"max":1099852,"stddev":406205.2,"var":165002641408.0,"ent":4.7,"data": [28,42,208,235,399947,399927,615244,615286,399575,399620,1099784,1099782,1099835,1099834,1099815,1099816,1099834,1099831,1099838,1099839,1099849,1099852,1099837,1099839,1099821,1099818,1099833,1099833,1099842,1099843,1099828]},"pktlen": {"min":54,"avg":142.9,"max":1099,"stddev":184.2,"var":33913.2,"ent":4.4,"data": [66,66,54,253,54,72,54,1099,54,129,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189,54,189]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02170{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004397698680,"flow_dst_last_pkt_time":1144004398798485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1045,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":1045,"flow_dst_tot_l4_payload_len":1777,"midstream":0,"thread_ts_usec":1144004398798485,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":28,"avg":836339.2,"max":1099852,"stddev":406205.2,"var":165002641408.0,"ent":4.7,"data": [28,42,208,235,399947,399927,615244,615286,399575,399620,1099784,1099782,1099835,1099834,1099815,1099816,1099834,1099831,1099838,1099839,1099849,1099852,1099837,1099839,1099821,1099818,1099833,1099833,1099842,1099843,1099828]},"pktlen": {"min":40,"avg":128.9,"max":1085,"stddev":184.2,"var":33913.2,"ent":4.2,"data": [52,52,40,239,40,58,40,1085,40,115,40,175,40,175,40,175,40,175,40,175,40,175,40,175,40,175,40,175,40,175,40,175]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,11,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.152935505,4.370187283,4.291446209,5.295236588,4.191446304,4.892910004,4.291446209,4.891900063,4.458695412,4.585392952,4.341446400,5.037372112,4.341446400,5.005887508,4.291446686,5.014514446,4.341446400,4.979419708,4.291446686,5.025943279,4.341446400,5.016745567,4.291446686,4.993078232,4.341446400,5.021629810,4.341446400,5.025943279,4.341446400,5.025943279,4.291446209,5.037371635]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00907{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":35,"source":"kismet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":17,"flow_first_seen":1144004385285325,"flow_src_last_pkt_time":1144004399898338,"flow_dst_last_pkt_time":1144004399898316,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1045,"flow_dst_max_l4_payload_len":199,"flow_src_tot_l4_payload_len":1045,"flow_dst_tot_l4_payload_len":1912,"midstream":0,"thread_ts_usec":1144004399898338,"l3_proto":"ip4","src_ip":"127.0.0.1","dst_ip":"127.0.0.1","src_port":34065,"dst_port":2501,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Kismet","proto_id":"309","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00558{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":35,"source":"kismet.pcap","alias":"nDPId-test","packets-captured":35,"packets-processed":35,"total-skipped-flows":0,"total-l4-payload-len":2957,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1144004399898338} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038704 bytes -~~ total memory freed........: 6038704 bytes -~~ total allocations/frees...: 121523/121523 +~~ total memory allocated....: 6038840 bytes +~~ total memory freed........: 6038840 bytes +~~ total allocations/frees...: 121524/121524 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1776 chars -~~ json string avg len.......: 1071 chars +~~ json string max len.......: 2175 chars +~~ json string avg len.......: 1246 chars diff --git a/test/results/kontiki.pcap.out b/test/results/kontiki.pcap.out index 64d7d2ff2..4ad6db3da 100644 --- a/test/results/kontiki.pcap.out +++ b/test/results/kontiki.pcap.out @@ -26,7 +26,7 @@ 00722{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":12,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1213662198701406,"flow_src_last_pkt_time":1213662198701406,"flow_dst_last_pkt_time":1213662198701406,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1213662198701406,"l3_proto":"ip4","src_ip":"4.79.219.125","dst_ip":"10.25.32.59","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3} 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1213662198701406,"flow_dst_last_pkt_time":1213662198701406,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1213662198701406,"pkt":"ABVYKKDoANAreRD8CABFwAA4\/Y8AAPoBuFQET9t9ChkgOwsADhsAAAAARQAAIA+mAAABEaq1ChkgO0DIlFZN7CK4AAx2NA=="} 00847{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":12,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1213662198701406,"flow_src_last_pkt_time":1213662198701406,"flow_dst_last_pkt_time":1213662198701406,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1213662198701406,"l3_proto":"ip4","src_ip":"4.79.219.125","dst_ip":"10.25.32.59","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.321296}} -01854{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":41,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1213662198289578,"flow_src_last_pkt_time":1213662198988100,"flow_dst_last_pkt_time":1213662198992190,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":4,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":217,"flow_dst_max_l4_payload_len":1241,"flow_src_tot_l4_payload_len":591,"flow_dst_tot_l4_payload_len":24254,"midstream":0,"thread_ts_usec":1213662198992190,"l3_proto":"ip4","src_ip":"10.25.32.59","dst_ip":"64.200.148.86","src_port":19948,"dst_port":8888,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":45197.9,"max":607738,"stddev":118031.4,"var":13931400192.0,"ent":2.6,"data": [198615,212422,193796,607738,3074,5780,31191,29960,8831,9093,72,244,17,19380,18261,96,127,127,114,15289,14893,16,235,114,13,97,15924,15357,18,115,125]},"pktlen": {"min":46,"avg":818.4,"max":1283,"stddev":568.0,"var":322604.6,"ent":4.5,"data": [46,46,46,62,70,259,513,246,218,132,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,58,1283,1283,1283,1283,1283,1283,58,1283,1283,1283,1283]},"bins": {"c_to_s": [7,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,0,1,0,1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,1]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Kontiki","proto_id":"32","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} +02253{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":41,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1213662198289578,"flow_src_last_pkt_time":1213662198988100,"flow_dst_last_pkt_time":1213662198992190,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":4,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":217,"flow_dst_max_l4_payload_len":1241,"flow_src_tot_l4_payload_len":591,"flow_dst_tot_l4_payload_len":24254,"midstream":0,"thread_ts_usec":1213662198992190,"l3_proto":"ip4","src_ip":"10.25.32.59","dst_ip":"64.200.148.86","src_port":19948,"dst_port":8888,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":45197.9,"max":607738,"stddev":118031.4,"var":13931400192.0,"ent":2.6,"data": [198615,212422,193796,607738,3074,5780,31191,29960,8831,9093,72,244,17,19380,18261,96,127,127,114,15289,14893,16,235,114,13,97,15924,15357,18,115,125]},"pktlen": {"min":32,"avg":804.4,"max":1269,"stddev":568.0,"var":322604.6,"ent":4.5,"data": [32,32,32,48,56,245,499,232,204,118,1269,1269,1269,1269,44,1269,1269,1269,1269,1269,44,1269,1269,1269,1269,1269,1269,44,1269,1269,1269,1269]},"bins": {"c_to_s": [7,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,0,1,0,1,0,1,1,1,1,0,1,1,1,1,1,0,1,1,1,1,1,1,0,1,1,1,1],"entropies": [4.327819824,4.390319824,4.390319824,4.808207035,5.107008457,6.254767418,7.256530285,7.013645172,6.874151707,6.231850147,7.871051788,7.843012333,7.837141991,7.838663578,4.925117970,7.837912083,7.840578079,7.843400478,7.848168850,7.821814060,4.879663467,7.851324558,7.825254917,7.844458103,7.841213703,7.862925529,7.835451603,4.925117970,7.832023621,7.834714890,7.855443478,7.864355564]},"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Kontiki","proto_id":"32","encrypted":0,"breed":"Potentially Dangerous","category_id":1,"category":"Media"}} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1173,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1213662200284689,"flow_dst_last_pkt_time":1213662198298123,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1213662200284689,"pkt":"AAAMB6wIABVYKKDoCABFAAAwEAgAACARi0EKGSA7QMiUWE3sAFAAHLz5AgUiAE9LWIs\/euHNAAAE5AIEAQA="} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1174,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1213662200285056,"flow_dst_last_pkt_time":1213662198298679,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1213662200285056,"pkt":"ABVYKKDoANABJAf8CABFAAA4wRIAAP8BpkIKGSADChkgOwMN8aAAAAAARQAAMBAIAAAfEYxBChkgO0DIlFhN7ABQABy8+Q=="} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2709,"source":"kontiki.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1213662202284851,"flow_dst_last_pkt_time":1213662198298123,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":62,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":62,"pkt_l4_len":28,"thread_ts_usec":1213662202284851,"pkt":"AAAMB6wIABVYKKDoCABFAAAwEJ8AACARiqoKGSA7QMiUWE3sAFAAHLz5AgUiAE9LWIs\/euHNAAAE5AIEAQA="} @@ -50,10 +50,10 @@ ~~ total active/idle flows...: 8/8 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6142362 bytes -~~ total memory freed........: 6142362 bytes -~~ total allocations/frees...: 124845/124845 +~~ total memory allocated....: 6143450 bytes +~~ total memory freed........: 6143450 bytes +~~ total allocations/frees...: 124853/124853 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1859 chars -~~ json string avg len.......: 1174 chars +~~ json string max len.......: 2258 chars +~~ json string avg len.......: 1374 chars diff --git a/test/results/lisp_registration.pcap.out b/test/results/lisp_registration.pcap.out index 64a593287..438db3d4b 100644 --- a/test/results/lisp_registration.pcap.out +++ b/test/results/lisp_registration.pcap.out @@ -33,9 +33,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6045479 bytes -~~ total memory freed........: 6045479 bytes -~~ total allocations/frees...: 121549/121549 +~~ total memory allocated....: 6046023 bytes +~~ total memory freed........: 6046023 bytes +~~ total allocations/frees...: 121553/121553 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 502 chars ~~ json string max len.......: 916 chars diff --git a/test/results/log4j-webapp-exploit.pcap.out b/test/results/log4j-webapp-exploit.pcap.out index 45e3282bc..2dd33db10 100644 --- a/test/results/log4j-webapp-exploit.pcap.out +++ b/test/results/log4j-webapp-exploit.pcap.out @@ -28,7 +28,7 @@ 00345{"packet_event_id":1,"packet_event_name":"packet","packet_id":35,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":44,"pkt_type":2054,"pkt_l3_offset":16,"pkt_l4_offset":0,"pkt_len":44,"pkt_l4_len":0,"thread_ts_usec":1639425815944860,"pkt":"AAAAAQAGAkJ2jzQWAAAIBgABCAAGBAABAkJ2jzQWrBDuAQAAAAAAAKwQ7go="} 00200{"error_event_id":2,"error_event_name":"Unknown L3 protocol","datalink":113,"packet_id":36,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","protocol":2054,"global_ts_usec":1639425820869752} 00345{"packet_event_id":1,"packet_event_name":"packet","packet_id":36,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":44,"pkt_type":2054,"pkt_l3_offset":16,"pkt_l4_offset":0,"pkt_len":44,"pkt_l4_len":0,"thread_ts_usec":1639425815944860,"pkt":"AAQAAQAGAkKsEO4KAAAIBgABCAAGBAACAkKsEO4KrBDuCgJCdo80FqwQ7gE="} -01509{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":65,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1639425815944677,"flow_src_last_pkt_time":1639425823295194,"flow_dst_last_pkt_time":1639425823295146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":1639425823295194,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":46,"avg":474225.3,"max":7288582,"stddev":1789599.0,"var":3202664366080.0,"ent":1.1,"data": [143,183,7288581,7288582,60489,60668,256,174,116,102,89,87,86,86,151,159,99,144,121,87,73,51,50,48,47,46,47,47,47,46,81]},"pktlen": {"min":68,"avg":69.5,"max":76,"stddev":2.2,"var":4.6,"ent":5.0,"data": [76,76,68,71,68,69,68,69,68,69,68,69,68,69,68,69,68,69,68,71,68,73,68,71,68,71,68,71,68,71,68,71]},"bins": {"c_to_s": [17,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}} +01908{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":65,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1639425815944677,"flow_src_last_pkt_time":1639425823295194,"flow_dst_last_pkt_time":1639425823295146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":1639425823295194,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":46,"avg":474225.3,"max":7288582,"stddev":1789599.0,"var":3202664366080.0,"ent":1.1,"data": [143,183,7288581,7288582,60489,60668,256,174,116,102,89,87,86,86,151,159,99,144,121,87,73,51,50,48,47,46,47,47,47,46,81]},"pktlen": {"min":52,"avg":53.5,"max":60,"stddev":2.2,"var":4.6,"ent":5.0,"data": [60,60,52,55,52,53,52,53,52,53,52,53,52,53,52,53,52,53,52,55,52,57,52,55,52,55,52,55,52,55,52,55]},"bins": {"c_to_s": [17,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [4.511636257,5.106626511,4.986606121,5.071912289,4.895165443,4.975576401,4.895165443,4.975576401,4.818242550,4.937840462,4.895165443,4.975576401,4.895165443,4.975576401,4.895165443,4.937840462,4.856703758,4.937840462,4.856703758,4.947280407,4.856703758,5.028079987,4.803725243,5.020007610,4.856703758,4.983644009,4.856703758,5.020007610,4.856703758,5.020007610,4.856703758,4.910916805]}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":65,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1639425815944677,"flow_src_last_pkt_time":1639425823295194,"flow_dst_last_pkt_time":1639425823295146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":5,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":1639425823295194,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"10.10.10.31","src_port":55408,"dst_port":9001,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00771{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":395,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1639425834628601,"flow_src_last_pkt_time":1639425834628601,"flow_dst_last_pkt_time":1639425834628601,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639425834628601,"l3_proto":"ip4","src_ip":"172.16.238.10","dst_ip":"172.16.238.11","src_port":57742,"dst_port":1389,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":395,"source":"log4j-webapp-exploit.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1639425834628601,"flow_dst_last_pkt_time":1639425834628601,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":76,"pkt_l4_len":40,"thread_ts_usec":1639425834628601,"pkt":"AAQAAQAGAkKsEO4KAAAIAEUAADxNdkAAQAa5DqwQ7gqsEO4L4Y4FbXfaWIQAAAAAoAJyEDRmAAACBAW0BAIICvIpXGkAAAAAAQMDBw=="} @@ -61,10 +61,10 @@ ~~ total active/idle flows...: 7/7 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6064195 bytes -~~ total memory freed........: 6064195 bytes -~~ total allocations/frees...: 121991/121991 +~~ total memory allocated....: 6065147 bytes +~~ total memory freed........: 6065147 bytes +~~ total allocations/frees...: 121998/121998 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 204 chars -~~ json string max len.......: 1514 chars -~~ json string avg len.......: 858 chars +~~ json string max len.......: 1913 chars +~~ json string avg len.......: 1057 chars diff --git a/test/results/long_tls_certificate.pcap.out b/test/results/long_tls_certificate.pcap.out index 37ce83b17..c35d8ce81 100644 --- a/test/results/long_tls_certificate.pcap.out +++ b/test/results/long_tls_certificate.pcap.out @@ -7,7 +7,7 @@ 01074{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756181681181,"flow_dst_last_pkt_time":1609756181671657,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1609756181681181,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01136{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756181681181,"flow_dst_last_pkt_time":1609756182035428,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1609756182035428,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 05273{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182035731,"flow_dst_last_pkt_time":1609756182035821,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":6858,"midstream":0,"thread_ts_usec":1609756182035821,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","server_names":"*.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2","subjectDN":"C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com","alpn":"h2,http\/1.1","fingerprint":"2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA"}}} -01574{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":87039.9,"max":370939,"stddev":130477.0,"var":17024251904.0,"ent":3.4,"data": [370788,370939,9373,360927,2844,76,70,354425,123,125,124,131,8073,8089,5763,200299,194564,174299,34,174324,4,2275,71,66,101,117,94097,91476,274609,24,6]},"pktlen": {"min":54,"avg":384.7,"max":1506,"stddev":546.6,"var":298744.2,"ent":3.8,"data": [78,78,54,571,60,1506,1506,1506,54,1506,54,1104,54,1104,66,180,1506,66,105,123,54,54,107,110,96,128,92,123,66,66,66,66]},"bins": {"c_to_s": [10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,1]}} +01970{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":87039.9,"max":370939,"stddev":130477.0,"var":17024251904.0,"ent":3.4,"data": [370788,370939,9373,360927,2844,76,70,354425,123,125,124,131,8073,8089,5763,200299,194564,174299,34,174324,4,2275,71,66,101,117,94097,91476,274609,24,6]},"pktlen": {"min":40,"avg":370.7,"max":1492,"stddev":546.6,"var":298744.2,"ent":3.7,"data": [64,64,40,557,46,1492,1492,1492,40,1492,40,1090,40,1090,52,166,1492,52,91,109,40,40,93,96,82,114,78,109,52,52,52,52]},"bins": {"c_to_s": [10,4,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0,0,0,0,0,0,0,1,0,1,1,1],"entropies": [4.353732109,4.287687778,4.680641651,4.404402256,4.565872192,6.234030724,4.660021305,4.709488392,4.630641460,6.835905075,4.680641651,7.511188984,4.580641747,7.512306690,4.740514278,6.280318737,6.238153934,4.870416164,5.914383888,6.170372486,4.680641651,4.680641651,5.707346439,5.695815086,5.241580486,6.007335186,5.319273472,6.145098209,4.778975964,5.063529015,5.025067329,5.063529015]}} 05275{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756182512712,"flow_dst_last_pkt_time":1609756182787262,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":906,"flow_dst_tot_l4_payload_len":9549,"midstream":0,"thread_ts_usec":1609756182787262,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"beacon-api.aliyuncs.com","tls": {"version":"TLSv1.2","server_names":"*.aliyun.com,manager.channel.aliyun.com,*.ace.aliyun.com,*.acs-internal.aliyuncs.com,*.acs.aliyun.com,*.aicrowd.aliyun.com,*.alibabacloud.co.in,*.alibabacloud.com,*.alibabacloud.com.au,*.alibabacloud.com.hk,*.alibabacloud.com.my,*.alibabacloud.com.sg,*.alibabacloud.com.tw,*.alicdn.com,*.alicloud.com,*.aligroup.aliyun.com,*.alimei.com,*.alink.aliyun.com,*.alios.aliyuncs.com,*.aliplus.com,*.alitranx.aliyun.com,*.aliyun-iot-share.com,*.aliyuncs.com,*.alyms.cn,*.ap-northeast-1.aliyuncs.com,*.ap-south-1.aliyuncs.com,*.ap-southeast-1.aliyuncs.com,*.ap-southeast-2.aliyuncs.com,*.ap-southeast-3.aliyuncs.com,*.ap-southeast-5.aliyuncs.com,*.api.aliyun.com,*.apm.aliyun.com,*.app.aliyun.com,*.asmlink.cn,*.banma.aliyuncs.com,*.base.shuju.aliyun.com,*.bi.aliyun.com,*.biz.aliyun.com,*.bridge.aliyun.com,*.ccc.aliyuncs.com,*.center.aliyun.com,*.citybrain.aliyun.com,*.cloudapp.aliyun.com,*.cloudeagle.cn,*.cloudgame.aliyun.com,*.cn-beijing.aliyuncs.com,*.cn-chengdu.aliyuncs.com,*.cn-guizhou.aliyuncs.com,*.cn-haidian.aliyuncs.com,*.cn-hangzhou-finance.aliyuncs.com,*.cn-hangzhou.aliyuncs.com,*.cn-hongkong.aliyuncs.com,*.cn-huhehaote.aliyuncs.com,*.cn-ningxia.aliyuncs.com,*.cn-north-2-gov-1.aliyuncs.com,*.cn-qingdao-nebula.aliyuncs.com,*.cn-qingdao.aliyuncs.com,*.cn-shanghai-finance-1.aliyuncs.com,*.cn-shanghai.aliyun.com,*.cn-shanghai.aliyuncs.com,*.cn-shenzhen-cloudstone.aliyuncs.com,*.cn-shenzhen-finance-1.aliyuncs.com,*.cn-shenzhen.aliyuncs.com,*.cn-sichuan.aliyuncs.com,*.cn-zhangjiakou.aliyuncs.com,*.connect.aliyun.com,*.console.alibabacloud.com,*.console.alicloud.com,*.console.aliyun.com,*.cs.aliyun.com,*.cschat-ccs.aliyun.com,*.data.aliyun.com,*.dataapi.aliyun.com,*.dataq.aliyuncs.com,*.datav.aliyun.com,*.datav.aliyuncs.com,*.devlops.aliyun.com,*.devops.aliyun.com,*.ditu.aliyun.com,*.domain.aliyun.com,*.dyiot.aliyun.com,*.ebs.aliyun.com,*.emas.aliyun.com,*.emr.aliyun.com,*.enterprise.aliyun.com,*.env.aliyun.com,*.et-industry.aliyun.com,*.eu-central-1.aliyuncs.com,*.eu-west-1.aliyuncs.com,*.fc.aliyun.com,*.feedback.console.aliyun.com,*.gts-x.aliyun.com,*.gts.aliyun.com,*.help-ccs.aliyun.com,*.ialicdn.com,*.in-mumbai.aliyuncs.com,*.iot.aliyun.com,*.jp-fudao.aliyuncs.com,*.linkedmall.aliyun.com,*.linkwan.aliyun.com,*.living.aliyun.com,*.luban.aliyun.com,*.m.aliyun.com,*.market.aliyun.com,*.maxcompute.aliyun.com,*.me-east-1.aliyuncs.com,*.media.aliyun.com,*.microdingtalk.aliyun.com,*.mit.aliyun.com,*.mobile.aliyun.com,*.msea.aliyun.com,*.mts.aliyun.com,*.mvp.aliyun.com,*.nebula.aliyun.com,*.nls.aliyuncs.com,*.odps.aliyun.com,*.ons.aliyun.com,*.ose.aliyun.com,*.pai.data.aliyun.com,*.pcs-gw-cn-beijing.aliyun.com,*.pcs-gw-cn-shanghai.aliyun.com,*.phpwind.com,*.phpwind.net,*.pre-sg-purchase.aliyun.com,*.prepub.aliyun.com,*.product.center.aliyun.com,*.pts.aliyun.com,*.r-app-cn-beijing-data.aliyun.com,*.r-app-cn-hangzhou-data.aliyun.com,*.r-app-cn-shenzhen-data.aliyun.com,*.r-app-data.aliyun.com,*.rdc.aliyun.com,*.rds.aliyun.com,*.reid.aliyun.com,*.sc-cmdb.aliyuncs.com,*.scsp.aliyun.com,*.sg.aliyuncs.com,*.shuju.aliyun.com,*.smart.aliyun.com,*.soc.aliyun.com,*.soc.aliyuncs.com,*.sparenode.com,*.supet.com,*.tburl.in,*.teambition.com,*.teambition.net,*.teambitionapis.com,*.tianchi.aliyun.com,*.toolkit.aliyun.com,*.tv.aliyun.com,*.tw-gaoxiong.aliyuncs.com,*.us-east-1.aliyuncs.com,*.us-west-1.aliyuncs.com,*.webide.aliyun.com,*.yuntu.aliyun.com,account.www.net.cn,alibabacloud.co.in,alibabacloud.com,alibabacloud.com.au,alibabacloud.com.hk,alibabacloud.com.my,alibabacloud.com.sg,alibabacloud.com.tw,alicdn.com,alicloud.com,alimei.com,aliyun-iot-share.com,aliyuncs.com,dc.www.net.cn,dmp.www.net.cn,dns.www.net.cn,panda.www.net.cn,pandavip.www.net.cn,phpwind.com,phpwind.net,scdnphi6.com,sparenode.com,supet.com,tburl.in,teambition.com,teambition.net,teambitionapis.com,tianchi-global.com,whois.www.net.cn,aliyun.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"eee3d2bf5f17d17548ac36ba1872951f","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign Organization Validation CA - SHA256 - G2","subjectDN":"C=CN, ST=ZheJiang, L=HangZhou, O=Alibaba (China) Technology Co., Ltd., CN=*.aliyun.com","alpn":"h2,http\/1.1","fingerprint":"2B:C6:82:22:E9:94:09:24:34:E1:5C:F1:24:76:98:75:45:78:53:DA"}}} 00931{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":47,"source":"long_tls_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":23,"flow_first_seen":1609756181300869,"flow_src_last_pkt_time":1609756183156414,"flow_dst_last_pkt_time":1609756183162351,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1073,"flow_dst_tot_l4_payload_len":11027,"midstream":0,"thread_ts_usec":1609756183162351,"l3_proto":"ip4","src_ip":"192.168.1.60","dst_ip":"106.15.100.123","src_port":55333,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Alibaba","proto_id":"91.274","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00573{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":47,"source":"long_tls_certificate.pcap","alias":"nDPId-test","packets-captured":47,"packets-processed":47,"total-skipped-flows":0,"total-l4-payload-len":12100,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1609756183162351} @@ -19,9 +19,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6436320 bytes -~~ total memory freed........: 6436320 bytes -~~ total allocations/frees...: 121728/121728 +~~ total memory allocated....: 6436456 bytes +~~ total memory freed........: 6436456 bytes +~~ total allocations/frees...: 121729/121729 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 505 chars ~~ json string max len.......: 5280 chars diff --git a/test/results/malformed_dns.pcap.out b/test/results/malformed_dns.pcap.out index 4a812a014..4139ed169 100644 --- a/test/results/malformed_dns.pcap.out +++ b/test/results/malformed_dns.pcap.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035862 bytes -~~ total memory freed........: 6035862 bytes -~~ total allocations/frees...: 121495/121495 +~~ total memory allocated....: 6035998 bytes +~~ total memory freed........: 6035998 bytes +~~ total allocations/frees...: 121496/121496 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 2714 chars diff --git a/test/results/malformed_icmp.pcap.out b/test/results/malformed_icmp.pcap.out index d0494e4f9..2e7d34f2a 100644 --- a/test/results/malformed_icmp.pcap.out +++ b/test/results/malformed_icmp.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035670 bytes -~~ total memory freed........: 6035670 bytes -~~ total allocations/frees...: 121488/121488 +~~ total memory allocated....: 6035806 bytes +~~ total memory freed........: 6035806 bytes +~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars ~~ json string max len.......: 1001 chars diff --git a/test/results/malware.pcap.out b/test/results/malware.pcap.out index b1432975c..fdfbfbc74 100644 --- a/test/results/malware.pcap.out +++ b/test/results/malware.pcap.out @@ -37,9 +37,9 @@ ~~ total active/idle flows...: 5/5 ~~ total timeout flows.......: 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6084283 bytes -~~ total memory freed........: 6084283 bytes -~~ total allocations/frees...: 121617/121617 +~~ total memory allocated....: 6084963 bytes +~~ total memory freed........: 6084963 bytes +~~ total allocations/frees...: 121622/121622 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2676 chars diff --git a/test/results/memcached.cap.out b/test/results/memcached.cap.out index 857db8bd3..1f3d0e32f 100644 --- a/test/results/memcached.cap.out +++ b/test/results/memcached.cap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037979 bytes -~~ total memory freed........: 6037979 bytes -~~ total allocations/frees...: 121498/121498 +~~ total memory allocated....: 6038115 bytes +~~ total memory freed........: 6038115 bytes +~~ total allocations/frees...: 121499/121499 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 909 chars diff --git a/test/results/mgcp.pcapng.out b/test/results/mgcp.pcapng.out index efbd61195..1416cca87 100644 --- a/test/results/mgcp.pcapng.out +++ b/test/results/mgcp.pcapng.out @@ -23,9 +23,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037845 bytes -~~ total memory freed........: 6037845 bytes -~~ total allocations/frees...: 121517/121517 +~~ total memory allocated....: 6038117 bytes +~~ total memory freed........: 6038117 bytes +~~ total allocations/frees...: 121519/121519 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 906 chars diff --git a/test/results/modbus.pcap.out b/test/results/modbus.pcap.out index 66036a8cc..79e6fe516 100644 --- a/test/results/modbus.pcap.out +++ b/test/results/modbus.pcap.out @@ -5,7 +5,7 @@ 00868{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541953927963,"flow_dst_last_pkt_time":1223541953927963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1223541953927963,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1223541953927963,"flow_dst_last_pkt_time":1223541953929098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1223541953929098,"pkt":"AArkxYMKABzAX0kKCABFAAAzO9pAAIAGYIzAqG6KwKhugwH2CBrhFTrOQdLq0lAY++v\/BAAAANEAAAAFAQMCAAA="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1223541953929171,"flow_dst_last_pkt_time":1223541953929098,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1223541953929171,"pkt":"ABzAX0kKAArkxYMKCABFAAA0i\/5AAIAGEGfAqG6DwKhuiggaAfZB0urS4RU62VAY\/LsAJgAAANIAAAAGAQMAAAAB"} -01717{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541960939284,"flow_dst_last_pkt_time":1223541960940128,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":11,"flow_src_tot_l4_payload_len":192,"flow_dst_tot_l4_payload_len":176,"midstream":1,"thread_ts_usec":1223541960940128,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":835,"avg":452370.5,"max":1014211,"stddev":497296.8,"var":247304159232.0,"ent":3.8,"data": [1135,1208,905,1013603,1014211,1539,891,986516,986873,1217,900,1000224,1000513,1187,905,1000230,1000558,1232,911,1000222,1000609,1645,915,999845,1000447,1173,835,1000242,1000645,1238,912]},"pktlen": {"min":65,"avg":65.5,"max":66,"stddev":0.5,"var":0.2,"ent":5.0,"data": [66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65,66,65]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} +02116{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541960939284,"flow_dst_last_pkt_time":1223541960940128,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":11,"flow_src_tot_l4_payload_len":192,"flow_dst_tot_l4_payload_len":176,"midstream":1,"thread_ts_usec":1223541960940128,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":835,"avg":452370.5,"max":1014211,"stddev":497296.8,"var":247304159232.0,"ent":3.8,"data": [1135,1208,905,1013603,1014211,1539,891,986516,986873,1217,900,1000224,1000513,1187,905,1000230,1000558,1232,911,1000222,1000609,1645,915,999845,1000447,1173,835,1000242,1000645,1238,912]},"pktlen": {"min":51,"avg":51.5,"max":52,"stddev":0.5,"var":0.2,"ent":5.0,"data": [52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51,52,51]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.526987553,4.730195045,4.438603878,4.877732754,4.429176807,4.636961937,4.429176331,4.877732754,4.622483730,4.730195045,4.589393616,4.838517189,4.622483730,4.730195045,4.550931931,4.916948318,4.569504738,4.769410610,4.627855301,4.916948318,4.622483730,4.730195045,4.627855301,4.916948795,4.622483730,4.769410610,4.627855301,4.862931252,4.607966423,4.769410610,4.627855301,4.916948318]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00915{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":102,"source":"modbus.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":51,"flow_dst_packets_processed":51,"flow_first_seen":1223541953927963,"flow_src_last_pkt_time":1223541977036283,"flow_dst_last_pkt_time":1223541977037227,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":11,"flow_src_tot_l4_payload_len":612,"flow_dst_tot_l4_payload_len":561,"midstream":1,"thread_ts_usec":1223541977037227,"l3_proto":"ip4","src_ip":"192.168.110.131","dst_ip":"192.168.110.138","src_port":2074,"dst_port":502,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Modbus","proto_id":"44","encrypted":0,"breed":"Acceptable","category_id":31,"category":"IoT-Scada"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":102,"source":"modbus.pcap","alias":"nDPId-test","packets-captured":102,"packets-processed":102,"total-skipped-flows":0,"total-l4-payload-len":1173,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1223541977037227} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038599 bytes -~~ total memory freed........: 6038599 bytes -~~ total allocations/frees...: 121589/121589 +~~ total memory allocated....: 6038735 bytes +~~ total memory freed........: 6038735 bytes +~~ total allocations/frees...: 121590/121590 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1722 chars -~~ json string avg len.......: 1051 chars +~~ json string max len.......: 2121 chars +~~ json string avg len.......: 1226 chars diff --git a/test/results/monero.pcap.out b/test/results/monero.pcap.out index 4d5bbf944..816ed7160 100644 --- a/test/results/monero.pcap.out +++ b/test/results/monero.pcap.out @@ -10,8 +10,8 @@ 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1514196196437568,"flow_dst_last_pkt_time":1514196196745688,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1514196196745688,"pkt":"cIXCQ0+ifmgbW\/gUCABFAAA0AABAACEGefF006fDwKgClA0F0lYVgl9O8ygDlIASchDSRAAAAgQFpAEBBAIBAwMH"} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":18,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1514196196745729,"flow_dst_last_pkt_time":1514196196745688,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1514196196745729,"pkt":"fmgbW\/gUcIXCQ0+iCABFAAAoltdAAEAGxCXAqAKUdNOnw9JWDQXzKAOUFYJfT1AQAOWEMgAA"} 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514196196745906,"flow_dst_last_pkt_time":1514196196745688,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":98,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":98,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1514196196745906,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -01980{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"monero.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196188350524,"flow_src_last_pkt_time":1514196304559034,"flow_dst_last_pkt_time":1514196304640605,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":8887,"flow_dst_tot_l4_payload_len":914,"midstream":0,"thread_ts_usec":1514196304640605,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"94.23.199.191","src_port":46838,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":7499954.5,"max":71693099,"stddev":18613570.0,"var":346464978993152.0,"ent":2.4,"data": [80304,80325,101,83178,13,83088,126,80997,13,80884,278,117985,882322,1042483,71569648,189,71693099,19,725,81617,32242169,176,32323370,1466,82454,7432953,7432942,3511834,196,3592651,986]},"pktlen": {"min":66,"avg":372.8,"max":1514,"stddev":549.1,"var":301531.9,"ent":3.8,"data": [74,74,66,164,66,128,66,161,104,185,66,126,66,376,66,1514,1496,66,66,91,66,1514,1496,66,91,66,376,66,1514,1496,66,91]},"bins": {"c_to_s": [8,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,3,0,0],"s_to_c": [10,2,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,0,0,1,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -02031{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514196705571136,"flow_dst_last_pkt_time":1514196705879789,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":3127,"flow_dst_tot_l4_payload_len":2699,"midstream":0,"thread_ts_usec":1514196705879789,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":32857284.0,"max":170525395,"stddev":51784400.0,"var":2681624034541568.0,"ent":3.4,"data": [308120,308161,177,308150,13,308019,704,308743,11,308008,83,346736,653907,1043085,114411206,114368750,308565,308538,36863210,36863172,20419867,20419875,170525387,170525395,113243496,113243486,35871285,35871309,15564630,176,15873525]},"pktlen": {"min":54,"avg":237.6,"max":1498,"stddev":347.6,"var":120860.4,"ent":4.1,"data": [74,66,54,152,60,116,54,147,92,173,54,114,60,364,54,364,54,364,54,364,54,364,54,364,54,364,54,364,54,1498,1486,60]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0],"s_to_c": [4,2,0,1,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02378{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"monero.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196188350524,"flow_src_last_pkt_time":1514196304559034,"flow_dst_last_pkt_time":1514196304640605,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":8887,"flow_dst_tot_l4_payload_len":914,"midstream":0,"thread_ts_usec":1514196304640605,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"94.23.199.191","src_port":46838,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":7499954.5,"max":71693099,"stddev":18613570.0,"var":346464978993152.0,"ent":2.4,"data": [80304,80325,101,83178,13,83088,126,80997,13,80884,278,117985,882322,1042483,71569648,189,71693099,19,725,81617,32242169,176,32323370,1466,82454,7432953,7432942,3511834,196,3592651,986]},"pktlen": {"min":52,"avg":358.8,"max":1500,"stddev":549.1,"var":301531.9,"ent":3.7,"data": [60,60,52,150,52,114,52,147,90,171,52,112,52,362,52,1500,1482,52,52,77,52,1500,1482,52,77,52,362,52,1500,1482,52,77]},"bins": {"c_to_s": [8,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,3,0,0],"s_to_c": [10,2,0,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,0,1,1,1,0,0,0,1,1,0,1,0,0,0,1,1],"entropies": [4.738464355,5.302482605,5.065449715,5.825911522,5.284871101,5.736679077,5.286791801,6.057295799,5.694644451,5.918534279,5.132945061,5.778033257,5.323332787,4.963134289,5.171406746,4.527909756,4.270138264,5.323332787,5.262846947,5.685556889,5.209868431,4.535019398,4.275704384,5.378232002,5.701727867,5.248330116,4.888409138,5.209868431,4.529169559,4.269546032,5.378231525,5.685557365]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02430{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":159,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514196705571136,"flow_dst_last_pkt_time":1514196705879789,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":3127,"flow_dst_tot_l4_payload_len":2699,"midstream":0,"thread_ts_usec":1514196705879789,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":32857284.0,"max":170525395,"stddev":51784400.0,"var":2681624034541568.0,"ent":3.4,"data": [308120,308161,177,308150,13,308019,704,308743,11,308008,83,346736,653907,1043085,114411206,114368750,308565,308538,36863210,36863172,20419867,20419875,170525387,170525395,113243496,113243486,35871285,35871309,15564630,176,15873525]},"pktlen": {"min":40,"avg":223.6,"max":1484,"stddev":347.6,"var":120860.4,"ent":3.9,"data": [60,52,40,138,46,102,40,133,78,159,40,100,46,350,40,350,40,350,40,350,40,350,40,350,40,350,40,350,40,1484,1472,46]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0],"s_to_c": [4,2,0,1,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,0,1],"entropies": [4.792549610,4.894361019,4.784183979,5.672497272,4.457919598,5.436998844,4.834184170,5.898036003,5.357152462,5.674209595,4.784183979,5.535918236,4.457919598,4.810117245,4.834183693,4.788737297,4.784183979,4.732345104,4.834184170,4.767374516,4.831687450,4.791436195,4.931686878,4.784672737,4.931686878,4.672215462,4.881687164,4.744033337,4.812814713,4.485110283,4.206100941,4.457919598]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":199,"source":"monero.pcap","alias":"nDPId-test","packets-captured":199,"packets-processed":198,"total-skipped-flows":0,"total-l4-payload-len":82647,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":1514196819733875} 01148{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":319,"source":"monero.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":23,"flow_first_seen":1514196196437568,"flow_src_last_pkt_time":1514197261597871,"flow_dst_last_pkt_time":1514197261597824,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":3127,"flow_dst_tot_l4_payload_len":4584,"midstream":0,"thread_ts_usec":1514197279769698,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"116.211.167.195","src_port":53846,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 01150{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":319,"source":"monero.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":159,"flow_dst_packets_processed":113,"flow_first_seen":1514196188350524,"flow_src_last_pkt_time":1514197279769698,"flow_dst_last_pkt_time":1514197279769664,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":310,"flow_src_tot_l4_payload_len":132641,"flow_dst_tot_l4_payload_len":5738,"midstream":0,"thread_ts_usec":1514197279769698,"l3_proto":"ip4","src_ip":"192.168.2.148","dst_ip":"94.23.199.191","src_port":46838,"dst_port":3333,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} @@ -24,10 +24,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6058844 bytes -~~ total memory freed........: 6058844 bytes -~~ total allocations/frees...: 121820/121820 +~~ total memory allocated....: 6059116 bytes +~~ total memory freed........: 6059116 bytes +~~ total allocations/frees...: 121822/121822 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 2036 chars -~~ json string avg len.......: 1255 chars +~~ json string max len.......: 2435 chars +~~ json string avg len.......: 1452 chars diff --git a/test/results/mongo_false_positive.pcapng.out b/test/results/mongo_false_positive.pcapng.out index 777bacf7d..219b52b08 100644 --- a/test/results/mongo_false_positive.pcapng.out +++ b/test/results/mongo_false_positive.pcapng.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038415 bytes -~~ total memory freed........: 6038415 bytes -~~ total allocations/frees...: 121513/121513 +~~ total memory allocated....: 6038551 bytes +~~ total memory freed........: 6038551 bytes +~~ total allocations/frees...: 121514/121514 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 507 chars ~~ json string max len.......: 1803 chars diff --git a/test/results/mongodb.pcap.out b/test/results/mongodb.pcap.out index 4dbd5d9f0..a13ba0c23 100644 --- a/test/results/mongodb.pcap.out +++ b/test/results/mongodb.pcap.out @@ -43,9 +43,9 @@ ~~ total active/idle flows...: 5/5 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6045052 bytes -~~ total memory freed........: 6045052 bytes -~~ total allocations/frees...: 121558/121558 +~~ total memory allocated....: 6045732 bytes +~~ total memory freed........: 6045732 bytes +~~ total allocations/frees...: 121563/121563 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 1040 chars diff --git a/test/results/mpeg-dash.pcap.out b/test/results/mpeg-dash.pcap.out index bef9b585a..26131b4bb 100644 --- a/test/results/mpeg-dash.pcap.out +++ b/test/results/mpeg-dash.pcap.out @@ -33,9 +33,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6041395 bytes -~~ total memory freed........: 6041395 bytes -~~ total allocations/frees...: 121539/121539 +~~ total memory allocated....: 6041939 bytes +~~ total memory freed........: 6041939 bytes +~~ total allocations/frees...: 121543/121543 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 2464 chars diff --git a/test/results/mpeg.pcap.out b/test/results/mpeg.pcap.out index e3d911af9..5f61d73aa 100644 --- a/test/results/mpeg.pcap.out +++ b/test/results/mpeg.pcap.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036250 bytes -~~ total memory freed........: 6036250 bytes -~~ total allocations/frees...: 121509/121509 +~~ total memory allocated....: 6036386 bytes +~~ total memory freed........: 6036386 bytes +~~ total allocations/frees...: 121510/121510 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 1027 chars diff --git a/test/results/mpegts.pcap.out b/test/results/mpegts.pcap.out index 66bee8352..086fc382e 100644 --- a/test/results/mpegts.pcap.out +++ b/test/results/mpegts.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035642 bytes -~~ total memory freed........: 6035642 bytes -~~ total allocations/frees...: 121487/121487 +~~ total memory allocated....: 6035778 bytes +~~ total memory freed........: 6035778 bytes +~~ total allocations/frees...: 121488/121488 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 2781 chars diff --git a/test/results/mqtt.pcap.out b/test/results/mqtt.pcap.out index 3e1596b19..5fa24af9e 100644 --- a/test/results/mqtt.pcap.out +++ b/test/results/mqtt.pcap.out @@ -19,9 +19,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037526 bytes -~~ total memory freed........: 6037526 bytes -~~ total allocations/frees...: 121506/121506 +~~ total memory allocated....: 6037798 bytes +~~ total memory freed........: 6037798 bytes +~~ total allocations/frees...: 121508/121508 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 916 chars diff --git a/test/results/mssql_tds.pcap.out b/test/results/mssql_tds.pcap.out index 182624146..1d08d9c78 100644 --- a/test/results/mssql_tds.pcap.out +++ b/test/results/mssql_tds.pcap.out @@ -66,9 +66,9 @@ ~~ total active/idle flows...: 12/12 ~~ total timeout flows.......: 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6056655 bytes -~~ total memory freed........: 6056655 bytes -~~ total allocations/frees...: 121636/121636 +~~ total memory allocated....: 6058287 bytes +~~ total memory freed........: 6058287 bytes +~~ total allocations/frees...: 121648/121648 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 2476 chars diff --git a/test/results/mysql-8.pcap.out b/test/results/mysql-8.pcap.out index 2ee30a387..24df1d99a 100644 --- a/test/results/mysql-8.pcap.out +++ b/test/results/mysql-8.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035757 bytes -~~ total memory freed........: 6035757 bytes -~~ total allocations/frees...: 121491/121491 +~~ total memory allocated....: 6035893 bytes +~~ total memory freed........: 6035893 bytes +~~ total allocations/frees...: 121492/121492 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 902 chars diff --git a/test/results/natpmp.pcap.out b/test/results/natpmp.pcap.out index cedd00f8c..eb9a06f66 100644 --- a/test/results/natpmp.pcap.out +++ b/test/results/natpmp.pcap.out @@ -24,9 +24,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6039092 bytes -~~ total memory freed........: 6039092 bytes -~~ total allocations/frees...: 121514/121514 +~~ total memory allocated....: 6039500 bytes +~~ total memory freed........: 6039500 bytes +~~ total allocations/frees...: 121517/121517 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 907 chars diff --git a/test/results/nats.pcap.out b/test/results/nats.pcap.out index d87a8149f..92ebf5f9d 100644 --- a/test/results/nats.pcap.out +++ b/test/results/nats.pcap.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042144 bytes -~~ total memory freed........: 6042144 bytes -~~ total allocations/frees...: 121526/121526 +~~ total memory allocated....: 6042416 bytes +~~ total memory freed........: 6042416 bytes +~~ total allocations/frees...: 121528/121528 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 898 chars diff --git a/test/results/ndpi_match_string_subprotocol__error.pcapng.out b/test/results/ndpi_match_string_subprotocol__error.pcapng.out index 7074709c4..cc67fa03c 100644 --- a/test/results/ndpi_match_string_subprotocol__error.pcapng.out +++ b/test/results/ndpi_match_string_subprotocol__error.pcapng.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036163 bytes -~~ total memory freed........: 6036163 bytes -~~ total allocations/frees...: 121505/121505 +~~ total memory allocated....: 6036299 bytes +~~ total memory freed........: 6036299 bytes +~~ total allocations/frees...: 121506/121506 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 523 chars ~~ json string max len.......: 2053 chars diff --git a/test/results/nest_log_sink.pcap.out b/test/results/nest_log_sink.pcap.out index af1d35378..642be90a4 100644 --- a/test/results/nest_log_sink.pcap.out +++ b/test/results/nest_log_sink.pcap.out @@ -5,7 +5,7 @@ 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1536712992228658,"flow_dst_last_pkt_time":1536712992289465,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1536712992289465,"pkt":"GLQwJjRAAJD7JidrCABFAAAoNpRAAC0G7egjrlLtwKjyDytX92zEgGGFCKi\/QFAQgdDz\/QAA"} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1536713052295189,"flow_dst_last_pkt_time":1536712992289465,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536713052295189,"pkt":"AJD7JidrGLQwJjRACABFAAAoL2MAAP8GYxnAqPIPI65S7fdsK1cIqL8\/xIBhhVAQD+Vl6gAAAAAAAAAA"} 00559{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":51,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":51,"packets-processed":30,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":7,"global_ts_usec":1536713593921755} -01649{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":60807,"avg":38820860.0,"max":60122070,"stddev":28558074.0,"var":815563555209216.0,"ent":4.3,"data": [60807,60066531,60070988,444607,512208,60052382,60122070,60064103,60058548,139368,204086,59876012,59944753,60065849,60071735,305546,379257,59710128,59782330,60066153,60065042,470660,541865,60021230,60097006,60071977,60059874,163527,227320,59833996,59896720]},"pktlen": {"min":54,"avg":57.0,"max":60,"stddev":3.0,"var":9.0,"ent":5.0,"data": [60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54,60,54,54,60,60,54]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1]}} +02048{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":60807,"avg":38820860.0,"max":60122070,"stddev":28558074.0,"var":815563555209216.0,"ent":4.3,"data": [60807,60066531,60070988,444607,512208,60052382,60122070,60064103,60058548,139368,204086,59876012,59944753,60065849,60071735,305546,379257,59710128,59782330,60066153,60065042,470660,541865,60021230,60097006,60071977,60059874,163527,227320,59833996,59896720]},"pktlen": {"min":40,"avg":43.0,"max":46,"stddev":3.0,"var":9.0,"ent":5.0,"data": [46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40,46,40,40,46,46,40]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1,0,1,1,0,0,1],"entropies": [4.501398087,4.881687164,4.457920074,4.881687164,4.881687164,4.501398087,4.457919598,4.881687164,4.501398087,4.881687164,4.881687164,4.501398087,4.501398087,4.881687164,4.501398087,4.881687164,4.881687164,4.501398087,4.501398087,4.881687164,4.414441586,4.881687164,4.881687164,4.441509247,4.501398087,4.881687164,4.501398087,4.881687164,4.881687164,4.501398087,4.501398087,4.881687164]}} 00897{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"NestLogSink.AmazonAWS","proto_id":"43.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536713593921755,"flow_dst_last_pkt_time":1536713593982239,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536713593982239,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"NestLogSink.AmazonAWS","proto_id":"43.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":101,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":101,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":0,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1536714195599741} @@ -19,7 +19,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":136,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1536714602612148,"flow_dst_last_pkt_time":1536714602681891,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536714602681891,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX927RT8zNCL8kJGASbvDKWAAAAgQFjA=="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1536714602684345,"flow_dst_last_pkt_time":1536714602681891,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536714602684345,"pkt":"AJD7JidrGLQwJjRACABFAAAoL4sAAP8GGxbAqPIPI7yauvduK1cIvyQk0U\/MzlAQEgA+3gAAAAAAAAAA"} 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":142,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714604778211,"flow_dst_last_pkt_time":1536714603395466,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":583,"flow_dst_tot_l4_payload_len":679,"midstream":0,"thread_ts_usec":1536714604778211,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714605710820,"flow_dst_last_pkt_time":1536714605694468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5203,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536714605710820,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":55,"avg":199386.8,"max":1490586,"stddev":353669.1,"var":125081829376.0,"ent":3.7,"data": [69743,72197,635648,708301,5274,110825,1347393,1490586,118042,84290,55,88866,80271,82780,83378,79961,79977,80201,79559,79635,80946,81395,80711,79963,79339,79335,79882,72223,8456,80008,81752]},"pktlen": {"min":54,"avg":255.9,"max":733,"stddev":219.8,"var":48330.3,"ent":4.5,"data": [60,58,60,585,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02152{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":166,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714605710820,"flow_dst_last_pkt_time":1536714605694468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5203,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536714605710820,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":55,"avg":199386.8,"max":1490586,"stddev":353669.1,"var":125081829376.0,"ent":3.7,"data": [69743,72197,635648,708301,5274,110825,1347393,1490586,118042,84290,55,88866,80271,82780,83378,79961,79977,80201,79559,79635,80946,81395,80711,79963,79339,79335,79882,72223,8456,80008,81752]},"pktlen": {"min":40,"avg":241.9,"max":719,"stddev":219.8,"var":48330.3,"ent":4.4,"data": [46,44,46,571,40,719,46,92,40,110,40,97,495,95,495,95,495,95,495,95,495,95,495,95,495,95,495,95,46,495,95,495]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0],"entropies": [4.347350597,4.921896935,4.434307098,6.926084995,4.831686974,7.091323376,4.544876099,5.377194881,4.981687069,5.869862556,4.981687069,5.670912743,7.483328342,5.698139191,7.522343636,5.745404720,7.484422207,5.740245342,7.506760597,5.790296078,7.525055408,5.637186527,7.521946430,5.669141293,7.561211109,5.642346382,7.582935333,5.811348438,4.434307575,7.459678173,5.698140144,7.522096634]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":211,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1536714607328073,"flow_dst_last_pkt_time":1536714602587655,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"thread_ts_usec":1536714607328073,"pkt":"AJD7JidrGLQwJjRACABFAABXL7IAAP8RJoHAqPIPwKjyAc5xADUAQyQGbMYBAAABAAAAAAAAB2N6ZmUxMDUHZnJvbnQwMQVpYWQwMQpwcm9kdWN0aW9uBG5lc3QDY29tAAABAAE="} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":214,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536714607530778,"flow_src_last_pkt_time":1536714607530778,"flow_dst_last_pkt_time":1536714607530778,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536714607530778,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":214,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1536714607530778,"flow_dst_last_pkt_time":1536714607530778,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536714607530778,"pkt":"AJD7JidrGLQwJjRACABFAAAsL7MAAP8GYsXAqPIPI65S7fdvK1cIymiPAAAAAGACEgDJ5gAAAgQEgAAA"} @@ -32,7 +32,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1536714610318069,"flow_dst_last_pkt_time":1536714610314466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536714610318069,"pkt":"AJD7JidrGLQwJjRACABFAAAoL78AAP8GGuLAqPIPI7yauvdwK1cI1a0IXLN8VlAQEgB69gAAAAAAAAAA"} 00885{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":248,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":3,"flow_first_seen":1536714610253460,"flow_src_last_pkt_time":1536714615108363,"flow_dst_last_pkt_time":1536714613730371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":678,"midstream":0,"thread_ts_usec":1536714615108363,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63344,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":268,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536714602587299,"flow_src_last_pkt_time":1536714607328073,"flow_dst_last_pkt_time":1536714607527675,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536714675297074,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01786{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":270,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714607530778,"flow_src_last_pkt_time":1536714735302616,"flow_dst_last_pkt_time":1536714735750574,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":2066,"midstream":0,"thread_ts_usec":1536714735750574,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7081,"avg":8257794.5,"max":60077555,"stddev":19898212.0,"var":395938807939072.0,"ent":2.4,"data": [64103,66685,638775,711013,16458,201353,1246735,1463240,104910,69439,22020,94707,71220,78130,7081,87220,75789,84472,84342,76407,307337,280726,43263,5019615,5092313,178784,59560541,59727665,60063791,60077555,375945]},"pktlen": {"min":54,"avg":181.0,"max":731,"stddev":184.8,"var":34140.6,"ent":4.4,"data": [60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,215,60,346,116,60,60,54,60,54,54]},"bins": {"c_to_s": [9,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02184{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":270,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536714607530778,"flow_src_last_pkt_time":1536714735302616,"flow_dst_last_pkt_time":1536714735750574,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":2066,"midstream":0,"thread_ts_usec":1536714735750574,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63343,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7081,"avg":8257794.5,"max":60077555,"stddev":19898212.0,"var":395938807939072.0,"ent":2.4,"data": [64103,66685,638775,711013,16458,201353,1246735,1463240,104910,69439,22020,94707,71220,78130,7081,87220,75789,84472,84342,76407,307337,280726,43263,5019615,5092313,178784,59560541,59727665,60063791,60077555,375945]},"pktlen": {"min":40,"avg":167.0,"max":717,"stddev":184.8,"var":34140.6,"ent":4.3,"data": [46,44,46,571,40,717,46,92,40,444,40,100,162,669,46,220,206,220,190,220,201,46,201,46,332,102,46,46,40,46,40,40]},"bins": {"c_to_s": [9,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1],"entropies": [4.390829086,5.012806416,4.434307098,6.983462334,4.981687546,7.117225647,4.501398087,5.460370064,5.031687260,7.387540817,4.981687069,5.670276642,6.393791676,7.723265171,4.434307098,6.722110748,6.670401573,6.819778442,6.529592991,6.835218430,6.697788239,4.303872108,6.701543808,4.347350597,7.229048729,5.808568001,4.347350597,4.390829086,4.934183598,4.347350597,4.934183598,4.884183884]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00939{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":42,"flow_dst_packets_processed":41,"flow_first_seen":1536712992228658,"flow_src_last_pkt_time":1536714607325706,"flow_dst_last_pkt_time":1536714607385830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":62,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":62,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63340,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"2":"Match by IP"},"proto":"NestLogSink.AmazonAWS","proto_id":"43.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":35,"flow_first_seen":1536714602612148,"flow_src_last_pkt_time":1536714607322501,"flow_dst_last_pkt_time":1536714607319686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":12610,"flow_dst_tot_l4_payload_len":2221,"midstream":0,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63342,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":274,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":10,"flow_first_seen":1536714610253460,"flow_src_last_pkt_time":1536714615546363,"flow_dst_last_pkt_time":1536714615544009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":845,"midstream":0,"thread_ts_usec":1536714735752625,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63344,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -51,7 +51,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":409,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1536716402828004,"flow_dst_last_pkt_time":1536716402889007,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536716402889007,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93El8kNOCOENtmASbvAVfwAAAgQFjA=="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":410,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1536716402894336,"flow_dst_last_pkt_time":1536716402889007,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536716402894336,"pkt":"AJD7JidrGLQwJjRACABFAAAoL\/kAAP8GGqjAqPIPI7yauvdxK1cI4Q22JfJDT1AQEgCKBAAAAAAAAAAA"} 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":415,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716404974579,"flow_dst_last_pkt_time":1536716403590967,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":582,"flow_dst_tot_l4_payload_len":678,"midstream":0,"thread_ts_usec":1536716404974579,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01764{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716405720045,"flow_dst_last_pkt_time":1536716405705936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536716405720045,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":33,"avg":186128.2,"max":1477502,"stddev":337855.8,"var":114146574336.0,"ent":3.6,"data": [61003,66332,638637,696721,5239,274658,1166948,1477502,96252,57032,33,69584,64878,63516,66188,66283,63911,64139,63928,63783,65164,65050,63165,63274,64227,64111,63788,54150,11824,65153,63500]},"pktlen": {"min":54,"avg":255.9,"max":732,"stddev":219.7,"var":48280.0,"ent":4.5,"data": [60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02152{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716405720045,"flow_dst_last_pkt_time":1536716405705936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536716405720045,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":33,"avg":186128.2,"max":1477502,"stddev":337855.8,"var":114146574336.0,"ent":3.6,"data": [61003,66332,638637,696721,5239,274658,1166948,1477502,96252,57032,33,69584,64878,63516,66188,66283,63911,64139,63928,63783,65164,65050,63165,63274,64227,64111,63788,54150,11824,65153,63500]},"pktlen": {"min":40,"avg":241.9,"max":718,"stddev":219.7,"var":48280.0,"ent":4.4,"data": [46,44,46,570,40,718,46,92,40,110,40,97,495,95,495,95,495,95,495,95,495,95,495,95,495,95,495,95,46,495,95,495]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0],"entropies": [4.390829086,4.967352390,4.390829086,6.899403095,4.781687260,7.121079922,4.338141918,5.373412609,4.731687546,5.826634884,4.712815285,5.642511845,7.549121857,5.698139191,7.531104088,5.727138519,7.473689079,5.677087307,7.561008930,5.663398743,7.514960289,5.642345905,7.526351929,5.637186050,7.499288082,5.719192982,7.509342194,5.656034470,4.390828609,7.483929634,5.727138996,7.595646381]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":483,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1536716407003782,"flow_dst_last_pkt_time":1536716402805070,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"thread_ts_usec":1536716407003782,"pkt":"AJD7JidrGLQwJjRACABFAABXMB8AAP8RJhTAqPIPwKjyAc5xADUAQ16pMiMBAAABAAAAAAAAB2N6ZmUxMDUHZnJvbnQwMQVpYWQwMQpwcm9kdWN0aW9uBG5lc3QDY29tAAABAAE="} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":486,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536716407119984,"flow_dst_last_pkt_time":1536716407119984,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536716407119984,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":486,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1536716407119984,"flow_dst_last_pkt_time":1536716407119984,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536716407119984,"pkt":"AJD7JidrGLQwJjRACABFAAAsMCAAAP8GYljAqPIPI65S7fdyK1cI7G5zAAAAAGACEgDD3QAAAgQEgAAA"} @@ -68,7 +68,7 @@ 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":36,"flow_dst_packets_processed":35,"flow_first_seen":1536716402828004,"flow_src_last_pkt_time":1536716406969810,"flow_dst_last_pkt_time":1536716406967430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":12633,"flow_dst_tot_l4_payload_len":2220,"midstream":0,"thread_ts_usec":1536716532891336,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63345,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00925{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1536716409847406,"flow_src_last_pkt_time":1536716412657238,"flow_dst_last_pkt_time":1536716412651629,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":1413,"flow_dst_tot_l4_payload_len":846,"midstream":0,"thread_ts_usec":1536716532891336,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63347,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536716402804764,"flow_src_last_pkt_time":1536716407003782,"flow_dst_last_pkt_time":1536716407116756,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536716532891336,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01789{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536716592513963,"flow_dst_last_pkt_time":1536716532889304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":1905,"midstream":0,"thread_ts_usec":1536716592513963,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6654,"avg":10037526.0,"max":60065954,"stddev":21842106.0,"var":477077551710208.0,"ent":2.6,"data": [66203,68921,634989,702416,15391,245970,1210603,1481601,108755,76207,16822,97423,70982,72827,6654,85865,79238,75829,75050,77170,97357,2619475,2881135,371772,59569035,59778516,60065954,60063694,377489,447329,59622627]},"pktlen": {"min":54,"avg":176.2,"max":731,"stddev":185.8,"var":34538.8,"ent":4.4,"data": [60,58,60,585,54,731,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,54,60,60]},"bins": {"c_to_s": [10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02187{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":543,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536716407119984,"flow_src_last_pkt_time":1536716592513963,"flow_dst_last_pkt_time":1536716532889304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1941,"flow_dst_tot_l4_payload_len":1905,"midstream":0,"thread_ts_usec":1536716592513963,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63346,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6654,"avg":10037526.0,"max":60065954,"stddev":21842106.0,"var":477077551710208.0,"ent":2.6,"data": [66203,68921,634989,702416,15391,245970,1210603,1481601,108755,76207,16822,97423,70982,72827,6654,85865,79238,75829,75050,77170,97357,2619475,2881135,371772,59569035,59778516,60065954,60063694,377489,447329,59622627]},"pktlen": {"min":40,"avg":162.2,"max":717,"stddev":185.8,"var":34538.8,"ent":4.3,"data": [46,44,46,571,40,717,46,92,40,444,40,100,162,669,46,220,206,220,190,220,201,46,332,102,46,46,40,46,40,40,46,46]},"bins": {"c_to_s": [10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0],"entropies": [4.390829086,5.012806416,4.434307098,6.960905552,4.931687355,7.109922409,4.501398087,5.422218800,4.931687355,7.525271416,4.762814999,5.747631550,6.463061810,7.686710835,4.434307098,6.746978760,6.772123814,6.796743393,6.668047905,6.846702099,6.720046520,4.457919121,7.263835907,5.855727196,4.441509247,4.501398087,4.981687546,4.501398087,4.981687546,4.981687546,4.501398087,4.501398087]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00910{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":547,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1536716402804764,"flow_src_last_pkt_time":1536716407003782,"flow_dst_last_pkt_time":1536716407116756,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":99,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536716592575967,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00567{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":547,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":547,"packets-processed":424,"total-skipped-flows":0,"total-l4-payload-len":43270,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":9,"total-detection-updates":2,"total-updates":4,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":73,"global_ts_usec":1536716652586979} 00567{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":595,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":595,"packets-processed":452,"total-skipped-flows":0,"total-l4-payload-len":43270,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":9,"total-detection-updates":2,"total-updates":4,"current-active-flows":1,"total-active-flows":9,"total-idle-flows":8,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":74,"global_ts_usec":1536717254253428} @@ -83,7 +83,7 @@ 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":615,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1536717428089363,"flow_dst_last_pkt_time":1536717428146200,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536717428146200,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93SD5IA7CQNADmASbvBIIgAAAgQFjA=="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":616,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1536717428152738,"flow_dst_last_pkt_time":1536717428146200,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536717428152738,"pkt":"AJD7JidrGLQwJjRACABFAAAoMFIAAP8GGk\/AqPIPI7yauvd0K1cJA0AOg+SAPFAQEgC8pwAAAAAAAAAA"} 00885{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":621,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717430226245,"flow_dst_last_pkt_time":1536717428843719,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":582,"flow_dst_tot_l4_payload_len":678,"midstream":0,"thread_ts_usec":1536717430226245,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":645,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717430971296,"flow_dst_last_pkt_time":1536717430957587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536717430971296,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":41,"avg":185488.9,"max":1475007,"stddev":337125.5,"var":113653596160.0,"ent":3.6,"data": [56837,63375,631089,692531,4988,275292,1167126,1475007,94881,56956,41,68349,63598,63560,63263,63527,64323,71144,70310,64275,64470,63960,64294,64276,63689,63201,62870,53104,10769,65047,64005]},"pktlen": {"min":54,"avg":255.9,"max":732,"stddev":219.7,"var":48280.0,"ent":4.5,"data": [60,58,60,584,54,732,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02153{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":645,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717430971296,"flow_dst_last_pkt_time":1536717430957587,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1230,"midstream":0,"thread_ts_usec":1536717430971296,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":41,"avg":185488.9,"max":1475007,"stddev":337125.5,"var":113653596160.0,"ent":3.6,"data": [56837,63375,631089,692531,4988,275292,1167126,1475007,94881,56956,41,68349,63598,63560,63263,63527,64323,71144,70310,64275,64470,63960,64294,64276,63689,63201,62870,53104,10769,65047,64005]},"pktlen": {"min":40,"avg":241.9,"max":718,"stddev":219.7,"var":48280.0,"ent":4.4,"data": [46,44,46,570,40,718,46,92,40,110,40,97,495,95,495,95,495,95,495,95,495,95,495,95,495,95,495,95,46,495,95,495]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0],"entropies": [4.390829086,4.967351913,4.434307098,6.916602135,4.931686878,7.128376961,4.501398087,5.438629150,4.981687069,5.863207817,4.881687164,5.699314117,7.478340149,5.690193176,7.586304665,5.685032845,7.471494675,5.671344757,7.537241459,5.719192505,7.525679111,5.574028969,7.549623489,5.719192028,7.455665112,5.853453159,7.516324997,5.719192028,4.434307098,7.547780037,5.698139668,7.523346424]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":674,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536717450091191,"flow_src_last_pkt_time":1536717450091191,"flow_dst_last_pkt_time":1536717450091191,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536717450091191,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":674,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1536717450091191,"flow_dst_last_pkt_time":1536717450091191,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536717450091191,"pkt":"AJD7JidrGLQwJjRACABFAAAsMG8AAP8GYgnAqPIPI65S7fd1K1cJDrE1AAAAAGACEgCA9gAAAgQEgAAA"} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":675,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1536717450091191,"flow_dst_last_pkt_time":1536717450156309,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536717450156309,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAAC0GJHkjrlLtwKjyDytX93XProMNCQ6xNmASaQPV8QAAAgQFtA=="} @@ -94,7 +94,7 @@ 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":707,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":24,"flow_first_seen":1536717428089363,"flow_src_last_pkt_time":1536717431514012,"flow_dst_last_pkt_time":1536717431511560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":7728,"flow_dst_tot_l4_payload_len":1615,"midstream":0,"thread_ts_usec":1536717572672015,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63348,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00914{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":707,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1536717427961883,"flow_src_last_pkt_time":1536717449934587,"flow_dst_last_pkt_time":1536717450088270,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":139,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536717572672015,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00912{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":711,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1536717427961883,"flow_src_last_pkt_time":1536717449934587,"flow_dst_last_pkt_time":1536717450088270,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":59,"flow_dst_max_l4_payload_len":127,"flow_src_tot_l4_payload_len":139,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1536717632764427,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01792{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":713,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717450091191,"flow_src_last_pkt_time":1536717692809761,"flow_dst_last_pkt_time":1536717693064770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1560,"flow_dst_tot_l4_payload_len":1740,"midstream":0,"thread_ts_usec":1536717693064770,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4297,"avg":15667489.0,"max":60116188,"stddev":26141992.0,"var":683403720523776.0,"ent":3.1,"data": [65118,68086,678411,747347,17507,94704,1396423,1507704,104371,70568,14503,87690,68949,72988,7038,83601,72569,4297,74338,110547,112155,137112,59606094,59757940,60076789,60061094,60093385,60092412,60108066,60116188,184155]},"pktlen": {"min":54,"avg":159.1,"max":732,"stddev":181.0,"var":32752.9,"ent":4.3,"data": [60,58,60,584,54,732,60,106,54,258,54,114,176,683,60,234,204,60,234,215,346,116,60,60,54,60,54,60,54,60,54,54]},"bins": {"c_to_s": [10,1,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02190{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":713,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536717450091191,"flow_src_last_pkt_time":1536717692809761,"flow_dst_last_pkt_time":1536717693064770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1560,"flow_dst_tot_l4_payload_len":1740,"midstream":0,"thread_ts_usec":1536717693064770,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63349,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4297,"avg":15667489.0,"max":60116188,"stddev":26141992.0,"var":683403720523776.0,"ent":3.1,"data": [65118,68086,678411,747347,17507,94704,1396423,1507704,104371,70568,14503,87690,68949,72988,7038,83601,72569,4297,74338,110547,112155,137112,59606094,59757940,60076789,60061094,60093385,60092412,60108066,60116188,184155]},"pktlen": {"min":40,"avg":145.1,"max":718,"stddev":181.0,"var":32752.9,"ent":4.2,"data": [46,44,46,570,40,718,46,92,40,244,40,100,162,669,46,220,190,46,220,201,332,102,46,46,40,46,40,46,40,46,40,40]},"bins": {"c_to_s": [10,1,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1],"entropies": [4.303872585,4.967351913,4.390829086,7.000074863,4.931686878,7.083823204,4.501398087,5.370536327,4.981687069,6.850469589,4.881687164,5.621728897,6.422999859,7.639559269,4.347350597,6.781757832,6.666656017,4.544876099,6.837507248,6.783583164,7.269664764,5.833524227,4.501398087,4.390829086,4.931686878,4.457919598,4.931686878,4.501398087,4.931686878,4.501398087,4.931686878,4.981687069]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00570{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":727,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":727,"packets-processed":562,"total-skipped-flows":0,"total-l4-payload-len":56297,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":12,"total-detection-updates":3,"total-updates":6,"current-active-flows":1,"total-active-flows":12,"total-idle-flows":11,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":98,"global_ts_usec":1536717873194026} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":745,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718052990525,"flow_dst_last_pkt_time":1536718052990525,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536718052990525,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":745,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":1,"flow_src_last_pkt_time":1536718052990525,"flow_dst_last_pkt_time":1536718052990525,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536718052990525,"pkt":"AJD7JidrGLQwJjRACABFAAAsMIsAAP8GYe3AqPIPI65S7fd2K1cJGivXAAAAAGACEgAGSAAAAgQEgAAA"} @@ -112,10 +112,10 @@ 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":782,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1536718202984094,"flow_dst_last_pkt_time":1536718203039605,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536718203039605,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAADcG0p0jvJq6wKjyDytX93fElurmCSWo1mASbvAz1wAAAgQFjA=="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":783,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1536718203042198,"flow_dst_last_pkt_time":1536718203039605,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536718203042198,"pkt":"AJD7JidrGLQwJjRACABFAAAoMJwAAP8GGgXAqPIPI7yauvd3K1cJJajWxJbq51AQEgCoXAAAAAAAAAAA"} 00885{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":788,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718205132060,"flow_dst_last_pkt_time":1536718203746505,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":582,"flow_dst_tot_l4_payload_len":679,"midstream":0,"thread_ts_usec":1536718205132060,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} -01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":812,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718205917650,"flow_dst_last_pkt_time":1536718205903699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536718205917650,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":188811.6,"max":1484002,"stddev":352858.6,"var":124509216768.0,"ent":3.6,"data": [55511,58104,637607,698601,8299,132470,1319785,1484002,100866,62363,34,73666,66291,66062,64356,70801,72468,66245,63705,65435,67073,65571,63470,63974,64872,66987,66191,76434,5185,82369,64364]},"pktlen": {"min":54,"avg":255.9,"max":733,"stddev":219.8,"var":48309.8,"ent":4.5,"data": [60,58,60,584,54,733,60,106,54,124,54,111,509,109,509,109,509,109,509,109,509,109,509,109,509,109,509,109,60,509,109,509]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02153{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":812,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718205917650,"flow_dst_last_pkt_time":1536718205903699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":5202,"flow_dst_tot_l4_payload_len":1231,"midstream":0,"thread_ts_usec":1536718205917650,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":188811.6,"max":1484002,"stddev":352858.6,"var":124509216768.0,"ent":3.6,"data": [55511,58104,637607,698601,8299,132470,1319785,1484002,100866,62363,34,73666,66291,66062,64356,70801,72468,66245,63705,65435,67073,65571,63470,63974,64872,66987,66191,76434,5185,82369,64364]},"pktlen": {"min":40,"avg":241.9,"max":719,"stddev":219.8,"var":48309.8,"ent":4.4,"data": [46,44,46,570,40,719,46,92,40,110,40,97,495,95,495,95,495,95,495,95,495,95,495,95,495,95,495,95,46,495,95,495]},"bins": {"c_to_s": [4,1,1,0,0,0,0,0,0,0,0,0,0,0,10,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0],"entropies": [4.287461758,4.967351913,4.374418736,6.956398010,4.981687069,7.137421608,4.544876099,5.452163696,4.981687069,5.767633438,4.931687355,5.629675388,7.553267002,5.769243717,7.480807304,5.656034946,7.456930637,5.661194324,7.513911247,5.748190880,7.546221733,5.663398743,7.504794121,5.711246014,7.578598976,5.698748112,7.528614521,5.748191357,4.321323395,7.516432285,5.677087307,7.518935204]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":834,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718206572751,"flow_dst_last_pkt_time":1536718206572751,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1536718206572751,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":834,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1536718206572751,"flow_dst_last_pkt_time":1536718206572751,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1536718206572751,"pkt":"AJD7JidrGLQwJjRACABFAAAsMLcAAP8GYcHAqPIPI65S7fd4K1cJMSXhAAAAAGACEgAMJQAAAgQEgAAA"} -01785{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":835,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718206570249,"flow_dst_last_pkt_time":1536718206634864,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1623,"flow_dst_tot_l4_payload_len":1739,"midstream":0,"thread_ts_usec":1536718206634864,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1252,"avg":9910454.0,"max":60155801,"stddev":20689402.0,"var":428051338887168.0,"ent":2.7,"data": [68635,72232,634362,701888,15937,150934,1314255,1491295,109213,70989,18037,93450,70186,72141,7151,80030,74076,77118,76505,41618,115484,208508,59946855,60155801,60057740,60124304,30586012,30652885,66856,1252,68314]},"pktlen": {"min":54,"avg":161.1,"max":731,"stddev":180.1,"var":32452.7,"ent":4.4,"data": [60,58,60,585,54,731,60,106,54,258,54,114,176,683,60,234,204,234,215,60,346,116,60,60,54,54,60,116,54,60,60,54]},"bins": {"c_to_s": [10,2,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02183{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":835,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718052990525,"flow_src_last_pkt_time":1536718206570249,"flow_dst_last_pkt_time":1536718206634864,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":677,"flow_src_tot_l4_payload_len":1623,"flow_dst_tot_l4_payload_len":1739,"midstream":0,"thread_ts_usec":1536718206634864,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63350,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1252,"avg":9910454.0,"max":60155801,"stddev":20689402.0,"var":428051338887168.0,"ent":2.7,"data": [68635,72232,634362,701888,15937,150934,1314255,1491295,109213,70989,18037,93450,70186,72141,7151,80030,74076,77118,76505,41618,115484,208508,59946855,60155801,60057740,60124304,30586012,30652885,66856,1252,68314]},"pktlen": {"min":40,"avg":147.1,"max":717,"stddev":180.1,"var":32452.7,"ent":4.2,"data": [46,44,46,571,40,717,46,92,40,244,40,100,162,669,46,220,190,220,201,46,332,102,46,46,40,40,46,102,40,46,46,40]},"bins": {"c_to_s": [10,2,0,1,0,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1],"entropies": [4.260394096,4.921897411,4.434307098,6.934753895,4.931686878,7.082575321,4.501398087,5.325510979,4.981687546,6.942802429,4.981687069,5.756309986,6.493349075,7.689117908,4.434307098,6.784736156,6.532172680,6.853400707,6.767163754,4.457919598,7.212311268,5.867391586,4.501398087,4.544876099,5.031687260,5.031687260,4.544876099,5.644305706,5.031687260,4.544876099,4.588354588,5.031687260]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":836,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1536718206572751,"flow_dst_last_pkt_time":1536718206638073,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":1536718206638073,"pkt":"GLQwJjRAAJD7JidrCABFAAAsAABAAC0GJHkjrlLtwKjyDytX93jm8XvxCTEl4mASaQNQ+QAAAgQFtA=="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":837,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1536718206640512,"flow_dst_last_pkt_time":1536718206638073,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1536718206640512,"pkt":"AJD7JidrGLQwJjRACABFAAAoMLgAAP8GYcTAqPIPI65S7fd4K1cJMSXi5vF78lAQEgC\/uQAAAAAAAAAA"} 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":844,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718208745973,"flow_dst_last_pkt_time":1536718207366595,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":584,"flow_dst_tot_l4_payload_len":676,"midstream":0,"thread_ts_usec":1536718208745973,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -129,7 +129,7 @@ 00927{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":24,"flow_first_seen":1536718202984094,"flow_src_last_pkt_time":1536718206546300,"flow_dst_last_pkt_time":1536718206542604,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":679,"flow_src_tot_l4_payload_len":7843,"flow_dst_tot_l4_payload_len":1616,"midstream":0,"thread_ts_usec":1536718332214337,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63351,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00926{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1536718209313555,"flow_src_last_pkt_time":1536718211968199,"flow_dst_last_pkt_time":1536718211965770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":678,"flow_src_tot_l4_payload_len":1413,"flow_dst_tot_l4_payload_len":845,"midstream":0,"thread_ts_usec":1536718332214337,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.188.154.186","src_port":63353,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00911{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1536718202959606,"flow_src_last_pkt_time":1536718202959606,"flow_dst_last_pkt_time":1536718202959785,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1536718332214337,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01788{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718392321066,"flow_dst_last_pkt_time":1536718332214337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":1942,"flow_dst_tot_l4_payload_len":1904,"midstream":0,"thread_ts_usec":1536718392321066,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4658,"avg":10044835.0,"max":60173109,"stddev":21953530.0,"var":481957439864832.0,"ent":2.6,"data": [65322,67761,637540,709814,18708,293379,1174542,1481999,109107,72201,17976,90820,70287,73214,8669,96471,87696,75885,78977,77415,126677,2595650,2731016,150399,59910787,60056830,60173109,60107028,4658,60634,60165330]},"pktlen": {"min":54,"avg":176.2,"max":730,"stddev":185.8,"var":34529.8,"ent":4.4,"data": [60,58,60,586,54,730,60,106,54,458,54,114,176,683,60,234,220,234,204,234,215,60,346,116,60,60,54,60,54,60,54,60]},"bins": {"c_to_s": [10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02186{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":892,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1536718206572751,"flow_src_last_pkt_time":1536718392321066,"flow_dst_last_pkt_time":1536718332214337,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":532,"flow_dst_max_l4_payload_len":676,"flow_src_tot_l4_payload_len":1942,"flow_dst_tot_l4_payload_len":1904,"midstream":0,"thread_ts_usec":1536718392321066,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"35.174.82.237","src_port":63352,"dst_port":11095,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4658,"avg":10044835.0,"max":60173109,"stddev":21953530.0,"var":481957439864832.0,"ent":2.6,"data": [65322,67761,637540,709814,18708,293379,1174542,1481999,109107,72201,17976,90820,70287,73214,8669,96471,87696,75885,78977,77415,126677,2595650,2731016,150399,59910787,60056830,60173109,60107028,4658,60634,60165330]},"pktlen": {"min":40,"avg":162.2,"max":716,"stddev":185.8,"var":34529.8,"ent":4.3,"data": [46,44,46,572,40,716,46,92,40,444,40,100,162,669,46,220,206,220,190,220,201,46,332,102,46,46,40,46,40,46,40,46]},"bins": {"c_to_s": [10,1,0,1,0,3,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,2,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0],"entropies": [4.347350597,4.967352390,4.434307098,6.920494080,4.981687546,7.105970383,4.544876099,5.378740311,4.881687164,7.440455914,4.812814713,5.615177631,6.437895298,7.618911266,4.434307098,6.860777378,6.737969398,6.892507076,6.603207111,6.959574699,6.884947777,4.457919598,7.273610592,5.848325729,4.414441586,4.501398087,4.831686974,4.544876099,4.881687164,4.501398087,4.881687164,4.544876099]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NestLogSink","proto_id":"43","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00909{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":896,"source":"nest_log_sink.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1536718202959606,"flow_src_last_pkt_time":1536718202959606,"flow_dst_last_pkt_time":1536718202959785,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1536718392405835,"l3_proto":"ip4","src_ip":"192.168.242.15","dst_ip":"192.168.242.1","src_port":52849,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00571{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":900,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":900,"packets-processed":713,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":17,"total-detection-updates":4,"total-updates":8,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":134,"global_ts_usec":1536718512170528} 00571{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":950,"source":"nest_log_sink.pcap","alias":"nDPId-test","packets-captured":950,"packets-processed":743,"total-skipped-flows":0,"total-l4-payload-len":75380,"total-not-detected-flows":0,"total-guessed-flows":1,"total-detected-flows":17,"total-detection-updates":4,"total-updates":8,"current-active-flows":1,"total-active-flows":17,"total-idle-flows":16,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":135,"global_ts_usec":1536719113902134} @@ -144,10 +144,10 @@ ~~ total active/idle flows...: 17/17 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6108647 bytes -~~ total memory freed........: 6108647 bytes -~~ total allocations/frees...: 122433/122433 +~~ total memory allocated....: 6110959 bytes +~~ total memory freed........: 6110959 bytes +~~ total allocations/frees...: 122450/122450 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars -~~ json string max len.......: 1797 chars -~~ json string avg len.......: 1146 chars +~~ json string max len.......: 2195 chars +~~ json string avg len.......: 1345 chars diff --git a/test/results/netbios.pcap.out b/test/results/netbios.pcap.out index 9aee9ca46..22a0ad686 100644 --- a/test/results/netbios.pcap.out +++ b/test/results/netbios.pcap.out @@ -16,7 +16,7 @@ 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":28,"source":"netbios.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772216537634,"flow_src_last_pkt_time":1447772216537634,"flow_dst_last_pkt_time":1447772216537634,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1447772216537634,"l3_proto":"ip4","src_ip":"10.0.4.24","dst_ip":"10.0.4.131","src_port":139,"dst_port":1398,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"netbios.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1447772216537634,"flow_dst_last_pkt_time":1447772216537634,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":21,"thread_ts_usec":1447772216537634,"pkt":"ABj+bLz3ABzEEHkPCABFAAApQatAAIAGnIkKAAQYCgAEgwCLBXatXRk68Re6KFAQ96kjtgAAAAAAAAAA"} 00516{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"netbios.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1447772216537634,"flow_dst_last_pkt_time":1447772216537735,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1447772216537735,"pkt":"ABzEEHkPABj+bLz3CABFAAAoY6dAAIAGeo4KAASDCgAEGAV2AIvxF7oorV0ZO1AQ+ycgOAAAAAAAAAAA"} -01726{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":45,"source":"netbios.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772210350540,"flow_src_last_pkt_time":1447772220435262,"flow_dst_last_pkt_time":1447772210350540,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772220435262,"l3_proto":"ip4","src_ip":"10.0.4.131","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14022,"avg":325313.6,"max":749995,"stddev":214669.9,"var":46083158016.0,"ent":4.6,"data": [471274,14022,264705,470792,80220,113829,555812,80046,113289,146849,489849,113312,146439,749995,33651,749542,308595,441426,307586,628917,121033,628920,470970,278997,470688,458539,291466,334217,123758,93119,532865]},"pktlen": {"min":92,"avg":92.0,"max":92,"stddev":0.0,"var":0.0,"ent":5.0,"data": [92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +02125{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":45,"source":"netbios.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772210350540,"flow_src_last_pkt_time":1447772220435262,"flow_dst_last_pkt_time":1447772210350540,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772220435262,"l3_proto":"ip4","src_ip":"10.0.4.131","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14022,"avg":325313.6,"max":749995,"stddev":214669.9,"var":46083158016.0,"ent":4.6,"data": [471274,14022,264705,470792,80220,113829,555812,80046,113289,146849,489849,113312,146439,749995,33651,749542,308595,441426,307586,628917,121033,628920,470970,278997,470688,458539,291466,334217,123758,93119,532865]},"pktlen": {"min":78,"avg":78.0,"max":78,"stddev":0.0,"var":0.0,"ent":5.0,"data": [78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.124596119,4.134274006,4.159914970,4.089276791,4.134274006,4.134274006,4.134274006,4.134274006,4.159914970,4.159914970,4.159914970,4.159914970,4.159914970,4.159914970,4.159914970,4.124596119,4.124596119,4.159914970,4.124596119,4.159914970,4.134274006,4.159914970,4.134274006,4.159914970,4.134274006,4.159914970,4.159914970,4.159914970,4.134274006,4.159914970,4.159914970,4.159914970]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":54,"source":"netbios.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772221776592,"flow_src_last_pkt_time":1447772221776592,"flow_dst_last_pkt_time":1447772221776592,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772221776592,"l3_proto":"ip4","src_ip":"10.0.1.87","dst_ip":"10.0.4.24","src_port":57836,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":54,"source":"netbios.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1447772221776592,"flow_dst_last_pkt_time":1447772221776592,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772221776592,"pkt":"ABzEEHkPACFislxDCABFAABOBFAAAH8RHeEKAAFXCgAEGOHsAIkAOqS0IKgAAAABAAAAAAAAIENLQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBAAAhAAE="} 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":54,"source":"netbios.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772221776592,"flow_src_last_pkt_time":1447772221776592,"flow_dst_last_pkt_time":1447772221776592,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772221776592,"l3_proto":"ip4","src_ip":"10.0.1.87","dst_ip":"10.0.4.24","src_port":57836,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"*"}} @@ -50,7 +50,7 @@ 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"netbios.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":1,"flow_src_last_pkt_time":1447772238721634,"flow_dst_last_pkt_time":1447772238721634,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772238721634,"pkt":"\/\/\/\/\/\/\/\/EGBLoLzrCABFAABOP6wAAIAR3OYKAAQOCgAF\/wCJAIkAOtzbuxABEAABAAAAAAAAIEVIRkZGQ0ZGQ0FDQUNBQ0FDQUNBQ0FDQUNBQ0FDQUFBAAAgAAE="} 00875{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":132,"source":"netbios.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772238721634,"flow_src_last_pkt_time":1447772238721634,"flow_dst_last_pkt_time":1447772238721634,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772238721634,"l3_proto":"ip4","src_ip":"10.0.4.14","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"guru"}} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"netbios.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1447772239929129,"flow_dst_last_pkt_time":1447772221882535,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772239929129,"pkt":"\/\/\/\/\/\/\/\/AOCBdSQGCABFAABOZPwAAIARtz8KAARlCgAF\/wCJAIkAOvRglzYBEAABAAAAAAAAIEVPRkdGQ0RKQ0FDQUNBQ0FDQUNBQ0FDQUNBQ0FDQUFBAAAgAAE="} -01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":144,"source":"netbios.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772211392771,"flow_src_last_pkt_time":1447772242251393,"flow_dst_last_pkt_time":1447772211392771,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772242251393,"l3_proto":"ip4","src_ip":"10.0.5.233","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":749128,"avg":995439.4,"max":1515990,"stddev":356068.3,"var":126784610304.0,"ent":4.9,"data": [749395,750108,1510862,749350,750084,1512101,749146,750073,1513657,749593,750165,1509201,749922,750117,1511084,749128,750100,1515990,749246,750060,1507974,749281,750095,1513465,749807,750021,1513052,749194,750091,1506879,749381]},"pktlen": {"min":92,"avg":92.0,"max":92,"stddev":0.0,"var":0.0,"ent":5.0,"data": [92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92,92]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +02144{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":144,"source":"netbios.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1447772211392771,"flow_src_last_pkt_time":1447772242251393,"flow_dst_last_pkt_time":1447772211392771,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772242251393,"l3_proto":"ip4","src_ip":"10.0.5.233","dst_ip":"10.0.5.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":749128,"avg":995439.4,"max":1515990,"stddev":356068.3,"var":126784610304.0,"ent":4.9,"data": [749395,750108,1510862,749350,750084,1512101,749146,750073,1513657,749593,750165,1509201,749922,750117,1511084,749128,750100,1515990,749246,750060,1507974,749281,750095,1513465,749807,750021,1513052,749194,750091,1506879,749381]},"pktlen": {"min":78,"avg":78.0,"max":78,"stddev":0.0,"var":0.0,"ent":5.0,"data": [78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78,78]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [3.923101902,3.923101902,3.923101902,3.852463722,3.780971527,3.862141609,3.923101902,3.897460699,3.923101902,3.923101902,3.923101902,3.923101902,3.923101902,3.897460699,3.923101902,3.923101902,3.923101902,3.923101902,3.897460699,3.897460699,3.897460699,3.923101902,3.923101902,3.923101902,3.923101902,3.897460699,3.923101902,3.923101902,3.923101902,3.923101902,3.820537567,3.897460699]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00561{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":173,"source":"netbios.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1447772248480903,"flow_dst_last_pkt_time":1447772238479218,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772248480903,"pkt":"ABzEEHkPAOCBt8asCABFAABORZkAAIAR1wUKAAXpCgAEGACJAIkAOgf2mjgAAAABAAAAAAAAIENLQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBAAAhAAE="} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":186,"source":"netbios.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1447772251795162,"flow_src_last_pkt_time":1447772251795162,"flow_dst_last_pkt_time":1447772251795162,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1447772251795162,"l3_proto":"ip4","src_ip":"10.0.1.87","dst_ip":"10.0.4.24","src_port":57921,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":186,"source":"netbios.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1447772251795162,"flow_dst_last_pkt_time":1447772251795162,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1447772251795162,"pkt":"ABzEEHkPACFislxDCABFAABOJRwAAH8R\/RQKAAFXCgAEGOJBAIkAOqRfIKgAAAABAAAAAAAAIENLQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBAAAhAAE="} @@ -84,10 +84,10 @@ ~~ total active/idle flows...: 15/15 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6067713 bytes -~~ total memory freed........: 6067713 bytes -~~ total allocations/frees...: 121879/121879 +~~ total memory allocated....: 6069753 bytes +~~ total memory freed........: 6069753 bytes +~~ total allocations/frees...: 121894/121894 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1750 chars -~~ json string avg len.......: 1120 chars +~~ json string max len.......: 2149 chars +~~ json string avg len.......: 1319 chars diff --git a/test/results/netbios_wildcard_dns_query.pcap.out b/test/results/netbios_wildcard_dns_query.pcap.out index b9eaa286c..dbf6774f5 100644 --- a/test/results/netbios_wildcard_dns_query.pcap.out +++ b/test/results/netbios_wildcard_dns_query.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035670 bytes -~~ total memory freed........: 6035670 bytes -~~ total allocations/frees...: 121488/121488 +~~ total memory allocated....: 6035806 bytes +~~ total memory freed........: 6035806 bytes +~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 511 chars ~~ json string max len.......: 1029 chars diff --git a/test/results/netflix.pcap.out b/test/results/netflix.pcap.out index 70efcdb55..e64ed1e24 100644 --- a/test/results/netflix.pcap.out +++ b/test/results/netflix.pcap.out @@ -48,8 +48,8 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1484319033259678,"flow_dst_last_pkt_time":1484319033258390,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319033259678,"pkt":"gCqoTGHM5JjWH70UCABFAAA0m4FAAEAG5U7AqAEHNCDEJM99AbszkZRh0pqER4AQEBVneAAAAQEICh9kuYW2m8Wo"} 01169{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319033206431,"flow_src_last_pkt_time":1484319033261891,"flow_dst_last_pkt_time":1484319033258390,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319033261891,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53117,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":103,"source":"netflix.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319033206431,"flow_src_last_pkt_time":1484319033261891,"flow_dst_last_pkt_time":1484319033312558,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319033312558,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53117,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} -01711{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"netflix.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319032888907,"flow_src_last_pkt_time":1484319033506287,"flow_dst_last_pkt_time":1484319033504279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1665,"flow_dst_tot_l4_payload_len":5139,"midstream":0,"thread_ts_usec":1484319033506287,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53105,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":39766.2,"max":363670,"stddev":81851.3,"var":6699630080.0,"ent":3.2,"data": [46025,48575,597,54003,1611,989,54938,11050,13463,9437,301,377,58747,4648,50832,1878,237,59545,562,62143,8477,4734,310931,590,363670,5842,131,72,58058,152,137]},"pktlen": {"min":66,"avg":279.2,"max":1514,"stddev":396.8,"var":157454.8,"ent":4.0,"data": [78,74,66,274,66,1514,1514,66,229,66,141,72,111,66,117,66,422,376,66,1006,66,126,66,422,375,66,1006,121,100,66,66,66]},"bins": {"c_to_s": [11,1,1,0,0,0,1,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01580{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":134,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319032986624,"flow_src_last_pkt_time":1484319033498318,"flow_dst_last_pkt_time":1484319033554363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4381,"flow_dst_tot_l4_payload_len":7721,"midstream":0,"thread_ts_usec":1484319033554363,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":191,"avg":34820.4,"max":199917,"stddev":47580.3,"var":2263883008.0,"ent":3.8,"data": [45497,51828,277,66352,510,13769,75518,25611,26489,15622,271,195,60990,421,44123,5113,191,57731,67780,234,2712,130987,13830,8367,10032,8058,2353,2270,141147,1238,199917]},"pktlen": {"min":66,"avg":444.8,"max":1514,"stddev":557.4,"var":310647.7,"ent":4.0,"data": [78,74,66,298,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,742,66,1514,429,1514,66,1130,66,275,66,115,66,1450,581,66]},"bins": {"c_to_s": [10,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0],"s_to_c": [5,2,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,0,0,1]}} +02106{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":133,"source":"netflix.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319032888907,"flow_src_last_pkt_time":1484319033506287,"flow_dst_last_pkt_time":1484319033504279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1665,"flow_dst_tot_l4_payload_len":5139,"midstream":0,"thread_ts_usec":1484319033506287,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53105,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":39766.2,"max":363670,"stddev":81851.3,"var":6699630080.0,"ent":3.2,"data": [46025,48575,597,54003,1611,989,54938,11050,13463,9437,301,377,58747,4648,50832,1878,237,59545,562,62143,8477,4734,310931,590,363670,5842,131,72,58058,152,137]},"pktlen": {"min":52,"avg":265.2,"max":1500,"stddev":396.8,"var":157454.8,"ent":3.9,"data": [64,60,52,260,52,1500,1500,52,215,52,127,58,97,52,103,52,408,362,52,992,52,112,52,408,361,52,992,107,86,52,52,52]},"bins": {"c_to_s": [11,1,1,0,0,0,1,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,4,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,0,1,0,0,0,1,1,1,1,0,0,0],"entropies": [4.566831589,5.323234081,5.131024837,5.723237514,5.246409416,7.251158237,7.324303627,5.131024837,6.880544662,5.169486523,6.374709129,5.113821983,6.051860332,5.246409416,5.890006065,5.169486523,7.472100735,7.415780067,5.176993370,7.832669258,5.131024837,6.117320061,5.131024361,7.427300930,7.397639751,5.246409416,7.802502632,6.080207348,5.833016396,5.207947731,5.207947731,5.131024361]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} +01978{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":134,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319032986624,"flow_src_last_pkt_time":1484319033498318,"flow_dst_last_pkt_time":1484319033554363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4381,"flow_dst_tot_l4_payload_len":7721,"midstream":0,"thread_ts_usec":1484319033554363,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":191,"avg":34820.4,"max":199917,"stddev":47580.3,"var":2263883008.0,"ent":3.8,"data": [45497,51828,277,66352,510,13769,75518,25611,26489,15622,271,195,60990,421,44123,5113,191,57731,67780,234,2712,130987,13830,8367,10032,8058,2353,2270,141147,1238,199917]},"pktlen": {"min":52,"avg":430.8,"max":1500,"stddev":557.4,"var":310647.7,"ent":4.0,"data": [64,60,52,284,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,728,52,1500,415,1500,52,1116,52,261,52,101,52,1436,567,52]},"bins": {"c_to_s": [10,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0],"s_to_c": [5,2,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,1,0,1,0,1,0,1,0,0,0,1],"entropies": [4.598081589,5.335815907,5.169486523,5.856084347,5.169486523,7.248301983,7.321610928,5.246409893,7.068851471,5.132945538,6.268332958,5.113822460,5.960739613,5.092563629,6.027123928,5.207948208,7.879599094,7.736606598,5.169486523,7.866442680,7.495402336,7.875605583,5.207948208,7.821874619,5.092563152,7.123493671,5.131024837,6.085196495,5.169486523,7.864480019,7.601682663,5.169486523]}} 01612{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":134,"source":"netflix.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319032986624,"flow_src_last_pkt_time":1484319033498318,"flow_dst_last_pkt_time":1484319033554363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4381,"flow_dst_tot_l4_payload_len":7721,"midstream":0,"thread_ts_usec":1484319033554363,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.32.196.36","src_port":53116,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":143,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319033631945,"flow_dst_last_pkt_time":1484319033631945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319033631945,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":143,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1484319033631945,"flow_dst_last_pkt_time":1484319033631945,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319033631945,"pkt":"gCqoTGHM5JjWH70UCABFAABAVMpAAEAGIQjAqAEHNkXM8c9+AbvPvqpAAAAAALAC\/\/9MiwAAAgQFtAEDAwUBAQgKH2S67gAAAAAEAgAA"} @@ -97,7 +97,7 @@ 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":268,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1484319035399304,"flow_dst_last_pkt_time":1484319035397916,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319035399304,"pkt":"gCqoTGHM5JjWH70UCABFAAA0+2BAAEAGIdDAqAEHNFkni8+OAbvRf5R+2AMl5IAQEBW8GgAAAQEICh9kwZ2tiMk\/"} 01170{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":269,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319035342783,"flow_src_last_pkt_time":1484319035401110,"flow_dst_last_pkt_time":1484319035397916,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319035401110,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01228{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":279,"source":"netflix.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319035342783,"flow_src_last_pkt_time":1484319035401110,"flow_dst_last_pkt_time":1484319035449894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319035449894,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53134,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} -01590{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":306,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":143,"avg":41275.9,"max":350146,"stddev":77246.2,"var":5966969856.0,"ent":3.5,"data": [50833,52103,3892,68860,549,14675,80527,16948,16635,16128,355,222,66675,773,50716,3176,284,61420,291182,143,350146,11846,12750,24110,12460,12309,13854,13662,2679,13302,16338]},"pktlen": {"min":66,"avg":544.2,"max":1514,"stddev":630.5,"var":397553.6,"ent":4.1,"data": [78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,686,66,1514,1514,66,1514,1416,66,1514,66,251,66,1514,1033,66]},"bins": {"c_to_s": [11,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0]}} +01988{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":306,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":143,"avg":41275.9,"max":350146,"stddev":77246.2,"var":5966969856.0,"ent":3.5,"data": [50833,52103,3892,68860,549,14675,80527,16948,16635,16128,355,222,66675,773,50716,3176,284,61420,291182,143,350146,11846,12750,24110,12460,12309,13854,13662,2679,13302,16338]},"pktlen": {"min":52,"avg":530.2,"max":1500,"stddev":630.5,"var":397553.6,"ent":4.0,"data": [64,60,52,260,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,672,52,1500,1500,52,1500,1402,52,1500,52,237,52,1500,1019,52]},"bins": {"c_to_s": [11,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,7,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0],"entropies": [4.598081589,5.235815525,5.131024837,6.023412704,5.154969215,7.255973339,7.303249359,5.092563152,7.001137733,5.056022167,6.255658627,5.007929802,6.001976490,5.169486523,5.942530632,5.054101467,7.891292572,7.683557510,5.169486523,7.859122753,7.883965492,5.131024837,7.876591682,7.866814137,5.092563152,7.900776386,4.979098797,7.052536488,5.054101467,7.870380402,7.793371201,5.131024361]}} 01692{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":306,"source":"netflix.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319035080111,"flow_src_last_pkt_time":1484319035720714,"flow_dst_last_pkt_time":1484319035719060,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2402,"flow_dst_tot_l4_payload_len":12882,"midstream":0,"thread_ts_usec":1484319035720714,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53133,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} 00665{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":321,"source":"netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1484319035889509,"flow_dst_last_pkt_time":1484319033886061,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":164,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":164,"pkt_l4_len":130,"thread_ts_usec":1484319035889509,"pkt":"AQBef\/\/65JjWH70UCABFAACW0KMAAAERNwrAqAEH7\/\/\/+tIQB2wAggqVTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMg0KU1Q6IHVybjptZHgtbmV0ZmxpeC1jb206c2VydmljZTp0YXJnZXQ6MA0KDQo="} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":323,"source":"netflix.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319036827113,"flow_src_last_pkt_time":1484319036827113,"flow_dst_last_pkt_time":1484319036827113,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319036827113,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57719,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -112,8 +112,8 @@ 01088{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":328,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036870445,"flow_dst_last_pkt_time":1484319036865722,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319036870445,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-s.nflximg.net","tls": {"version":"TLSv1.2","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01148{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":330,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036870445,"flow_dst_last_pkt_time":1484319036889708,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1484319036889708,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-s.nflximg.net","tls": {"version":"TLSv1.2","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"ef6b224ce027c8e21e5a25d8a58255a3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01578{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":333,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036894463,"flow_dst_last_pkt_time":1484319036900382,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":3414,"midstream":0,"thread_ts_usec":1484319036900382,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-s.nflximg.net","tls": {"version":"TLSv1.2","server_names":"secure.cdn.nflximg.net,*.nflxext.com,*.nflxvideo.net,*.nflxsearch.net,*.nrd.nflximg.net,*.nflximg.net","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"ef6b224ce027c8e21e5a25d8a58255a3","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=Los Gatos, O=Netflix, Inc., OU=Content Delivery Operations, CN=secure.cdn.nflximg.net","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"0D:EF:D1:E6:29:11:1A:A5:88:B3:2F:04:65:D6:D7:AD:84:A2:52:26"}}} -01708{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":356,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036983563,"flow_dst_last_pkt_time":1484319036982334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1128,"flow_dst_tot_l4_payload_len":5359,"midstream":0,"thread_ts_usec":1484319036983563,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":8297.1,"max":40245,"stddev":10476.7,"var":109761248.0,"ent":3.9,"data": [11378,14427,1674,21129,2857,316,24018,10358,7406,16914,385,833,30795,4734,18083,26013,249,318,147,231,142,435,4518,193,40245,7107,5353,4161,461,364,1965]},"pktlen": {"min":66,"avg":269.3,"max":1514,"stddev":414.2,"var":171525.6,"ent":4.0,"data": [78,74,66,293,66,1514,1514,66,584,66,141,72,111,66,117,66,119,116,108,214,155,155,155,155,154,134,66,104,104,406,1514,66]},"bins": {"c_to_s": [8,5,6,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,2,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} -01582{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":596,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":147,"avg":501615.3,"max":7507819,"stddev":1826252.6,"var":3335198867456.0,"ent":1.4,"data": [49499,50871,4368,54319,2439,996,53513,42973,42827,12725,273,205,57417,5098,49336,4198,388,49955,75766,32147,2030,911,5107,4712,147,7402221,150,7507819,929,35745,990]},"pktlen": {"min":66,"avg":372.8,"max":1514,"stddev":520.7,"var":271128.8,"ent":3.9,"data": [78,74,66,274,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,675,66,66,198,110,100,66,66,66,1514,803,66,66,1514,488]},"bins": {"c_to_s": [10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [6,3,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,0,1,1,1,0,0,0,0,0,1,1,1,1]}} +02103{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":356,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319036983563,"flow_dst_last_pkt_time":1484319036982334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1128,"flow_dst_tot_l4_payload_len":5359,"midstream":0,"thread_ts_usec":1484319036983563,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":8297.1,"max":40245,"stddev":10476.7,"var":109761248.0,"ent":3.9,"data": [11378,14427,1674,21129,2857,316,24018,10358,7406,16914,385,833,30795,4734,18083,26013,249,318,147,231,142,435,4518,193,40245,7107,5353,4161,461,364,1965]},"pktlen": {"min":52,"avg":255.3,"max":1500,"stddev":414.2,"var":171525.6,"ent":3.9,"data": [64,60,52,279,52,1500,1500,52,570,52,127,58,97,52,103,52,105,102,94,200,141,141,141,141,140,120,52,90,90,392,1500,52]},"bins": {"c_to_s": [8,5,6,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,2,1,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0],"entropies": [4.555036545,5.323234081,5.207947731,5.708015442,5.315825462,7.096366405,7.275357246,5.207947731,7.575589180,5.169486046,6.308334827,5.148305416,5.977168083,5.315825462,5.945915222,5.169486046,6.131762028,6.032381535,6.018351078,6.868569851,6.437176704,6.436284542,6.462777138,6.552643299,6.572731972,6.440443993,5.193430901,5.968302250,5.976224422,7.489761353,7.869163990,5.284871101]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} +01978{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":596,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":147,"avg":501615.3,"max":7507819,"stddev":1826252.6,"var":3335198867456.0,"ent":1.4,"data": [49499,50871,4368,54319,2439,996,53513,42973,42827,12725,273,205,57417,5098,49336,4198,388,49955,75766,32147,2030,911,5107,4712,147,7402221,150,7507819,929,35745,990]},"pktlen": {"min":52,"avg":358.8,"max":1500,"stddev":520.7,"var":271128.8,"ent":3.8,"data": [64,60,52,260,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,661,52,52,184,96,86,52,52,52,1500,789,52,52,1500,474]},"bins": {"c_to_s": [10,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [6,3,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,0,1,1,1,0,0,0,0,0,1,1,1,1],"entropies": [4.566831589,5.335815907,5.094483852,6.025682926,5.169486523,7.256491661,7.325493813,5.092563152,7.129077435,5.092563152,6.393805504,5.100806713,6.014647961,5.169486523,5.965332508,5.169486523,7.872792244,7.651345730,5.207947731,5.207948208,6.796521664,6.094137192,5.926040173,5.169486523,5.207948208,5.169486046,7.868273258,7.747731686,5.169486046,5.169486523,7.861037254,7.536938190]}} 01691{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":596,"source":"netflix.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319035079531,"flow_src_last_pkt_time":1484319042786338,"flow_dst_last_pkt_time":1484319042922798,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4576,"flow_dst_tot_l4_payload_len":5220,"midstream":0,"thread_ts_usec":1484319042922798,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53132,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":604,"source":"netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319042988806,"flow_src_last_pkt_time":1484319042988806,"flow_dst_last_pkt_time":1484319042988806,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319042988806,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":59180,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":604,"source":"netflix.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_src_last_pkt_time":1484319042988806,"flow_dst_last_pkt_time":1484319042988806,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"thread_ts_usec":1484319042988806,"pkt":"gCqoTGHM5JjWH70UCABFAABGkh4AAP8Rpi\/AqAEHwKgBAecsADUAMtLh8roBAAABAAAAAAAAB2FydHdvcmsEYWthbQduZmx4aW1nA25ldAAAAQAB"} @@ -135,7 +135,7 @@ 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":669,"source":"netflix.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_src_last_pkt_time":1484319043665565,"flow_dst_last_pkt_time":1484319043688511,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319043688511,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADwG+Lm4GcwZwKgBBwBQz57u7DQucjxhCKAScSCMigAAAgQFtAQCCAr\/\/D2rH2ThCQEDAwU="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":670,"source":"netflix.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1484319043689999,"flow_dst_last_pkt_time":1484319043688511,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319043689999,"pkt":"gCqoTGHM5JjWH70UCABFAAA0VAZAAEAGoNvAqAEHuBnMGc+eAFByPGEI7uw0L4AQEBUcSAAAAQEICh9k4SH\/\/D2r"} 01071{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":671,"source":"netflix.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319043665565,"flow_src_last_pkt_time":1484319043691581,"flow_dst_last_pkt_time":1484319043688511,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319043691581,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53150,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-2.nflximg.net","http": {"url":"art-2.nflximg.net\/87b33\/bed1223a0040fdc97bac4e906332e462c6e87b33.jpg","code":0,"content_type":"","user_agent":"Argo\/9.1.0 (iPhone; iOS 10.2; Scale\/2.00)"}}} -01776{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1484319043013015,"flow_src_last_pkt_time":1484319044532732,"flow_dst_last_pkt_time":1484319044504314,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":33304,"midstream":0,"thread_ts_usec":1484319044532732,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53149,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6882,"avg":97129.5,"max":1300093,"stddev":229777.6,"var":52797755392.0,"ent":3.4,"data": [22705,29125,36813,70338,13255,32378,25989,101810,6882,28009,25233,44994,56409,27146,27165,53793,54320,26078,52109,80662,53766,398536,54325,39942,109640,40469,26128,51507,108074,13323,1300093]},"pktlen": {"min":66,"avg":1115.9,"max":1514,"stddev":637.7,"var":406609.6,"ent":4.7,"data": [78,74,66,311,66,1514,1514,1514,66,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,94]},"bins": {"c_to_s": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02175{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1484319043013015,"flow_src_last_pkt_time":1484319044532732,"flow_dst_last_pkt_time":1484319044504314,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":33304,"midstream":0,"thread_ts_usec":1484319044532732,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53149,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6882,"avg":97129.5,"max":1300093,"stddev":229777.6,"var":52797755392.0,"ent":3.4,"data": [22705,29125,36813,70338,13255,32378,25989,101810,6882,28009,25233,44994,56409,27146,27165,53793,54320,26078,52109,80662,53766,398536,54325,39942,109640,40469,26128,51507,108074,13323,1300093]},"pktlen": {"min":52,"avg":1101.9,"max":1500,"stddev":637.7,"var":406609.6,"ent":4.6,"data": [64,60,52,297,52,1500,1500,1500,52,52,1500,1500,52,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,80]},"bins": {"c_to_s": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0],"entropies": [4.538909912,5.312702179,5.079966545,5.942044735,5.308815479,7.330718994,7.743900776,7.712044239,5.233813286,5.000318527,7.842275620,7.821234226,5.156889915,7.816409111,7.847937107,7.841120243,7.664994240,7.793088913,7.822535038,7.766201496,7.754564285,7.803048134,7.810695171,7.784301758,7.848053455,7.850491524,7.814136028,7.845249176,7.833446503,7.828612804,7.832110882,5.393421650]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":703,"source":"netflix.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1484319044993872,"flow_dst_last_pkt_time":1484319030789585,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1484319044993872,"pkt":"gCqoTGHM5JjWH70UCABFAAAoz5tAAEAGHmfAqAEHNBhXBs7BAbvkIOdlTYzTZlAUEACWDAAAAAAAAAAA"} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":795,"source":"netflix.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319048757894,"flow_src_last_pkt_time":1484319048757894,"flow_dst_last_pkt_time":1484319048757894,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319048757894,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":58102,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":795,"source":"netflix.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_src_last_pkt_time":1484319048757894,"flow_dst_last_pkt_time":1484319048757894,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1484319048757894,"pkt":"gCqoTGHM5JjWH70UCABFAABBS2MAAP8R7O\/AqAEHwKgBAeL2ADUALZ5c\/mQBAAABAAAAAAAAB2FwcGJvb3QHbmV0ZmxpeANjb20AAAEAAQ=="} @@ -147,7 +147,7 @@ 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":798,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":1484319048780859,"flow_dst_last_pkt_time":1484319048824981,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319048824981,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGmJ82yb+EwKgBBwBQz59tgW\/FOnvHe6ASRep1DwAAAgQFtAQCCApXXrqDH2T0hAEDAwg="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":799,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":1484319048826457,"flow_dst_last_pkt_time":1484319048824981,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319048826457,"pkt":"gCqoTGHM5JjWH70UCABFAAA0VQxAAEAGLbvAqAEHNsm\/hM+fAFA6e8d7bYFvxoAQEBXZhAAAAQEICh9k9LFXXrqD"} 01105{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":800,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319048780859,"flow_src_last_pkt_time":1484319048830359,"flow_dst_last_pkt_time":1484319048824981,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":313,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":313,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319048830359,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.201.191.132","src_port":53151,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"appboot.netflix.com","http": {"url":"appboot.netflix.com\/appboot\/NFAPPL-02-","code":0,"content_type":"","user_agent":"Argo\/900 CFNetwork\/808.2.16 Darwin\/16.3.0","request_content_type":"application\/x-www-form-urlencoded"}}} -01750{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":839,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1484319048780859,"flow_src_last_pkt_time":1484319049236027,"flow_dst_last_pkt_time":1484319049229808,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2612,"flow_dst_tot_l4_payload_len":21687,"midstream":0,"thread_ts_usec":1484319049236027,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.201.191.132","src_port":53151,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":193,"avg":29165.1,"max":187154,"stddev":42322.7,"var":1791214592.0,"ent":4.0,"data": [44122,45598,3902,10660,193,60003,5736,990,135055,302,187154,5655,5706,13881,14022,13277,14383,27821,13324,13128,9212,13280,22521,13399,39251,13309,13303,13855,13324,13288,124463]},"pktlen": {"min":66,"avg":826.3,"max":1514,"stddev":674.9,"var":455511.9,"ent":4.4,"data": [78,74,66,379,1514,917,66,66,66,728,1514,66,1514,66,1514,66,1514,1514,66,1026,66,1514,1307,66,1514,1514,1514,1514,1514,1514,1514,78]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02149{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":839,"source":"netflix.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1484319048780859,"flow_src_last_pkt_time":1484319049236027,"flow_dst_last_pkt_time":1484319049229808,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2612,"flow_dst_tot_l4_payload_len":21687,"midstream":0,"thread_ts_usec":1484319049236027,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.201.191.132","src_port":53151,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":193,"avg":29165.1,"max":187154,"stddev":42322.7,"var":1791214592.0,"ent":4.0,"data": [44122,45598,3902,10660,193,60003,5736,990,135055,302,187154,5655,5706,13881,14022,13277,14383,27821,13324,13128,9212,13280,22521,13399,39251,13309,13303,13855,13324,13288,124463]},"pktlen": {"min":52,"avg":812.3,"max":1500,"stddev":674.9,"var":455511.9,"ent":4.4,"data": [64,60,52,365,1500,903,52,52,52,714,1500,52,1500,52,1500,52,1500,1500,52,1012,52,1500,1293,52,1500,1500,1500,1500,1500,1500,1500,64]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,0],"entropies": [4.538909912,5.279368401,5.156889915,5.705281258,5.964499474,6.056532860,5.272274971,5.272274494,5.310736179,6.005652428,5.696421623,5.094483852,6.091891766,5.233812809,5.866946220,5.038780212,5.796521664,5.782927513,5.195351601,5.831374168,5.233812809,5.802160263,5.817751884,5.195351124,5.813166142,5.771504402,5.781269550,5.780963898,5.817500591,5.785477638,5.779314995,5.163660049]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":861,"source":"netflix.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049465573,"flow_src_last_pkt_time":1484319049465573,"flow_dst_last_pkt_time":1484319049465573,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049465573,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.89.39.139","src_port":53152,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":861,"source":"netflix.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1484319049465573,"flow_dst_last_pkt_time":1484319049465573,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319049465573,"pkt":"gCqoTGHM5JjWH70UCABFAABAjtZAAEAGjk7AqAEHNFkni8+gAFCVL\/AiAAAAALAC\/\/+toQAAAgQFtAEDAwUBAQgKH2T3IAAAAAAEAgAA"} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":863,"source":"netflix.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1484319049465573,"flow_dst_last_pkt_time":1484319049510947,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319049510947,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGMwk0WSeLwKgBBwBQz6CC\/YxQlS\/wI6ASRerkyQAAAgQFtAQCCAqtiNcHH2T3IAEDAwg="} @@ -160,7 +160,7 @@ 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":887,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049645637,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049645637,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049645637,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":52347,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":887,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049645637,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":80,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":80,"pkt_l4_len":46,"thread_ts_usec":1484319049645637,"pkt":"gCqoTGHM5JjWH70UCABFAABCunsAAEARPNfAqAEHwKgBAcx7ADUALmwlX+cBAAABAAAAAAAAA2lvcwRuY2NwB25ldGZsaXgDY29tAAAcAAE="} 01000{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":887,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049645637,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049645637,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049645637,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":52347,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"netflix.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319043012652,"flow_src_last_pkt_time":1484319049640319,"flow_dst_last_pkt_time":1484319049653906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":491,"flow_dst_tot_l4_payload_len":23168,"midstream":0,"thread_ts_usec":1484319049653906,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":590,"avg":428029.7,"max":6030936,"stddev":1231580.9,"var":1516791529472.0,"ent":2.3,"data": [22448,28943,26758,57708,590,13165,40076,31828,42757,26526,25526,50240,53221,30909,25521,54871,53768,27167,52693,79537,53772,544724,1519985,11557,27351,27280,28765,635381,3643850,6030936,1068]},"pktlen": {"min":66,"avg":809.6,"max":1514,"stddev":706.6,"var":499284.2,"ent":4.3,"data": [78,74,66,312,66,1514,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,94,94,94,86,78,66,66,311,1514,1514]},"bins": {"c_to_s": [12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02166{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"netflix.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319043012652,"flow_src_last_pkt_time":1484319049640319,"flow_dst_last_pkt_time":1484319049653906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":491,"flow_dst_tot_l4_payload_len":23168,"midstream":0,"thread_ts_usec":1484319049653906,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.25","src_port":53148,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":590,"avg":428029.7,"max":6030936,"stddev":1231580.9,"var":1516791529472.0,"ent":2.3,"data": [22448,28943,26758,57708,590,13165,40076,31828,42757,26526,25526,50240,53221,30909,25521,54871,53768,27167,52693,79537,53772,544724,1519985,11557,27351,27280,28765,635381,3643850,6030936,1068]},"pktlen": {"min":52,"avg":795.6,"max":1500,"stddev":706.6,"var":499284.2,"ent":4.3,"data": [64,60,52,298,52,1500,1500,52,1500,52,1500,1500,52,1500,1500,1500,1500,1500,1500,1500,1500,1500,80,80,80,72,64,52,52,297,1500,1500]},"bins": {"c_to_s": [12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1],"entropies": [4.570159912,5.187539101,5.118428230,5.866323471,5.308815956,7.539054394,7.823310852,5.094483852,7.811959267,5.038779736,7.799767494,7.796337128,5.156889439,7.762200832,7.778352737,7.834424973,7.823929787,7.799146652,7.830269337,7.869925976,7.880800724,7.877037048,5.357215405,5.224027157,5.307214737,5.376956940,5.259624004,5.233813286,5.195351601,5.825244904,7.190491676,7.824782848]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00591{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":891,"source":"netflix.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1484319049641053,"flow_dst_last_pkt_time":1484319049665892,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":112,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":112,"pkt_l4_len":78,"thread_ts_usec":1484319049665892,"pkt":"5JjWH70UgCqoTGHMCABFAABi4UdAAEAR1erAqAEBwKgBBwA1yhAATkFkBBqBgAABAAIAAAAABGE4MDMEZHNjZwZha2FtYWkDbmV0AAABAAHADAABAAEAAAAMAAS4GcwYwAwAAQABAAAADAAEuBnMKA=="} 01012{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":891,"source":"netflix.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319049641053,"flow_src_last_pkt_time":1484319049641053,"flow_dst_last_pkt_time":1484319049665892,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":70,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":70,"midstream":0,"thread_ts_usec":1484319049665892,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51728,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"a803.dscg.akamai.net","dns": {"num_queries":1,"num_answers":2,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"184.25.204.24"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":895,"source":"netflix.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319049672494,"flow_src_last_pkt_time":1484319049672494,"flow_dst_last_pkt_time":1484319049672494,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319049672494,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.24","src_port":53153,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -183,20 +183,20 @@ 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":970,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1484319050652467,"flow_dst_last_pkt_time":1484319050677236,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319050677236,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWmYX9guRwKgBBwBQz6susPTdvF5ArqAS\/\/\/2WQAAAgQFtAEDAwkEAggKRVwbeB9k+44="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":971,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1484319050678757,"flow_dst_last_pkt_time":1484319050677236,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319050678757,"pkt":"gCqoTGHM5JjWH70UCABFAAA0kSxAAEAGxGHAqAEHF\/YLkc+rAFC8XkCuLrD03oAQEBUU+gAAAQEICh9k+6dFXBt4"} 01354{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":972,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319050652467,"flow_src_last_pkt_time":1484319050682551,"flow_dst_last_pkt_time":1484319050677236,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319050682551,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.145","src_port":53163,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.145","http": {"url":"23.246.11.145\/range\/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=5xfYVtna3GdYXL71uNs6DZ-X84Y&random=3930708224","code":0,"content_type":"","user_agent":"netflix-ios-app"}}} -01892{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1008,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1484319050652467,"flow_src_last_pkt_time":1484319051912595,"flow_dst_last_pkt_time":1484319051940613,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":28027,"midstream":0,"thread_ts_usec":1484319051940613,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.145","src_port":53163,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3794,"avg":82202.4,"max":651024,"stddev":153564.6,"var":23582076928.0,"ent":3.6,"data": [24769,26290,3794,42485,4828,43771,27157,40474,69366,43854,44827,78254,38808,79815,102619,28781,14718,354324,85041,14066,12423,12747,651024,22850,582496,8619,27490,16417,16392,14698,15077]},"pktlen": {"min":66,"avg":954.8,"max":1514,"stddev":683.5,"var":467159.1,"ent":4.5,"data": [78,74,66,422,581,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,94,1514,1514,1514,1514,78,66,1514,1514,66,1514,66,1514,1514]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,1,0,1,1,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02291{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1008,"source":"netflix.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":21,"flow_first_seen":1484319050652467,"flow_src_last_pkt_time":1484319051912595,"flow_dst_last_pkt_time":1484319051940613,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":28027,"midstream":0,"thread_ts_usec":1484319051940613,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.145","src_port":53163,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3794,"avg":82202.4,"max":651024,"stddev":153564.6,"var":23582076928.0,"ent":3.6,"data": [24769,26290,3794,42485,4828,43771,27157,40474,69366,43854,44827,78254,38808,79815,102619,28781,14718,354324,85041,14066,12423,12747,651024,22850,582496,8619,27490,16417,16392,14698,15077]},"pktlen": {"min":52,"avg":940.8,"max":1500,"stddev":683.5,"var":467159.1,"ent":4.5,"data": [64,60,52,408,567,1500,52,1500,1500,52,1500,52,1500,1500,1500,1500,1500,1500,80,1500,1500,1500,1500,64,52,1500,1500,52,1500,52,1500,1500]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,19,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,1,0,1,1,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,0,1,1],"entropies": [4.550704956,5.312702179,5.103910923,6.388577938,5.862974167,3.576230049,5.195351124,2.528419971,2.540967226,5.077241421,2.547356844,5.115703106,2.543488026,2.552008152,2.558917999,3.816826105,3.805565357,3.816280365,5.256690979,3.890866995,3.462315798,3.461706400,3.458227158,5.071470261,5.154164314,3.470844507,3.517976761,5.154164314,3.546975851,4.955154419,3.560742617,3.579237461]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1027,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319052216458,"flow_dst_last_pkt_time":1484319052216458,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319052216458,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1027,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1484319052216458,"flow_dst_last_pkt_time":1484319052216458,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319052216458,"pkt":"gCqoTGHM5JjWH70UCABFAABAN3hAAEAGHxDAqAEHF\/YKi8+sAFBgdy0VAAAAALAC\/\/\/UZQAAAgQFtAEDAwUBAQgKH2UBeQAAAAAEAgAA"} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1031,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1484319052216458,"flow_dst_last_pkt_time":1484319052235250,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319052235250,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGW2wX9gqLwKgBBwBQz6xlmlqWYHctFqAS\/\/8JBgAAAgQFtAEDAwkEAggKQI7bkB9lAXk="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1032,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":3,"flow_src_last_pkt_time":1484319052237833,"flow_dst_last_pkt_time":1484319052235250,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319052237833,"pkt":"gCqoTGHM5JjWH70UCABFAAA0JFZAAEAGMj7AqAEHF\/YKi8+sAFBgdy0WZZpal4AQEBUnrAAAAQEICh9lAYxAjtuQ"} 01355{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1033,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319052242977,"flow_dst_last_pkt_time":1484319052235250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319052242977,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.10.139","http": {"url":"23.246.10.139\/range\/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-djGXIcbFBNzyfugqEWcrgtCpyY&random=3407360776","code":0,"content_type":"","user_agent":"netflix-ios-app"}}} -01892{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1073,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319053577715,"flow_dst_last_pkt_time":1484319053589492,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":25132,"midstream":0,"thread_ts_usec":1484319053589492,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1043,"avg":88202.9,"max":638852,"stddev":151898.7,"var":23073200128.0,"ent":3.7,"data": [18792,21375,5144,35741,1043,5439,35508,13242,13983,20324,20435,13235,116191,170244,28107,56564,51631,31663,27571,12760,327583,131379,638852,579987,19881,15021,30035,13582,42286,118688,118005]},"pktlen": {"min":66,"avg":865.9,"max":1514,"stddev":697.4,"var":486427.5,"ent":4.4,"data": [78,74,66,422,582,1514,1514,66,1514,66,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,94,1514,94,1514,86,1514,78,66,1514,66,1514]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02291{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1073,"source":"netflix.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319052216458,"flow_src_last_pkt_time":1484319053577715,"flow_dst_last_pkt_time":1484319053589492,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":356,"flow_dst_tot_l4_payload_len":25132,"midstream":0,"thread_ts_usec":1484319053589492,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.10.139","src_port":53164,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1043,"avg":88202.9,"max":638852,"stddev":151898.7,"var":23073200128.0,"ent":3.7,"data": [18792,21375,5144,35741,1043,5439,35508,13242,13983,20324,20435,13235,116191,170244,28107,56564,51631,31663,27571,12760,327583,131379,638852,579987,19881,15021,30035,13582,42286,118688,118005]},"pktlen": {"min":52,"avg":851.9,"max":1500,"stddev":697.4,"var":486427.5,"ent":4.4,"data": [64,60,52,408,568,1500,1500,52,1500,52,1500,52,1500,52,1500,1500,1500,1500,1500,1500,1500,80,1500,80,1500,72,1500,64,52,1500,52,1500]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,0,1,0,1],"entropies": [4.451259136,5.200120449,5.003043175,6.363925457,5.826877117,3.573564768,2.540809155,5.079966545,2.553215742,4.950064659,2.546205282,4.961856842,2.557531357,4.985801220,2.554388523,2.558952808,3.302551985,3.777240515,3.820478201,3.802512646,3.817392588,5.302858829,3.877096891,5.277858257,3.521096945,5.267232895,3.547756672,5.124750137,4.947339535,3.545200109,4.894361019,3.575657606]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1100,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054101585,"flow_dst_last_pkt_time":1484319054101585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319054101585,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1100,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":1,"flow_src_last_pkt_time":1484319054101585,"flow_dst_last_pkt_time":1484319054101585,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319054101585,"pkt":"gCqoTGHM5JjWH70UCABFAABA9bFAAEAGZ9XAqAEHF\/YDjM+zAFBtwXYMAAAAALAC\/\/99\/AAAAgQFtAEDAwUBAQgKH2UImQAAAAAEAgAA"} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1101,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_src_last_pkt_time":1484319054101585,"flow_dst_last_pkt_time":1484319054132376,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319054132376,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADgGZWsX9gOMwKgBBwBQz7OFwt93bcF2DaAS\/\/\/aJAAAAgQFtAEDAwkEAggKhKDK7B9lCJk="} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1102,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":3,"flow_src_last_pkt_time":1484319054134077,"flow_dst_last_pkt_time":1484319054132376,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319054134077,"pkt":"gCqoTGHM5JjWH70UCABFAAA0mQ1AAEAGxIXAqAEHF\/YDjM+zAFBtwXYNhcLfeIAQEBX4vQAAAQEICh9lCLmEoMrs"} 01351{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1103,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054139605,"flow_dst_last_pkt_time":1484319054132376,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":354,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":354,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319054139605,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.3.140","http": {"url":"23.246.3.140\/range\/0-65535?o=AQEfKq2oMrLRiWL-p-VeIZ6WKRq-X6LMvaLqgxWBCuFbh09MpreORUUOO5Tx1683HPnLY6BPjN_9mlDuYihGZoXu9u0ozH8RFioBN_JDNiRscidjvoSdWmlyZgPNansW0lkBr4X81HvloOi8BS_exVSPhMyJQTB5bg&v=3&e=1484347850&t=-8u4vlcPuFqcOLnLyb9DDtK-bB4&random=357509657","code":0,"content_type":"","user_agent":"netflix-ios-app"}}} -01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054294236,"flow_dst_last_pkt_time":1484319054480080,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":354,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":354,"flow_dst_tot_l4_payload_len":29479,"midstream":0,"thread_ts_usec":1484319054480080,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2187,"avg":18424.1,"max":44333,"stddev":10032.7,"var":100655136.0,"ent":4.7,"data": [30791,32492,5528,44333,2187,41107,2921,12763,15575,14938,14982,12802,12713,26425,12767,11943,13284,17180,31033,13321,13566,25571,14329,13905,26660,13805,13288,27210,13255,13305,27167]},"pktlen": {"min":66,"avg":998.9,"max":1514,"stddev":672.7,"var":452466.1,"ent":4.5,"data": [78,74,66,420,585,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01890{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1140,"source":"netflix.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319049672494,"flow_src_last_pkt_time":1484319054604684,"flow_dst_last_pkt_time":1484319054632485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":216,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":216,"flow_dst_tot_l4_payload_len":17376,"midstream":0,"thread_ts_usec":1484319054632485,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.24","src_port":53153,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2986,"avg":319102.6,"max":4093620,"stddev":811857.0,"var":659111739392.0,"ent":2.8,"data": [24907,27714,2986,28468,27857,27840,80258,56838,56993,49295,90365,82473,40903,66540,53920,192092,80506,134732,711253,22984,31289,47833,1645394,40376,54849,160828,1864439,25699,40451,28479,4093620]},"pktlen": {"min":66,"avg":625.1,"max":1514,"stddev":689.4,"var":475329.8,"ent":4.1,"data": [78,74,66,282,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,94,94,94,94,94,94,94,94,86,78,78,66,1514]},"bins": {"c_to_s": [17,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1]},"ndpi": {"flow_risk": {"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02283{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1132,"source":"netflix.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1484319054101585,"flow_src_last_pkt_time":1484319054294236,"flow_dst_last_pkt_time":1484319054480080,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":354,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":354,"flow_dst_tot_l4_payload_len":29479,"midstream":0,"thread_ts_usec":1484319054480080,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53171,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2187,"avg":18424.1,"max":44333,"stddev":10032.7,"var":100655136.0,"ent":4.7,"data": [30791,32492,5528,44333,2187,41107,2921,12763,15575,14938,14982,12802,12713,26425,12767,11943,13284,17180,31033,13321,13566,25571,14329,13905,26660,13805,13288,27210,13255,13305,27167]},"pktlen": {"min":52,"avg":984.9,"max":1500,"stddev":672.7,"var":452466.1,"ent":4.5,"data": [64,60,52,406,571,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,1,1,1,1],"entropies": [4.527114868,5.266787052,5.118428230,6.362258911,5.831311226,3.571949720,5.233812809,2.540643215,2.558721066,5.195351124,2.550262213,5.038779736,2.557194710,2.582848072,5.195351124,2.547422886,5.038780212,2.553757429,2.570932388,5.195351124,2.541049719,5.115703106,3.780845165,3.769821644,3.779848337,3.819229603,3.784283876,3.803048134,3.786687374,3.790169001,3.883657932,3.464622736]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02289{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1140,"source":"netflix.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319049672494,"flow_src_last_pkt_time":1484319054604684,"flow_dst_last_pkt_time":1484319054632485,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":216,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":216,"flow_dst_tot_l4_payload_len":17376,"midstream":0,"thread_ts_usec":1484319054632485,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.24","src_port":53153,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2986,"avg":319102.6,"max":4093620,"stddev":811857.0,"var":659111739392.0,"ent":2.8,"data": [24907,27714,2986,28468,27857,27840,80258,56838,56993,49295,90365,82473,40903,66540,53920,192092,80506,134732,711253,22984,31289,47833,1645394,40376,54849,160828,1864439,25699,40451,28479,4093620]},"pktlen": {"min":52,"avg":611.1,"max":1500,"stddev":689.4,"var":475329.8,"ent":4.0,"data": [64,60,52,268,52,1500,1500,52,1500,52,1500,64,1500,1500,1500,1500,1500,1500,1500,80,80,80,80,80,80,80,80,72,64,64,52,1500]},"bins": {"c_to_s": [17,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1],"entropies": [4.570159912,5.312702179,5.132945538,5.890671253,5.308815479,5.345861435,5.004974365,5.272274494,6.923064709,5.053297043,7.872980118,5.163660049,7.695485115,7.810632706,7.851381779,7.826048851,7.839385986,7.837315559,7.867424488,5.267898560,5.317898273,5.317898273,5.283462048,5.393421650,5.418421745,5.418421268,5.387294292,5.247972012,5.216578960,5.247828960,5.156889915,7.848117828]},"ndpi": {"flow_risk": {"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1231,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319056204111,"flow_src_last_pkt_time":1484319056204111,"flow_dst_last_pkt_time":1484319056204111,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056204111,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53172,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1231,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_src_last_pkt_time":1484319056204111,"flow_dst_last_pkt_time":1484319056204111,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319056204111,"pkt":"gCqoTGHM5JjWH70UCABFAABAfy9AAEAG1l7AqAEHF\/YLhc+0AFDwxwoWAAAAALAC\/\/9XEAAAAgQFtAEDAwUBAQgKH2UQewAAAAAEAgAA"} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1232,"source":"netflix.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319056210218,"flow_src_last_pkt_time":1484319056210218,"flow_dst_last_pkt_time":1484319056210218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056210218,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53173,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -252,18 +252,18 @@ 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1283,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":3,"flow_src_last_pkt_time":1484319056327623,"flow_dst_last_pkt_time":1484319056326288,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319056327623,"pkt":"gCqoTGHM5JjWH70UCABFAAA0Fj1AAEAGP1XAqAEHF\/YLjc++AFBtOQm7PQ6az4AQEBV4RwAAAQEICh9lEOzE7\/UM"} 01358{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1285,"source":"netflix.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319056264215,"flow_src_last_pkt_time":1484319056336202,"flow_dst_last_pkt_time":1484319056326114,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":359,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056336202,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53181,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.141","http": {"url":"23.246.11.141\/range\/0-65535?o=AQEfKq2oMrLRiWL2puNQLJ2TIBepGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpPbiCFrUjHWqh5ipQCtzf4OVWQ&v=3&e=1484347850&t=tTXu3c6FnJtfi6z0IJp3hw8eDv8&random=129454076","code":0,"content_type":"","user_agent":"netflix-ios-app"}}} 01357{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1286,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319056264541,"flow_src_last_pkt_time":1484319056347066,"flow_dst_last_pkt_time":1484319056326288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319056347066,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53182,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.141","http": {"url":"23.246.11.141\/range\/0-65535?o=AQEfKq2oMrLRiWL2puNQJZ2VKhqgGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzTho_flHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=LQ7LyXSnZaXKEHAHaRRHk-S7dKE&random=4209810633","code":0,"content_type":"","user_agent":"netflix-ios-app"}}} -01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1458,"source":"netflix.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056241489,"flow_src_last_pkt_time":1484319059351882,"flow_dst_last_pkt_time":1484319059371795,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319059371795,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53180,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":394,"avg":201312.9,"max":2097549,"stddev":403399.4,"var":162731114496.0,"ent":3.6,"data": [61813,72267,473,134860,394,125851,1162295,73601,899,212949,11519,409208,101075,1892,70852,2097549,79500,52131,129820,120649,42895,59919,67076,69354,174355,284029,29385,65003,252681,150502,125903]},"pktlen": {"min":66,"avg":507.7,"max":1514,"stddev":638.1,"var":407212.3,"ent":3.9,"data": [78,74,66,426,584,1514,66,94,94,94,94,94,94,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,66,1514]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01885{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1536,"source":"netflix.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056233255,"flow_src_last_pkt_time":1484319060551613,"flow_dst_last_pkt_time":1484319060618267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13563,"midstream":0,"thread_ts_usec":1484319060618267,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53177,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":135,"avg":280753.9,"max":1046959,"stddev":300914.6,"var":90549583872.0,"ent":4.2,"data": [43730,45845,23628,124789,4917,111637,635898,176069,176,135,41643,37401,940199,857,45449,434520,483806,1046959,74656,202356,418896,472205,955340,169880,525271,694311,167240,252312,98045,326303,148897]},"pktlen": {"min":66,"avg":504.1,"max":1514,"stddev":638.9,"var":408170.9,"ent":3.9,"data": [78,74,66,426,585,1514,66,86,86,78,78,78,66,102,1490,66,66,66,1514,1514,66,66,66,1514,66,66,1514,66,1514,1514,66,1514]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01891{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1539,"source":"netflix.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056221799,"flow_src_last_pkt_time":1484319060594060,"flow_dst_last_pkt_time":1484319060664663,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319060664663,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53175,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":569,"avg":284358.9,"max":1636184,"stddev":362564.9,"var":131453321216.0,"ent":4.0,"data": [16087,19422,23622,88585,4002,82236,1105315,26930,21843,19608,569,13093,381586,1636184,66410,119030,421421,408128,882662,90167,143374,490378,519431,92259,120978,487097,597701,217631,227512,270000,221864]},"pktlen": {"min":66,"avg":550.6,"max":1514,"stddev":657.9,"var":432827.8,"ent":4.0,"data": [78,74,66,423,584,1514,66,86,86,86,78,78,78,78,1514,1514,66,78,66,1514,1514,66,66,1514,1514,66,66,1514,66,1514,78,1514]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01904{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1545,"source":"netflix.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319056210218,"flow_src_last_pkt_time":1484319060695068,"flow_dst_last_pkt_time":1484319060746254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":20790,"midstream":0,"thread_ts_usec":1484319060746254,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53173,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4949,"avg":290996.3,"max":1397235,"stddev":314333.5,"var":98805530624.0,"ent":4.2,"data": [23914,25117,18248,72539,4949,71292,152183,249467,985618,26703,1397235,519076,299466,499851,482346,40528,55620,206768,137068,537495,535230,174291,571825,775969,198842,230534,89909,283953,128056,116304,110490]},"pktlen": {"min":66,"avg":730.2,"max":1514,"stddev":699.0,"var":488561.8,"ent":4.2,"data": [78,74,66,423,584,1514,66,1514,66,94,94,1514,86,1514,78,1514,1514,1514,66,1514,66,1514,66,66,1514,66,1514,1514,66,1514,66,1514]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,0,1,0,1,0,1,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01886{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1562,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056264541,"flow_src_last_pkt_time":1484319060916913,"flow_dst_last_pkt_time":1484319060915445,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319060916913,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53182,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":342,"avg":300105.7,"max":2716440,"stddev":539188.2,"var":290723889152.0,"ent":3.6,"data": [61747,63082,19443,172653,342,153906,1162512,94154,1429,12319,104280,65945,674747,41474,39967,488929,2716440,44869,75746,28743,32797,29468,133613,256105,742961,71312,1131465,569658,135441,73631,104098]},"pktlen": {"min":66,"avg":506.6,"max":1514,"stddev":638.8,"var":408052.9,"ent":3.9,"data": [78,74,66,424,584,1514,66,94,86,86,86,86,86,86,78,66,66,1514,1514,66,1514,66,1514,66,1514,78,66,1514,66,1514,1514,66]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1566,"source":"netflix.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056214323,"flow_src_last_pkt_time":1484319060947278,"flow_dst_last_pkt_time":1484319060861747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":12102,"midstream":0,"thread_ts_usec":1484319060947278,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53174,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":302592.9,"max":3094333,"stddev":556136.4,"var":309287714816.0,"ent":3.7,"data": [19993,22151,5332,69145,137,72224,626011,606979,26604,520264,51479,55493,593239,41657,80288,418048,3094333,65564,425655,469983,40810,84995,52141,54303,117697,383081,387305,709380,53664,73805,158619]},"pktlen": {"min":66,"avg":461.8,"max":1514,"stddev":616.5,"var":380048.7,"ent":3.9,"data": [78,74,66,424,584,1514,66,86,86,86,86,78,78,86,78,66,66,1514,78,78,1514,1514,66,1514,66,1514,66,78,1514,78,1514,66]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01878{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1585,"source":"netflix.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056264215,"flow_src_last_pkt_time":1484319061168059,"flow_dst_last_pkt_time":1484319060482194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":359,"flow_dst_tot_l4_payload_len":12101,"midstream":0,"thread_ts_usec":1484319061168059,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53181,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":266,"avg":294252.3,"max":2608516,"stddev":529173.0,"var":280024055808.0,"ent":3.5,"data": [61899,63035,8952,155118,266,150147,1152400,92133,498,591361,113696,141666,52293,522,39853,381137,2608516,28241,68204,27169,29555,26620,56459,81742,44814,43749,497350,496550,1208877,807442,91559]},"pktlen": {"min":66,"avg":463.2,"max":1514,"stddev":615.6,"var":378913.2,"ent":3.9,"data": [78,74,66,425,583,1514,66,94,94,94,94,86,78,78,78,66,78,1514,1514,66,1514,66,1514,1514,66,1514,66,78,66,1514,86,86]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,0,0,0,1,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1592,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056204111,"flow_src_last_pkt_time":1484319061128980,"flow_dst_last_pkt_time":1484319061270358,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061270358,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53172,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":79,"avg":322294.1,"max":3064500,"stddev":576519.8,"var":332375130112.0,"ent":3.6,"data": [11668,15660,2402,60224,1206,79,57126,107813,316921,313910,536684,811161,71198,122498,693690,84709,585634,3064500,52838,57895,98411,231468,526235,115101,671,585669,117652,1178873,25807,79129,64284]},"pktlen": {"min":66,"avg":509.0,"max":1514,"stddev":637.2,"var":406023.8,"ent":4.0,"data": [78,74,66,424,584,1514,1514,66,66,1514,66,94,94,94,94,86,78,86,1514,86,1514,78,1514,94,78,66,78,66,1514,66,1514,1514]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01888{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1621,"source":"netflix.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056233602,"flow_src_last_pkt_time":1484319061706774,"flow_dst_last_pkt_time":1484319061794702,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061794702,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53178,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":240,"avg":355944.2,"max":3546297,"stddev":682699.4,"var":466078498816.0,"ent":3.5,"data": [43247,45294,13187,106701,4927,97880,1317695,102059,98186,240,515839,59813,1148424,57207,54890,165165,3546297,68400,92258,155981,131046,69975,95851,103962,104462,205130,729427,91959,551213,1189389,68168]},"pktlen": {"min":66,"avg":507.2,"max":1514,"stddev":638.4,"var":407523.4,"ent":3.9,"data": [78,74,66,423,584,1514,66,94,94,86,86,86,86,86,78,78,66,1514,66,1514,66,1514,1514,66,1514,66,1514,78,66,66,1514,1514]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01887{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056234960,"flow_src_last_pkt_time":1484319062638948,"flow_dst_last_pkt_time":1484319062680623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319062680623,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53179,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":414504.9,"max":4457097,"stddev":811357.3,"var":658300731392.0,"ent":3.6,"data": [41445,43452,2932,82082,72,78739,1252127,77707,132171,828,525346,100674,510044,513013,40289,4457097,87034,1392951,522404,574888,39602,91204,57625,58127,138968,449063,380142,69915,139503,473414,516793]},"pktlen": {"min":66,"avg":552.1,"max":1514,"stddev":656.8,"var":431419.8,"ent":4.0,"data": [78,74,66,424,584,1514,66,94,94,86,86,86,86,86,78,78,1514,1514,66,66,1514,1514,66,1514,66,1514,66,1514,1514,66,66,1514]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01882{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1725,"source":"netflix.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319056232857,"flow_src_last_pkt_time":1484319062946776,"flow_dst_last_pkt_time":1484319063015567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":10653,"midstream":0,"thread_ts_usec":1484319063015567,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53176,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":682,"avg":435375.1,"max":4431980,"stddev":814478.7,"var":663375511552.0,"ent":3.6,"data": [43856,45826,13429,88623,4898,81946,1250769,92472,118428,682,544165,69196,495457,501654,62886,1143862,28583,39116,4431980,82976,87813,169881,586445,795488,292945,509017,501170,1203523,55860,83014,70669]},"pktlen": {"min":66,"avg":418.2,"max":1514,"stddev":589.2,"var":347103.4,"ent":3.8,"data": [78,74,66,424,583,1514,66,94,94,86,86,86,86,86,78,78,78,78,78,1514,66,1514,78,66,1514,78,66,66,1514,1514,66,1514]},"bins": {"c_to_s": [22,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,1,0,0,0,1,1,0,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01586{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1851,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":136,"avg":1958267.8,"max":30086001,"stddev":7379834.5,"var":54461959503872.0,"ent":1.1,"data": [47011,48359,1676,53080,2562,989,62283,11050,5991,10798,261,350,60341,3416,50128,4429,893,563,55944,50485,306,42722,3984,5077,5232,136,57719,311,30033380,30086001,822]},"pktlen": {"min":66,"avg":394.0,"max":1514,"stddev":556.9,"var":310128.2,"ent":3.9,"data": [78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,351,66,66,66,1007,126,66,66,66,97,66]},"bins": {"c_to_s": [9,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0],"s_to_c": [9,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,1,1]}} +02280{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1458,"source":"netflix.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056241489,"flow_src_last_pkt_time":1484319059351882,"flow_dst_last_pkt_time":1484319059371795,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319059371795,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53180,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":394,"avg":201312.9,"max":2097549,"stddev":403399.4,"var":162731114496.0,"ent":3.6,"data": [61813,72267,473,134860,394,125851,1162295,73601,899,212949,11519,409208,101075,1892,70852,2097549,79500,52131,129820,120649,42895,59919,67076,69354,174355,284029,29385,65003,252681,150502,125903]},"pktlen": {"min":52,"avg":493.7,"max":1500,"stddev":638.1,"var":407212.3,"ent":3.9,"data": [64,60,52,412,570,1500,52,80,80,80,80,80,80,64,64,52,1500,52,1500,52,1500,1500,52,1500,52,1500,64,52,52,1500,52,1500]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,0,1],"entropies": [4.601409912,5.346035957,5.041505337,6.346901894,5.793770790,4.440931797,5.065449238,5.202858448,5.202857018,5.262294292,5.341651440,5.366651535,5.317899227,5.165874004,5.228374004,5.195351601,4.782721043,5.156889915,4.790072441,5.101186275,4.825405598,4.817777157,5.233812809,4.752513409,5.024262905,4.806689262,5.165874004,5.195351124,5.195351124,4.632717133,5.024262905,4.635102272]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02283{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1536,"source":"netflix.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056233255,"flow_src_last_pkt_time":1484319060551613,"flow_dst_last_pkt_time":1484319060618267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":360,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":13563,"midstream":0,"thread_ts_usec":1484319060618267,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53177,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":135,"avg":280753.9,"max":1046959,"stddev":300914.6,"var":90549583872.0,"ent":4.2,"data": [43730,45845,23628,124789,4917,111637,635898,176069,176,135,41643,37401,940199,857,45449,434520,483806,1046959,74656,202356,418896,472205,955340,169880,525271,694311,167240,252312,98045,326303,148897]},"pktlen": {"min":52,"avg":490.1,"max":1500,"stddev":638.9,"var":408170.9,"ent":3.9,"data": [64,60,52,412,571,1500,52,72,72,64,64,64,52,88,1476,52,52,52,1500,1500,52,52,52,1500,52,52,1500,52,1500,1500,52,1500]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,1,0,0,1,0,1,1,0,1],"entropies": [4.527114868,5.312702179,5.003043652,6.355251789,5.803568363,4.440690517,5.118427753,5.277718067,5.249940395,5.146419048,5.208919048,5.134624004,5.056021690,4.908463001,4.253908634,5.156889915,5.156889439,5.118427753,4.918218613,4.902011871,5.000318050,5.118427753,5.118427753,4.876659870,4.985801220,5.017560482,4.758782864,4.961856365,4.610503674,4.658255100,5.118427753,4.789437294]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02290{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1539,"source":"netflix.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056221799,"flow_src_last_pkt_time":1484319060594060,"flow_dst_last_pkt_time":1484319060664663,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319060664663,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53175,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":569,"avg":284358.9,"max":1636184,"stddev":362564.9,"var":131453321216.0,"ent":4.0,"data": [16087,19422,23622,88585,4002,82236,1105315,26930,21843,19608,569,13093,381586,1636184,66410,119030,421421,408128,882662,90167,143374,490378,519431,92259,120978,487097,597701,217631,227512,270000,221864]},"pktlen": {"min":52,"avg":536.6,"max":1500,"stddev":657.9,"var":432827.8,"ent":3.9,"data": [64,60,52,409,570,1500,52,72,72,72,64,64,64,64,1500,1500,52,64,52,1500,1500,52,52,1500,1500,52,52,1500,52,1500,64,1500]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1],"entropies": [4.538909912,5.333454132,5.142372608,6.390935421,5.823237419,4.453172207,5.118427753,5.333272934,5.385473251,5.387441158,5.216578960,5.208919048,5.216578960,5.228374004,3.805912256,4.418298721,5.156889915,5.072124004,5.233813286,4.401393414,4.419836998,5.233812809,5.195351124,4.383244514,4.387027740,5.233812809,5.209868431,4.311857224,5.000318527,4.386717796,5.240169048,4.585660934]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02303{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1545,"source":"netflix.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319056210218,"flow_src_last_pkt_time":1484319060695068,"flow_dst_last_pkt_time":1484319060746254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":20790,"midstream":0,"thread_ts_usec":1484319060746254,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53173,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4949,"avg":290996.3,"max":1397235,"stddev":314333.5,"var":98805530624.0,"ent":4.2,"data": [23914,25117,18248,72539,4949,71292,152183,249467,985618,26703,1397235,519076,299466,499851,482346,40528,55620,206768,137068,537495,535230,174291,571825,775969,198842,230534,89909,283953,128056,116304,110490]},"pktlen": {"min":52,"avg":716.2,"max":1500,"stddev":699.0,"var":488561.8,"ent":4.2,"data": [64,60,52,409,570,1500,52,1500,52,80,80,1500,72,1500,64,1500,1500,1500,52,1500,52,1500,52,52,1500,52,1500,1500,52,1500,52,1500]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,0,1,0,1,0,1,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1],"entropies": [4.601409912,5.266787052,5.036415577,6.391139984,5.809580326,4.456539154,5.041504860,4.186237812,4.961856842,5.322779179,5.322779179,4.373055458,5.331886292,4.362320423,5.228374004,4.324150085,4.463343143,4.271175385,5.118428230,4.316685200,5.142372608,4.338371277,5.077241421,5.195351124,4.538278103,5.038779736,4.711270332,4.737337112,5.079966545,4.685406208,5.233812809,4.710971355]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02285{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1562,"source":"netflix.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056264541,"flow_src_last_pkt_time":1484319060916913,"flow_dst_last_pkt_time":1484319060915445,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319060916913,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53182,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":342,"avg":300105.7,"max":2716440,"stddev":539188.2,"var":290723889152.0,"ent":3.6,"data": [61747,63082,19443,172653,342,153906,1162512,94154,1429,12319,104280,65945,674747,41474,39967,488929,2716440,44869,75746,28743,32797,29468,133613,256105,742961,71312,1131465,569658,135441,73631,104098]},"pktlen": {"min":52,"avg":492.6,"max":1500,"stddev":638.8,"var":408052.9,"ent":3.9,"data": [64,60,52,410,570,1500,52,80,72,72,72,72,72,72,64,52,52,1500,1500,52,1500,52,1500,52,1500,64,52,1500,52,1500,1500,52]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,0,1,0,0,1,0,1,1,0],"entropies": [4.601409912,5.379369259,5.103910923,6.382707119,5.801897049,4.439589024,5.156889439,5.282214642,5.359663963,5.304108143,5.359663963,5.304108143,5.263877869,5.293623924,5.290874004,5.156889915,5.038779736,4.572134495,4.543495178,5.115703106,4.553971767,4.993616104,4.540792465,4.955154419,4.553669930,5.177669048,5.079966545,4.316857815,4.961856842,4.387219906,4.488969326,5.079966545]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02280{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1566,"source":"netflix.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056214323,"flow_src_last_pkt_time":1484319060947278,"flow_dst_last_pkt_time":1484319060861747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":12102,"midstream":0,"thread_ts_usec":1484319060947278,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53174,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":302592.9,"max":3094333,"stddev":556136.4,"var":309287714816.0,"ent":3.7,"data": [19993,22151,5332,69145,137,72224,626011,606979,26604,520264,51479,55493,593239,41657,80288,418048,3094333,65564,425655,469983,40810,84995,52141,54303,117697,383081,387305,709380,53664,73805,158619]},"pktlen": {"min":52,"avg":447.8,"max":1500,"stddev":616.5,"var":380048.7,"ent":3.8,"data": [64,60,52,410,570,1500,52,72,72,72,72,64,64,72,64,52,52,1500,64,64,1500,1500,52,1500,52,1500,52,64,1500,64,1500,52]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,0],"entropies": [4.538909912,5.312702179,5.065449715,6.359480381,5.816523552,4.445319176,5.065449238,5.277717590,5.387441635,5.387441635,5.248553276,5.259624004,5.228374004,5.331886292,5.259624004,5.272274494,5.115703106,4.653451920,5.163660049,5.185328960,4.692939758,4.660350800,5.065449715,4.689436913,5.077241898,4.606202602,5.156889439,5.290874004,4.357360840,5.290874004,4.495481014,5.233812809]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02277{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1585,"source":"netflix.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319056264215,"flow_src_last_pkt_time":1484319061168059,"flow_dst_last_pkt_time":1484319060482194,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":359,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":359,"flow_dst_tot_l4_payload_len":12101,"midstream":0,"thread_ts_usec":1484319061168059,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53181,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":266,"avg":294252.3,"max":2608516,"stddev":529173.0,"var":280024055808.0,"ent":3.5,"data": [61899,63035,8952,155118,266,150147,1152400,92133,498,591361,113696,141666,52293,522,39853,381137,2608516,28241,68204,27169,29555,26620,56459,81742,44814,43749,497350,496550,1208877,807442,91559]},"pktlen": {"min":52,"avg":449.2,"max":1500,"stddev":615.6,"var":378913.2,"ent":3.8,"data": [64,60,52,411,569,1500,52,80,80,80,80,72,64,64,64,52,64,1500,1500,52,1500,52,1500,1500,52,1500,52,64,52,1500,72,72]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,1,1,0,1,0,0,0,1,0,0],"entropies": [4.570159912,5.346035480,5.065449715,6.363940239,5.804843426,4.442625046,5.142372608,5.362294197,5.337294102,5.312294006,5.287294388,5.333272934,5.197124004,5.240169048,5.240169048,5.156889439,5.152518272,4.990313053,4.973003864,5.195351124,4.964061737,5.000318050,4.996945381,4.996238232,5.156889439,4.959667683,5.038779736,5.146419048,5.003043175,4.680668831,5.247971535,5.333272934]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02280{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1592,"source":"netflix.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056204111,"flow_src_last_pkt_time":1484319061128980,"flow_dst_last_pkt_time":1484319061270358,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061270358,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53172,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":79,"avg":322294.1,"max":3064500,"stddev":576519.8,"var":332375130112.0,"ent":3.6,"data": [11668,15660,2402,60224,1206,79,57126,107813,316921,313910,536684,811161,71198,122498,693690,84709,585634,3064500,52838,57895,98411,231468,526235,115101,671,585669,117652,1178873,25807,79129,64284]},"pktlen": {"min":52,"avg":495.0,"max":1500,"stddev":637.2,"var":406023.8,"ent":3.9,"data": [64,60,52,410,570,1500,1500,52,52,1500,52,80,80,80,80,72,64,72,1500,72,1500,64,1500,80,64,52,64,52,1500,52,1500,1500]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,1,0,1,1],"entropies": [4.507659912,5.233454227,4.964581966,6.333802700,5.821110249,4.461877346,4.201263905,5.132945538,5.014835358,3.777186632,4.976373672,5.144669533,5.135233879,5.169670582,5.169669628,5.192996979,5.140319824,5.248552799,4.282153130,5.248552322,4.242815018,4.995864868,4.290421486,5.085232735,5.140319824,5.132945538,5.140319824,5.056022167,4.478749752,5.053297043,4.467899799,4.518882275]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02287{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1621,"source":"netflix.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1484319056233602,"flow_src_last_pkt_time":1484319061706774,"flow_dst_last_pkt_time":1484319061794702,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":357,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":13550,"midstream":0,"thread_ts_usec":1484319061794702,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53178,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":240,"avg":355944.2,"max":3546297,"stddev":682699.4,"var":466078498816.0,"ent":3.5,"data": [43247,45294,13187,106701,4927,97880,1317695,102059,98186,240,515839,59813,1148424,57207,54890,165165,3546297,68400,92258,155981,131046,69975,95851,103962,104462,205130,729427,91959,551213,1189389,68168]},"pktlen": {"min":52,"avg":493.2,"max":1500,"stddev":638.4,"var":407523.4,"ent":3.9,"data": [64,60,52,409,570,1500,52,80,80,72,72,72,72,72,64,64,52,1500,52,1500,52,1500,1500,52,1500,52,1500,64,52,52,1500,1500]},"bins": {"c_to_s": [20,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,1,0,1,0,1,0,0,0,1,1],"entropies": [4.515677452,5.333454132,5.041505337,6.377946854,5.816387177,4.450622082,5.118428230,5.366649628,5.366649628,5.359663963,5.333272934,5.387441635,5.387441635,5.293623924,5.290874004,5.322124004,5.272274494,4.440482140,5.209868431,4.489046574,5.014835358,4.480661392,4.471484184,5.233812809,4.471359730,5.062724590,4.458212852,5.290874004,5.233812809,5.000318527,4.395615101,4.444458961]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02286{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1694,"source":"netflix.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1484319056234960,"flow_src_last_pkt_time":1484319062638948,"flow_dst_last_pkt_time":1484319062680623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":14998,"midstream":0,"thread_ts_usec":1484319062680623,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53179,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":414504.9,"max":4457097,"stddev":811357.3,"var":658300731392.0,"ent":3.6,"data": [41445,43452,2932,82082,72,78739,1252127,77707,132171,828,525346,100674,510044,513013,40289,4457097,87034,1392951,522404,574888,39602,91204,57625,58127,138968,449063,380142,69915,139503,473414,516793]},"pktlen": {"min":52,"avg":538.1,"max":1500,"stddev":656.8,"var":431419.8,"ent":3.9,"data": [64,60,52,410,570,1500,52,80,80,72,72,72,72,72,64,64,1500,1500,52,52,1500,1500,52,1500,52,1500,52,1500,1500,52,52,1500]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1],"entropies": [4.538909912,5.312702179,5.026988029,6.353898048,5.812767506,4.447575092,5.118428230,5.316649437,5.391650200,5.387441635,5.387441635,5.361050606,5.333272934,5.331886292,5.228374004,5.228374004,4.410194397,4.460495949,5.079966545,5.195351124,4.415517807,4.454523087,5.195351601,4.441005707,5.077241421,4.548726559,5.156889915,4.299219608,4.319707394,5.195351601,5.156889439,4.440834999]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02281{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1725,"source":"netflix.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319056232857,"flow_src_last_pkt_time":1484319062946776,"flow_dst_last_pkt_time":1484319063015567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":358,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":358,"flow_dst_tot_l4_payload_len":10653,"midstream":0,"thread_ts_usec":1484319063015567,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53176,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":682,"avg":435375.1,"max":4431980,"stddev":814478.7,"var":663375511552.0,"ent":3.6,"data": [43856,45826,13429,88623,4898,81946,1250769,92472,118428,682,544165,69196,495457,501654,62886,1143862,28583,39116,4431980,82976,87813,169881,586445,795488,292945,509017,501170,1203523,55860,83014,70669]},"pktlen": {"min":52,"avg":404.2,"max":1500,"stddev":589.2,"var":347103.4,"ent":3.7,"data": [64,60,52,410,569,1500,52,80,80,72,72,72,72,72,64,64,64,64,64,1500,52,1500,64,52,1500,64,52,52,1500,1500,52,1500]},"bins": {"c_to_s": [22,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,1,0,0,0,1,1,0,1],"entropies": [4.570159912,5.166786671,4.974009037,6.366189480,5.841994762,4.452114582,5.079966545,5.252857208,5.332214355,5.359663963,5.387441635,5.293623924,5.359663486,5.276330948,5.290874004,5.144205093,5.290874004,5.259624004,5.154078960,4.322241306,5.038779736,4.343337059,5.163660049,5.156889439,4.373079300,5.208919048,5.180834293,5.195351124,4.324346066,4.345085144,5.195351124,4.404635906]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +01983{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1851,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":136,"avg":1958267.8,"max":30086001,"stddev":7379834.5,"var":54461959503872.0,"ent":1.1,"data": [47011,48359,1676,53080,2562,989,62283,11050,5991,10798,261,350,60341,3416,50128,4429,893,563,55944,50485,306,42722,3984,5077,5232,136,57719,311,30033380,30086001,822]},"pktlen": {"min":52,"avg":380.0,"max":1500,"stddev":556.9,"var":310128.2,"ent":3.8,"data": [64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1402,1500,1500,52,1500,337,52,52,52,993,112,52,52,52,83,52]},"bins": {"c_to_s": [9,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0],"s_to_c": [9,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,0,0,0,1,1],"entropies": [4.484876633,5.289900780,5.078045845,5.808425426,5.131024837,7.255376339,7.317865372,5.092562675,6.901146412,5.131024361,6.124006748,5.004364967,6.039024830,5.169486046,6.007705688,5.169486046,7.873569965,7.881214619,7.864243507,5.169486046,7.845795155,7.405421257,5.116507530,5.078045845,5.131024361,7.806305885,6.290623188,5.169486046,5.092563152,5.094483852,5.825018406,5.132945538]}} 01584{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1851,"source":"netflix.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319033631945,"flow_src_last_pkt_time":1484319063959877,"flow_dst_last_pkt_time":1484319064010312,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6334,"flow_dst_tot_l4_payload_len":4142,"midstream":0,"thread_ts_usec":1484319064010312,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53118,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1907,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319064590230,"flow_dst_last_pkt_time":1484319064590230,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319064590230,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1907,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1484319064590230,"flow_dst_last_pkt_time":1484319064590230,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319064590230,"pkt":"gCqoTGHM5JjWH70UCABFAABAVptAAEAGBuzAqAEHF\/YDjM+\/AFBrAzOSAAAAALAC\/\/+cMAAAAgQFtAEDAwUBAQgKH2UvkQAAAAAEAgAA"} @@ -286,7 +286,7 @@ 01020{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1930,"source":"netflix.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319064683828,"flow_src_last_pkt_time":1484319064683828,"flow_dst_last_pkt_time":1484319064699948,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":41,"flow_dst_max_l4_payload_len":206,"flow_src_tot_l4_payload_len":41,"flow_dst_tot_l4_payload_len":206,"midstream":0,"thread_ts_usec":1484319064699948,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":60962,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.geo.netflix.com","dns": {"num_queries":1,"num_answers":9,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"52.37.36.252"}}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1935,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064711690,"flow_dst_last_pkt_time":1484319064711690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319064711690,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1935,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1484319064711690,"flow_dst_last_pkt_time":1484319064711690,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319064711690,"pkt":"gCqoTGHM5JjWH70UCABFAABAfOpAAEAGov3AqAEHNCUk\/M\/TAbvE99WSAAAAALAC\/\/9grAAAAgQFtAEDAwUBAQgKH2UwAgAAAAAEAgAA"} -01582{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":74,"avg":1003326.9,"max":30431499,"stddev":5372888.5,"var":28867930619904.0,"ent":0.2,"data": [44924,46321,7446,58250,1844,979,55802,12140,9904,9342,287,206,60460,132,50780,11459,460,157,72134,60865,339,50757,444,15673,16944,136,74,82928,303,146,30431499]},"pktlen": {"min":66,"avg":393.5,"max":1514,"stddev":557.0,"var":310204.4,"ent":3.9,"data": [78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1416,1514,1514,66,1514,336,66,66,66,1007,121,100,66,66,66,66]},"bins": {"c_to_s": [10,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0],"s_to_c": [7,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,1,0,0,0,0]}} +01978{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":74,"avg":1003326.9,"max":30431499,"stddev":5372888.5,"var":28867930619904.0,"ent":0.2,"data": [44924,46321,7446,58250,1844,979,55802,12140,9904,9342,287,206,60460,132,50780,11459,460,157,72134,60865,339,50757,444,15673,16944,136,74,82928,303,146,30431499]},"pktlen": {"min":52,"avg":379.5,"max":1500,"stddev":557.0,"var":310204.4,"ent":3.8,"data": [64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1402,1500,1500,52,1500,322,52,52,52,993,107,86,52,52,52,52]},"bins": {"c_to_s": [10,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0],"s_to_c": [7,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,1,1,1,1,1,1,0,0,0,0],"entropies": [4.598081589,5.256567001,5.131024837,5.819132805,5.246409416,7.227420330,7.332920074,5.092563152,6.984497547,5.169486046,6.274277210,5.113821983,5.948767662,5.284871101,6.050486565,5.246409416,7.870395660,7.873335838,7.867392540,5.246409416,7.876014709,7.339691162,5.169486046,5.284871101,5.284871101,7.775086403,6.215628147,5.873826027,5.246409416,5.169486046,5.154969215,5.003043175]}} 01585{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1936,"source":"netflix.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1484319033943762,"flow_src_last_pkt_time":1484319064712006,"flow_dst_last_pkt_time":1484319034278653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":6319,"flow_dst_tot_l4_payload_len":4140,"midstream":0,"thread_ts_usec":1484319064712006,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.69.204.241","src_port":53119,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1937,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1484319064671268,"flow_dst_last_pkt_time":1484319064722112,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319064722112,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACoGRvs2vxEzwKgBBwG7z9JcNkhzU8YNlaASOJDYrwAAAgQFtAQCCAqtilitH2Uv3gEDAwg="} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1938,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1484319064669455,"flow_dst_last_pkt_time":1484319064722814,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319064722814,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAACkGR\/s2vxEzwKgBBwG7z8mqa43KKbVWHqASOJAmtQAAAgQFtAQCCAqtilitH2Uv3QEDAwg="} @@ -303,20 +303,20 @@ 01150{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1968,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064785302,"flow_dst_last_pkt_time":1484319064885811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":229,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":229,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1484319064885811,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01569{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1969,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319064729673,"flow_dst_last_pkt_time":1484319064898548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2528,"midstream":0,"thread_ts_usec":1484319064898548,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}} 01580{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1977,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319064785302,"flow_dst_last_pkt_time":1484319064950196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":229,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":229,"flow_dst_tot_l4_payload_len":2896,"midstream":0,"thread_ts_usec":1484319064950196,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} -01596{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2040,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319064669455,"flow_src_last_pkt_time":1484319065388464,"flow_dst_last_pkt_time":1484319065423935,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":23355,"flow_dst_tot_l4_payload_len":2633,"midstream":0,"thread_ts_usec":1484319065423935,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":47531.9,"max":266118,"stddev":57373.9,"var":3291763968.0,"ent":4.0,"data": [53359,54641,4455,73724,451,53617,123531,11602,72543,62717,1529,55777,52363,2209,208,426,218,96299,96364,227,131,105,82592,81689,880,205,155,38176,40581,146597,266118]},"pktlen": {"min":66,"avg":879.4,"max":1514,"stddev":680.5,"var":463015.4,"ent":4.4,"data": [78,74,66,583,66,1514,1146,66,192,117,66,1058,120,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,1514,1514,1514,86]},"bins": {"c_to_s": [5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0],"s_to_c": [5,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1]}} +01995{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2040,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319064669455,"flow_src_last_pkt_time":1484319065388464,"flow_dst_last_pkt_time":1484319065423935,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":23355,"flow_dst_tot_l4_payload_len":2633,"midstream":0,"thread_ts_usec":1484319065423935,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":47531.9,"max":266118,"stddev":57373.9,"var":3291763968.0,"ent":4.0,"data": [53359,54641,4455,73724,451,53617,123531,11602,72543,62717,1529,55777,52363,2209,208,426,218,96299,96364,227,131,105,82592,81689,880,205,155,38176,40581,146597,266118]},"pktlen": {"min":52,"avg":865.4,"max":1500,"stddev":680.5,"var":463015.4,"ent":4.4,"data": [64,60,52,569,52,1500,1132,52,178,103,52,1044,106,52,1500,1500,1500,1500,52,1500,1500,1500,1500,52,1500,1500,1500,1500,1500,1500,1500,72]},"bins": {"c_to_s": [5,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0],"s_to_c": [5,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1],"entropies": [4.578626633,5.335815907,5.207947731,4.350263596,5.169486523,7.184256554,7.647752762,5.207947731,6.566578865,6.006330490,5.169486046,7.810021400,6.234852314,5.215455055,7.860099316,7.858446598,7.850243568,7.875246525,5.284871101,7.867991447,7.875946045,7.875228882,7.851313114,5.246409416,7.892469883,7.867894650,7.855500698,7.875078678,7.889169693,7.874140739,7.858912468,5.388828278]}} 01573{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2040,"source":"netflix.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1484319064669455,"flow_src_last_pkt_time":1484319065388464,"flow_dst_last_pkt_time":1484319065423935,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":23355,"flow_dst_tot_l4_payload_len":2633,"midstream":0,"thread_ts_usec":1484319065423935,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53193,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}} -01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":182,"avg":52521.9,"max":282465,"stddev":58168.2,"var":3383536896.0,"ent":4.2,"data": [50844,52144,6261,61059,40719,74658,170395,11813,79420,67625,2032,57431,55801,1745,844,219,182,82546,79700,249,94600,127478,60574,282465,10583,27617,37968,39882,42871,7730,723]},"pktlen": {"min":66,"avg":566.5,"max":1514,"stddev":629.7,"var":396553.7,"ent":4.1,"data": [78,74,66,583,66,1514,1146,66,192,117,66,1057,120,66,1514,1514,1514,1514,66,1514,401,66,66,1257,66,1514,1500,66,115,66,97,66]},"bins": {"c_to_s": [10,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,1,1,1,0,1,1,0,1,0,0,0]}} +01992{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2062,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":182,"avg":52521.9,"max":282465,"stddev":58168.2,"var":3383536896.0,"ent":4.2,"data": [50844,52144,6261,61059,40719,74658,170395,11813,79420,67625,2032,57431,55801,1745,844,219,182,82546,79700,249,94600,127478,60574,282465,10583,27617,37968,39882,42871,7730,723]},"pktlen": {"min":52,"avg":552.5,"max":1500,"stddev":629.7,"var":396553.7,"ent":4.0,"data": [64,60,52,569,52,1500,1132,52,178,103,52,1043,106,52,1500,1500,1500,1500,52,1500,387,52,52,1243,52,1500,1486,52,101,52,83,52]},"bins": {"c_to_s": [10,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0],"s_to_c": [5,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,2,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,1,1,1,0,1,1,0,1,0,0,0],"entropies": [4.598081589,5.369149208,5.169486046,4.365832806,5.154969215,7.171761036,7.662086964,5.169486523,6.518167496,5.984750271,5.100070000,7.782325745,6.202902317,5.246409416,7.867114544,7.871539593,7.857532978,7.870780945,5.078046322,7.856834412,7.434062958,5.154969215,5.154969215,7.833981991,5.246409416,7.884502411,7.878024578,5.246409416,6.160539627,5.207947731,5.791826725,5.094483852]}} 01573{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2062,"source":"netflix.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1484319064671268,"flow_src_last_pkt_time":1484319065492035,"flow_dst_last_pkt_time":1484319065478679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":9240,"flow_dst_tot_l4_payload_len":6755,"midstream":0,"thread_ts_usec":1484319065492035,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"54.191.17.51","src_port":53202,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ios.nccp.netflix.com","tls": {"version":"TLSv1.2","server_names":"*.nccp.netflix.com","ja3":"dc67ac8aaf8d7f69ecd6598135448f24","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"CN=Primary Certificate Authority (2009), ST=California, C=US, O=Netflix Inc, OU=Electronic Delivery, L=Los Gatos","subjectDN":"CN=*.nccp.netflix.com, O=Netflix, Inc., OU=Operations, C=US, ST=California, L=Los Gatos","fingerprint":"97:F6:63:95:8F:F2:5E:E0:80:12:5A:FD:BF:B2:EB:FE:A2:FE:72:33"}}} -01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2094,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":59431.0,"max":332646,"stddev":83335.9,"var":6944879104.0,"ent":3.8,"data": [69450,70962,2650,55568,49103,64385,167918,331939,332646,26549,653,732,87677,534,60709,8817,7117,449,81078,62803,767,160,105,68135,67101,803,163,105,111161,109572,2549]},"pktlen": {"min":66,"avg":760.1,"max":1514,"stddev":703.8,"var":495333.0,"ent":4.3,"data": [78,74,66,295,66,1514,1514,66,229,66,141,72,111,66,117,66,1417,1514,1514,66,1514,1514,1514,1514,66,1514,1514,1514,1514,66,1514,1514]},"bins": {"c_to_s": [6,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,12,0,0],"s_to_c": [6,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0]}} +01991{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2094,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":105,"avg":59431.0,"max":332646,"stddev":83335.9,"var":6944879104.0,"ent":3.8,"data": [69450,70962,2650,55568,49103,64385,167918,331939,332646,26549,653,732,87677,534,60709,8817,7117,449,81078,62803,767,160,105,68135,67101,803,163,105,111161,109572,2549]},"pktlen": {"min":52,"avg":746.1,"max":1500,"stddev":703.8,"var":495333.0,"ent":4.2,"data": [64,60,52,281,52,1500,1500,52,215,52,127,58,97,52,103,52,1403,1500,1500,52,1500,1500,1500,1500,52,1500,1500,1500,1500,52,1500,1500]},"bins": {"c_to_s": [6,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,12,0,0],"s_to_c": [6,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0],"entropies": [4.578626633,5.323234081,5.169486046,5.810972691,5.131024837,7.231025219,7.326107502,5.154969215,6.940334797,5.169486523,6.230382919,5.079339504,6.149899960,5.207948208,5.992234230,5.193430901,7.859437466,7.874912739,7.853219032,5.207947731,7.901949883,7.848706245,7.875315189,7.851129055,5.207947731,7.874441147,7.863263607,7.860793114,7.870314598,5.207947731,7.870880127,7.866354465]}} 01585{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2094,"source":"netflix.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1484319064711690,"flow_src_last_pkt_time":1484319065635020,"flow_dst_last_pkt_time":1484319065630720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":19082,"flow_dst_tot_l4_payload_len":3110,"midstream":0,"thread_ts_usec":1484319065635020,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.37.36.252","src_port":53203,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"ichnaea.netflix.com","tls": {"version":"TLSv1.2","server_names":"ichnaea.netflix.com,beacon.netflix.com,presentationtracking.netflix.com,nmtracking.netflix.com,customerevents.netflix.com","ja3":"c07cb55f88702033a8f52c046d23e0b2","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=customerevents.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"50:D6:DB:AF:1D:A3:83:52:E6:0E:15:8F:98:78:EE:2F:23:FD:E2:3F"}}} -01885{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2131,"source":"netflix.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319064593980,"flow_src_last_pkt_time":1484319066015206,"flow_dst_last_pkt_time":1484319066064571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":19133,"midstream":0,"thread_ts_usec":1484319066064571,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2593,"avg":93284.4,"max":471964,"stddev":119313.2,"var":14235634688.0,"ent":4.1,"data": [26070,27491,2593,46530,5363,49411,29634,29502,8466,38422,5397,39840,38400,39693,140326,138333,356578,206910,471964,29274,417442,40849,81521,44012,43364,83015,187750,28619,25160,184386,25502]},"pktlen": {"min":66,"avg":698.8,"max":1514,"stddev":659.1,"var":434476.8,"ent":4.3,"data": [78,74,66,575,635,1514,66,677,66,581,643,1514,66,1514,66,1514,1514,94,1514,78,66,1514,1514,66,1514,66,1514,86,78,66,1514,1514]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01882{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2195,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319066598421,"flow_dst_last_pkt_time":1484319065741809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":17969,"midstream":0,"thread_ts_usec":1484319066598421,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5292,"avg":101928.1,"max":730898,"stddev":155663.8,"var":24231225344.0,"ent":4.0,"data": [30477,31515,13216,64005,5292,56409,6142,68156,5406,71534,109518,202677,164827,560321,47319,78954,279545,27696,94465,26601,26144,15824,70512,85885,39451,39774,41592,84438,730898,41457,39720]},"pktlen": {"min":66,"avg":662.3,"max":1514,"stddev":653.4,"var":426995.3,"ent":4.2,"data": [78,74,66,571,632,965,66,578,642,1514,66,1514,1514,1514,86,78,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,78,86,78,66]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,0,0,0,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02284{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2131,"source":"netflix.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319064593980,"flow_src_last_pkt_time":1484319066015206,"flow_dst_last_pkt_time":1484319066064571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":19133,"midstream":0,"thread_ts_usec":1484319066064571,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53184,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2593,"avg":93284.4,"max":471964,"stddev":119313.2,"var":14235634688.0,"ent":4.1,"data": [26070,27491,2593,46530,5363,49411,29634,29502,8466,38422,5397,39840,38400,39693,140326,138333,356578,206910,471964,29274,417442,40849,81521,44012,43364,83015,187750,28619,25160,184386,25502]},"pktlen": {"min":52,"avg":684.8,"max":1500,"stddev":659.1,"var":434476.8,"ent":4.2,"data": [64,60,52,561,621,1500,52,663,52,567,629,1500,52,1500,52,1500,1500,80,1500,64,52,1500,1500,52,1500,52,1500,72,64,52,1500,1500]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,0,0,0,1,1],"entropies": [4.570159912,5.266787052,5.065449715,6.275901794,5.797811985,4.453124046,5.118428230,4.223619461,5.089393616,6.289565086,5.782683849,3.849286318,5.103911400,6.893377781,5.000318050,7.605064869,7.871351719,5.248013020,7.860187054,5.187250137,5.077241421,7.867404461,7.859804153,5.065449238,7.885848045,5.000318527,7.863960743,5.267232895,5.115169048,5.079966545,7.857268333,7.882204533]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02281{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2195,"source":"netflix.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319064590230,"flow_src_last_pkt_time":1484319066598421,"flow_dst_last_pkt_time":1484319065741809,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":512,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":17969,"midstream":0,"thread_ts_usec":1484319066598421,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.3.140","src_port":53183,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5292,"avg":101928.1,"max":730898,"stddev":155663.8,"var":24231225344.0,"ent":4.0,"data": [30477,31515,13216,64005,5292,56409,6142,68156,5406,71534,109518,202677,164827,560321,47319,78954,279545,27696,94465,26601,26144,15824,70512,85885,39451,39774,41592,84438,730898,41457,39720]},"pktlen": {"min":52,"avg":648.3,"max":1500,"stddev":653.4,"var":426995.3,"ent":4.2,"data": [64,60,52,557,618,951,52,564,628,1500,52,1500,1500,1500,72,64,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,64,72,64,52]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,0,0,0,0],"entropies": [4.476409912,5.212701797,5.156889915,6.230133057,5.778679371,3.867035151,5.079966545,6.195135117,5.745929718,3.167200804,5.094483852,7.856627464,7.824065208,7.816611290,5.331886292,5.165874004,5.118428230,7.781126976,7.831735134,5.118428230,7.778219700,4.961856365,5.882567406,7.827349663,5.103910923,7.794489861,4.961856365,7.814080238,4.958919048,5.244518280,5.083919048,5.079966545]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2494,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070636683,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319070636683,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2494,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":1,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070636683,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1484319070636683,"pkt":"gCqoTGHM5JjWH70UCABFAABAs25AAEAGoh\/AqAEHF\/YLhc\/aAFBx1HGxAAAAALAC\/\/84uwAAAgQFtAEDAwUBAQgKH2VGAgAAAAAEAgAA"} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2497,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":2,"flow_src_last_pkt_time":1484319070636683,"flow_dst_last_pkt_time":1484319070655089,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319070655089,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWnIX9guFwKgBBwBQz9pdV1SucdRxsqAS\/\/+\/OwAAAgQFtAEDAwkEAggKgYtW3h9lRgI="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2499,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_packet_id":3,"flow_src_last_pkt_time":1484319070656558,"flow_dst_last_pkt_time":1484319070655089,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319070656558,"pkt":"gCqoTGHM5JjWH70UCABFAAA0S\/NAAEAGCafAqAEHF\/YLhc\/aAFBx1HGyXVdUr4AQEBXd4QAAAQEICh9lRhWBi1be"} 01383{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2501,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319070660268,"flow_dst_last_pkt_time":1484319070655089,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":509,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":509,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319070660268,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.133","http": {"url":"23.246.11.133\/?o=AQEfKq2oMrLRiWL1ouVaJpeQLBWjGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThp_7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=JfEef80K02ynIjLLoi-HZB1uQ10","code":0,"content_type":"","user_agent":"AppleCoreMedia\/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)"}}} -01890{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2608,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319072360005,"flow_dst_last_pkt_time":1484319072357645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":21986,"midstream":0,"thread_ts_usec":1484319072360005,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3710,"avg":111105.9,"max":530041,"stddev":160200.4,"var":25664157696.0,"ent":3.9,"data": [18406,19875,3710,28859,18073,45753,41559,39617,18474,45294,5405,31729,29350,29485,41132,41119,82225,87690,42083,64319,51529,299907,159779,515651,435957,526591,530041,39964,69880,40403,40425]},"pktlen": {"min":66,"avg":786.9,"max":1514,"stddev":666.8,"var":444580.8,"ent":4.4,"data": [78,74,66,575,634,1514,66,635,66,581,643,1514,66,1514,66,1514,1514,66,1514,1514,1514,1514,94,1514,78,1514,66,1514,1514,66,1514,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,1,1,1,0,1,0,1,0,1,1,0,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02289{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2608,"source":"netflix.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319070636683,"flow_src_last_pkt_time":1484319072360005,"flow_dst_last_pkt_time":1484319072357645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":515,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":21986,"midstream":0,"thread_ts_usec":1484319072360005,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.133","src_port":53210,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3710,"avg":111105.9,"max":530041,"stddev":160200.4,"var":25664157696.0,"ent":3.9,"data": [18406,19875,3710,28859,18073,45753,41559,39617,18474,45294,5405,31729,29350,29485,41132,41119,82225,87690,42083,64319,51529,299907,159779,515651,435957,526591,530041,39964,69880,40403,40425]},"pktlen": {"min":52,"avg":772.9,"max":1500,"stddev":666.8,"var":444580.8,"ent":4.3,"data": [64,60,52,561,620,1500,52,621,52,567,629,1500,52,1500,52,1500,1500,52,1500,1500,1500,1500,80,1500,64,1500,52,1500,1500,52,1500,52]},"bins": {"c_to_s": [12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,1,1,1,0,1,0,1,0,1,1,0,1,0],"entropies": [4.488204956,5.300120354,5.156889915,6.256848335,5.804110050,4.454978466,5.233812809,4.247903824,5.156889915,6.243398190,5.778408527,3.438887596,5.156889915,7.007576466,5.077241421,6.349354744,3.910008192,5.103911400,7.877290249,7.845316887,7.839955807,7.878695488,5.416651249,7.863180637,5.208919048,7.866981983,5.156889915,7.868912697,7.868783951,5.233812809,7.847263813,5.077241421]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00911{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3223,"source":"netflix.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":0,"flow_first_seen":1484319033886061,"flow_src_last_pkt_time":1484319068012841,"flow_dst_last_pkt_time":1484319033886061,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":122,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":125,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1235,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319080860682,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"239.255.255.250","src_port":53776,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00905{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3223,"source":"netflix.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1484319032865799,"flow_src_last_pkt_time":1484319032866374,"flow_dst_last_pkt_time":1484319032884052,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":329,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":562,"midstream":0,"thread_ts_usec":1484319080860682,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51543,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00906{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3223,"source":"netflix.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319035004050,"flow_src_last_pkt_time":1484319035004050,"flow_dst_last_pkt_time":1484319035024355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":55,"flow_dst_max_l4_payload_len":183,"flow_src_tot_l4_payload_len":55,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1484319080860682,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51949,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} @@ -328,7 +328,7 @@ 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4216,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_src_last_pkt_time":1484319091296070,"flow_dst_last_pkt_time":1484319091309083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1484319091309083,"pkt":"5JjWH70UgCqoTGHMCABFIAA8AABAADsGWmoX9guNwKgBBwBQz+FsswOfwIA2EaAS\/\/85DQAAAgQFtAEDAwkEAggK\/T5Cox9lk1E="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4217,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":3,"flow_src_last_pkt_time":1484319091310850,"flow_dst_last_pkt_time":1484319091309083,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319091310850,"pkt":"gCqoTGHM5JjWH70UCABFAAA00UpAAEAGhEfAqAEHF\/YLjc\/hAFDAgDYRbLMDoIAQEBVXuAAAAQEICh9lk1\/9PkKj"} 01383{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4218,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319091296070,"flow_src_last_pkt_time":1484319091314892,"flow_dst_last_pkt_time":1484319091309083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":509,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":509,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319091314892,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53217,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"23.246.11.141","http": {"url":"23.246.11.141\/?o=AQEfKq2oMrLRiWL2puNQJJ2TLhuiGLjSseu23V2HX6kIiU9JpbCaBxxaIoz21qQNKuDUaOIZwdTlx23DMVxabbCwmvEluipDW2tvFMlhMRtwdhhVlbv9KGFabiu5KH0Slx0VjOK_wzThpP7lHhWA4kW9gayYEWtjNNKe&v=3&e=1484347850&t=Dh278u2UpApOCGUj5RxV8azNWX8","code":0,"content_type":"","user_agent":"AppleCoreMedia\/1.0.0.14C92 (iPhone; U; CPU OS 10_2 like Mac OS X; en_us)"}}} -01876{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4263,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319091296070,"flow_src_last_pkt_time":1484319091784359,"flow_dst_last_pkt_time":1484319091750098,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":518,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1027,"flow_dst_tot_l4_payload_len":23476,"midstream":0,"thread_ts_usec":1484319091784359,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53217,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":186,"avg":30397.3,"max":286066,"stddev":49910.1,"var":2491019008.0,"ent":4.0,"data": [13013,14780,4042,30273,839,3652,30261,186,16542,35559,2040,21479,3192,3317,13322,13300,26482,13309,13526,13848,42739,56409,14727,15199,71007,25498,25497,25504,51553,55156,286066]},"pktlen": {"min":66,"avg":833.0,"max":1514,"stddev":665.8,"var":443241.7,"ent":4.4,"data": [78,74,66,575,634,1514,677,66,66,584,643,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,66,1514,66,1514,1514,1514,1514,1514,1514,86]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,0]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02275{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4263,"source":"netflix.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1484319091296070,"flow_src_last_pkt_time":1484319091784359,"flow_dst_last_pkt_time":1484319091750098,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":518,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1027,"flow_dst_tot_l4_payload_len":23476,"midstream":0,"thread_ts_usec":1484319091784359,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"23.246.11.141","src_port":53217,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":186,"avg":30397.3,"max":286066,"stddev":49910.1,"var":2491019008.0,"ent":4.0,"data": [13013,14780,4042,30273,839,3652,30261,186,16542,35559,2040,21479,3192,3317,13322,13300,26482,13309,13526,13848,42739,56409,14727,15199,71007,25498,25497,25504,51553,55156,286066]},"pktlen": {"min":52,"avg":819.0,"max":1500,"stddev":665.8,"var":443241.7,"ent":4.4,"data": [64,60,52,561,620,1500,663,52,52,570,629,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,52,1500,52,1500,1500,1500,1500,1500,1500,72]},"bins": {"c_to_s": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,1,1,1,1,1,0],"entropies": [4.538909912,5.333454132,5.156889439,6.262038231,5.768496513,4.449262142,4.226318359,5.012470722,5.065449238,6.248849392,5.763326645,4.335525513,5.142372608,7.149711609,4.961856842,7.863347054,7.873285294,5.156889915,7.863232136,5.000318050,7.860691547,7.874946594,5.195351124,7.870134830,5.038779736,7.881839275,7.859775066,7.865787983,7.856745243,7.858184338,7.871532917,5.415219307]},"ndpi": {"flow_risk": {"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00901{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":5060,"source":"netflix.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319049641053,"flow_src_last_pkt_time":1484319049641053,"flow_dst_last_pkt_time":1484319049665892,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":70,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":70,"midstream":0,"thread_ts_usec":1484319100899313,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":51728,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00906{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":5060,"source":"netflix.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319048757894,"flow_src_last_pkt_time":1484319048757894,"flow_dst_last_pkt_time":1484319048776187,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":150,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":150,"midstream":0,"thread_ts_usec":1484319100899313,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":58102,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00906{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":5060,"source":"netflix.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319049645637,"flow_src_last_pkt_time":1484319049645637,"flow_dst_last_pkt_time":1484319049681348,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":329,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":329,"midstream":0,"thread_ts_usec":1484319100899313,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":52347,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.NetFlix","proto_id":"5.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} @@ -378,7 +378,7 @@ 01169{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6814,"source":"netflix.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319117827967,"flow_src_last_pkt_time":1484319117892631,"flow_dst_last_pkt_time":1484319117886937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319117892631,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53250,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6821,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319117826887,"flow_src_last_pkt_time":1484319117885772,"flow_dst_last_pkt_time":1484319117930548,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319117930548,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53249,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01227{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6828,"source":"netflix.pcap","alias":"nDPId-test","flow_id":58,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1484319117827967,"flow_src_last_pkt_time":1484319117892631,"flow_dst_last_pkt_time":1484319117942410,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":145,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":145,"midstream":0,"thread_ts_usec":1484319117942410,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53250,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","ja3":"7e72698146290dd68239f788a452e7d8","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} -01857{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6875,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319117826887,"flow_src_last_pkt_time":1484319118140455,"flow_dst_last_pkt_time":1484319118145946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2205,"flow_dst_tot_l4_payload_len":9578,"midstream":0,"thread_ts_usec":1484319118145946,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53249,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":140,"avg":20407.3,"max":141407,"stddev":28956.2,"var":838464256.0,"ent":3.9,"data": [52701,54230,4655,50068,892,45987,1145,402,2281,621,48897,36085,58570,140,1031,141407,13303,12185,4698,8739,8491,4498,3692,4536,12375,12816,15153,13884,6123,6182,6840]},"pktlen": {"min":66,"avg":434.8,"max":1514,"stddev":506.4,"var":256458.0,"ent":4.1,"data": [78,74,66,274,66,211,66,72,111,1514,564,66,66,1514,227,1514,66,559,66,1005,66,439,66,1306,66,1406,66,660,66,808,66,721]},"bins": {"c_to_s": [12,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,0,0,0,1,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} +02254{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6875,"source":"netflix.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1484319117826887,"flow_src_last_pkt_time":1484319118140455,"flow_dst_last_pkt_time":1484319118145946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2205,"flow_dst_tot_l4_payload_len":9578,"midstream":0,"thread_ts_usec":1484319118145946,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53249,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":140,"avg":20407.3,"max":141407,"stddev":28956.2,"var":838464256.0,"ent":3.9,"data": [52701,54230,4655,50068,892,45987,1145,402,2281,621,48897,36085,58570,140,1031,141407,13303,12185,4698,8739,8491,4498,3692,4536,12375,12816,15153,13884,6123,6182,6840]},"pktlen": {"min":52,"avg":420.8,"max":1500,"stddev":506.4,"var":256458.0,"ent":4.1,"data": [64,60,52,260,52,197,52,58,97,1500,550,52,52,1500,213,1500,52,545,52,991,52,425,52,1292,52,1392,52,646,52,794,52,707]},"bins": {"c_to_s": [12,1,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,0,0,0,1,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.494096756,5.269149303,5.100070000,6.003353119,5.215455055,6.547097206,5.138531685,5.182787418,6.044509888,7.866807461,7.609665394,5.140452385,5.215455055,7.873748302,6.994494438,7.847311020,5.138531685,7.632858276,5.138531685,7.760740280,5.176993370,7.540992260,5.061608315,7.843688965,5.176993370,7.880697250,5.138531685,7.689140797,5.100070000,7.779115677,5.138531685,7.737319469]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6888,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319118629811,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118629811,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118629811,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57093,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00546{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6888,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":1,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118629811,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"thread_ts_usec":1484319118629811,"pkt":"gCqoTGHM5JjWH70UCABFAABDkmsAAP8RpeXAqAEHwKgBAd8FADUALzVHkfABAAABAAAAAAAABWExOTA3BGRzY2cGYWthbWFpA25ldAAAAQAB"} 00998{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6888,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319118629811,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118629811,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118629811,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57093,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"a1907.dscg.akamai.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -394,10 +394,10 @@ 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6905,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_packet_id":3,"flow_src_last_pkt_time":1484319118675789,"flow_dst_last_pkt_time":1484319118674728,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1484319118675789,"pkt":"gCqoTGHM5JjWH70UCABFAAA0us1AAEAGOiPAqAEHuBnMCtAEAFDFgkYiq+D9DIAQEBUYOwAAAQEICh9l+cH\/\/WqN"} 01072{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6906,"source":"netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319118657433,"flow_src_last_pkt_time":1484319118676250,"flow_dst_last_pkt_time":1484319118672865,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118676250,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53251,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-1.nflximg.net","http": {"url":"art-1.nflximg.net\/4e36d\/6289889020d6cc6dfb3038c35564a41e1ca4e36d.jpg","code":0,"content_type":"","user_agent":"Argo\/9.1.0 (iPhone; iOS 10.2; Scale\/2.00)"}}} 01072{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6908,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1484319118658049,"flow_src_last_pkt_time":1484319118687774,"flow_dst_last_pkt_time":1484319118674728,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319118687774,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53252,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video","hostname":"art-1.nflximg.net","http": {"url":"art-1.nflximg.net\/8b1fa\/eaa1b78cd72ca4dbdcab527691d2fcab37c8b1fa.jpg","code":0,"content_type":"","user_agent":"Argo\/9.1.0 (iPhone; iOS 10.2; Scale\/2.00)"}}} -01579{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6921,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":63539.0,"max":500942,"stddev":121518.7,"var":14766798848.0,"ent":3.3,"data": [58292,61223,1798,70566,2939,1016,71265,11570,12325,13054,147,95,65707,781,52265,3649,191,91649,51753,301,140150,3732,3446,3903,5462,6438,5030,437212,863,500942,291945]},"pktlen": {"min":66,"avg":456.8,"max":1514,"stddev":552.3,"var":305076.8,"ent":4.1,"data": [78,74,66,583,66,1514,1514,66,259,66,141,72,111,66,117,66,1514,803,66,1514,490,66,462,66,765,66,100,66,1514,686,66,1514]},"bins": {"c_to_s": [10,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [5,2,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,0,1,0,1,0,0,0,1,1]}} +01976{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6921,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":63539.0,"max":500942,"stddev":121518.7,"var":14766798848.0,"ent":3.3,"data": [58292,61223,1798,70566,2939,1016,71265,11570,12325,13054,147,95,65707,781,52265,3649,191,91649,51753,301,140150,3732,3446,3903,5462,6438,5030,437212,863,500942,291945]},"pktlen": {"min":52,"avg":442.8,"max":1500,"stddev":552.3,"var":305076.8,"ent":4.0,"data": [64,60,52,569,52,1500,1500,52,245,52,127,58,97,52,103,52,1500,789,52,1500,476,52,448,52,751,52,86,52,1500,672,52,1500]},"bins": {"c_to_s": [10,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [5,2,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,0,0,1,1,0,0,0,1,1,1,0,1,0,1,0,1,0,0,0,1,1],"entropies": [4.586286545,5.335815430,5.169486523,4.098951340,5.025067329,7.251211166,7.301212311,5.207947731,7.012731075,5.246409416,6.273766041,5.113821983,5.990005016,5.132945538,5.992234230,5.246409893,7.870625973,7.755266190,5.171407223,7.853860855,7.522392750,5.169486046,7.574260712,5.131024361,7.742949009,5.207947731,5.956426620,5.207947731,7.856410503,7.668289185,5.038780212,7.883280277]}} 01612{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6921,"source":"netflix.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1484319117605859,"flow_src_last_pkt_time":1484319118414034,"flow_dst_last_pkt_time":1484319118767393,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":4896,"flow_dst_tot_l4_payload_len":7589,"midstream":0,"thread_ts_usec":1484319118767393,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"52.41.30.5","src_port":53239,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video","hostname":"api-global.netflix.com","tls": {"version":"TLSv1.2","server_names":"api-latam.netflix.com,htmltvui.netflix.com,api-eu.netflix.com,uiboot.netflix.com,api-global.netflix.com,api-user.netflix.com,api-us.netflix.com,api.netflix.com","ja3":"d8bfad189bd26664e04570c104ee8418","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=US, ST=California, L=los gatos, O=Netflix, Inc., OU=Ops, CN=api.netflix.com","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"FC:5B:F6:86:AE:E5:22:0D:60:0C:C3:DF:8F:02:80:3F:A3:60:0E:3C"}}} -01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6965,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1484319118658049,"flow_src_last_pkt_time":1484319118854817,"flow_dst_last_pkt_time":1484319119584735,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":34752,"midstream":0,"thread_ts_usec":1484319119584735,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53252,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":508,"avg":36240.5,"max":99830,"stddev":21554.2,"var":464585632.0,"ent":4.7,"data": [16679,17740,11985,38478,508,12702,40101,27115,27112,58536,99830,81106,33879,23672,53768,53762,65076,48010,65429,13865,30914,13324,28733,40448,54528,28786,29443,29431,27518,25487,25489]},"pktlen": {"min":66,"avg":1160.7,"max":1514,"stddev":613.3,"var":376142.5,"ent":4.7,"data": [78,74,66,311,66,1514,1514,66,1514,66,1514,78,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514]},"bins": {"c_to_s": [5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} -01758{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6990,"source":"netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319118657433,"flow_src_last_pkt_time":1484319120611345,"flow_dst_last_pkt_time":1484319120609765,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":490,"flow_dst_tot_l4_payload_len":22387,"midstream":0,"thread_ts_usec":1484319120611345,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53251,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":241,"avg":126007.9,"max":1416280,"stddev":340787.6,"var":116136157184.0,"ent":2.6,"data": [15432,16762,2055,27228,957,1055,27336,38112,39355,39938,44658,83445,40664,236734,277719,1389753,1416280,268,12835,48683,241,12768,12757,15934,13837,16300,12778,12746,23173,13285,13156]},"pktlen": {"min":66,"avg":781.5,"max":1514,"stddev":698.9,"var":488505.9,"ent":4.3,"data": [78,74,66,311,66,1514,1514,66,1514,66,1514,1514,66,1514,733,66,311,1514,1514,1514,66,66,1514,1514,66,1514,66,1514,1514,66,1514,66]},"bins": {"c_to_s": [12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,0,0,1,1,1,0,0,1,1,0,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02165{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6965,"source":"netflix.pcap","alias":"nDPId-test","flow_id":61,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":26,"flow_first_seen":1484319118658049,"flow_src_last_pkt_time":1484319118854817,"flow_dst_last_pkt_time":1484319119584735,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":245,"flow_dst_tot_l4_payload_len":34752,"midstream":0,"thread_ts_usec":1484319119584735,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53252,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":508,"avg":36240.5,"max":99830,"stddev":21554.2,"var":464585632.0,"ent":4.7,"data": [16679,17740,11985,38478,508,12702,40101,27115,27112,58536,99830,81106,33879,23672,53768,53762,65076,48010,65429,13865,30914,13324,28733,40448,54528,28786,29443,29431,27518,25487,25489]},"pktlen": {"min":52,"avg":1146.7,"max":1500,"stddev":613.3,"var":376142.5,"ent":4.7,"data": [64,60,52,297,52,1500,1500,52,1500,52,1500,64,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,24,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.495864868,5.233453751,5.156889915,5.883365631,5.270353794,7.005603790,7.481070995,5.118428230,7.677317619,5.077241421,7.654481411,5.151865005,7.832942486,7.813632965,7.788673401,7.782803535,7.834435940,7.821334362,7.827250957,7.843655586,7.828696728,7.842951298,7.865435123,7.847778320,7.855163097,7.835734844,7.856423378,7.842322826,7.854029179,7.863353252,7.834544182,7.849704266]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} +02157{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":6990,"source":"netflix.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1484319118657433,"flow_src_last_pkt_time":1484319120611345,"flow_dst_last_pkt_time":1484319120609765,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":490,"flow_dst_tot_l4_payload_len":22387,"midstream":0,"thread_ts_usec":1484319120611345,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"184.25.204.10","src_port":53251,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":241,"avg":126007.9,"max":1416280,"stddev":340787.6,"var":116136157184.0,"ent":2.6,"data": [15432,16762,2055,27228,957,1055,27336,38112,39355,39938,44658,83445,40664,236734,277719,1389753,1416280,268,12835,48683,241,12768,12757,15934,13837,16300,12778,12746,23173,13285,13156]},"pktlen": {"min":52,"avg":767.5,"max":1500,"stddev":698.9,"var":488505.9,"ent":4.3,"data": [64,60,52,297,52,1500,1500,52,1500,52,1500,1500,52,1500,719,52,297,1500,1500,1500,52,52,1500,1500,52,1500,52,1500,1500,52,1500,52]},"bins": {"c_to_s": [12,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,15,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,1,1,0,0,1,1,1,0,0,1,1,0,1,0,1,1,0,1,0],"entropies": [4.464614868,5.187539101,5.079966545,5.914007187,5.270354271,7.264070511,7.801600933,5.195351601,7.847749710,5.032077789,7.834869862,7.811845303,5.118427753,7.846868038,7.676549435,5.195351124,5.834331989,6.944043159,7.534036636,7.785680771,5.062724590,4.993616104,7.810704231,7.840629101,5.024262428,7.853393078,4.863714218,7.836608410,7.849914551,5.062724113,7.841484547,5.053297043]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.NetFlix","proto_id":"7.133","encrypted":0,"breed":"Fun","category_id":26,"category":"Video"}} 00917{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":147,"flow_first_seen":1484319036854344,"flow_src_last_pkt_time":1484319110605814,"flow_dst_last_pkt_time":1484319110632202,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1427,"flow_dst_tot_l4_payload_len":193037,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"104.86.97.179","src_port":53141,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.NetFlix","proto_id":"91.133","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} 00865{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1484319034890998,"flow_src_last_pkt_time":1484319034890998,"flow_dst_last_pkt_time":1484319034890998,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":8,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":8,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":8,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"239.255.255.250","l4_proto":2,"flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"IGMP","proto_id":"82","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00899{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":6999,"source":"netflix.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1484319118629811,"flow_src_last_pkt_time":1484319118629811,"flow_dst_last_pkt_time":1484319118652959,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":71,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":71,"midstream":0,"thread_ts_usec":1484319120726362,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"192.168.1.1","src_port":57093,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -469,10 +469,10 @@ ~~ total active/idle flows...: 61/61 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6808310 bytes -~~ total memory freed........: 6808310 bytes -~~ total allocations/frees...: 129497/129497 +~~ total memory allocated....: 6816606 bytes +~~ total memory freed........: 6816606 bytes +~~ total allocations/frees...: 129558/129558 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1909 chars -~~ json string avg len.......: 1200 chars +~~ json string max len.......: 2308 chars +~~ json string avg len.......: 1400 chars diff --git a/test/results/netflow-fritz.pcap.out b/test/results/netflow-fritz.pcap.out index bd8a806af..d9dcd1b64 100644 --- a/test/results/netflow-fritz.pcap.out +++ b/test/results/netflow-fritz.pcap.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035670 bytes -~~ total memory freed........: 6035670 bytes -~~ total allocations/frees...: 121488/121488 +~~ total memory allocated....: 6035806 bytes +~~ total memory freed........: 6035806 bytes +~~ total allocations/frees...: 121489/121489 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 915 chars diff --git a/test/results/netflowv9.pcap.out b/test/results/netflowv9.pcap.out index f0db5c217..2afbec4ab 100644 --- a/test/results/netflowv9.pcap.out +++ b/test/results/netflowv9.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035931 bytes -~~ total memory freed........: 6035931 bytes -~~ total allocations/frees...: 121497/121497 +~~ total memory allocated....: 6036067 bytes +~~ total memory freed........: 6036067 bytes +~~ total allocations/frees...: 121498/121498 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 2362 chars diff --git a/test/results/nfsv2.pcap.out b/test/results/nfsv2.pcap.out index bb812f091..937d04bf9 100644 --- a/test/results/nfsv2.pcap.out +++ b/test/results/nfsv2.pcap.out @@ -21,7 +21,7 @@ 00859{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":9,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207338490000,"flow_src_last_pkt_time":944207338490000,"flow_dst_last_pkt_time":944207338490000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":124,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":124,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207338490000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1023,"dst_port":2049,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00618{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":10,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":944207338490000,"flow_dst_last_pkt_time":944207338490000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":944207338490000,"pkt":"AMCV4Bm+AMCV+E3TCABFAAB8jl8AAP8R6naLGRZmixkWAggBA\/8AaNSdXh0LlAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAEHtAAAAAgAAAAAAAAABAAAAYAAAQAAAAAAAAAAAAAAQEIUAALJaOEd1QgAFMCA4R3VCAAd6EDhHdUIAB3oQ"} 00659{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":944207338490000,"flow_dst_last_pkt_time":944207338490000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":166,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":166,"pkt_l4_len":132,"thread_ts_usec":944207338490000,"pkt":"AMCV+E3TAMCV4Bm+CABFAACYZMcAAP8RE\/OLGRYCixkWZgP\/CAEAhHghXh0LlQAAAAAAAAACAAGGowAAAAIAAAARAAAAAQAAADQ4R3XQAAAACXdlcnJtc2NoZQAAAAAAAAAAAAABAAAABQAAAAEAAAAAAAAAAgAAAAMAAAARAAAAAAAAAAAAEBCFAAAD5wAKAAAAALJaAAAAKQAKAAAAALJaAAAAKQ=="} -01620{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207338490000,"flow_src_last_pkt_time":944207338580000,"flow_dst_last_pkt_time":944207338580000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":128,"flow_src_tot_l4_payload_len":2168,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":944207338580000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1023,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10000,"avg":15000.0,"max":40000,"stddev":11180.3,"var":125000000.0,"ent":3.3,"data": [40000,40000,10000,10000,10000,10000,10000,10000,10000,10000,10000,10000]},"pktlen": {"min":70,"avg":147.5,"max":214,"stddev":43.1,"var":1860.8,"ent":4.9,"data": [166,138,166,90,174,70,174,70,206,170,166,138,166,138,174,170,198,138,174,170,174,70,174,70,174,170,174,70,214,70,166,138]},"bins": {"c_to_s": [0,0,0,5,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} +02019{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207338490000,"flow_src_last_pkt_time":944207338580000,"flow_dst_last_pkt_time":944207338580000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":128,"flow_src_tot_l4_payload_len":2168,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":944207338580000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1023,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10000,"avg":15000.0,"max":40000,"stddev":11180.3,"var":125000000.0,"ent":3.3,"data": [40000,40000,10000,10000,10000,10000,10000,10000,10000,10000,10000,10000]},"pktlen": {"min":56,"avg":133.5,"max":200,"stddev":43.1,"var":1860.8,"ent":4.9,"data": [152,124,152,76,160,56,160,56,192,156,152,124,152,124,160,156,184,124,160,156,160,56,160,56,160,156,160,56,200,56,152,124]},"bins": {"c_to_s": [0,0,0,5,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [3.371484280,3.525987864,3.379018784,3.466069698,3.343606710,3.300534248,3.343606710,3.300534248,3.290571213,3.348722219,3.371484280,3.323238611,3.371484280,3.487642050,3.331106663,3.335901976,3.693611860,3.362390041,3.331106663,3.362183094,3.365244627,3.300534248,3.365244627,3.215625525,3.331106663,3.379842520,3.352744579,3.300534248,3.235463142,3.225106239,3.358326435,3.513812542]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207338880000,"flow_src_last_pkt_time":944207338880000,"flow_dst_last_pkt_time":944207338880000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207338880000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3293,"dst_port":111,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00577{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":944207338880000,"flow_dst_last_pkt_time":944207338880000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":944207338880000,"pkt":"AMCV+E3TAMCV4Bm+CABFAABcZRAAAEAR0uaLGRYCixkWZgzdAG8ASKDlOErjjgAAAAAAAAACAAGGoAAAAAMAAAADAAAAAAAAAAAAAAAAAAAAAAABhqUAAAABAAAAA3VkcAAAAAAAAAAAAA=="} 00989{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":153,"source":"nfsv2.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207338880000,"flow_src_last_pkt_time":944207338880000,"flow_dst_last_pkt_time":944207338880000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207338880000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3293,"dst_port":111,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} @@ -46,10 +46,10 @@ ~~ total active/idle flows...: 7/7 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6049909 bytes -~~ total memory freed........: 6049909 bytes -~~ total allocations/frees...: 121703/121703 +~~ total memory allocated....: 6050861 bytes +~~ total memory freed........: 6050861 bytes +~~ total allocations/frees...: 121710/121710 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars -~~ json string max len.......: 1625 chars -~~ json string avg len.......: 1056 chars +~~ json string max len.......: 2024 chars +~~ json string avg len.......: 1256 chars diff --git a/test/results/nfsv3.pcap.out b/test/results/nfsv3.pcap.out index 4a0044246..3eca2228c 100644 --- a/test/results/nfsv3.pcap.out +++ b/test/results/nfsv3.pcap.out @@ -25,7 +25,7 @@ 00860{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207397400000,"flow_src_last_pkt_time":944207397400000,"flow_dst_last_pkt_time":944207397400000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":128,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207397400000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1022,"dst_port":2049,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00643{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":944207397400000,"flow_dst_last_pkt_time":944207397400000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":944207397400000,"pkt":"AMCV4Bm+AMCV+E3TCABFAACM5FMAAP8RlHKLGRZmixkWAggBA\/4AeFlmXh0L3AAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAIAAEHtAAAAAgAAAAAAAAABAAAAAAAAAGAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQEIUAAAAAAACyWjhHdgwUQ\/0COEd16jDgNQI4R3XqMOA1Ag=="} 00661{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":944207397400000,"flow_dst_last_pkt_time":944207397400000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":170,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":170,"pkt_l4_len":136,"thread_ts_usec":944207397400000,"pkt":"AMCV+E3TAMCV4Bm+CABFAACcZUIAAP8RE3SLGRYCixkWZgP+CAEAiHd0Xh0L3QAAAAAAAAACAAGGowAAAAMAAAATAAAAAQAAADQ4R3YLAAAACXdlcnJtc2NoZQAAAAAAAAAAAAABAAAABQAAAAEAAAAAAAAAAgAAAAMAAAARAAAAAAAAAAAAAAAgABAQhQAAA+cACgAAAACyWgAAACkACgAAAACyWgAAACk="} -01622{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207397400000,"flow_src_last_pkt_time":944207397500000,"flow_dst_last_pkt_time":944207397500000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":2256,"flow_dst_tot_l4_payload_len":2044,"midstream":0,"thread_ts_usec":944207397500000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1022,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10000,"avg":16666.7,"max":50000,"stddev":14907.1,"var":222222224.0,"ent":3.2,"data": [10000,10000,50000,50000,10000,10000,10000,10000,10000,10000,10000,10000]},"pktlen": {"min":74,"avg":176.4,"max":314,"stddev":63.4,"var":4021.9,"ent":4.9,"data": [170,154,170,206,170,210,170,182,178,74,178,74,226,314,170,154,206,186,178,74,178,74,178,282,178,74,222,302,178,282,178,74]},"bins": {"c_to_s": [0,0,0,0,13,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,6,0,2,2,2,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} +02021{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":944207397400000,"flow_src_last_pkt_time":944207397500000,"flow_dst_last_pkt_time":944207397500000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":128,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":2256,"flow_dst_tot_l4_payload_len":2044,"midstream":0,"thread_ts_usec":944207397500000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":1022,"dst_port":2049,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10000,"avg":16666.7,"max":50000,"stddev":14907.1,"var":222222224.0,"ent":3.2,"data": [10000,10000,50000,50000,10000,10000,10000,10000,10000,10000,10000,10000]},"pktlen": {"min":60,"avg":162.4,"max":300,"stddev":63.4,"var":4021.9,"ent":4.9,"data": [156,140,156,192,156,196,156,168,164,60,164,60,212,300,156,140,192,172,164,60,164,60,164,268,164,60,208,288,164,268,164,60]},"bins": {"c_to_s": [0,0,0,0,13,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,6,0,2,2,2,0,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [3.326711178,3.327016592,3.326071262,3.163861752,3.338891745,3.169299841,3.334052563,3.097134829,3.262883663,3.180556774,3.262883902,3.113889694,2.862895966,3.295031309,3.326711178,3.137918949,3.170489788,3.257602215,3.320102930,3.147223234,3.332298279,3.147223234,3.250688314,3.172522783,3.332298279,3.180556774,3.225916147,3.296354771,3.267486334,3.381330967,3.502039671,3.180556774]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":125,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207397740000,"flow_src_last_pkt_time":944207397740000,"flow_dst_last_pkt_time":944207397740000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207397740000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3299,"dst_port":111,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00577{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":125,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":944207397740000,"flow_dst_last_pkt_time":944207397740000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":944207397740000,"pkt":"AMCV+E3TAMCV4Bm+CABFAABcZXwAAEAR0nqLGRYCixkWZgzjAG8ASDjzOExLeQAAAAAAAAACAAGGoAAAAAMAAAADAAAAAAAAAAAAAAAAAAAAAAABhqUAAAABAAAAA3VkcAAAAAAAAAAAAA=="} 00989{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":125,"source":"nfsv3.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":944207397740000,"flow_src_last_pkt_time":944207397740000,"flow_dst_last_pkt_time":944207397740000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":64,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":944207397740000,"l3_proto":"ip4","src_ip":"139.25.22.2","dst_ip":"139.25.22.102","src_port":3299,"dst_port":111,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"NFS","proto_id":"11","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} @@ -51,10 +51,10 @@ ~~ total active/idle flows...: 8/8 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6050721 bytes -~~ total memory freed........: 6050721 bytes -~~ total allocations/frees...: 121685/121685 +~~ total memory allocated....: 6051809 bytes +~~ total memory freed........: 6051809 bytes +~~ total allocations/frees...: 121693/121693 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars -~~ json string max len.......: 1627 chars -~~ json string avg len.......: 1057 chars +~~ json string max len.......: 2026 chars +~~ json string avg len.......: 1257 chars diff --git a/test/results/nintendo.pcap.out b/test/results/nintendo.pcap.out index e9ece0913..1f210f4a9 100644 --- a/test/results/nintendo.pcap.out +++ b/test/results/nintendo.pcap.out @@ -25,7 +25,7 @@ 00859{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731323269434,"flow_src_last_pkt_time":1500731323269434,"flow_dst_last_pkt_time":1500731323269434,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731323269434,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":52119,"dst_port":33335,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00602{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1500731323270842,"flow_dst_last_pkt_time":1500731323269434,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"thread_ts_usec":1500731323270842,"pkt":"AA6OGXEMfLuKifuECABFAABoEWAAAEARLjDAqAxyI55KPcuXgjcAVAoAMquYZAIAAACgRQAAPD+rAYcrvhgZcqXY4tF4R087lVXf\/uabOP7DTtPl\/Z68o2TwyTMiy\/1PT8Q0PYJjfL9\/FaWie4QujpeJZMzmHA=="} 00602{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":62,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1500731323270871,"flow_dst_last_pkt_time":1500731323269434,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"thread_ts_usec":1500731323270871,"pkt":"AA6OGXEMfLuKifuECABFAABoEWEAAEARLi\/AqAxyI55KPcuXgjcAVCUqMquYZAIAAACgRgAAPD+rAYcrvhgZcqXY4tF4R087lVXf\/uabOP7DTtPl\/Z68o2TwyTMiy\/1PT8Q0PYJjeofEEG4mAZPKsmIYZ3XQPw=="} -01748{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":69,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1500731320644357,"flow_src_last_pkt_time":1500731323575958,"flow_dst_last_pkt_time":1500731323714896,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":812,"flow_src_tot_l4_payload_len":1264,"flow_dst_tot_l4_payload_len":2736,"midstream":0,"thread_ts_usec":1500731323714896,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"91.8.243.35","src_port":52119,"dst_port":49432,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":53,"avg":193617.4,"max":1729670,"stddev":331922.2,"var":110172323840.0,"ent":3.6,"data": [87919,239629,335441,89838,30639,131192,103304,499986,507312,130872,234805,19308,15810,5164,16850,12585,53490,8758,197,60833,14170,505639,501514,5142,514446,94641,233,1729670,53,52619,81]},"pktlen": {"min":102,"avg":167.0,"max":854,"stddev":179.5,"var":32207.0,"ent":4.5,"data": [102,102,198,230,118,102,150,118,102,118,150,134,118,118,118,854,118,854,102,102,118,102,102,102,102,102,118,118,118,118,118,118]},"bins": {"c_to_s": [0,7,7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,4,8,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,1,0,1,0,1,1,0,1,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} +02135{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":69,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1500731320644357,"flow_src_last_pkt_time":1500731323575958,"flow_dst_last_pkt_time":1500731323714896,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":188,"flow_dst_max_l4_payload_len":812,"flow_src_tot_l4_payload_len":1264,"flow_dst_tot_l4_payload_len":2736,"midstream":0,"thread_ts_usec":1500731323714896,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"91.8.243.35","src_port":52119,"dst_port":49432,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":53,"avg":193617.4,"max":1729670,"stddev":331922.2,"var":110172323840.0,"ent":3.6,"data": [87919,239629,335441,89838,30639,131192,103304,499986,507312,130872,234805,19308,15810,5164,16850,12585,53490,8758,197,60833,14170,505639,501514,5142,514446,94641,233,1729670,53,52619,81]},"pktlen": {"min":88,"avg":153.0,"max":840,"stddev":179.5,"var":32207.0,"ent":4.5,"data": [88,88,184,216,104,88,136,104,88,104,136,120,104,104,104,840,104,840,88,88,104,88,88,88,88,88,104,104,104,104,104,104]},"bins": {"c_to_s": [0,7,7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,4,8,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,1,0,1,0,1,1,0,1,0,0,1,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1],"entropies": [6.054771423,6.070055008,6.784899235,6.928938866,6.170448780,6.114374638,6.682166576,6.236359596,6.114374638,6.332513809,6.593932629,6.402483463,6.228141308,6.167903423,6.240113258,6.264906406,6.300350189,5.915572166,5.837212563,5.851361752,6.208909988,5.936699867,6.078633785,6.168406963,6.024600983,5.979146481,6.063282490,6.067996502,6.005589962,6.166695118,6.181211948,6.193184376]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731326270619,"flow_src_last_pkt_time":1500731326270619,"flow_dst_last_pkt_time":1500731326270619,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":688,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":688,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":688,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731326270619,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"52.10.205.177","src_port":52119,"dst_port":34343,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 01453{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1500731326270619,"flow_dst_last_pkt_time":1500731326270619,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":730,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":730,"pkt_l4_len":696,"thread_ts_usec":1500731326270619,"pkt":"AA6OGXEMfLuKifuECABFAALMEW8AAEARl9zAqAxyNArNscuXhicCuLNGMquYZAEAAACsAAAACAICgAAAAAAAZU1IgACGJwAAAAAPAfz\/AmL\/\/\/\/\/\/\/\/\/\/\/\/\/DNhnHrgUDeqh96EJudpqr7HTWmwuyiNXAoN8EJ3L9Q9BYy53b12QoycQBbgF0+MGumCDqya3DRDi\/FgfUDp8jmtF0eLtdJawWMd0Uh7gRi0nJAedvr+L4LDG+1PkKHdQjXkwcc63uSwXLbhZGs5rZ8pLuCki3H7JLOG5CI96WiAzLSOgOT5MmMOkBR9lHnUbly8I57OvnsPjzu2ZoGj750rOuJoq4PDp+HTtcuUkR\/yuCERU5DE5fS3WD79Od2EljENI\/Aj0rbyEoWaVKXUGbMeIN\/PHtUKEKwxkiH\/DZpj\/dOZVZle2A+wpaUtVb5Kkq8m0M0sj8U0Nr8\/f9iy5nCcQHobd29hf9qcfXx\/tCnteI0cP0tyykizOxpnlPK2I0STXsPD0wxOnU\/OOfu8Wm3V94s2PEbCeAbRx8PvXHbjtAm8AnmQMBMeFM6TQwwpijOYTfaXxrgmiFU\/AHPdepp0ILcWD5QSKt4MWDsJ\/eC61SjGvCVRvXn2JW5KB\/4JQcfZHw4S\/auTmIFCllOyidDXFohQ4NU8A9vt0e5qrI\/cou3U09qQhgu6ncsvX+jQusCyJhx1EpdaFLaOseb4xo0IjeHtTg5uKzMiP+l3dg6BJfcICpsS0fKy4Lvcxzq4iHlV\/CkZw5k\/5qPEe1WClYIIYAQ1QuHKqZOMgl0qEP1biit38pQoNuI5A\/WZ4yptUyrSpaVacwxp5yZkU47ddcg7lId\/wkwQjzVN9BmlVIcEupSyiP64T8RypU57m5OsmKDUV8cUXr\/nGnwi\/96TbsG+A6i29VkTJzG6j04DbRd\/2rnSbi4lJUC2\/\/AUQQJGvBPVxZ\/JcWHrRv6UUWsmJyg=="} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":89,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731326599476,"flow_src_last_pkt_time":1500731326599476,"flow_dst_last_pkt_time":1500731326599476,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731326599476,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"192.168.12.1","src_port":18874,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -77,7 +77,7 @@ 01200{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":156,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1500731341201471,"flow_src_last_pkt_time":1500731341246098,"flow_dst_last_pkt_time":1500731341241134,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731341246098,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Nintendo","proto_id":"91.173","encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","tls": {"version":"TLSv1.2","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01260{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":158,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1500731341201471,"flow_src_last_pkt_time":1500731341246098,"flow_dst_last_pkt_time":1500731341285479,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":1348,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":1348,"midstream":0,"thread_ts_usec":1500731341285479,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Nintendo","proto_id":"91.173","encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","tls": {"version":"TLSv1.2","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01577{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":159,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1500731341201471,"flow_src_last_pkt_time":1500731341246098,"flow_dst_last_pkt_time":1500731341285901,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":1348,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":2696,"midstream":0,"thread_ts_usec":1500731341285901,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"54.192.27.8","src_port":31329,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Nintendo","proto_id":"91.173","encrypted":1,"breed":"Fun","category_id":8,"category":"Game","hostname":"e0d67c509fb203858ebcb2fe3f88c2aa.baas.nintendo.com","tls": {"version":"TLSv1.2","server_names":"*.baas.nintendo.com,baas.nintendo.com","ja3":"200a99534ce50d35cf40cc3cce4c69b5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=JP, ST=Kyoto, L=Minami-ku, O=Nintendo Co., Ltd., CN=*.baas.nintendo.com","fingerprint":"8A:0A:1D:D3:A8:96:7A:55:C5:75:B2:2B:3E:45:15:54:0A:B0:FC:94"}}} -01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1500731322454625,"flow_src_last_pkt_time":1500731342015923,"flow_dst_last_pkt_time":1500731342041758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":1090,"flow_dst_tot_l4_payload_len":1094,"midstream":1,"thread_ts_usec":1500731342041758,"l3_proto":"ip4","src_ip":"54.187.10.185","dst_ip":"192.168.12.114","src_port":443,"dst_port":48328,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":1262852.6,"max":14019058,"stddev":3442938.0,"var":11853821378560.0,"ent":2.4,"data": [6277,307132,3508675,3481620,246,43,276417,18546,55237,145,35743,210876,214177,255332,13944464,14019058,757,51,5265,332523,29922,280387,254222,215658,3394,13561,231064,4335,258992,453544,730768]},"pktlen": {"min":66,"avg":134.2,"max":471,"stddev":98.4,"var":9678.6,"ent":4.7,"data": [166,117,66,133,66,124,113,66,117,166,166,66,66,117,66,471,66,113,400,166,66,117,66,382,66,123,113,66,117,66,166,117]},"bins": {"c_to_s": [8,5,0,5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,6,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,0,1,1,0,1,0,0,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02159{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1500731322454625,"flow_src_last_pkt_time":1500731342015923,"flow_dst_last_pkt_time":1500731342041758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":334,"flow_dst_max_l4_payload_len":405,"flow_src_tot_l4_payload_len":1090,"flow_dst_tot_l4_payload_len":1094,"midstream":1,"thread_ts_usec":1500731342041758,"l3_proto":"ip4","src_ip":"54.187.10.185","dst_ip":"192.168.12.114","src_port":443,"dst_port":48328,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":1262852.6,"max":14019058,"stddev":3442938.0,"var":11853821378560.0,"ent":2.4,"data": [6277,307132,3508675,3481620,246,43,276417,18546,55237,145,35743,210876,214177,255332,13944464,14019058,757,51,5265,332523,29922,280387,254222,215658,3394,13561,231064,4335,258992,453544,730768]},"pktlen": {"min":52,"avg":120.2,"max":457,"stddev":98.4,"var":9678.6,"ent":4.6,"data": [152,103,52,119,52,110,99,52,103,152,152,52,52,103,52,457,52,99,386,152,52,103,52,368,52,109,99,52,103,52,152,103]},"bins": {"c_to_s": [8,5,0,5,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,6,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,0,1,1,0,0,1,0,1,0,1,0,0,0,0,1,1,0,1,0,0,0,1,1,0,0,1],"entropies": [6.479545116,5.785408020,5.038780212,5.979954243,4.955154419,6.040005207,6.008045197,5.003043652,5.726619720,6.592999458,6.614606380,4.988526344,5.077241898,5.668902874,5.000318527,7.493407249,5.115703106,6.091131687,7.370351791,6.507602692,5.003043175,5.784872532,5.077241898,7.341584682,5.077241898,6.192684174,5.995468616,5.079966545,5.751333237,5.077241898,6.654079914,5.719826698]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731342849734,"flow_dst_last_pkt_time":1500731342849734,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731342849734,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00601{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1500731342849734,"flow_dst_last_pkt_time":1500731342849734,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":84,"thread_ts_usec":1500731342849734,"pkt":"AA6OGXEMfLuKifuECABFAABoEaUAAAQRdQ7AqAxyuXapQdpra4AAVCIdMquYZAIAAADswAAAiVxWTHQXYLkMmEhv3TFhCo9D90XwqWXbgOlZDx\/Hd+4rX5hDUY6wfFQBAZE4XnJazusJzbVQnhevgQppjVzdvQ=="} 00863{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":187,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731342849734,"flow_dst_last_pkt_time":1500731342849734,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":76,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":76,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731342849734,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} @@ -103,9 +103,9 @@ 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":226,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1500731343274328,"flow_src_last_pkt_time":1500731343274328,"flow_dst_last_pkt_time":1500731343274328,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1500731343274328,"l3_proto":"ip4","src_ip":"151.6.184.98","dst_ip":"192.168.12.114","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.321296}} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":227,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_src_last_pkt_time":1500731343274498,"flow_dst_last_pkt_time":1500731343274328,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1500731343274498,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBokGXBrhiwKgMcgsAs38AAAAARQAAaBG2AAABEertwKgMclE9noraa8o5AFSchg=="} 00534{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":228,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1500731343274660,"flow_dst_last_pkt_time":1500731343274328,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1500731343274660,"pkt":"fLuKifuEAA6OGXEMCABFAAA4AAAAAPwBokGXBrhiwKgMcgsA7ykAAAAARQAAaBG3AAABEerswKgMclE9noraa8o5AFRg3A=="} -01730{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":310,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731344006747,"flow_dst_last_pkt_time":1500731344120690,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2472,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344120690,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":78321.6,"max":754134,"stddev":152593.1,"var":23284658176.0,"ent":3.2,"data": [280,397,210011,243,431,203806,304,212,311877,2339,183,754134,1127,30674,588,242272,245592,5517,2752,1899,125604,98,25,109131,222,10721,20118,10437,105846,2222,28907]},"pktlen": {"min":102,"avg":168.0,"max":886,"stddev":186.2,"var":34652.0,"ent":4.5,"data": [118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,102,118,118,118,118,886,102,886,118,118,102]},"bins": {"c_to_s": [0,2,18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,1,1,1,0,0,1,0,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} -01738{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731343061460,"flow_src_last_pkt_time":1500731344751616,"flow_dst_last_pkt_time":1500731344671142,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":4168,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344751616,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"93.237.131.235","src_port":55915,"dst_port":56066,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":106446.4,"max":757918,"stddev":188381.8,"var":35487694848.0,"ent":3.4,"data": [726,2728,200750,236,363,313750,216,309,757918,67,245897,246,38434,238,116689,3047,25905,110485,1189,79734,7959,87905,10077,91853,20145,506365,607064,9714,10174,12917,36738]},"pktlen": {"min":102,"avg":221.0,"max":886,"stddev":231.8,"var":53743.0,"ent":4.5,"data": [118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,182,102,886,102,886,102,118,118,102,358,854,486,486]},"bins": {"c_to_s": [0,3,13,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,0,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} -01730{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1500731343266581,"flow_src_last_pkt_time":1500731344811760,"flow_dst_last_pkt_time":1500731344805333,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2304,"flow_dst_tot_l4_payload_len":1712,"midstream":0,"thread_ts_usec":1500731344811760,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"81.61.158.138","src_port":55915,"dst_port":51769,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":99481.6,"max":649265,"stddev":183756.7,"var":33766533120.0,"ent":3.2,"data": [295,399,313495,260,289,284287,137,381,629371,5230,43658,5349,61371,137,131610,65365,7948,186,836,31052,435,67583,2946,484,7525,105852,5669,103301,9836,549379,649265]},"pktlen": {"min":102,"avg":167.5,"max":886,"stddev":186.3,"var":34709.8,"ent":4.5,"data": [118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,182,102,118,118,182,118,118,102,118,118,886,102,886,102,118,118,102]},"bins": {"c_to_s": [0,3,15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,8,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} +02124{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":310,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731342849734,"flow_src_last_pkt_time":1500731344006747,"flow_dst_last_pkt_time":1500731344120690,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2472,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344120690,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"185.118.169.65","src_port":55915,"dst_port":27520,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":78321.6,"max":754134,"stddev":152593.1,"var":23284658176.0,"ent":3.2,"data": [280,397,210011,243,431,203806,304,212,311877,2339,183,754134,1127,30674,588,242272,245592,5517,2752,1899,125604,98,25,109131,222,10721,20118,10437,105846,2222,28907]},"pktlen": {"min":88,"avg":154.0,"max":872,"stddev":186.2,"var":34652.0,"ent":4.5,"data": [104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,168,88,104,104,168,88,104,104,104,104,872,88,872,104,104,88]},"bins": {"c_to_s": [0,2,18,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,1,1,1,0,0,1,0,0,1,1,1],"entropies": [6.027614594,6.162230015,5.955404758,6.008383274,6.027614117,5.981129169,5.969922066,6.066075802,6.046844959,5.974635601,6.058817387,6.054103374,6.103913307,6.176122665,6.046596527,6.109002590,6.645735741,5.936699867,6.072710037,6.149633408,6.658484459,6.054296017,6.158073902,6.254228115,6.048765182,6.142750740,5.609991074,5.891245842,5.565810204,6.126870632,6.246969700,5.874088764]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} +02131{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1500731343061460,"flow_src_last_pkt_time":1500731344751616,"flow_dst_last_pkt_time":1500731344671142,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":4168,"flow_dst_tot_l4_payload_len":1560,"midstream":0,"thread_ts_usec":1500731344751616,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"93.237.131.235","src_port":55915,"dst_port":56066,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":106446.4,"max":757918,"stddev":188381.8,"var":35487694848.0,"ent":3.4,"data": [726,2728,200750,236,363,313750,216,309,757918,67,245897,246,38434,238,116689,3047,25905,110485,1189,79734,7959,87905,10077,91853,20145,506365,607064,9714,10174,12917,36738]},"pktlen": {"min":88,"avg":207.0,"max":872,"stddev":231.8,"var":53743.0,"ent":4.4,"data": [104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,168,88,168,88,872,88,872,88,104,104,88,344,840,472,472]},"bins": {"c_to_s": [0,3,13,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,6,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,0,1,1,1,0,0,0,0,0],"entropies": [6.039587021,6.058817387,5.969922066,6.032328129,6.054103374,6.019590855,6.073334694,6.111796379,6.092565060,6.168863773,6.214584351,6.109002590,6.140205860,6.123519897,6.154723167,6.208508015,6.138843060,6.726152897,5.973575592,6.683043003,5.940660000,5.584841251,5.973575592,5.570620537,5.787140369,6.150815010,6.182018280,6.004880905,7.315718174,5.846724510,6.181584358,6.204835892]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} +02123{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":388,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1500731343266581,"flow_src_last_pkt_time":1500731344811760,"flow_dst_last_pkt_time":1500731344805333,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":60,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":844,"flow_dst_max_l4_payload_len":844,"flow_src_tot_l4_payload_len":2304,"flow_dst_tot_l4_payload_len":1712,"midstream":0,"thread_ts_usec":1500731344811760,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"81.61.158.138","src_port":55915,"dst_port":51769,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":99481.6,"max":649265,"stddev":183756.7,"var":33766533120.0,"ent":3.2,"data": [295,399,313495,260,289,284287,137,381,629371,5230,43658,5349,61371,137,131610,65365,7948,186,836,31052,435,67583,2946,484,7525,105852,5669,103301,9836,549379,649265]},"pktlen": {"min":88,"avg":153.5,"max":872,"stddev":186.3,"var":34709.8,"ent":4.4,"data": [104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,168,88,104,104,168,104,104,88,104,104,872,88,872,88,104,104,88]},"bins": {"c_to_s": [0,3,15,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,8,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0],"entropies": [6.066075802,6.142999172,6.123768806,6.032328606,6.188719273,6.181460857,6.181460857,6.169488430,6.111796379,6.038962364,6.065451622,6.120974541,6.128233433,6.053479195,6.116261482,6.740974426,6.004880905,6.097030163,6.166695118,6.774616718,6.150815487,6.220480442,5.905394077,6.170046329,6.234997272,5.541868210,5.928121090,5.589448929,6.027608395,6.189277172,6.140205860,6.004880905]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Nintendo","proto_id":"173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00881{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1500731340831670,"flow_src_last_pkt_time":1500731340837106,"flow_dst_last_pkt_time":1500731340889684,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":16,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":80,"midstream":0,"thread_ts_usec":1500731348756457,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":10025,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"AmazonAWS","proto_id":"265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00765{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1500731340831670,"flow_src_last_pkt_time":1500731340837106,"flow_dst_last_pkt_time":1500731340889684,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":16,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":80,"midstream":0,"thread_ts_usec":1500731348756457,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"35.158.74.61","src_port":55915,"dst_port":10025,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00908{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"nintendo.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1500731341194858,"flow_src_last_pkt_time":1500731341194858,"flow_dst_last_pkt_time":1500731341194969,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":68,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":68,"flow_dst_max_l4_payload_len":239,"flow_src_tot_l4_payload_len":68,"flow_dst_tot_l4_payload_len":239,"midstream":0,"thread_ts_usec":1500731348756457,"l3_proto":"ip4","src_ip":"192.168.12.114","dst_ip":"192.168.12.1","src_port":51035,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Nintendo","proto_id":"5.173","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} @@ -142,10 +142,10 @@ ~~ total active/idle flows...: 21/21 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6115005 bytes -~~ total memory freed........: 6115005 bytes -~~ total allocations/frees...: 122701/122701 +~~ total memory allocated....: 6117861 bytes +~~ total memory freed........: 6117861 bytes +~~ total allocations/frees...: 122722/122722 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars -~~ json string max len.......: 1768 chars -~~ json string avg len.......: 1130 chars +~~ json string max len.......: 2164 chars +~~ json string avg len.......: 1328 chars diff --git a/test/results/nntp.pcap.out b/test/results/nntp.pcap.out index 609aa8d95..0668f0cb8 100644 --- a/test/results/nntp.pcap.out +++ b/test/results/nntp.pcap.out @@ -5,7 +5,7 @@ 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1258844926423672,"flow_dst_last_pkt_time":1258844926423829,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1258844926423829,"pkt":"ABQqM3R+AEBj1fcCCABFAAA8AABAAEAGPVHAqL4FwKi+FAB32U6dVo1l2dJVlaASFqBxAwAAAgQFtAQCCAoKz1tgAMgoAwEDAwQ="} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1258844926423850,"flow_dst_last_pkt_time":1258844926423829,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1258844926423850,"pkt":"AEBj1fcCABQqM3R+CABFAAA0fZhAAEAGv8DAqL4UwKi+BdlOAHfZ0lWVnVaNZoAQAFy2EAAAAQEICgDIKAMKz1tg"} 00860{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844926441100,"flow_dst_last_pkt_time":1258844926440830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":124,"flow_src_tot_l4_payload_len":13,"flow_dst_tot_l4_payload_len":124,"midstream":0,"thread_ts_usec":1258844926441100,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} -01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844993785292,"flow_dst_last_pkt_time":1258844993785209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":113,"flow_dst_tot_l4_payload_len":4808,"midstream":0,"thread_ts_usec":1258844993785292,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":29,"avg":4345908.0,"max":25684268,"stddev":7782391.0,"var":60565611347968.0,"ent":3.1,"data": [157,178,17001,17072,178,379,673149,673694,608,343,40452,19518042,19565845,7986,4770071,4784435,14326,95,29,25683555,25684268,770,12078373,12090740,12467,209,55,4543973,116,4544308,283]},"pktlen": {"min":54,"avg":219.9,"max":1514,"stddev":397.4,"var":157950.1,"ent":3.7,"data": [74,74,66,190,66,79,66,113,92,66,115,66,79,1294,66,79,1514,66,186,66,97,116,66,77,1514,66,332,66,72,66,94,54]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02129{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844993785292,"flow_dst_last_pkt_time":1258844993785209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":113,"flow_dst_tot_l4_payload_len":4808,"midstream":0,"thread_ts_usec":1258844993785292,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":29,"avg":4345908.0,"max":25684268,"stddev":7782391.0,"var":60565611347968.0,"ent":3.1,"data": [157,178,17001,17072,178,379,673149,673694,608,343,40452,19518042,19565845,7986,4770071,4784435,14326,95,29,25683555,25684268,770,12078373,12090740,12467,209,55,4543973,116,4544308,283]},"pktlen": {"min":40,"avg":205.9,"max":1500,"stddev":397.4,"var":157950.1,"ent":3.6,"data": [60,60,52,176,52,65,52,99,78,52,101,52,65,1280,52,65,1500,52,172,52,83,102,52,63,1500,52,318,52,58,52,80,40]},"bins": {"c_to_s": [19,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,1,0,0,1,0,0,1,0,1,0,0,1,0,0,1,0,1,0,0,0,1,0],"entropies": [4.471673489,4.918822765,4.878231525,5.476410866,4.931209564,5.179985523,4.961856842,5.561774254,5.435857296,5.000318050,5.478010178,4.892747879,5.210754871,5.673897266,4.969671249,5.291449070,5.852569103,4.878231049,5.413592815,4.878231049,5.543476105,5.549430847,4.931209564,5.298630238,5.766685963,4.767184258,5.374790192,4.825252533,4.982897282,4.817437172,5.532413483,3.670482159]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00904{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1258844926423672,"flow_src_last_pkt_time":1258844993785292,"flow_dst_last_pkt_time":1258844993785209,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":113,"flow_dst_tot_l4_payload_len":4808,"midstream":0,"thread_ts_usec":1258844993785292,"l3_proto":"ip4","src_ip":"192.168.190.20","dst_ip":"192.168.190.5","src_port":55630,"dst_port":119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Usenet","proto_id":"93","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":32,"source":"nntp.pcap","alias":"nDPId-test","packets-captured":32,"packets-processed":32,"total-skipped-flows":0,"total-l4-payload-len":4921,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1258844993785292} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038617 bytes -~~ total memory freed........: 6038617 bytes -~~ total allocations/frees...: 121520/121520 +~~ total memory allocated....: 6038753 bytes +~~ total memory freed........: 6038753 bytes +~~ total allocations/frees...: 121521/121521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1736 chars -~~ json string avg len.......: 1053 chars +~~ json string max len.......: 2134 chars +~~ json string avg len.......: 1227 chars diff --git a/test/results/no_sni.pcap.out b/test/results/no_sni.pcap.out index 654b2782d..4cfd6d397 100644 --- a/test/results/no_sni.pcap.out +++ b/test/results/no_sni.pcap.out @@ -13,12 +13,12 @@ 01149{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1604822444486731,"flow_src_last_pkt_time":1604822444629799,"flow_dst_last_pkt_time":1604822444807971,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":616,"flow_dst_max_l4_payload_len":682,"flow_src_tot_l4_payload_len":792,"flow_dst_tot_l4_payload_len":682,"midstream":0,"thread_ts_usec":1604822444807971,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network","hostname":"mozilla.cloudflare-dns.com","tls": {"version":"TLSv1.3","ja3":"f14ec85ee5580a29f6523e24e5d3d527","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":36,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822444913120,"flow_dst_last_pkt_time":1604822444913120,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822444913120,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1604822444913120,"flow_dst_last_pkt_time":1604822444913120,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1604822444913120,"pkt":"EBMxuRBeeDHBvV4kCABFAABAAABAAEAGlCjAqAF3aBB8YMmcAbs\/DuN6AAAAALAC\/\/+FPgAAAgQFtAEDAwYBAQgKKlLy+gAAAAAEAgAA"} -01693{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1604822444486731,"flow_src_last_pkt_time":1604822444918595,"flow_dst_last_pkt_time":1604822444918472,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":616,"flow_dst_max_l4_payload_len":682,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":1416,"midstream":0,"thread_ts_usec":1604822444918595,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":27858.2,"max":180261,"stddev":53974.2,"var":2913210624.0,"ent":3.0,"data": [137944,138022,4673,280,93,180261,3035,178242,156,4,141,2334,6395,1417,5511,15440,136,687,115,1388,73966,13479,4177,2946,6,76790,62,5422,2521,12,7950]},"pktlen": {"min":54,"avg":141.2,"max":736,"stddev":163.8,"var":26828.9,"ent":4.4,"data": [78,66,54,670,60,224,60,736,54,116,60,54,138,60,85,54,205,140,114,146,85,60,60,60,380,85,54,54,60,307,85,54]},"bins": {"c_to_s": [10,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} +02092{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":40,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1604822444486731,"flow_src_last_pkt_time":1604822444918595,"flow_dst_last_pkt_time":1604822444918472,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":616,"flow_dst_max_l4_payload_len":682,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":1416,"midstream":0,"thread_ts_usec":1604822444918595,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.249.249","src_port":51606,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":27858.2,"max":180261,"stddev":53974.2,"var":2913210624.0,"ent":3.0,"data": [137944,138022,4673,280,93,180261,3035,178242,156,4,141,2334,6395,1417,5511,15440,136,687,115,1388,73966,13479,4177,2946,6,76790,62,5422,2521,12,7950]},"pktlen": {"min":40,"avg":127.2,"max":722,"stddev":163.8,"var":26828.9,"ent":4.2,"data": [64,52,40,656,46,210,46,722,40,102,46,40,124,46,71,40,191,126,100,132,71,46,46,46,366,71,40,40,46,293,71,40]},"bins": {"c_to_s": [10,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,0,0,1,1,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0],"entropies": [4.396777153,4.868495941,4.453056812,7.114666462,4.555532932,6.968688488,4.414441109,7.666847229,4.630641460,6.135609627,4.457919598,4.630641460,6.314809799,4.414441109,5.619441509,4.511769772,6.797011852,6.413628101,6.156311035,6.369709969,5.547562122,4.414441109,4.414441109,4.414441109,7.324114323,5.703947544,4.630641460,4.630641460,4.457919598,7.272934914,5.647610664,4.630641460]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DoH_DoT","proto_id":"91.196","encrypted":1,"breed":"Fun","category_id":14,"category":"Network"}} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":43,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1604822444913120,"flow_dst_last_pkt_time":1604822445034293,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1604822445034293,"pkt":"eDHBvV4kEBMxuRBeCABFAAA0AABAADkGmzRoEHxgwKgBdwG7yZyEa\/jPPw7je4AS\/\/9djQAAAgQFeAEBBAIBAwMK"} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1604822445034393,"flow_dst_last_pkt_time":1604822445034293,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1604822445034393,"pkt":"EBMxuRBeeDHBvV4kCABFAAAoAABAAEAGlEDAqAF3aBB8YMmcAbs\/DuN7hGv40FAQEACOJgAA"} 01084{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":45,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445039824,"flow_dst_last_pkt_time":1604822445034293,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":947,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822445039824,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"76ec527d45e3a2a9093484446d7d3264","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01127{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445039824,"flow_dst_last_pkt_time":1604822445135087,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":232,"flow_src_tot_l4_payload_len":947,"flow_dst_tot_l4_payload_len":232,"midstream":0,"thread_ts_usec":1604822445135087,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"76ec527d45e3a2a9093484446d7d3264","ja3s":"2b0648ab686ee45e0e7c35fcfb0eea7e","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01721{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":73,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445694881,"flow_dst_last_pkt_time":1604822445694834,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2075,"flow_dst_tot_l4_payload_len":8322,"midstream":0,"thread_ts_usec":1604822445694881,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":120,"avg":50434.7,"max":472643,"stddev":107031.5,"var":11455736832.0,"ent":3.0,"data": [121173,121273,5431,100429,365,95332,957,4750,120,77068,533,71774,182,427,594,188,76917,15494,380381,472643,2763,2757,2091,2075,1637,1645,1367,284,1629,603,593]},"pktlen": {"min":54,"avg":381.0,"max":1514,"stddev":489.4,"var":239474.4,"ent":4.0,"data": [78,66,54,1001,60,286,54,118,224,917,60,566,54,60,85,54,85,60,60,1092,54,844,54,1445,54,1445,54,1514,407,54,1178,54]},"bins": {"c_to_s": [12,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,1,1,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02119{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":73,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1604822444913120,"flow_src_last_pkt_time":1604822445694881,"flow_dst_last_pkt_time":1604822445694834,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":947,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2075,"flow_dst_tot_l4_payload_len":8322,"midstream":0,"thread_ts_usec":1604822445694881,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.16.124.96","src_port":51612,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":120,"avg":50434.7,"max":472643,"stddev":107031.5,"var":11455736832.0,"ent":3.0,"data": [121173,121273,5431,100429,365,95332,957,4750,120,77068,533,71774,182,427,594,188,76917,15494,380381,472643,2763,2757,2091,2075,1637,1645,1367,284,1629,603,593]},"pktlen": {"min":40,"avg":367.0,"max":1500,"stddev":489.4,"var":239474.4,"ent":3.9,"data": [64,52,40,987,46,272,40,104,210,903,46,552,40,46,71,40,71,46,46,1078,40,830,40,1431,40,1431,40,1500,393,40,1164,40]},"bins": {"c_to_s": [12,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,2,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,1,1,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,1,0,1,0],"entropies": [4.459277153,4.906957626,4.434184551,7.493985176,4.501398087,6.837790012,4.611769199,6.011372089,6.893880844,7.790526867,4.501398087,7.625611782,4.561769009,4.501398087,5.703947067,4.561769009,5.575730801,4.457919598,4.501398087,7.808494568,4.611769199,7.795384884,4.611769199,7.862168789,4.611769199,7.876565933,4.611769199,7.855591774,7.425184250,4.611769199,7.806784630,4.611769199]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":778,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1604822447227531,"flow_src_last_pkt_time":1604822447227531,"flow_dst_last_pkt_time":1604822447227531,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822447227531,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51635,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":778,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1604822447227531,"flow_dst_last_pkt_time":1604822447227531,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1604822447227531,"pkt":"EBMxuRBeeDHBvV4kCABFAABAAABAAEAGSmLAqAF3aBHGJcmzAbtjbUROAAAAALAC\/\/+t4gAAAgQFtAEDAwYBAQgKKlL7RgAAAAAEAgAA"} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":789,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1604822447249969,"flow_src_last_pkt_time":1604822447249969,"flow_dst_last_pkt_time":1604822447249969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1604822447249969,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.17.198.37","src_port":51636,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -49,7 +49,7 @@ 01130{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":944,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447374307,"flow_dst_last_pkt_time":1604822447500011,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1604822447500011,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01130{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":948,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822447287617,"flow_src_last_pkt_time":1604822447380742,"flow_dst_last_pkt_time":1604822447506495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1604822447506495,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01130{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":952,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1604822447287254,"flow_src_last_pkt_time":1604822447386869,"flow_dst_last_pkt_time":1604822447515088,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":712,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1604822447515088,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"62a4a00de930bd0a5bee0309cc8362ed","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1051,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447783794,"flow_dst_last_pkt_time":1604822447783495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1453,"flow_dst_tot_l4_payload_len":5882,"midstream":0,"thread_ts_usec":1604822447783794,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":32040.9,"max":143742,"stddev":43042.9,"var":1852691072.0,"ent":3.8,"data": [81926,82025,5271,129371,1703,673,126443,63976,9103,148,11896,1581,143742,57056,79239,1596,80830,1627,14677,255,13311,11856,23,12136,91,25357,25014,814,775,5252,5500]},"pktlen": {"min":54,"avg":285.3,"max":1514,"stddev":409.4,"var":167573.6,"ent":4.0,"data": [78,66,54,766,60,1514,1385,54,118,224,380,129,129,1385,66,60,566,54,85,60,85,54,581,85,54,54,368,54,85,54,368,54]},"bins": {"c_to_s": [12,0,3,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,0,1,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02122{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1051,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447783794,"flow_dst_last_pkt_time":1604822447783495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1453,"flow_dst_tot_l4_payload_len":5882,"midstream":0,"thread_ts_usec":1604822447783794,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":32040.9,"max":143742,"stddev":43042.9,"var":1852691072.0,"ent":3.8,"data": [81926,82025,5271,129371,1703,673,126443,63976,9103,148,11896,1581,143742,57056,79239,1596,80830,1627,14677,255,13311,11856,23,12136,91,25357,25014,814,775,5252,5500]},"pktlen": {"min":40,"avg":271.3,"max":1500,"stddev":409.4,"var":167573.6,"ent":3.8,"data": [64,52,40,752,46,1500,1371,40,104,210,366,115,115,1371,52,46,552,40,71,46,71,40,567,71,40,40,354,40,71,40,354,40]},"bins": {"c_to_s": [12,0,3,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,0,1,1,0,0,1,1,0,1,1,0,0,1,0,1,0,1,0],"entropies": [4.459277153,4.906957626,4.521928787,7.339107990,4.501398087,7.864248276,7.833704948,4.680641651,5.877521515,6.990070820,7.449111938,6.292889118,6.375582218,7.833081245,4.709867954,4.544876099,7.609548569,4.680641651,5.444761276,4.457919598,5.626344681,4.680641651,7.643690109,5.580639362,4.630641460,4.630641460,7.406938553,4.680641651,5.636977673,4.680641651,7.347516537,4.680641651]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00922{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":16,"flow_first_seen":1604822447287011,"flow_src_last_pkt_time":1604822447785923,"flow_dst_last_pkt_time":1604822447869770,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1453,"flow_dst_tot_l4_payload_len":5913,"midstream":0,"thread_ts_usec":1604822448604804,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51637,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00767{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":10,"flow_first_seen":1604822447287254,"flow_src_last_pkt_time":1604822447844256,"flow_dst_last_pkt_time":1604822447844195,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":3333,"midstream":0,"thread_ts_usec":1604822448604804,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51638,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00767{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1185,"source":"no_sni.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":10,"flow_first_seen":1604822447287617,"flow_src_last_pkt_time":1604822447839595,"flow_dst_last_pkt_time":1604822447839532,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":712,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":3333,"midstream":0,"thread_ts_usec":1604822448604804,"l3_proto":"ip4","src_ip":"192.168.1.119","dst_ip":"104.22.72.170","src_port":51639,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -67,10 +67,10 @@ ~~ total active/idle flows...: 8/8 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6127678 bytes -~~ total memory freed........: 6127678 bytes -~~ total allocations/frees...: 122780/122780 +~~ total memory allocated....: 6128766 bytes +~~ total memory freed........: 6128766 bytes +~~ total allocations/frees...: 122788/122788 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1728 chars -~~ json string avg len.......: 1108 chars +~~ json string max len.......: 2127 chars +~~ json string avg len.......: 1308 chars diff --git a/test/results/ocs.pcap.out b/test/results/ocs.pcap.out index 90b1e6b26..318f63003 100644 --- a/test/results/ocs.pcap.out +++ b/test/results/ocs.pcap.out @@ -59,7 +59,7 @@ 01150{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":59,"source":"ocs.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":0,"flow_first_seen":1449652788109953,"flow_src_last_pkt_time":1449652788195073,"flow_dst_last_pkt_time":1449652788109953,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":208,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":208,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652788195073,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.54","src_port":36680,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.OCS","proto_id":"91.218","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"ocs.labgency.ws","tls": {"version":"TLSv1","ja3":"0534a22b266a64a5cc9a90f7b5c483cc","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"ocs.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1449652788595794,"flow_dst_last_pkt_time":1449652787596837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652788595794,"pkt":"RQAAPDy5QABABnycwKi0AomHgzS0VhQCr\/++QwAAAACgAjkI02AAAAIEBbQEAggKADWDYAAAAAABAwMG"} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"ocs.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1449652790602154,"flow_dst_last_pkt_time":1449652787596837,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652790602154,"pkt":"RQAAPDy6QABABnybwKi0AomHgzS0VhQCr\/++QwAAAACgAjkI0pgAAAIEBbQEAggKADWEKAAAAAABAwMG"} -01696{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"ocs.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652787983929,"flow_src_last_pkt_time":1449652790713183,"flow_dst_last_pkt_time":1449652787983929,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":663,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652790713183,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.54","src_port":49881,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":450,"avg":88040.5,"max":928563,"stddev":172609.9,"var":29794174976.0,"ent":3.5,"data": [83797,14275,246872,572,450,68391,1837,71492,506,5433,4137,41728,146026,90832,71054,77421,63432,3718,80468,1653,86121,564,67336,32599,43283,386587,73735,2510,928563,31722,2140]},"pktlen": {"min":52,"avg":83.1,"max":715,"stddev":113.8,"var":12942.2,"ent":4.5,"data": [60,52,715,64,72,72,80,72,72,72,72,72,64,52,64,64,64,52,52,52,52,64,64,64,64,52,52,64,64,52,64,64]},"bins": {"c_to_s": [31,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +02095{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":112,"source":"ocs.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652787983929,"flow_src_last_pkt_time":1449652790713183,"flow_dst_last_pkt_time":1449652787983929,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":663,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":663,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652790713183,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.54","src_port":49881,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":450,"avg":88040.5,"max":928563,"stddev":172609.9,"var":29794174976.0,"ent":3.5,"data": [83797,14275,246872,572,450,68391,1837,71492,506,5433,4137,41728,146026,90832,71054,77421,63432,3718,80468,1653,86121,564,67336,32599,43283,386587,73735,2510,928563,31722,2140]},"pktlen": {"min":52,"avg":83.1,"max":715,"stddev":113.8,"var":12942.2,"ent":4.5,"data": [60,52,715,64,72,72,80,72,72,72,72,72,64,52,64,64,64,52,52,52,52,64,64,64,64,52,52,64,64,52,64,64]},"bins": {"c_to_s": [31,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.517588139,5.123517990,6.025798798,5.070159912,5.236322403,5.173415184,5.239589214,5.201192856,5.264100075,5.236322403,5.236322403,5.182154179,5.152114868,5.091758728,5.194910049,5.194910049,5.132410049,5.154164791,5.115703106,5.115703106,5.032077789,5.132410049,5.163660049,5.132410049,5.163660049,5.115703106,5.168681622,5.220060349,5.169355392,5.008133411,5.120864868,5.077819824]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"ocs.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1449652792355546,"flow_dst_last_pkt_time":1449652784341686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652792355546,"pkt":"RQAAPKb0QABABiV3wKi0AkDpuLy6UxRsAv3YCQAAAACgAjkIcdQAAAIEBbQEAggKADWE2AAAAAABAwMG"} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":241,"source":"ocs.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1449652797357367,"flow_src_last_pkt_time":1449652797357367,"flow_dst_last_pkt_time":1449652797357367,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652797357367,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"64.233.184.188","src_port":32946,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3} 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":241,"source":"ocs.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1449652797357367,"flow_dst_last_pkt_time":1449652797357367,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":60,"pkt_l4_len":40,"thread_ts_usec":1449652797357367,"pkt":"RQAAPAMUQABABslXwKi0AkDpuLyAsgG7QZiF2AAAAACgAjkIz8gAAAIEBbQEAggKADWGzAAAAAABAwMG"} @@ -88,7 +88,7 @@ 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":865,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_src_last_pkt_time":1449652842700226,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":52,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":52,"pkt_l4_len":32,"thread_ts_usec":1449652842700226,"pkt":"RQAAND8aQABABgM0wKi0ArL40NKmXgBQrzCnZDkypeeAEADlhQYAAAEBCAoANZiCGkFpBQ=="} 00708{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":866,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1449652842701752,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":204,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":204,"pkt_l4_len":184,"thread_ts_usec":1449652842701752,"pkt":"RQAAzD8bQABABgKbwKi0ArL40NKmXgBQrzCnZDkypeeAGADlkB4AAAEBCAoANZiCGkFpBUdFVCAvZGF0YV9wbGF0ZWZvcm1lL3Byb2dyYW0vMTg0OTYvdHZfZGV0YWlsX21vcnRkdW5wb3VydzAwMTIyMzZfNzJmNmMuanBnIEhUVFAvMS4xDQpBY2NlcHQtRW5jb2Rpbmc6IGd6aXANCkhvc3Q6IHd3dy5vY3MuZnINCkNvbm5lY3Rpb246IEtlZXAtQWxpdmUNCg0K"} 01030{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":866,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652842701752,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652842701752,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.ocs.fr","http": {"url":"www.ocs.fr\/data_plateforme\/program\/18496\/tv_detail_mortdunpourw0012236_72f6c.jpg","code":0,"content_type":"","user_agent":""}}} -01679{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":895,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652843470951,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652843470951,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":77,"avg":27165.3,"max":79495,"stddev":29589.7,"var":875550464.0,"ent":4.0,"data": [71399,1526,54762,1106,3570,59902,605,77,5328,64776,1667,1533,79495,5458,58361,1849,64604,1987,67520,26503,42864,25995,65439,972,48553,1253,1960,1270,75524,1445,4821]},"pktlen": {"min":52,"avg":63.9,"max":204,"stddev":26.3,"var":690.5,"ent":4.9,"data": [60,52,204,52,52,52,52,52,64,64,64,64,72,64,64,72,72,72,64,64,64,52,52,52,52,52,52,52,52,52,64,72]},"bins": {"c_to_s": [31,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +02078{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":895,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652843470951,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":152,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652843470951,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":77,"avg":27165.3,"max":79495,"stddev":29589.7,"var":875550464.0,"ent":4.0,"data": [71399,1526,54762,1106,3570,59902,605,77,5328,64776,1667,1533,79495,5458,58361,1849,64604,1987,67520,26503,42864,25995,65439,972,48553,1253,1960,1270,75524,1445,4821]},"pktlen": {"min":52,"avg":63.9,"max":204,"stddev":26.3,"var":690.5,"ent":4.9,"data": [60,52,204,52,52,52,52,52,64,64,64,64,72,64,64,72,72,72,64,64,64,52,52,52,52,52,52,52,52,52,64,72]},"bins": {"c_to_s": [31,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.550921917,5.046595097,5.875504971,5.154164791,5.115703106,5.154164791,5.192625999,5.154164791,5.194910049,5.226160049,5.194910049,5.226160049,5.329917908,5.226160049,5.251310349,5.296718597,5.391922951,5.336368084,5.251310349,5.294355392,5.294355392,5.207143307,5.154164314,5.168681622,5.091758728,5.168681622,5.168681622,5.130220413,5.168681622,5.207143307,5.313810349,5.324496269]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00751{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":938,"source":"ocs.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1449652798230623,"flow_src_last_pkt_time":1449652798230623,"flow_dst_last_pkt_time":1449652798230623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652845277546,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"8.8.8.8","src_port":11793,"dst_port":53,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3} 00901{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":946,"source":"ocs.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":0,"flow_first_seen":1449652842628827,"flow_src_last_pkt_time":1449652846380718,"flow_dst_last_pkt_time":1449652842628827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":156,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":308,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652846380718,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"178.248.208.210","src_port":42590,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCS","proto_id":"7.218","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00756{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":946,"source":"ocs.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":0,"flow_first_seen":1449652786395470,"flow_src_last_pkt_time":1449652787578542,"flow_dst_last_pkt_time":1449652786395470,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":84,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1449652846380718,"l3_proto":"ip4","src_ip":"192.168.180.2","dst_ip":"137.135.129.206","src_port":44959,"dst_port":80,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3} @@ -121,10 +121,10 @@ ~~ total active/idle flows...: 20/20 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6105021 bytes -~~ total memory freed........: 6105021 bytes -~~ total allocations/frees...: 122656/122656 +~~ total memory allocated....: 6107741 bytes +~~ total memory freed........: 6107741 bytes +~~ total allocations/frees...: 122676/122676 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1701 chars -~~ json string avg len.......: 1094 chars +~~ json string max len.......: 2100 chars +~~ json string avg len.......: 1294 chars diff --git a/test/results/ocsp.pcapng.out b/test/results/ocsp.pcapng.out index 110db02cd..73e2cbf54 100644 --- a/test/results/ocsp.pcapng.out +++ b/test/results/ocsp.pcapng.out @@ -17,8 +17,8 @@ 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1623222785863296,"flow_dst_last_pkt_time":1623222785875339,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623222785875339,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADgGxC5cel\/rwKgBgABQqtACFmIrx0ULW6AScSDxGwAAAgQFtAQCCAqrs6x4tFZ4oAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB8kYB7"} 00598{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":51,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1623222785879381,"flow_dst_last_pkt_time":1623222785875339,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"thread_ts_usec":1623222785879381,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0JGJAAEAGl9TAqAGAXHpf66rQAFDHRQtbAhZiLIAQAfaPAgAAAQEICrRWeLCrs6x4GYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcxJlyw=="} 01122{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":52,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623222785863296,"flow_src_last_pkt_time":1623222785879661,"flow_dst_last_pkt_time":1623222785875339,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":386,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623222785879661,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"r3.o.lencr.org","http": {"url":"r3.o.lencr.org\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}} -01820{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":70,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222699655905,"flow_src_last_pkt_time":1623222817722827,"flow_dst_last_pkt_time":1623222807485567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":394,"flow_dst_max_l4_payload_len":702,"flow_src_tot_l4_payload_len":788,"flow_dst_tot_l4_payload_len":1404,"midstream":0,"thread_ts_usec":1623222817722827,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.184.99","src_port":54154,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3376,"avg":7529886.0,"max":10243102,"stddev":4272061.0,"var":18250505125888.0,"ent":4.5,"data": [3376,7013,7440,102951,109262,10007824,10012989,10151666,10151973,10240500,10240566,10243102,10242877,10236097,10235872,10239925,10240468,10239857,10239497,5617732,5617894,102927,109302,10148797,10155034,10236056,10236089,10239827,10239709,10239962]},"pktlen": {"min":118,"avg":187.0,"max":820,"stddev":189.1,"var":35745.5,"ent":4.5,"data": [126,126,118,512,118,820,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,512,118,820,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":13,"category":"Cloud"}} -01828{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":105,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222785863296,"flow_src_last_pkt_time":1623222906298417,"flow_dst_last_pkt_time":1623222896069773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":889,"flow_src_tot_l4_payload_len":772,"flow_dst_tot_l4_payload_len":1778,"midstream":0,"thread_ts_usec":1623222906298417,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":280,"avg":7440051.5,"max":10244049,"stddev":4398639.5,"var":19348030750720.0,"ent":4.5,"data": [12043,16085,280,19618,157130,176931,7779779,7796085,1344,16621,10045906,10060740,10239929,10239733,10239821,10240037,10244027,10243851,10239937,10239981,10236031,10236118,10243927,10244049,10235957,10235895,10239975,10239809,10240030,10240044,10239885]},"pktlen": {"min":118,"avg":198.2,"max":1007,"stddev":228.7,"var":52281.3,"ent":4.4,"data": [126,126,118,504,118,1007,118,504,118,1007,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +02219{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":70,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222699655905,"flow_src_last_pkt_time":1623222817722827,"flow_dst_last_pkt_time":1623222807485567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":394,"flow_dst_max_l4_payload_len":702,"flow_src_tot_l4_payload_len":788,"flow_dst_tot_l4_payload_len":1404,"midstream":0,"thread_ts_usec":1623222817722827,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"142.250.184.99","src_port":54154,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3376,"avg":7529886.0,"max":10243102,"stddev":4272061.0,"var":18250505125888.0,"ent":4.5,"data": [3376,7013,7440,102951,109262,10007824,10012989,10151666,10151973,10240500,10240566,10243102,10242877,10236097,10235872,10239925,10240468,10239857,10239497,5617732,5617894,102927,109302,10148797,10155034,10236056,10236089,10239827,10239709,10239962]},"pktlen": {"min":104,"avg":173.0,"max":806,"stddev":189.1,"var":35745.5,"ent":4.5,"data": [112,112,104,498,104,806,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,498,104,806,104,104,104,104,104,104,104,104]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0],"entropies": [3.897244453,4.342274189,4.040620327,6.236268997,4.387147903,7.122592449,4.465434074,4.446203232,4.328273296,4.336050510,4.381251812,4.426972389,4.335968971,4.426972389,4.400482655,4.446203232,4.335968971,4.446203232,4.400482655,4.446203232,4.369279861,6.204105377,4.350049019,7.039563656,4.419713497,4.426972389,4.419713497,4.369279861,4.419713497,4.381252289,4.407741547,4.381689072]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":13,"category":"Cloud"}} +02224{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":105,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623222785863296,"flow_src_last_pkt_time":1623222906298417,"flow_dst_last_pkt_time":1623222896069773,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":889,"flow_src_tot_l4_payload_len":772,"flow_dst_tot_l4_payload_len":1778,"midstream":0,"thread_ts_usec":1623222906298417,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"92.122.95.235","src_port":43728,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":280,"avg":7440051.5,"max":10244049,"stddev":4398639.5,"var":19348030750720.0,"ent":4.5,"data": [12043,16085,280,19618,157130,176931,7779779,7796085,1344,16621,10045906,10060740,10239929,10239733,10239821,10240037,10244027,10243851,10239937,10239981,10236031,10236118,10243927,10244049,10235957,10235895,10239975,10239809,10240030,10240044,10239885]},"pktlen": {"min":104,"avg":184.2,"max":993,"stddev":228.7,"var":52281.3,"ent":4.4,"data": [112,112,104,490,104,993,104,490,104,993,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [3.854789734,4.210582733,4.061213493,6.305238724,4.330295086,6.969508171,4.388510704,6.307199955,4.399959564,6.995585918,4.388510704,4.446203232,4.362458229,4.407741547,4.380728722,4.362020969,4.380728722,4.407741547,4.342267036,4.388510704,4.335008621,4.362458229,4.335008621,4.381251812,4.373470306,4.369279861,4.335008621,4.407741547,4.354239464,4.400482655,4.354321003,4.343227386]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":110,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1623223090984057,"flow_src_last_pkt_time":1623223090984057,"flow_dst_last_pkt_time":1623223090984057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623223090984057,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34320,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":110,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1623223090984057,"flow_dst_last_pkt_time":1623223090984057,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623223090984057,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8WOFAAEAGCBnAqAGAl4uADoYQAFC9BO7MAAAAAKAC+vBq5AAAAgQFtAQCCArLCQstAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAABk1G4o"} 00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":111,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1623223090984057,"flow_dst_last_pkt_time":1623223091009779,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623223091009779,"pkt":"PKn0qB\/spJGxgjQ5CABFAAA8AABAADAGcPqXi4AOwKgBgABQhhCFN\/R2vQTuzaAS\/ohuswAAAgQFtAQCCAoBgn1XywkLLQEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADKwfqN"} @@ -39,7 +39,7 @@ 01129{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":161,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226796057242,"flow_dst_last_pkt_time":1623226796050182,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":387,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623226796057242,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"ocsp.digicert.com","http": {"url":"ocsp.digicert.com\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}} 00910{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":165,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1623223090984057,"flow_src_last_pkt_time":1623223156058732,"flow_dst_last_pkt_time":1623223156084748,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":393,"flow_dst_max_l4_payload_len":728,"flow_src_tot_l4_payload_len":393,"flow_dst_tot_l4_payload_len":1199,"midstream":0,"thread_ts_usec":1623226796065242,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34320,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00909{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":165,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1623223091709422,"flow_src_last_pkt_time":1623223156773701,"flow_dst_last_pkt_time":1623223156800666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":389,"flow_dst_max_l4_payload_len":472,"flow_src_tot_l4_payload_len":389,"flow_dst_tot_l4_payload_len":917,"midstream":0,"thread_ts_usec":1623226796065242,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.139.128.14","src_port":34340,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01808{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":189,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226898935296,"flow_dst_last_pkt_time":1623226888697884,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":799,"flow_src_tot_l4_payload_len":1161,"flow_dst_tot_l4_payload_len":2397,"midstream":0,"thread_ts_usec":1623226898935296,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":297,"avg":6307708.5,"max":10240173,"stddev":4932344.5,"var":24328020164608.0,"ent":4.3,"data": [3075,7547,2588,10413,297,8000,10198565,10205648,10239932,10239686,10240046,10239807,10240147,10240173,10239675,10239894,594543,595404,7786,346,7916,7271,10142015,10148632,10239909,10240023,10239943,10239865,10239954,10239944,10239922]},"pktlen": {"min":118,"avg":229.7,"max":917,"stddev":247.8,"var":61420.8,"ent":4.4,"data": [126,126,118,505,118,917,118,118,118,118,118,118,118,118,118,118,118,505,917,118,505,917,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +02207{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":189,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226898935296,"flow_dst_last_pkt_time":1623226888697884,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":799,"flow_src_tot_l4_payload_len":1161,"flow_dst_tot_l4_payload_len":2397,"midstream":0,"thread_ts_usec":1623226898935296,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":297,"avg":6307708.5,"max":10240173,"stddev":4932344.5,"var":24328020164608.0,"ent":4.3,"data": [3075,7547,2588,10413,297,8000,10198565,10205648,10239932,10239686,10240046,10239807,10240147,10240173,10239675,10239894,594543,595404,7786,346,7916,7271,10142015,10148632,10239909,10240023,10239943,10239865,10239954,10239944,10239922]},"pktlen": {"min":104,"avg":215.7,"max":903,"stddev":247.8,"var":61420.8,"ent":4.3,"data": [112,112,104,491,104,903,104,104,104,104,104,104,104,104,104,104,104,491,903,104,491,903,104,104,104,104,104,104,104,104,104,104]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,1,0],"entropies": [3.868270159,4.279380798,4.030010700,6.270659924,4.342348576,7.048072815,4.407741547,4.407741547,4.327831268,4.388510704,4.373551369,4.383797169,4.361579418,4.395769119,4.336050510,4.388510704,4.327831268,6.267565727,7.008815289,4.357307434,6.261363029,7.018546581,4.348686218,4.395769119,4.303886890,4.330818176,4.342348576,4.395769119,4.342348576,4.414999962,4.272684097,4.376538277]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","packets-captured":208,"packets-processed":207,"total-skipped-flows":0,"total-l4-payload-len":19557,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":6,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":43,"global_ts_usec":1623227471703092} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1623227471703092,"flow_src_last_pkt_time":1623227471703092,"flow_dst_last_pkt_time":1623227471703092,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623227471703092,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":208,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1623227471703092,"flow_dst_last_pkt_time":1623227471703092,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623227471703092,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA8CDlAAEAGLKrAqAGANFUPXMDmAFDpM3mLAAAAAKAC+vAljwAAAgQFtAQCCArD2jnWAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAU0JsT"} @@ -52,8 +52,8 @@ 00599{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":217,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1623227472218439,"flow_dst_last_pkt_time":1623227472214417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"thread_ts_usec":1623227472218439,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0cD1AAEAGbnTAqAGAl2UCheoSAFClxR9WcxTjBIAQAfagEQAAAQEIClxJqx0CSmlaGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAyyO91A=="} 01149{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":218,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623227472211039,"flow_src_last_pkt_time":1623227472219362,"flow_dst_last_pkt_time":1623227472214417,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":401,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":401,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623227472219362,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"ocsp.globalsign.com","http": {"url":"ocsp.globalsign.com\/gsrsaovsslca2018","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}} 00910{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":224,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":23,"flow_first_seen":1623226796047107,"flow_src_last_pkt_time":1623226963037756,"flow_dst_last_pkt_time":1623226963033362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":799,"flow_src_tot_l4_payload_len":1161,"flow_dst_tot_l4_payload_len":2397,"midstream":0,"thread_ts_usec":1623227472228502,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"93.184.220.29","src_port":47904,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01810{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227472211039,"flow_src_last_pkt_time":1623227587349174,"flow_dst_last_pkt_time":1623227584757187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":401,"flow_dst_max_l4_payload_len":1344,"flow_src_tot_l4_payload_len":401,"flow_dst_tot_l4_payload_len":1998,"midstream":0,"thread_ts_usec":1623227587349174,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":615,"avg":7851182.5,"max":10240632,"stddev":4240709.0,"var":17983611076608.0,"ent":4.5,"data": [3378,7400,923,8114,615,9140,10126876,10134843,10240392,10240491,10239169,10239578,10239933,10239705,10239910,10239519,10239942,10240185,10239877,10240084,10240632,10240175,10239571,10239443,10239518,10240005,10239975,10240013,2594877]},"pktlen": {"min":118,"avg":193.5,"max":1462,"stddev":263.0,"var":69147.6,"ent":4.3,"data": [126,126,118,519,118,1462,772,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01829{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":274,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227471703092,"flow_src_last_pkt_time":1623227587366039,"flow_dst_last_pkt_time":1623227587361645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":396,"flow_dst_max_l4_payload_len":1006,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":1006,"midstream":0,"thread_ts_usec":1623227587366039,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":379,"avg":7461984.0,"max":10240568,"stddev":4364520.0,"var":19049033498624.0,"ent":4.6,"data": [11963,16479,379,17094,109967,126649,9996419,10012379,10239928,10239783,10239896,10240232,10239903,10239633,10239951,10239961,10239904,10240133,10239949,10239714,10239909,10239972,10240568,10240566,10239801,10239750,10239347,10239527,3107000,3107879,16865]},"pktlen": {"min":118,"avg":162.3,"max":1124,"stddev":185.9,"var":34567.0,"ent":4.5,"data": [126,126,118,514,118,1124,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +02209{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227472211039,"flow_src_last_pkt_time":1623227587349174,"flow_dst_last_pkt_time":1623227584757187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":401,"flow_dst_max_l4_payload_len":1344,"flow_src_tot_l4_payload_len":401,"flow_dst_tot_l4_payload_len":1998,"midstream":0,"thread_ts_usec":1623227587349174,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"151.101.2.133","src_port":59922,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":615,"avg":7851182.5,"max":10240632,"stddev":4240709.0,"var":17983611076608.0,"ent":4.5,"data": [3378,7400,923,8114,615,9140,10126876,10134843,10240392,10240491,10239169,10239578,10239933,10239705,10239910,10239519,10239942,10240185,10239877,10240084,10240632,10240175,10239571,10239443,10239518,10240005,10239975,10240013,2594877]},"pktlen": {"min":104,"avg":179.5,"max":1448,"stddev":263.0,"var":69147.6,"ent":4.2,"data": [112,112,104,505,104,1448,758,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [3.821438313,4.185985565,4.099675179,6.228553295,4.350049019,6.867750645,7.448840618,4.438944817,4.354762554,4.362021446,4.304766178,4.350049019,4.400483131,4.381252289,4.400483131,4.354762554,4.328273296,4.342790604,4.381252289,4.419713974,4.400483131,4.419713974,4.373993397,4.347504139,4.362021446,4.362021446,4.400483131,4.400483131,4.400483131,4.354762554,4.381252289,4.362021446]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +02228{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":274,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623227471703092,"flow_src_last_pkt_time":1623227587366039,"flow_dst_last_pkt_time":1623227587361645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":396,"flow_dst_max_l4_payload_len":1006,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":1006,"midstream":0,"thread_ts_usec":1623227587366039,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"52.85.15.92","src_port":49382,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":379,"avg":7461984.0,"max":10240568,"stddev":4364520.0,"var":19049033498624.0,"ent":4.6,"data": [11963,16479,379,17094,109967,126649,9996419,10012379,10239928,10239783,10239896,10240232,10239903,10239633,10239951,10239961,10239904,10240133,10239949,10239714,10239909,10239972,10240568,10240566,10239801,10239750,10239347,10239527,3107000,3107879,16865]},"pktlen": {"min":104,"avg":148.3,"max":1110,"stddev":185.9,"var":34567.0,"ent":4.5,"data": [112,112,104,500,104,1110,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104,104]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [3.872647047,4.259160519,4.034724236,6.288679600,4.284656048,6.962940216,4.381252289,4.381252289,4.315859318,4.362021446,4.250907898,4.362021446,4.335090160,4.354762554,4.277397633,4.283735275,4.335090160,4.381252289,4.315859318,4.362021446,4.284656048,4.381252289,4.284656048,4.323559761,4.335090160,4.335531712,4.296628475,4.362021446,4.315859318,4.329455853,4.250907898,4.369279861]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00560{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","packets-captured":275,"packets-processed":274,"total-skipped-flows":0,"total-l4-payload-len":23358,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":8,"total-detection-updates":0,"total-updates":0,"current-active-flows":2,"total-active-flows":8,"total-idle-flows":6,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":57,"global_ts_usec":1623229632695852} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1623229632695852,"flow_src_last_pkt_time":1623229632695852,"flow_dst_last_pkt_time":1623229632695852,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623229632695852,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"109.70.240.114","src_port":45514,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":275,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1623229632695852,"flow_dst_last_pkt_time":1623229632695852,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":126,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":126,"pkt_l4_len":40,"thread_ts_usec":1623229632695852,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA82G5AAEAGQmzAqAGAbUbwcrHKAFDtwUNWAAAAAKAC+vAcMQAAAgQFtAQCCAoRKRyhAAAAAAEDAwcZgREJACAAIAEAAAEAAAAIAAAAAAAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAAAAAADZRLNb"} @@ -68,7 +68,7 @@ 00601{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":301,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1623229850972935,"flow_dst_last_pkt_time":1623229850968545,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":118,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":118,"pkt_l4_len":32,"thread_ts_usec":1623229850972935,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0+slAAEAGBjXAqAGAFwxgkb+KAFDAJRPi2VU1H4AQAfZ\/KgAAAQEICo4eQkQG1UJIGYERCQAgACABAAABAAAACAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAV7trsA=="} 01127{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":302,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229850973410,"flow_dst_last_pkt_time":1623229850968545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":386,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":386,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623229850973410,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network","hostname":"ocsp.entrust.net","http": {"url":"ocsp.entrust.net\/","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko\/20100101 Firefox\/89.0","request_content_type":"application\/ocsp-request","detected_os":"Ubuntu"}}} 00911{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":320,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1623229632695852,"flow_src_last_pkt_time":1623229697731607,"flow_dst_last_pkt_time":1623229697742645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":399,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":399,"flow_dst_tot_l4_payload_len":2325,"midstream":0,"thread_ts_usec":1623229853240025,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"109.70.240.114","src_port":45514,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01765{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":330,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229914599193,"flow_dst_last_pkt_time":1623229904370774,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":5872,"midstream":0,"thread_ts_usec":1623229914599193,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":475,"avg":4682294.0,"max":10241196,"stddev":4928712.5,"var":24292207099904.0,"ent":3.6,"data": [12234,16624,475,17773,3362,21718,1169650,1186786,9796,24736,1031529,1046686,2550,18982,10158449,10174381,10240180,10240467,10240694,10240443,10239931,10239902,10238718,10240083,10241196]},"pktlen": {"min":118,"avg":338.2,"max":1566,"stddev":431.7,"var":186386.9,"ent":4.2,"data": [126,126,118,504,118,1566,627,118,118,504,118,1566,627,118,118,505,118,1566,628,118,118,118,118,118,118,118,118,118,118,118,118,118]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +02164{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":330,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229914599193,"flow_dst_last_pkt_time":1623229904370774,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":5872,"midstream":0,"thread_ts_usec":1623229914599193,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":475,"avg":4682294.0,"max":10241196,"stddev":4928712.5,"var":24292207099904.0,"ent":3.6,"data": [12234,16624,475,17773,3362,21718,1169650,1186786,9796,24736,1031529,1046686,2550,18982,10158449,10174381,10240180,10240467,10240694,10240443,10239931,10239902,10238718,10240083,10241196]},"pktlen": {"min":104,"avg":324.2,"max":1552,"stddev":431.7,"var":186386.9,"ent":4.1,"data": [112,112,104,490,104,1552,613,104,104,490,104,1552,613,104,104,491,104,1552,614,104,104,104,104,104,104,104,104,104,104,104,104,104]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,0,1,0,1,0,1,0],"entropies": [3.854789734,4.239557266,4.034724236,6.314732075,4.338077068,7.042398453,7.244339943,4.381252289,4.362021446,6.303278446,4.335968971,7.031822681,7.242278576,4.270580769,4.335531712,6.231549740,4.350049019,7.030226231,7.237232208,4.342790604,4.323559761,4.400483131,4.426972389,4.400483131,4.426972389,4.362021446,4.426972389,4.335532188,4.388510704,4.400482655,4.426972389,4.400482655]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00911{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":344,"source":"ocsp.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":22,"flow_first_seen":1623229850956311,"flow_src_last_pkt_time":1623229968257993,"flow_dst_last_pkt_time":1623229968253231,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":387,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":5872,"midstream":0,"thread_ts_usec":1623229968257993,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"23.12.96.145","src_port":49034,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.OCSP","proto_id":"7.63","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":344,"source":"ocsp.pcapng","alias":"nDPId-test","packets-captured":344,"packets-processed":344,"total-skipped-flows":0,"total-l4-payload-len":33113,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":10,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":10,"total-idle-flows":10,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":73,"global_ts_usec":1623229968257993} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -79,10 +79,10 @@ ~~ total active/idle flows...: 10/10 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6061865 bytes -~~ total memory freed........: 6061865 bytes -~~ total allocations/frees...: 121969/121969 +~~ total memory allocated....: 6063225 bytes +~~ total memory freed........: 6063225 bytes +~~ total allocations/frees...: 121979/121979 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1834 chars -~~ json string avg len.......: 1162 chars +~~ json string max len.......: 2233 chars +~~ json string avg len.......: 1361 chars diff --git a/test/results/ookla.pcap.out b/test/results/ookla.pcap.out index 2fe3a4564..d7da01be7 100644 --- a/test/results/ookla.pcap.out +++ b/test/results/ookla.pcap.out @@ -10,7 +10,7 @@ 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":22,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1491069115107460,"flow_dst_last_pkt_time":1491069115144245,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1491069115144245,"pkt":"xCwDBkn+gCqojWksCABFAAA8AABAADMGWiUuLP27wKgBBx+QyA8qkdUorSOsy6ASOJC7tQAAAgQFrAQCCAp\/4XceDd4f9gEDAwU="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1491069115144357,"flow_dst_last_pkt_time":1491069115144245,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1491069115144357,"pkt":"gCqojWksxCwDBkn+CABFAAA0VElAAEAGAADAqAEHLiz9u8gPH5CtI6zLKpHVKYAQECztvQAAAQEICg3eIBp\/4Xce"} 00861{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":24,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069115172347,"flow_dst_last_pkt_time":1491069115144245,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":3,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":3,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491069115172347,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} -01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069116003131,"flow_dst_last_pkt_time":1491069115908957,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":186,"midstream":0,"thread_ts_usec":1491069116003131,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":54747.4,"max":137734,"stddev":32631.2,"var":1064798016.0,"ent":4.7,"data": [36785,36897,27990,64017,72,36059,38392,72665,34304,27134,61863,34745,97665,133205,35538,27694,63063,35336,68477,103729,35275,26006,61113,35107,103239,137734,34506,32637,67251,34614,94056]},"pktlen": {"min":66,"avg":77.9,"max":100,"stddev":9.7,"var":93.7,"ent":5.0,"data": [78,74,66,69,66,100,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85,85,66,85]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]},"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} +02106{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":52,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069116003131,"flow_dst_last_pkt_time":1491069115908957,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":186,"midstream":0,"thread_ts_usec":1491069116003131,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":72,"avg":54747.4,"max":137734,"stddev":32631.2,"var":1064798016.0,"ent":4.7,"data": [36785,36897,27990,64017,72,36059,38392,72665,34304,27134,61863,34745,97665,133205,35538,27694,63063,35336,68477,103729,35275,26006,61113,35107,103239,137734,34506,32637,67251,34614,94056]},"pktlen": {"min":52,"avg":63.9,"max":86,"stddev":9.7,"var":93.7,"ent":5.0,"data": [64,60,52,55,52,86,52,71,71,52,71,71,52,71,71,52,71,71,52,71,71,52,71,71,52,71,71,52,71,71,52,71]},"bins": {"c_to_s": [21,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [4.484427452,5.279368877,5.115703106,5.192151546,5.207948208,5.516513824,5.077241421,5.383457661,5.524891853,5.024262905,5.400994301,5.542428493,5.077241421,5.485500813,5.524891853,5.077241421,5.439795971,5.648200035,5.077241421,5.411627769,5.609398842,5.115703106,5.485501289,5.524892330,4.961856365,5.485501289,5.648200035,5.115703106,5.496133804,5.530390263,5.000318050,5.390362263]},"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00924{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5086,"source":"ookla.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":2202,"flow_dst_packets_processed":2864,"flow_first_seen":1491069115107460,"flow_src_last_pkt_time":1491069155086298,"flow_dst_last_pkt_time":1491069155251079,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":883752,"flow_dst_tot_l4_payload_len":3462381,"midstream":0,"thread_ts_usec":1491069155251079,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51215,"dst_port":8080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"Ookla","proto_id":"191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00909{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":5086,"source":"ookla.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":8,"flow_first_seen":1491069108756336,"flow_src_last_pkt_time":1491069114050266,"flow_dst_last_pkt_time":1491069114084923,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":364,"flow_dst_max_l4_payload_len":457,"flow_src_tot_l4_payload_len":1434,"flow_dst_tot_l4_payload_len":1546,"midstream":0,"thread_ts_usec":1491069155251079,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"46.44.253.187","src_port":51207,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Ookla","proto_id":"7.191","encrypted":0,"breed":"Safe","category_id":14,"category":"Network"}} 00566{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":5086,"source":"ookla.pcap","alias":"nDPId-test","packets-captured":5086,"packets-processed":5086,"total-skipped-flows":0,"total-l4-payload-len":4349113,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":16,"global_ts_usec":1491069155251079} @@ -22,10 +22,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6195055 bytes -~~ total memory freed........: 6195055 bytes -~~ total allocations/frees...: 126587/126587 +~~ total memory allocated....: 6195327 bytes +~~ total memory freed........: 6195327 bytes +~~ total allocations/frees...: 126589/126589 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars -~~ json string max len.......: 1714 chars -~~ json string avg len.......: 1076 chars +~~ json string max len.......: 2111 chars +~~ json string avg len.......: 1261 chars diff --git a/test/results/openvpn.pcap.out b/test/results/openvpn.pcap.out index 3b60dc208..aa7560a4d 100644 --- a/test/results/openvpn.pcap.out +++ b/test/results/openvpn.pcap.out @@ -5,14 +5,14 @@ 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1467904946700231,"flow_dst_last_pkt_time":1467904946755145,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1467904946755145,"pkt":"AA6OGXEMhCYVLjtSCABFoAA8AABAADQGbecuZefawKgBTQG76uxsxVWWvpV7n6AScSBx2QAAAgQFtAQCCAoANCgCAA17SwEDAwE="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1467904946755184,"flow_dst_last_pkt_time":1467904946755145,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1467904946755184,"pkt":"hCYVLjtSAA6OGXEMCABFAAA0ANZAAEAGYbnAqAFNLmXn2ursAbu+lXufbMVVl4AQOQjYsgAAAQEICgANe1AANCgC"} 00994{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467904947700508,"flow_dst_last_pkt_time":1467904947753377,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":56,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":56,"midstream":0,"thread_ts_usec":1467904947753377,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01845{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467904948037674,"flow_dst_last_pkt_time":1467904948077757,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":305,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":1940,"midstream":0,"thread_ts_usec":1467904948077757,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":87579.6,"max":997748,"stddev":233509.3,"var":54526590976.0,"ent":2.7,"data": [54914,54953,945324,997748,484,52895,181,76406,76231,41001,2720,125,43907,139,238,305,40498,40497,41001,40993,125,124,261,41001,40990,40292,40328,460,133,578,40117]},"pktlen": {"min":66,"avg":154.3,"max":371,"stddev":75.3,"var":5671.5,"ent":4.8,"data": [74,74,66,110,66,122,66,118,66,371,66,222,210,118,210,210,66,210,222,210,118,210,210,66,210,222,210,118,210,210,66,210]},"bins": {"c_to_s": [6,5,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02243{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467904948037674,"flow_dst_last_pkt_time":1467904948077757,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":305,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":1940,"midstream":0,"thread_ts_usec":1467904948077757,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":124,"avg":87579.6,"max":997748,"stddev":233509.3,"var":54526590976.0,"ent":2.7,"data": [54914,54953,945324,997748,484,52895,181,76406,76231,41001,2720,125,43907,139,238,305,40498,40497,41001,40993,125,124,261,41001,40990,40292,40328,460,133,578,40117]},"pktlen": {"min":52,"avg":140.3,"max":357,"stddev":75.3,"var":5671.5,"ent":4.8,"data": [60,60,52,96,52,108,52,104,52,357,52,208,196,104,196,196,52,196,208,196,104,196,196,52,196,208,196,104,196,196,52,196]},"bins": {"c_to_s": [6,5,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,1,0,1,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,1],"entropies": [4.584255219,5.060977936,4.931210041,5.511040688,5.118428230,5.631525517,4.931210518,5.754630089,5.118428230,5.666812420,5.079966545,5.957755566,6.109939575,5.713871956,6.450070858,6.737315655,4.969671726,6.613219261,6.182499886,6.423310280,5.735399246,6.659830093,6.680945873,4.839769840,6.074276447,6.127354145,6.415046692,5.795508862,6.625069141,6.833714008,5.008133411,6.392446995]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00556{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":96,"source":"openvpn.pcap","alias":"nDPId-test","packets-captured":96,"packets-processed":95,"total-skipped-flows":0,"total-l4-payload-len":9094,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1470218591746723} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":96,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591746723,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1470218591746723,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":96,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591746723,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"thread_ts_usec":1470218591746723,"pkt":"mAyC0zx8AAjKQoXqCABFAABG3rhAAEARTXXAqCsMizuXiaIjNXAAMosJOLAsz\/G18BdPwJFmbjsSS62jkXMxe5OXItH+Y74AAAABV6HBXwAAAAAA"} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":97,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591941902,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":96,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":96,"pkt_l4_len":62,"thread_ts_usec":1470218591941902,"pkt":"AAjKQoXqmAyC0zx8CABFAABSYIhAADIR2ZmLO5eJwKgrDDVwoiMAPhWBQPd\/wu\/b4j9X3sTI1WVNByO\/jAvlQThWMnDPrhMAAAABV6HBXwEAAAAAsCzP8bXwF08AAAAA"} 00998{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":97,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218591746723,"flow_dst_last_pkt_time":1470218591941902,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":54,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":54,"midstream":0,"thread_ts_usec":1470218591941902,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":98,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1470218591942539,"flow_dst_last_pkt_time":1470218591941902,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1470218591942539,"pkt":"mAyC0zx8AAjKQoXqCABFAABO3uZAAEARTT\/AqCsMizuXiaIjNXAAOpZEKLAsz\/G18BdPyDdJemqNaU65YLasCHjnV9mH+DAAAAACV6HBXwEAAAAA93\/C79viP1c="} -01849{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":127,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218592449269,"flow_dst_last_pkt_time":1470218592448973,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":2054,"midstream":0,"thread_ts_usec":1470218592449269,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":395,"avg":45316.0,"max":195816,"stddev":59561.3,"var":3547546112.0,"ent":3.9,"data": [195179,195816,838,177248,176180,535,476,500,395,473,450,98532,98585,29601,29590,19812,19831,411,519,50093,49983,29934,29992,20280,20221,9484,9461,38312,38344,31856,31865]},"pktlen": {"min":84,"avg":140.4,"max":345,"stddev":58.6,"var":3436.1,"ent":4.9,"data": [84,96,92,345,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92]},"bins": {"c_to_s": [0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02248{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":127,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218592449269,"flow_dst_last_pkt_time":1470218592448973,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1095,"flow_dst_tot_l4_payload_len":2054,"midstream":0,"thread_ts_usec":1470218592449269,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":395,"avg":45316.0,"max":195816,"stddev":59561.3,"var":3547546112.0,"ent":3.9,"data": [195179,195816,838,177248,176180,535,476,500,395,473,450,98532,98585,29601,29590,19812,19831,411,519,50093,49983,29934,29992,20280,20221,9484,9461,38312,38344,31856,31865]},"pktlen": {"min":70,"avg":126.4,"max":331,"stddev":58.6,"var":3436.1,"ent":4.9,"data": [70,82,78,331,182,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78]},"bins": {"c_to_s": [0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [5.343287468,5.472147942,5.659653187,5.646926403,5.923888206,5.609391689,6.040631294,5.680029869,6.625756264,5.669331551,6.739820004,5.680030346,6.600285530,5.721633911,6.436116695,5.670351982,6.646757126,5.644711018,6.586377144,5.654388905,6.016889572,5.609391689,6.426263332,5.705670357,6.638464928,5.644710541,6.632380486,5.644710541,6.345944881,5.680030346,6.544235229,5.654388905]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01044{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":179,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":51,"flow_first_seen":1467904946700231,"flow_src_last_pkt_time":1467905010834916,"flow_dst_last_pkt_time":1467905010834882,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":4602,"flow_dst_tot_l4_payload_len":4492,"midstream":0,"thread_ts_usec":1470218600860349,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"46.101.231.218","src_port":60140,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":179,"source":"openvpn.pcap","alias":"nDPId-test","packets-captured":179,"packets-processed":178,"total-skipped-flows":0,"total-l4-payload-len":19167,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1472334890224928} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":179,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334890224928,"flow_dst_last_pkt_time":1472334890224928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":42,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1472334890224928,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -20,7 +20,7 @@ 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":180,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1472334892420816,"flow_dst_last_pkt_time":1472334890224928,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":84,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":84,"pkt_l4_len":50,"thread_ts_usec":1472334892420816,"pkt":"mAyC0zx8MFLLbJwbCABFAABGfNNAAEARr1TAqCsSizuXiTVwNXAAMg7DOGYO4pqkkLBZptsOrY2Z8Me\/lrzRmp5vsU3x26QAAAACV8IMKgAAAAAA"} 00564{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":181,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1472334892420816,"flow_dst_last_pkt_time":1472334892467380,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":96,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":96,"pkt_l4_len":62,"thread_ts_usec":1472334892467380,"pkt":"MFLLbJwbmAyC0zx8CABFAABSgmRAADERuLeLO5eJwKgrEjVwNXAAPoh1QDWQheTdAi5E5ZNzw1yvtD56Ix7qRbnOSoCURYgAAAABV8IMLQEAAAAAZg7imqSQsFkAAAAA"} 00999{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":181,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334892420816,"flow_dst_last_pkt_time":1472334892467380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":42,"flow_dst_max_l4_payload_len":54,"flow_src_tot_l4_payload_len":84,"flow_dst_tot_l4_payload_len":54,"midstream":0,"thread_ts_usec":1472334892467380,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01857{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":210,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334893134977,"flow_dst_last_pkt_time":1472334893134900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1087,"flow_dst_tot_l4_payload_len":1962,"midstream":0,"thread_ts_usec":1472334893134977,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":187742.6,"max":2242452,"stddev":537269.1,"var":288658030592.0,"ent":2.4,"data": [2195888,2242452,46716,128,203103,15136,218070,621,558,521,518,3451,3482,185164,185172,417,398,39454,39467,9396,9396,82274,82279,3757,3775,34199,34189,15722,15714,74305,74299]},"pktlen": {"min":84,"avg":137.3,"max":345,"stddev":58.9,"var":3466.4,"ent":4.9,"data": [84,84,96,92,345,92,196,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92,184,92]},"bins": {"c_to_s": [0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02256{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":210,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334893134977,"flow_dst_last_pkt_time":1472334893134900,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":303,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":1087,"flow_dst_tot_l4_payload_len":1962,"midstream":0,"thread_ts_usec":1472334893134977,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":187742.6,"max":2242452,"stddev":537269.1,"var":288658030592.0,"ent":2.4,"data": [2195888,2242452,46716,128,203103,15136,218070,621,558,521,518,3451,3482,185164,185172,417,398,39454,39467,9396,9396,82274,82279,3757,3775,34199,34189,15722,15714,74305,74299]},"pktlen": {"min":70,"avg":123.3,"max":331,"stddev":58.9,"var":3466.4,"ent":4.9,"data": [70,70,82,78,331,78,182,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78,170,78]},"bins": {"c_to_s": [0,16,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,0,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [5.229001999,5.275360584,5.380565643,5.531448364,5.602619648,5.454524517,5.838843346,5.558109283,6.079430580,5.548431396,6.588905811,5.542146206,6.663234234,5.567787170,6.550342560,5.532467842,6.371866703,5.558108807,6.659762859,5.532467842,6.541461945,5.593428135,5.988543987,5.567787170,6.300799370,5.583750248,6.642903805,5.567787170,6.638377190,5.532467842,6.413649559,5.583750248]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01047{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":248,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":49,"flow_dst_packets_processed":34,"flow_first_seen":1470218591746723,"flow_src_last_pkt_time":1470218600860349,"flow_dst_last_pkt_time":1470218600859207,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1172,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":5802,"flow_dst_tot_l4_payload_len":4271,"midstream":0,"thread_ts_usec":1472334896789781,"l3_proto":"ip4","src_ip":"192.168.43.12","dst_ip":"139.59.151.137","src_port":41507,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01049{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":298,"source":"openvpn.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":62,"flow_dst_packets_processed":58,"flow_first_seen":1472334890224928,"flow_src_last_pkt_time":1472334909464448,"flow_dst_last_pkt_time":1472334909465454,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1172,"flow_dst_max_l4_payload_len":1245,"flow_src_tot_l4_payload_len":8904,"flow_dst_tot_l4_payload_len":14228,"midstream":0,"thread_ts_usec":1472334909465454,"l3_proto":"ip4","src_ip":"192.168.43.18","dst_ip":"139.59.151.137","src_port":13680,"dst_port":13680,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":298,"source":"openvpn.pcap","alias":"nDPId-test","packets-captured":298,"packets-processed":298,"total-skipped-flows":0,"total-l4-payload-len":42299,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":3,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":3,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":26,"global_ts_usec":1472334909465454} @@ -32,10 +32,10 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6049601 bytes -~~ total memory freed........: 6049601 bytes -~~ total allocations/frees...: 121807/121807 +~~ total memory allocated....: 6050009 bytes +~~ total memory freed........: 6050009 bytes +~~ total allocations/frees...: 121810/121810 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars -~~ json string max len.......: 1862 chars -~~ json string avg len.......: 1176 chars +~~ json string max len.......: 2261 chars +~~ json string avg len.......: 1375 chars diff --git a/test/results/oracle12.pcapng.out b/test/results/oracle12.pcapng.out index 646fed964..359a2ad09 100644 --- a/test/results/oracle12.pcapng.out +++ b/test/results/oracle12.pcapng.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038269 bytes -~~ total memory freed........: 6038269 bytes -~~ total allocations/frees...: 121508/121508 +~~ total memory allocated....: 6038405 bytes +~~ total memory freed........: 6038405 bytes +~~ total allocations/frees...: 121509/121509 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 885 chars diff --git a/test/results/os_detected.pcapng.out b/test/results/os_detected.pcapng.out index 867de6712..e09d2f9dd 100644 --- a/test/results/os_detected.pcapng.out +++ b/test/results/os_detected.pcapng.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6045924 bytes -~~ total memory freed........: 6045924 bytes -~~ total allocations/frees...: 121511/121511 +~~ total memory allocated....: 6046060 bytes +~~ total memory freed........: 6046060 bytes +~~ total allocations/frees...: 121512/121512 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 2214 chars diff --git a/test/results/ospfv2_add_new_prefix.pcap.out b/test/results/ospfv2_add_new_prefix.pcap.out index a13dd5197..7258e8a4d 100644 --- a/test/results/ospfv2_add_new_prefix.pcap.out +++ b/test/results/ospfv2_add_new_prefix.pcap.out @@ -14,9 +14,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035699 bytes -~~ total memory freed........: 6035699 bytes -~~ total allocations/frees...: 121489/121489 +~~ total memory allocated....: 6035835 bytes +~~ total memory freed........: 6035835 bytes +~~ total allocations/frees...: 121490/121490 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 506 chars ~~ json string max len.......: 879 chars diff --git a/test/results/pgm.pcap.out b/test/results/pgm.pcap.out index a523c2768..3d7bfbd60 100644 --- a/test/results/pgm.pcap.out +++ b/test/results/pgm.pcap.out @@ -5,7 +5,7 @@ 00820{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564815455078,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564815455078,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1654564816295763,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":129,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":129,"pkt_l4_len":95,"thread_ts_usec":1654564816295763,"pkt":"AQBeAAEviFH7P19UCABFAABzDnBAABRxH+0K9ECa6wABL9YlAHsEAAH0CvRAmtYlAF8AUenoAFHoKENTQQCABAAAbQAFAFBSSUNFAAAAAAAAAAAAAAAAAAAAAP\/\/AADXyjEBAQAAAAr0QJoAAAAANH8AAAAAAAABAAAAAQAAACoA"} 00607{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1654564816316549,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":127,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":127,"pkt_l4_len":93,"thread_ts_usec":1654564816316549,"pkt":"AQBeAAEviFH7P19UCABFAABxDoBAABRxH98K9ECa6wABL9YlAHsEAE8tCvRAmtYlAF0AUenpAFHoKENTQQCABAAAbQADAExPRwAAAAAAAAAAAAAAAAAAAAD\/\/wAA18oxAQEAAAAK9ECaAAAAAEJ\/AAAAAAAAAQAAAAEAAAAqAA=="} -01679{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564817394846,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1310,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5416,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564817394846,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":16,"avg":62573.2,"max":840685,"stddev":155726.8,"var":24250839040.0,"ent":2.9,"data": [840685,20786,25,36771,5581,109,6559,20,17008,16,14904,14731,16,37275,29,168236,95027,1618,67043,1565,11009,51225,29,243023,25455,15996,6391,15033,3510,84,240009]},"pktlen": {"min":70,"avg":203.2,"max":1344,"stddev":214.8,"var":46132.5,"ent":4.6,"data": [70,129,127,321,1344,206,126,130,170,285,252,333,179,131,227,313,129,141,148,128,129,144,146,145,128,135,133,134,133,135,126,127]},"bins": {"c_to_s": [0,1,9,12,2,1,2,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02078{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564817394846,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1310,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5416,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564817394846,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":16,"avg":62573.2,"max":840685,"stddev":155726.8,"var":24250839040.0,"ent":2.9,"data": [840685,20786,25,36771,5581,109,6559,20,17008,16,14904,14731,16,37275,29,168236,95027,1618,67043,1565,11009,51225,29,243023,25455,15996,6391,15033,3510,84,240009]},"pktlen": {"min":56,"avg":189.2,"max":1330,"stddev":214.8,"var":46132.5,"ent":4.5,"data": [56,115,113,307,1330,192,112,116,156,271,238,319,165,117,213,299,115,127,134,114,115,130,132,131,114,121,119,120,119,121,112,113]},"bins": {"c_to_s": [0,1,9,12,2,1,2,1,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.207933426,3.772077084,3.737904549,4.289524555,3.977143764,4.305780411,3.733274460,3.889899492,4.148006916,4.292365074,4.336574078,4.226692677,4.062590599,3.930770159,4.197418690,4.412383080,3.835077763,3.796297789,4.342565060,3.788575172,3.851600647,4.257427692,4.309153080,4.246764660,3.757787228,3.886102915,3.938454628,3.971912861,3.968787670,3.964792728,3.751131535,3.773303032]},"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00871{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1000,"source":"pgm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1000,"flow_dst_packets_processed":0,"flow_first_seen":1654564815455078,"flow_src_last_pkt_time":1654564894361003,"flow_dst_last_pkt_time":1654564815455078,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1310,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":162302,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1654564894361003,"l3_proto":"ip4","src_ip":"10.244.64.154","dst_ip":"235.0.1.47","l4_proto":113,"flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"PGM","proto_id":"296","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":1000,"source":"pgm.pcap","alias":"nDPId-test","packets-captured":1000,"packets-processed":1000,"total-skipped-flows":0,"total-l4-payload-len":162302,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1654564894361003} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6064613 bytes -~~ total memory freed........: 6064613 bytes -~~ total allocations/frees...: 122486/122486 +~~ total memory allocated....: 6064749 bytes +~~ total memory freed........: 6064749 bytes +~~ total allocations/frees...: 122487/122487 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1684 chars -~~ json string avg len.......: 1030 chars +~~ json string max len.......: 2083 chars +~~ json string avg len.......: 1204 chars diff --git a/test/results/pgsql.pcap.out b/test/results/pgsql.pcap.out index 8b8120642..b32d2c67c 100644 --- a/test/results/pgsql.pcap.out +++ b/test/results/pgsql.pcap.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042492 bytes -~~ total memory freed........: 6042492 bytes -~~ total allocations/frees...: 121538/121538 +~~ total memory allocated....: 6042764 bytes +~~ total memory freed........: 6042764 bytes +~~ total allocations/frees...: 121540/121540 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 912 chars diff --git a/test/results/pim.pcap.out b/test/results/pim.pcap.out index 8e76effc2..2d077d4e3 100644 --- a/test/results/pim.pcap.out +++ b/test/results/pim.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035903 bytes -~~ total memory freed........: 6035903 bytes -~~ total allocations/frees...: 121496/121496 +~~ total memory allocated....: 6036039 bytes +~~ total memory freed........: 6036039 bytes +~~ total allocations/frees...: 121497/121497 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars ~~ json string max len.......: 872 chars diff --git a/test/results/pinterest.pcap.out b/test/results/pinterest.pcap.out index f3bf6e8b4..1cb770a8b 100644 --- a/test/results/pinterest.pcap.out +++ b/test/results/pinterest.pcap.out @@ -13,7 +13,7 @@ 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713761745,"flow_dst_last_pkt_time":1605289713761186,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289713761745,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01217{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713761745,"flow_dst_last_pkt_time":1605289713802900,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289713802900,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 02997{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713802981,"flow_dst_last_pkt_time":1605289713803139,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289713803139,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} -01562{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13934.5,"max":172415,"stddev":32920.5,"var":1083758080.0,"ent":2.7,"data": [17629,17683,505,39969,1745,1,2,41182,41,13,234,2,175,23,26,7012,281,424,41621,1,1,33877,492,1,473,243,41960,172415,2,1]},"pktlen": {"min":86,"avg":378.1,"max":1134,"stddev":421.4,"var":177613.6,"ent":4.2,"data": [94,94,86,603,86,1134,1134,1134,86,86,86,1134,1134,168,86,86,86,179,185,451,86,86,344,86,152,86,86,124,86,1134,1134,563]},"bins": {"c_to_s": [10,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,1,1]}} +01961{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":36,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13934.5,"max":172415,"stddev":32920.5,"var":1083758080.0,"ent":2.7,"data": [17629,17683,505,39969,1745,1,2,41182,41,13,234,2,175,23,26,7012,281,424,41621,1,1,33877,492,1,473,243,41960,172415,2,1]},"pktlen": {"min":72,"avg":364.1,"max":1120,"stddev":421.4,"var":177613.6,"ent":4.2,"data": [80,80,72,589,72,1120,1120,1120,72,72,72,1120,1120,154,72,72,72,165,171,437,72,72,330,72,138,72,72,110,72,1120,1120,549]},"bins": {"c_to_s": [10,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,0,1,1,1,1],"entropies": [4.847575665,5.229952335,5.179864883,4.532552719,5.045369625,6.786690235,4.454385281,6.617737293,5.179864883,5.207642555,5.263197899,7.131698132,7.585322857,6.331103802,5.207642555,5.150118828,5.137001514,6.091404438,6.368394852,7.380807877,5.073147297,5.045369625,7.067039967,5.263197899,6.187361240,5.128702641,5.207642555,5.611329079,5.128702641,7.815224648,7.838888168,7.557251453]}} 03000{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":36,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289713743557,"flow_src_last_pkt_time":1605289713845515,"flow_dst_last_pkt_time":1605289714059633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1112,"flow_dst_tot_l4_payload_len":8219,"midstream":0,"thread_ts_usec":1605289714059633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.pinterest.fr","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 00785{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":79,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714142423,"flow_src_last_pkt_time":1605289714142423,"flow_dst_last_pkt_time":1605289714142423,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714142423,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":79,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714142423,"flow_dst_last_pkt_time":1605289714142423,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714142423,"pkt":"qtsDr8lk5EKm5WPyht1gBvDPACgGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAACElnABu5Qp1R0AAAAAoAL9IJUzAAACBAWgBAIICtZiIAMAAAAAAQMDBw=="} @@ -63,7 +63,7 @@ 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":160,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714250997,"flow_dst_last_pkt_time":1605289714250997,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714250997,"pkt":"qtsDr8lk5EKm5WPyht1gCIReACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAC5WYBu2PBi7kDA7Y3gBAB9bhLAAABAQgKDEf\/5cK4cls="} 00789{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":161,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714251006,"flow_src_last_pkt_time":1605289714251006,"flow_dst_last_pkt_time":1605289714251006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289714251006,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:13e2","src_port":34626,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":161,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714251006,"flow_dst_last_pkt_time":1605289714251006,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714251006,"pkt":"qtsDr8lk5EKm5WPyht1gCQO3ACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACs2RPih0IBu\/o5BzSfc9\/MgBAB9chlAAABAQgK4ziLg8K4a4Y="} -01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":193,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714142423,"flow_src_last_pkt_time":1605289714260622,"flow_dst_last_pkt_time":1605289714260607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":954,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2837,"flow_dst_tot_l4_payload_len":7034,"midstream":0,"thread_ts_usec":1605289714260622,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7879.4,"max":53871,"stddev":14938.4,"var":223155888.0,"ent":3.0,"data": [29210,29304,461,30605,2146,1,1,1,32223,44,9,7,7205,255,2012,156,139,311,354,53871,1,222,1,43618,1326,1,1343,231,798,527]},"pktlen": {"min":86,"avg":395.0,"max":1474,"stddev":486.9,"var":237029.2,"ent":4.1,"data": [94,94,86,603,86,1474,1474,1474,1244,86,86,86,86,179,185,377,397,364,1040,342,86,86,86,344,86,152,86,86,86,124,1474,86]},"bins": {"c_to_s": [9,1,1,1,0,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02111{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":193,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714142423,"flow_src_last_pkt_time":1605289714260622,"flow_dst_last_pkt_time":1605289714260607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":954,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":2837,"flow_dst_tot_l4_payload_len":7034,"midstream":0,"thread_ts_usec":1605289714260622,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38512,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7879.4,"max":53871,"stddev":14938.4,"var":223155888.0,"ent":3.0,"data": [29210,29304,461,30605,2146,1,1,1,32223,44,9,7,7205,255,2012,156,139,311,354,53871,1,222,1,43618,1326,1,1343,231,798,527]},"pktlen": {"min":72,"avg":381.0,"max":1460,"stddev":486.9,"var":237029.2,"ent":4.1,"data": [80,80,72,589,72,1460,1460,1460,1230,72,72,72,72,165,171,363,383,350,1026,328,72,72,72,330,72,138,72,72,72,110,1460,72]},"bins": {"c_to_s": [9,1,1,1,0,0,0,0,2,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,0,1,1,1,0,0,1,0],"entropies": [4.621765614,5.087494850,5.064152718,4.449456215,4.904376030,6.379762650,5.172341347,7.343800068,7.630727291,5.109223843,5.043183804,5.081446171,5.109223843,6.011801243,6.221057415,7.200978279,7.082930088,6.925302982,7.362153053,6.891495228,4.942638397,4.914860725,4.942638397,7.062083721,5.109223843,6.069666862,4.887083054,4.970416069,5.109223843,5.576783180,7.859548092,5.109223843]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":212,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714250965,"flow_dst_last_pkt_time":1605289714281312,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714281312,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAJdleFQqAcsBIEmLB5kd7IUo3\/YpAbuBhOqRBG+Jl1nfgBAm9NLhAAABAQgKwrkiYM+oHbQ="} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":213,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714250997,"flow_dst_last_pkt_time":1605289714288930,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714288930,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgLAAAAAAAAIAIqAcsBIEmLB5kd7IUo3\/YpAbvlZgMDtjdjwYu6gBAMIRHEAAABAQgKwrkiZwxF7DU="} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":214,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714251006,"flow_dst_last_pkt_time":1605289714288932,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714288932,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAKzZE+IqAcsBIEmLB5kd7IUo3\/YpAbuHQp9z38z6OQc1gBALjSOBAAABAQgKwrkiaOM2b+4="} @@ -84,20 +84,20 @@ 00572{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":542,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714658043,"flow_dst_last_pkt_time":1605289714697878,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714697878,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleFQqAcsBIEmLB5kd7IUo3\/YpAbuCAAsx4c9qQ0l9oBJXgI0UAAACBAV4AQMDAwQCCArCuSQBz6oz\/w=="} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":543,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1605289714697936,"flow_dst_last_pkt_time":1605289714697878,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714697936,"pkt":"qtsDr8lk5EKm5WPyht1gCBesACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXhUggABu2pDSX0LMeHQgBAB+xD+AAABAQgKz6o0J8K5JAE="} 01165{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":544,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714698324,"flow_dst_last_pkt_time":1605289714697878,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714698324,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01716{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":573,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289714590794,"flow_src_last_pkt_time":1605289714712098,"flow_dst_last_pkt_time":1605289714737758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":4645,"midstream":0,"thread_ts_usec":1605289714737758,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2004","src_port":40694,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9250.6,"max":43788,"stddev":14140.2,"var":199945248.0,"ent":3.4,"data": [26021,26034,177,34476,9474,43788,3,51,24,2375,110,130,39176,1,238,310,37117,263,3095,2873,7183,1,7144,49,3,681,625,589,26257]},"pktlen": {"min":86,"avg":265.0,"max":1294,"stddev":327.8,"var":107441.1,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,303,86,150,178,409,86,86,86,666,86,117,117,86,507,832,281,86,86,86,125,86,125,86]},"bins": {"c_to_s": [12,1,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,0,0,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02115{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":573,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289714590794,"flow_src_last_pkt_time":1605289714712098,"flow_dst_last_pkt_time":1605289714737758,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":4645,"midstream":0,"thread_ts_usec":1605289714737758,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2004","src_port":40694,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9250.6,"max":43788,"stddev":14140.2,"var":199945248.0,"ent":3.4,"data": [26021,26034,177,34476,9474,43788,3,51,24,2375,110,130,39176,1,238,310,37117,263,3095,2873,7183,1,7144,49,3,681,625,589,26257]},"pktlen": {"min":72,"avg":251.0,"max":1280,"stddev":327.8,"var":107441.1,"ent":4.1,"data": [80,80,72,589,72,1280,1280,72,72,289,72,136,164,395,72,72,72,652,72,103,103,72,493,818,267,72,72,72,111,72,111,72]},"bins": {"c_to_s": [12,1,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,0,0,0,1,0,0,1],"entropies": [4.845952034,5.276737213,5.243131161,4.473354340,5.090543747,7.802321434,7.843567848,5.288201809,5.260424137,7.108726978,5.260424137,6.180178165,6.552865028,7.368058681,5.107836723,5.135614395,5.097352028,7.652834892,5.232646942,5.827667713,5.769781590,5.232646942,7.502712727,7.757375717,7.029527187,5.232646465,5.260424137,5.288201809,5.925748348,5.260424137,5.889372826,5.107836723]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01225{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":575,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714698324,"flow_dst_last_pkt_time":1605289714739608,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289714739608,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03005{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":583,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":7,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714739677,"flow_dst_last_pkt_time":1605289714740234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289714740234,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 00788{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714782619,"flow_dst_last_pkt_time":1605289714782619,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714782619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1605289714782619,"flow_dst_last_pkt_time":1605289714782619,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714782619,"pkt":"qtsDr8lk5EKm5WPyht1gCp8uACgGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3toBu85LuqIAAAAAoAL9IEOtAAACBAWgBAIICnRgZN4AAAAAAQMDBw=="} -01697{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":639,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714558209,"flow_src_last_pkt_time":1605289714795031,"flow_dst_last_pkt_time":1605289714793606,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1778,"flow_dst_tot_l4_payload_len":5802,"midstream":0,"thread_ts_usec":1605289714795031,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":47032,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16865.0,"max":132689,"stddev":30676.7,"var":941058048.0,"ent":3.1,"data": [23500,23520,222,32278,1902,1,33966,35,25,324,242,8,1731,75,102,35078,5741,3731,1,42641,14,135,39228,93613,132689,1225,118,74]},"pktlen": {"min":86,"avg":323.4,"max":1294,"stddev":401.1,"var":160869.7,"ent":4.2,"data": [94,94,86,603,86,1294,1294,1294,86,86,86,1294,187,86,86,150,178,465,86,86,666,117,86,86,86,117,86,344,86,125,243,585]},"bins": {"c_to_s": [11,1,2,0,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02096{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":639,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289714558209,"flow_src_last_pkt_time":1605289714795031,"flow_dst_last_pkt_time":1605289714793606,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1778,"flow_dst_tot_l4_payload_len":5802,"midstream":0,"thread_ts_usec":1605289714795031,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:1901::7a0b::","src_port":47032,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16865.0,"max":132689,"stddev":30676.7,"var":941058048.0,"ent":3.1,"data": [23500,23520,222,32278,1902,1,33966,35,25,324,242,8,1731,75,102,35078,5741,3731,1,42641,14,135,39228,93613,132689,1225,118,74]},"pktlen": {"min":72,"avg":309.4,"max":1280,"stddev":401.1,"var":160869.7,"ent":4.1,"data": [80,80,72,589,72,1280,1280,1280,72,72,72,1280,173,72,72,136,164,451,72,72,652,103,72,72,72,103,72,330,72,111,229,571]},"bins": {"c_to_s": [11,1,2,0,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,0,0],"entropies": [4.656593323,5.123788357,5.017778397,4.494572163,4.850525856,7.806178570,7.820445061,7.825618267,4.990000248,4.985159874,5.017777920,7.793226242,6.582598209,5.045556068,5.045556068,6.051473618,6.341272354,7.424715996,4.850525856,4.812263489,7.613498688,5.540113449,4.850525856,5.073333740,5.073333740,5.737332821,4.822747707,7.185048103,5.017778397,5.884420395,6.843392372,7.591670513]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":692,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1605289714782619,"flow_dst_last_pkt_time":1605289714832909,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289714832909,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoETkIAHQAAAAAAAAAAByAqAcsBIEmLB5kd7IUo3\/YpAbve2qyyOFrOS7qjoBJXgB0bAAACBAV4AQMDAwQCCArCuSSHdGBk3g=="} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":693,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1605289714832956,"flow_dst_last_pkt_time":1605289714832909,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289714832956,"pkt":"qtsDr8lk5EKm5WPyht1gCp8uACAGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3toBu85LuqOssjhbgBAB+6D6AAABAQgKdGBlEMK5JIc="} 01138{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":694,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714833176,"flow_dst_last_pkt_time":1605289714832909,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289714833176,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01198{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":870,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714833176,"flow_dst_last_pkt_time":1605289714867730,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605289714867730,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03423{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":876,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714868409,"flow_dst_last_pkt_time":1605289714869584,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5552,"midstream":0,"thread_ts_usec":1605289714869584,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golvshop.se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}} -01562{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15923.9,"max":89623,"stddev":23339.0,"var":544706624.0,"ent":3.3,"data": [39835,39893,388,39880,1850,1,41296,35,60,18,4,565,563,29,2922,2605,564,39805,119,1086,1924,36819,15,203,49740,40102,89623]},"pktlen": {"min":86,"avg":314.8,"max":1134,"stddev":374.8,"var":140490.0,"ent":4.2,"data": [94,94,86,603,86,1134,1134,86,86,1134,1134,86,86,1134,168,86,86,179,185,382,86,86,86,344,152,86,86,124,86,530,260,86]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0]}} +01961{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15923.9,"max":89623,"stddev":23339.0,"var":544706624.0,"ent":3.3,"data": [39835,39893,388,39880,1850,1,41296,35,60,18,4,565,563,29,2922,2605,564,39805,119,1086,1924,36819,15,203,49740,40102,89623]},"pktlen": {"min":72,"avg":300.8,"max":1120,"stddev":374.8,"var":140490.0,"ent":4.1,"data": [80,80,72,589,72,1120,1120,72,72,1120,1120,72,72,1120,154,72,72,165,171,368,72,72,72,330,138,72,72,110,72,516,246,72]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0],"entropies": [4.759509563,5.142373085,5.117740154,4.564804554,4.953123093,6.789499283,4.442035198,5.175263882,5.103079796,6.610801220,7.126421452,5.203041553,5.203041553,7.603042603,6.151700974,5.175263882,5.175263882,6.101224422,6.300935745,7.262635231,4.980900764,5.036456108,4.980900764,7.043718815,6.196548939,5.175263882,5.175263882,5.631328106,5.036456108,7.479037762,6.852047443,5.230819225]}} 03008{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714658043,"flow_src_last_pkt_time":1605289714873020,"flow_dst_last_pkt_time":1605289714873010,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1043,"flow_dst_tot_l4_payload_len":6264,"midstream":0,"thread_ts_usec":1605289714873020,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7854","src_port":33280,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"accounts.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} -01551{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1116,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9244.2,"max":50337,"stddev":16381.3,"var":268348496.0,"ent":2.9,"data": [50290,50337,220,31719,3102,34561,13,675,659,1179,1,1182,11,2643,116,155,32346,1,29460,6,548,1,514,15,6,589]},"pktlen": {"min":86,"avg":512.7,"max":1474,"stddev":595.9,"var":355070.7,"ent":4.1,"data": [94,94,86,603,86,1474,1474,86,86,1474,86,1474,1219,86,86,179,185,454,86,86,86,344,152,86,86,1474,1474,1474,86,86,86,1474]},"bins": {"c_to_s": [12,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0,0,0,1]}} +01950{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1116,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9244.2,"max":50337,"stddev":16381.3,"var":268348496.0,"ent":2.9,"data": [50290,50337,220,31719,3102,34561,13,675,659,1179,1,1182,11,2643,116,155,32346,1,29460,6,548,1,514,15,6,589]},"pktlen": {"min":72,"avg":498.7,"max":1460,"stddev":595.9,"var":355070.7,"ent":4.0,"data": [80,80,72,589,72,1460,1460,72,72,1460,72,1460,1205,72,72,165,171,440,72,72,72,330,138,72,72,1460,1460,1460,72,72,72,1460]},"bins": {"c_to_s": [12,0,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,1,1,1,0,0,0,1],"entropies": [4.703702927,5.136080265,5.124309540,4.545345783,5.017591953,6.717867374,4.853471756,5.096531868,5.124309540,7.395221710,5.124309540,7.321218014,7.643990993,5.124309540,5.152087212,5.949683189,6.333797455,7.364598274,5.017591953,5.017591953,4.989814281,7.067564487,6.163845539,5.152087212,5.124309540,7.852941513,7.865815639,7.871354580,5.096531868,5.124309540,5.053668499,7.834792614]}} 03428{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1116,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289714782619,"flow_src_last_pkt_time":1605289714902517,"flow_dst_last_pkt_time":1605289714903070,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1077,"flow_dst_tot_l4_payload_len":12561,"midstream":0,"thread_ts_usec":1605289714903070,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":57050,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"images.unsplash.com","tls": {"version":"TLSv1.2","server_names":"imgix2.map.fastly.net,*.camp-fire.jp,*.carwow.co.uk,*.carwow.de,*.carwow.es,*.catchandrelease.com,*.dorothee-schumacher.com,*.footway.com,*.img-ikyu.com,*.imgix.drizly.com,*.instamotor.com,*.microdinc.com,*.msastaging.com,*.peddle.com,*.remax.ca,*.ustudio.com,*.vaping360.com,*.weber.com,article-image-ix.nikkei.com,assets.eberhardt-travel.de,assets.verishop.com,assets.verishop.xyz,cdn.airstream.com,cdn.elementthree.com,cdn.hashnode.com,cdn.naturalhealthyconcepts.com,cdn.parent.eu,cdn.phonehouse.es,cdn.shiplus.co.il,i.drop-cdn.com,i.upworthy.com,image.volunteerworld.com,imageproxy.themaven.net,images-dev.takeshape.io,images.101cookbooks.com,images.beano.com,images.businessoffashion.com,images.congstar.de,images.diesdas.digital,images.fandor.com,images.greetingsisland.com,images.malaecuia.com.br,images.omaze.com,images.roulottesgagnon.com,images.takeshape.io,images.thewanderful.co,images.unsplash.com,images.victoriaplum.com,images.vraiandoro.com,img-1.homely.com.au,img-stack.imagereflow.com,img.badshop.se,img.bernieandphyls.com,img.bioopticsworld.com,img.broadbandtechreport.com,img.broadwaybox.com,img.bygghemma.se,img.bygghjemme.no,img.byggshop.se,img.cablinginstall.com,img.dentaleconomics.com,img.dentistryiq.com,img.evaluationengineering.com,img.golvshop.se,img.grudado.com.br,img.industrial-lasers.com,img.induux.de,img.intelligent-aerospace.com,img.inturn.co,img.laserfocusworld.com,img.ledsmagazine.com,img.lightwaveonline.com,img.militaryaerospace.com,img.mychannels.video,img.officer.com,img.offshore-mag.com,img.ogj.com,img.perioimplantadvisory.com,img.plasticsmachinerymagazine.com,img.prevu.com,img.rdhmag.com,img.speedcurve.com,img.strategies-u.com,img.utilityproducts.com,img.vision-systems.com,img.waterworld.com,img.workbook.com,img.xlhemma.se,img1.nowpurchase.com,iw.induux.de,m.22slides.com,media.sailrace.com,media.useyourlocal.com,pictures.hideaways.dk,raven.contrado.com,resources.intuitive.com,static.doorsuperstore.co.uk","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=imgix2.map.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1F:BC:A1:79:48:96:70:32:B8:08:C1:38:D4:20:12:BE:D9:6F:14:B6"}}} 00796{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2206,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289715133578,"flow_src_last_pkt_time":1605289715133578,"flow_dst_last_pkt_time":1605289715133578,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289715133578,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2206,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1605289715133578,"flow_dst_last_pkt_time":1605289715133578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715133578,"pkt":"qtsDr8lk5EKm5WPyht1gAUyOACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACADyX4Bu+HPmfcAAAAAoAL9IJHxAAACBAWgBAIICjiITggAAAAAAQMDBw=="} @@ -117,9 +117,9 @@ 01175{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3667,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715301671,"flow_dst_last_pkt_time":1605289715301345,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289715301671,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"connect.facebook.net","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01204{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3797,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289715221747,"flow_src_last_pkt_time":1605289715274121,"flow_dst_last_pkt_time":1605289715321807,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605289715321807,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"apis.google.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01220{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3820,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715301671,"flow_dst_last_pkt_time":1605289715333684,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1380,"midstream":0,"thread_ts_usec":1605289715333684,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"connect.facebook.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01686{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715133578,"flow_src_last_pkt_time":1605289715335705,"flow_dst_last_pkt_time":1605289715335669,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":9735,"midstream":0,"thread_ts_usec":1605289715335705,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16842.4,"max":76867,"stddev":27411.8,"var":751406272.0,"ent":2.8,"data": [76818,76867,1845,47286,29961,75361,6,2,2110,577,1618,47934,88,1,1,1,1,43713,12,4,2,3,3,4]},"pktlen": {"min":86,"avg":421.6,"max":1294,"stddev":486.0,"var":236213.0,"ent":4.2,"data": [94,94,86,603,86,1294,1294,356,86,86,86,150,178,400,86,86,86,666,117,484,1294,1294,1294,1294,1294,86,86,86,86,86,86,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4871,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715221747,"flow_src_last_pkt_time":1605289715430506,"flow_dst_last_pkt_time":1605289715430565,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10223,"midstream":0,"thread_ts_usec":1605289715430565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13919.2,"max":79486,"stddev":22440.7,"var":503587040.0,"ent":3.3,"data": [51607,51735,639,27991,20462,1,47699,14,8,3349,184,136,69956,1,28,13172,79486,329,8681,8388,16746,3,2,2,16717,40,14,21,164,2]},"pktlen": {"min":86,"avg":436.1,"max":1294,"stddev":496.1,"var":246097.6,"ent":4.2,"data": [94,94,86,603,86,1294,1294,326,86,86,86,150,178,347,86,86,86,666,86,117,117,86,1002,1294,1294,1294,86,86,86,86,1294,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,1,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5465,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715471680,"flow_dst_last_pkt_time":1605289715427326,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1347,"flow_dst_tot_l4_payload_len":5004,"midstream":0,"thread_ts_usec":1605289715471680,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11676.3,"max":93180,"stddev":22011.3,"var":484498880.0,"ent":3.0,"data": [26987,27077,236,32338,1,32042,17,3873,399,116,64739,93180,2,1,290,2,3,2,24343,46,12,9,157,3,2,82,23,41,4388,39879]},"pktlen": {"min":86,"avg":285.0,"max":1466,"stddev":368.4,"var":135732.3,"ent":4.2,"data": [94,94,86,603,86,1466,993,86,86,150,178,344,344,86,86,86,265,166,130,667,86,86,86,86,497,1466,128,86,86,86,117,213]},"bins": {"c_to_s": [12,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02085{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3889,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715133578,"flow_src_last_pkt_time":1605289715335705,"flow_dst_last_pkt_time":1605289715335669,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":9735,"midstream":0,"thread_ts_usec":1605289715335705,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16842.4,"max":76867,"stddev":27411.8,"var":751406272.0,"ent":2.8,"data": [76818,76867,1845,47286,29961,75361,6,2,2110,577,1618,47934,88,1,1,1,1,43713,12,4,2,3,3,4]},"pktlen": {"min":72,"avg":407.6,"max":1280,"stddev":486.0,"var":236213.0,"ent":4.1,"data": [80,80,72,589,72,1280,1280,342,72,72,72,136,164,386,72,72,72,652,103,470,1280,1280,1280,1280,1280,72,72,72,72,72,72,72]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0],"entropies": [4.791396141,5.261173248,5.175122738,4.488063812,5.118321419,7.805737019,7.818699837,7.306349754,5.164638519,5.175123215,5.175123215,6.012620926,6.475091934,7.352373600,5.107836723,5.135614395,5.163392067,7.573746204,5.684781551,7.517905235,7.836332798,7.835289955,7.831481934,7.851193428,7.838675499,5.164638519,5.126376152,5.230678558,5.185607433,5.230678558,5.175123215,5.230678558]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02122{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4871,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715221747,"flow_src_last_pkt_time":1605289715430506,"flow_dst_last_pkt_time":1605289715430565,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10223,"midstream":0,"thread_ts_usec":1605289715430565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54416,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13919.2,"max":79486,"stddev":22440.7,"var":503587040.0,"ent":3.3,"data": [51607,51735,639,27991,20462,1,47699,14,8,3349,184,136,69956,1,28,13172,79486,329,8681,8388,16746,3,2,2,16717,40,14,21,164,2]},"pktlen": {"min":72,"avg":422.1,"max":1280,"stddev":496.1,"var":246097.6,"ent":4.1,"data": [80,80,72,589,72,1280,1280,312,72,72,72,136,164,333,72,72,72,652,72,103,103,72,988,1280,1280,1280,72,72,72,72,1280,1280]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,1,1,0,0,0,0,1,1],"entropies": [4.905388832,5.201737404,5.194384098,4.447809696,5.069574356,7.796703339,7.816472054,7.245393753,5.222161770,5.194384098,5.194384098,6.221469402,6.666475773,7.225831985,5.059089661,5.086867332,5.097352028,7.629415512,5.222161770,5.833802700,5.730946064,5.211677074,7.792719841,7.812408924,7.862325191,7.810635090,5.211677074,5.249939442,5.222161770,5.222161770,7.816607952,7.836236000]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02118{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5465,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605289715274358,"flow_src_last_pkt_time":1605289715471680,"flow_dst_last_pkt_time":1605289715427326,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1347,"flow_dst_tot_l4_payload_len":5004,"midstream":0,"thread_ts_usec":1605289715471680,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f030:13:face:b00c::3","src_port":51292,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11676.3,"max":93180,"stddev":22011.3,"var":484498880.0,"ent":3.0,"data": [26987,27077,236,32338,1,32042,17,3873,399,116,64739,93180,2,1,290,2,3,2,24343,46,12,9,157,3,2,82,23,41,4388,39879]},"pktlen": {"min":72,"avg":271.0,"max":1452,"stddev":368.4,"var":135732.3,"ent":4.1,"data": [80,80,72,589,72,1452,979,72,72,136,164,330,330,72,72,72,251,152,116,653,72,72,72,72,483,1452,114,72,72,72,103,199]},"bins": {"c_to_s": [12,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1,1,0,0,0,0,0],"entropies": [5.086080074,5.358260632,5.421088219,4.582517624,5.325077534,7.824724197,7.800261974,5.487128258,5.459350586,6.217577457,6.494597435,7.339631081,7.344889641,5.269522190,5.231259823,5.286815166,7.021345615,6.361854553,5.947217464,7.648275852,5.393310547,5.421088219,5.393310547,5.448865891,7.531715393,7.878327370,6.086453915,5.448865891,5.421088219,5.365532398,5.884278774,6.731818199]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":6497,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289715782853,"flow_src_last_pkt_time":1605289715782853,"flow_dst_last_pkt_time":1605289715782853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289715782853,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f11f:83:face:b00c::25de","src_port":60340,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6497,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_src_last_pkt_time":1605289715782853,"flow_dst_last_pkt_time":1605289715782853,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715782853,"pkt":"qtsDr8lk5EKm5WPyht1gAWIEACgGQCoBywEgSYsHmR3shSjf9ikqAyiA8R8Ag\/rOsAwAACXe67QBu2RbtWoAAAAAoAL9IBbyAAACBAWgBAIICmcfa8wAAAAAAQMDBw=="} 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6878,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":2,"flow_src_last_pkt_time":1605289715782853,"flow_dst_last_pkt_time":1605289715833903,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289715833903,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoDKIDxHwCD+s6wDAAAJd4qAcsBIEmLB5kd7IUo3\/YpAbvrtAAp+EJkW7VroBJXgNkoAAACBAV4AQMDAwQCCArCuShfZx9rzA=="} @@ -137,16 +137,16 @@ 00896{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":9522,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289716168715,"flow_src_last_pkt_time":1605289716168715,"flow_dst_last_pkt_time":1605289716168715,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":158,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":158,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":158,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289716168715,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2003","src_port":43562,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00729{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9523,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_src_last_pkt_time":1605289716168917,"flow_dst_last_pkt_time":1605289716168715,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":209,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":209,"pkt_l4_len":155,"thread_ts_usec":1605289716168917,"pkt":"qtsDr8lk5EKm5WPyht1gB32\/AJsGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACADqioBu9lanJS\/4e68gBgE1YEBAAABAQgKZPSVcMK4jAQXAwMAT0+KQ56NjlMHGW+d6G5ddduewRHnDyQJNOhFGSBeS16m4KVAja7XHlyuQrxKoq24Sn8bLVvUYgiRl0ogV926yAF+\/eBnK0DefdFCPgWpP6kXAwMAIh\/Eke2gVwnwKuWIWa9HbFAoJdRk5f1TigycRztSwvhmbFo="} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9663,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1605289716168917,"flow_dst_last_pkt_time":1605289716192184,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289716192184,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgFAAAAAAAAIAMqAcsBIEmLB5kd7IUo3\/YpAbuqKr\/h7rzZWpyUgBALf8h0AAABAQgKwrkp2GT0lXA="} -01677{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9768,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1605289716168715,"flow_src_last_pkt_time":1605289716199465,"flow_dst_last_pkt_time":1605289716199511,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":158,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":281,"flow_dst_tot_l4_payload_len":21058,"midstream":1,"thread_ts_usec":1605289716199511,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2003","src_port":43562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2461.8,"max":28590,"stddev":7061.6,"var":49866864.0,"ent":1.8,"data": [202,23469,160,5107,2,28590,251,1,1,2,214,4,31,19,391,1,1,397,8,1304,1,1316,72,1,1]},"pktlen": {"min":86,"avg":752.8,"max":1294,"stddev":578.2,"var":334348.7,"ent":4.5,"data": [244,209,86,86,277,1294,86,1294,1294,1294,1294,86,86,1294,1294,86,1294,1294,1294,1294,86,86,1294,1294,251,125,213,86,1294,1294,1294,1294]},"bins": {"c_to_s": [7,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,1,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02076{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9768,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1605289716168715,"flow_src_last_pkt_time":1605289716199465,"flow_dst_last_pkt_time":1605289716199511,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":158,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":281,"flow_dst_tot_l4_payload_len":21058,"midstream":1,"thread_ts_usec":1605289716199511,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2003","src_port":43562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2461.8,"max":28590,"stddev":7061.6,"var":49866864.0,"ent":1.8,"data": [202,23469,160,5107,2,28590,251,1,1,2,214,4,31,19,391,1,1,397,8,1304,1,1316,72,1,1]},"pktlen": {"min":72,"avg":738.8,"max":1280,"stddev":578.2,"var":334348.7,"ent":4.5,"data": [230,195,72,72,263,1280,72,1280,1280,1280,1280,72,72,1280,1280,72,1280,1280,1280,1280,72,72,1280,1280,237,111,199,72,1280,1280,1280,1280]},"bins": {"c_to_s": [7,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,1,0,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,0,1,1,1,1,0,0,1,1,0,1,1,1,1,0,0,1,1,1,1,1,0,1,1,1,1],"entropies": [6.948834896,6.675073147,5.125129700,5.125129700,6.977108479,7.855700493,5.182512760,7.824506283,7.846910477,7.827116013,7.838431835,5.116472721,5.137442112,7.839233875,7.849976540,5.154735088,7.852743149,7.835449219,7.826992035,7.859686375,5.182512760,5.182512760,7.806921482,7.824195862,6.883517742,5.810838699,6.706934929,5.109664440,7.833899021,7.836830139,7.838667870,7.830160618]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00797{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14612,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717548570,"flow_dst_last_pkt_time":1605289717548570,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289717548570,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14612,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":1,"flow_src_last_pkt_time":1605289717548570,"flow_dst_last_pkt_time":1605289717548570,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289717548570,"pkt":"qtsDr8lk5EKm5WPyht1gD67DACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACANn74Bu+7PaD4AAAAAoAL9ID+FAAACBAWgBAIICjGG9eUAAAAAAQMDBw=="} 00573{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14613,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_src_last_pkt_time":1605289717548570,"flow_dst_last_pkt_time":1605289717572004,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289717572004,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgWAAAAAAAAIA0qAcsBIEmLB5kd7IUo3\/YpAbufvovR75juz2g\/oBJXgHfiAAACBAV4AQMDAwQCCArCuS86MYb15Q=="} 00561{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14614,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1605289717572182,"flow_dst_last_pkt_time":1605289717572004,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289717572182,"pkt":"qtsDr8lk5EKm5WPyht1gD67DACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACANn74Bu+7PaD+L0e+ZgBAB+\/vbAAABAQgKMYb1\/cK5Lzo="} 01164{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":14615,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717572787,"flow_dst_last_pkt_time":1605289717572004,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289717572787,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"accounts.google.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01209{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14617,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717572787,"flow_dst_last_pkt_time":1605289717605090,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605289717605090,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"accounts.google.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01743{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14635,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289715966342,"flow_src_last_pkt_time":1605289717653626,"flow_dst_last_pkt_time":1605289716195463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":4020,"midstream":0,"thread_ts_usec":1605289717653626,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200a","src_port":47790,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":68443.0,"max":1485939,"stddev":273484.9,"var":74793992192.0,"ent":1.6,"data": [55481,55557,2604,45080,17803,15,60231,16,286,275,9398,2484,606,42880,228,1,30633,193,14864,14650,23014,23014,8,85,70,1606,29384,1485939]},"pktlen": {"min":86,"avg":252.1,"max":1294,"stddev":317.7,"var":100919.6,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,587,86,150,178,458,86,86,86,666,86,117,117,86,476,149,86,86,125,86,86,125,86,251]},"bins": {"c_to_s": [11,1,2,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14645,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717681759,"flow_dst_last_pkt_time":1605289717681662,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":10121,"midstream":0,"thread_ts_usec":1605289717681759,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9182.1,"max":42968,"stddev":13199.7,"var":174232352.0,"ent":3.5,"data": [23434,23612,605,27825,5261,2,32335,48,7,3191,171,159,42968,880,1,157,40413,894,3393,2534,21369,1,21337,22,7799,1,1,7829,32]},"pktlen": {"min":86,"avg":432.8,"max":1294,"stddev":492.4,"var":242485.9,"ent":4.2,"data": [94,94,86,603,86,1294,1294,336,86,86,86,150,178,341,86,86,86,666,86,117,117,86,890,1294,86,86,1294,1294,1294,1294,86,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01757{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14705,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715782853,"flow_src_last_pkt_time":1605289717682629,"flow_dst_last_pkt_time":1605289717754541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1620,"flow_dst_tot_l4_payload_len":4362,"midstream":0,"thread_ts_usec":1605289717754541,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f11f:83:face:b00c::25de","src_port":60340,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":133498.8,"max":1522186,"stddev":376551.6,"var":141791068160.0,"ent":2.3,"data": [51050,51117,702,184290,1,183671,66,7538,8559,3870,48706,3,10603,1,1,39192,55,6,1700,5826,4025,34675,42375,77042,1489773,1522186,1,32460,71970]},"pktlen": {"min":86,"avg":273.4,"max":1466,"stddev":363.6,"var":132225.8,"ent":4.1,"data": [94,94,86,603,86,1466,994,86,86,150,178,456,86,86,86,257,166,117,86,86,86,117,121,86,86,506,86,632,86,121,86,1388]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02142{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14635,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289715966342,"flow_src_last_pkt_time":1605289717653626,"flow_dst_last_pkt_time":1605289716195463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":4020,"midstream":0,"thread_ts_usec":1605289717653626,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200a","src_port":47790,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":68443.0,"max":1485939,"stddev":273484.9,"var":74793992192.0,"ent":1.6,"data": [55481,55557,2604,45080,17803,15,60231,16,286,275,9398,2484,606,42880,228,1,30633,193,14864,14650,23014,23014,8,85,70,1606,29384,1485939]},"pktlen": {"min":72,"avg":238.1,"max":1280,"stddev":317.7,"var":100919.6,"ent":4.1,"data": [80,80,72,589,72,1280,1280,72,72,573,72,136,164,444,72,72,72,652,72,103,103,72,462,135,72,72,111,72,72,111,72,237]},"bins": {"c_to_s": [11,1,2,0,0,1,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,0,0,1,0],"entropies": [4.830388546,5.236173153,5.083273411,4.664566517,5.024503708,7.801916599,7.849427700,5.232646465,5.204868793,7.603487968,5.204868793,6.090775967,6.470489025,7.520395279,5.107836723,5.107836723,5.080059052,7.600295067,5.194384098,5.756132126,5.672693253,5.166606426,7.483500957,6.249640465,5.177091122,5.204868793,5.886195660,5.135614395,5.204868793,5.955920696,5.135614395,6.860337257]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02121{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14645,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289717548570,"flow_src_last_pkt_time":1605289717681759,"flow_dst_last_pkt_time":1605289717681662,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":10121,"midstream":0,"thread_ts_usec":1605289717681759,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::200d","src_port":40894,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9182.1,"max":42968,"stddev":13199.7,"var":174232352.0,"ent":3.5,"data": [23434,23612,605,27825,5261,2,32335,48,7,3191,171,159,42968,880,1,157,40413,894,3393,2534,21369,1,21337,22,7799,1,1,7829,32]},"pktlen": {"min":72,"avg":418.8,"max":1280,"stddev":492.4,"var":242485.9,"ent":4.1,"data": [80,80,72,589,72,1280,1280,322,72,72,72,136,164,327,72,72,72,652,72,103,103,72,876,1280,72,72,1280,1280,1280,1280,72,72]},"bins": {"c_to_s": [12,0,2,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,1,0,0,1,1,1,1,0,0],"entropies": [4.905389309,5.361174107,5.232646465,4.557852268,5.107836723,7.817549706,7.840916157,7.180346489,5.232646465,5.260424137,5.260424137,6.185771942,6.393667221,7.196280479,5.107836723,5.107836723,5.107836723,7.630718231,5.204868793,5.782878876,5.796528339,5.222161770,7.750598431,7.833017826,5.260424137,5.260424137,7.845281124,7.848848343,7.857541561,7.841633797,5.194384098,5.232646465]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02156{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":14705,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289715782853,"flow_src_last_pkt_time":1605289717682629,"flow_dst_last_pkt_time":1605289717754541,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1380,"flow_src_tot_l4_payload_len":1620,"flow_dst_tot_l4_payload_len":4362,"midstream":0,"thread_ts_usec":1605289717754541,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a03:2880:f11f:83:face:b00c::25de","src_port":60340,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":133498.8,"max":1522186,"stddev":376551.6,"var":141791068160.0,"ent":2.3,"data": [51050,51117,702,184290,1,183671,66,7538,8559,3870,48706,3,10603,1,1,39192,55,6,1700,5826,4025,34675,42375,77042,1489773,1522186,1,32460,71970]},"pktlen": {"min":72,"avg":259.4,"max":1452,"stddev":363.6,"var":132225.8,"ent":4.1,"data": [80,80,72,589,72,1452,980,72,72,136,164,442,72,72,72,243,152,103,72,72,72,103,107,72,72,492,72,618,72,107,72,1374]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0,0,1,1,0,1],"entropies": [5.147778988,5.386569977,5.363564491,4.530324936,5.275225163,7.856009483,7.774714947,5.419119835,5.348239422,6.266700268,6.486256123,7.484294891,5.260424137,5.260424137,5.232646465,6.926154137,6.485898972,5.898414135,5.275390625,5.325302124,5.275390625,5.898528576,5.995410442,5.391342163,5.286815166,7.551696301,5.363564491,7.633099079,5.342370510,6.001532078,5.391342163,7.830712318]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Facebook","proto_id":"91.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00790{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14833,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289718346936,"flow_src_last_pkt_time":1605289718346936,"flow_dst_last_pkt_time":1605289718346936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289718346936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::720","src_port":56940,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14833,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_src_last_pkt_time":1605289718346936,"flow_dst_last_pkt_time":1605289718346936,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605289718346936,"pkt":"qtsDr8lk5EKm5WPyht1gDn7LACAGQCoBywEgSYsHmR3shSjf9ikqBE5CAB0AAAAAAAAAAAcg3mwBu1MbKQQ2nwhTgBBf5ZGnAAABAQgKdGByysK4e5A="} 00797{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":14834,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289718347032,"flow_src_last_pkt_time":1605289718347032,"flow_dst_last_pkt_time":1605289718347032,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289718347032,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2003","src_port":51472,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -193,8 +193,8 @@ 01223{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16214,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733006105,"flow_dst_last_pkt_time":1605289733059043,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605289733059043,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"assets.pinterest.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03003{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16230,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733059060,"flow_dst_last_pkt_time":1605289733060311,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5322,"midstream":0,"thread_ts_usec":1605289733060311,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"assets.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 01226{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":16506,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733019850,"flow_dst_last_pkt_time":1605289733177092,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605289733177092,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"www.google-analytics.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":16731,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733216831,"flow_dst_last_pkt_time":1605289733216812,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":969,"flow_dst_tot_l4_payload_len":9927,"midstream":0,"thread_ts_usec":1605289733216831,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":18775.5,"max":157269,"stddev":37764.8,"var":1426178688.0,"ent":2.7,"data": [46894,46909,201,112030,45428,2,157269,9,5,2935,270,2964,37660,1,1100,1,32562,12,3,631,955,1,308,7,3,3]},"pktlen": {"min":86,"avg":427.0,"max":1294,"stddev":486.7,"var":236885.8,"ent":4.2,"data": [94,94,86,603,86,1294,1294,563,86,86,86,150,178,351,86,86,86,666,500,1294,86,86,86,117,1294,1294,1294,1294,86,86,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} -01559{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17210,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":27300.3,"max":135965,"stddev":41843.3,"var":1750865408.0,"ent":3.2,"data": [46509,46553,392,49783,3591,52945,10,1267,1,1272,3,2358,266,496,109019,1,1,105909,5,6,6499,35807,111148,135965,1,2]},"pktlen": {"min":86,"avg":444.6,"max":1474,"stddev":544.3,"var":296293.8,"ent":4.1,"data": [94,94,86,603,86,1474,1474,86,86,1474,1244,86,86,179,185,352,86,86,344,152,86,584,86,86,86,124,86,224,86,1474,1474,1474]},"bins": {"c_to_s": [9,1,1,1,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,1,1]}} +02113{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":16731,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605289732972740,"flow_src_last_pkt_time":1605289733216831,"flow_dst_last_pkt_time":1605289733216812,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":969,"flow_dst_tot_l4_payload_len":9927,"midstream":0,"thread_ts_usec":1605289733216831,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200e","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":18775.5,"max":157269,"stddev":37764.8,"var":1426178688.0,"ent":2.7,"data": [46894,46909,201,112030,45428,2,157269,9,5,2935,270,2964,37660,1,1100,1,32562,12,3,631,955,1,308,7,3,3]},"pktlen": {"min":72,"avg":413.0,"max":1280,"stddev":486.7,"var":236885.8,"ent":4.1,"data": [80,80,72,589,72,1280,1280,549,72,72,72,136,164,337,72,72,72,652,486,1280,72,72,72,103,1280,1280,1280,1280,72,72,72,72]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0],"entropies": [4.855388165,5.286173344,5.149313450,4.600729942,5.080059052,7.797164440,7.832664490,7.507453918,5.138828754,5.081305504,5.166606903,6.092433929,6.575641632,7.259848118,5.043183804,5.097352505,5.052281380,7.626473904,7.461633682,7.832756042,5.149313450,5.132019997,5.083273411,5.775549889,7.833918095,7.851273537,7.839205742,7.857754707,5.121535778,5.177091122,5.111051083,5.177091122]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} +01958{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17210,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":27300.3,"max":135965,"stddev":41843.3,"var":1750865408.0,"ent":3.2,"data": [46509,46553,392,49783,3591,52945,10,1267,1,1272,3,2358,266,496,109019,1,1,105909,5,6,6499,35807,111148,135965,1,2]},"pktlen": {"min":72,"avg":430.6,"max":1460,"stddev":544.3,"var":296293.8,"ent":4.0,"data": [80,80,72,589,72,1460,1460,72,72,1460,1230,72,72,165,171,338,72,72,330,138,72,570,72,72,72,110,72,210,72,1460,1460,1460]},"bins": {"c_to_s": [9,1,1,1,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,0,1,1,1,1],"entropies": [4.684510231,5.128057957,5.091930866,4.525407314,4.980900764,6.391155720,5.165083408,5.175263882,5.175263882,7.346390247,7.633969307,5.175263882,5.109223843,6.098253250,6.329233170,7.209453583,5.008678436,4.970416069,7.086939812,6.058278084,4.925345421,7.519527912,5.175263882,5.147486210,5.175263882,5.594966412,4.980900764,6.689027309,4.980900764,7.853739262,7.845409870,7.847467899]}} 03007{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17210,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605289732959160,"flow_src_last_pkt_time":1605289733287022,"flow_dst_last_pkt_time":1605289733341107,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1151,"flow_dst_tot_l4_payload_len":10308,"midstream":0,"thread_ts_usec":1605289733341107,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a04:4e42:1d::84","src_port":38546,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Pinterest","proto_id":"91.183","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"assets.pinterest.com","tls": {"version":"TLSv1.2","server_names":"*.pinterest.com,pinterest.in,*.pinterest.co,pinterest.co,*.pinterest.pe,pinterest.pe,*.pinterest.be,pinterest.be,*.pinterest.in,*.pinterest.ph,*.pinterest.ec,pinterest.ph,*.pinterest.cl,*.pinimg.com,*.pinterest.es,pinterest.es,*.pinterest.nz,pinterest.nz,pinterest.ec,pinterest.hu,pinterest.ca,pinterest.id,*.pinterest.nl,pinterest.nl,*.pinterest.tw,pinterest.tw,*.pinterest.th,pinterest.th,*.pinterest.id,*.pinterest.vn,*.pinterest.hu,pinterest.vn,*.pinterest.uk,pinterest.uk,*.pinterest.ru,pinterest.ru,*.pinterest.it,pinterest.it,pinterest.fr,pinterest.cl,*.pinterest.fr,*.pinterest.jp,*.pinterest.ca,pinterest.com,pin.it,*.pinterest.se,*.pinterest.pt,*.pinterest.mx,*.pinterest.kr,*.pinterest.ie,pinterest.engineering,*.pinterest.dk,*.pinterest.de,*.pinterest.ch,*.pinterest.at,*.pinterestmail.com,*.pinterest.engineering,*.pinterest.info,pinterest.info,pinimg.com,pinterestmail.com,pinterest.de,pinterest.dk,pinterest.ie,pinterest.jp,pinterest.kr,pinterest.mx,pinterest.pt,pinterest.se,pinterest.at,pinterest.ch,pinterest.co.at,*.pinterest.com.uy,pinterest.co.kr,pinterest.co.uk,*.pinterest.com.au,pinterest.com.au,pinterest.com.mx,*.pinterest.co.nz,pinterest.co.nz,pinterest.com.pe,pinterest.com.uy,*.pinterest.co.in,pinterest.com.py,*.pinterest.com.py,pinterest.com.bo,*.pinterest.com.bo,pinterest.com.ec,*.pinterest.com.ec,pinterest.co.in,*.pinterest.com.pe,*.pinterest.com.mx,pinterest.com.vn,*.pinterest.com.vn,*.pinterest.co.uk,*.pinterest.co.kr,*.pinterest.co.at,*.testing.pinterest.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Pinterest, Inc., CN=*.pinterest.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"1E:D0:5D:9F:0D:82:46:B3:60:5F:11:FB:64:D5:28:35:37:40:7A:4E"}}} 00791{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":17592,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733399863,"flow_dst_last_pkt_time":1605289733399863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289733399863,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00571{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":17592,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1605289733399863,"flow_dst_last_pkt_time":1605289733399863,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605289733399863,"pkt":"qtsDr8lk5EKm5WPyht1gBe6sACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXpunLIBuwBxlgkAAAAAoAL9IKzvAAACBAWgBAIICsW6TI0AAAAAAQMDBw=="} @@ -203,7 +203,7 @@ 01143{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":17597,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733421383,"flow_dst_last_pkt_time":1605289733420828,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605289733421383,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17600,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733421383,"flow_dst_last_pkt_time":1605289733466833,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605289733466833,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 03067{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17606,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733466898,"flow_dst_last_pkt_time":1605289733468841,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5240,"midstream":0,"thread_ts_usec":1605289733468841,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","server_names":"f4.shared.global.fastly.net,*.500px.com,*.500px.net,*.500px.org,*.acceptance.habitat.sh,*.api.swiftype.com,*.art19.com,*.brave.com,*.chef.co,*.chef.io,*.cookpad.com,*.evbstatic.com,*.eventbrite.com,*.experiencepoint.com,*.fs.pastbook.com,*.fs.quploads.com,*.ftcdn.net,*.fubo.tv,*.getchef.com,*.githash.fubo.tv,*.habitat.sh,*.inspec.io,*.issuu.com,*.isu.pub,*.jimdo-dev-staging.com,*.jimdo-stable-staging.com,*.lulus.com,*.mansion-market.com,*.marfeel.com,*.massrel.io,*.meetu.ps,*.meetup.com,*.meetupstatic.com,*.newrelic.com,*.opscode.com,*.perimeterx.net,*.production.cdn.art19.com,*.staging.art19.com,*.staging.cdn.art19.com,*.swiftype.com,*.tissuu.com,*.video.franklyinc.com,*.wikihow.com,*.worldnow.com,500px.com,500px.net,500px.org,a1.awin1.com,acceptance.habitat.sh,api.swiftype.com,app.birchbox.com,app.staging.birchbox.com,app.staging.birchbox.es,art19.com,brave.com,cdn-f.adsmoloco.com,cdn.evbuc.com,cdn.polyfills.io,chef.co,chef.io,content.gamefuel.info,evbuc.com,experiencepoint.com,fast.appcues.com,fast.wistia.com,fast.wistia.net,fast.wistia.st,fubo.tv,getchef.com,githash.fubo.tv,habitat.sh,hbbtv.6play.fr,houstontexans.com,insight.atpi.com,inspec.io,jimdo-dev-staging.com,jimdo-stable-staging.com,link.sg.booking.com,mansion-market.com,media.bunited.com,meetu.ps,meetup.com,meetupstatic.com,onairhls.malimarcdn.net,opscode.com,perimeterx.net,polyfill.webservices.ft.com,qa.polyfills.io,raiders.com,s.sg.booking.com,s.swiftypecdn.com,static.birchbox.com,swiftype.com,viverepiusani.it,wikihow.com,wistia.com,www.dwin2.com,www.houstontexans.com,www.raiders.com,www.wada-ama.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=f4.shared.global.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"BE:28:82:77:5B:06:41:1F:70:84:BD:A4:B9:FB:F0:BC:B1:B5:E3:A0"}}} -01565{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":6845.7,"max":45476,"stddev":12150.2,"var":147627232.0,"ent":3.2,"data": [20965,21014,506,37100,8905,1,45476,39,2004,2,1,1,1959,29,12,7,90,33,7803,454,394,31006,1,387,1,22756,38,359,8296,2575,2]},"pktlen": {"min":86,"avg":391.7,"max":1134,"stddev":441.2,"var":194656.5,"ent":4.2,"data": [94,94,86,603,86,1134,1134,86,86,1134,1134,1134,1134,86,86,86,86,127,86,179,185,356,86,86,344,152,86,86,124,86,1134,1134]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1]}} +01964{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":17626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":6845.7,"max":45476,"stddev":12150.2,"var":147627232.0,"ent":3.2,"data": [20965,21014,506,37100,8905,1,45476,39,2004,2,1,1,1959,29,12,7,90,33,7803,454,394,31006,1,387,1,22756,38,359,8296,2575,2]},"pktlen": {"min":72,"avg":377.7,"max":1120,"stddev":441.2,"var":194656.5,"ent":4.1,"data": [80,80,72,589,72,1120,1120,72,72,1120,1120,1120,1120,72,72,72,72,113,72,165,171,342,72,72,330,138,72,72,110,72,1120,1120]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,0,1,1,1],"entropies": [4.809510231,5.143908501,5.203041553,4.540377140,5.064233780,6.870509624,5.058271885,5.230819225,5.230819225,6.720662117,7.193079948,7.346520901,7.621092319,5.230819225,5.137001038,5.203041553,5.175263882,5.649272442,5.175263405,6.019917488,6.380431175,7.094295502,5.064233780,5.064233780,7.049797535,6.150704861,5.203041077,5.203041553,5.667691708,5.008678436,7.799199581,7.796170235]}} 03070{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":17626,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605289733399863,"flow_src_last_pkt_time":1605289733500742,"flow_dst_last_pkt_time":1605289733511200,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":8749,"midstream":0,"thread_ts_usec":1605289733511200,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:7a6e","src_port":40114,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"js-agent.newrelic.com","tls": {"version":"TLSv1.2","server_names":"f4.shared.global.fastly.net,*.500px.com,*.500px.net,*.500px.org,*.acceptance.habitat.sh,*.api.swiftype.com,*.art19.com,*.brave.com,*.chef.co,*.chef.io,*.cookpad.com,*.evbstatic.com,*.eventbrite.com,*.experiencepoint.com,*.fs.pastbook.com,*.fs.quploads.com,*.ftcdn.net,*.fubo.tv,*.getchef.com,*.githash.fubo.tv,*.habitat.sh,*.inspec.io,*.issuu.com,*.isu.pub,*.jimdo-dev-staging.com,*.jimdo-stable-staging.com,*.lulus.com,*.mansion-market.com,*.marfeel.com,*.massrel.io,*.meetu.ps,*.meetup.com,*.meetupstatic.com,*.newrelic.com,*.opscode.com,*.perimeterx.net,*.production.cdn.art19.com,*.staging.art19.com,*.staging.cdn.art19.com,*.swiftype.com,*.tissuu.com,*.video.franklyinc.com,*.wikihow.com,*.worldnow.com,500px.com,500px.net,500px.org,a1.awin1.com,acceptance.habitat.sh,api.swiftype.com,app.birchbox.com,app.staging.birchbox.com,app.staging.birchbox.es,art19.com,brave.com,cdn-f.adsmoloco.com,cdn.evbuc.com,cdn.polyfills.io,chef.co,chef.io,content.gamefuel.info,evbuc.com,experiencepoint.com,fast.appcues.com,fast.wistia.com,fast.wistia.net,fast.wistia.st,fubo.tv,getchef.com,githash.fubo.tv,habitat.sh,hbbtv.6play.fr,houstontexans.com,insight.atpi.com,inspec.io,jimdo-dev-staging.com,jimdo-stable-staging.com,link.sg.booking.com,mansion-market.com,media.bunited.com,meetu.ps,meetup.com,meetupstatic.com,onairhls.malimarcdn.net,opscode.com,perimeterx.net,polyfill.webservices.ft.com,qa.polyfills.io,raiders.com,s.sg.booking.com,s.swiftypecdn.com,static.birchbox.com,swiftype.com,viverepiusani.it,wikihow.com,wistia.com,www.dwin2.com,www.houstontexans.com,www.raiders.com,www.wada-ama.org","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=f4.shared.global.fastly.net","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"BE:28:82:77:5B:06:41:1F:70:84:BD:A4:B9:FB:F0:BC:B1:B5:E3:A0"}}} 00899{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":17657,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289712203025,"flow_src_last_pkt_time":1605289712203025,"flow_dst_last_pkt_time":1605289712420176,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289734948586,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:807::200a","src_port":40876,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00797{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":17657,"source":"pinterest.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1605289712203025,"flow_src_last_pkt_time":1605289712203025,"flow_dst_last_pkt_time":1605289712420176,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605289734948586,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:807::200a","src_port":40876,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -267,9 +267,9 @@ ~~ total active/idle flows...: 37/37 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 7678994 bytes -~~ total memory freed........: 7678994 bytes -~~ total allocations/frees...: 140736/140736 +~~ total memory allocated....: 7684026 bytes +~~ total memory freed........: 7684026 bytes +~~ total allocations/frees...: 140773/140773 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 3433 chars diff --git a/test/results/pluralsight.pcap.out b/test/results/pluralsight.pcap.out index 11bddd1e9..e8d9bb6cd 100644 --- a/test/results/pluralsight.pcap.out +++ b/test/results/pluralsight.pcap.out @@ -55,9 +55,9 @@ ~~ total active/idle flows...: 6/6 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6103371 bytes -~~ total memory freed........: 6103371 bytes -~~ total allocations/frees...: 121633/121633 +~~ total memory allocated....: 6104187 bytes +~~ total memory freed........: 6104187 bytes +~~ total allocations/frees...: 121639/121639 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 496 chars ~~ json string max len.......: 1522 chars diff --git a/test/results/pop3.pcap.out b/test/results/pop3.pcap.out index 207df7a39..618eb2c80 100644 --- a/test/results/pop3.pcap.out +++ b/test/results/pop3.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038631 bytes -~~ total memory freed........: 6038631 bytes -~~ total allocations/frees...: 121520/121520 +~~ total memory allocated....: 6038767 bytes +~~ total memory freed........: 6038767 bytes +~~ total allocations/frees...: 121521/121521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 1059 chars diff --git a/test/results/pop3_stls.pcap.out b/test/results/pop3_stls.pcap.out index 2c3501a92..5921c50fe 100644 --- a/test/results/pop3_stls.pcap.out +++ b/test/results/pop3_stls.pcap.out @@ -8,7 +8,7 @@ 01116{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":13,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810351879,"flow_dst_last_pkt_time":1346096810349671,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":149,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":225,"midstream":0,"thread_ts_usec":1346096810351879,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01118{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":14,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":8,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810351879,"flow_dst_last_pkt_time":1346096810420652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":1685,"midstream":0,"thread_ts_usec":1346096810420652,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01119{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":18,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":11,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096810421794,"flow_dst_last_pkt_time":1346096810490233,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":186,"flow_dst_tot_l4_payload_len":4965,"midstream":0,"thread_ts_usec":1346096810490233,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} -01600{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":215,"avg":262973.8,"max":2072094,"stddev":524859.6,"var":275477528576.0,"ent":3.3,"data": [68193,68972,68661,120626,119751,1003135,1075317,72544,524,70840,70284,69545,70981,215,69915,69104,262,69187,6957,114416,36010,229437,154000,2002867,2072094,69067,658,117241,116699,68875,75810]},"pktlen": {"min":54,"avg":248.5,"max":1514,"stddev":417.0,"var":173868.9,"ent":3.8,"data": [66,66,54,65,60,60,82,60,60,203,60,91,222,1514,1514,54,1514,414,54,368,60,292,85,60,107,85,60,222,98,103,96,103]},"bins": {"c_to_s": [9,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,0,0,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1]}} +01996{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":215,"avg":262973.8,"max":2072094,"stddev":524859.6,"var":275477528576.0,"ent":3.3,"data": [68193,68972,68661,120626,119751,1003135,1075317,72544,524,70840,70284,69545,70981,215,69915,69104,262,69187,6957,114416,36010,229437,154000,2002867,2072094,69067,658,117241,116699,68875,75810]},"pktlen": {"min":40,"avg":234.5,"max":1500,"stddev":417.0,"var":173868.9,"ent":3.7,"data": [52,52,40,51,46,46,68,46,46,189,46,77,208,1500,1500,40,1500,400,40,354,46,278,71,46,93,71,46,208,84,89,82,89]},"bins": {"c_to_s": [9,2,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,0,0,1,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1,1,0,1,0,1],"entropies": [4.492581844,4.801308632,4.734183788,5.157432556,4.996070385,4.501398087,5.447610855,4.952592373,4.501398087,5.483742237,5.012480259,5.432518482,5.539906025,7.142385483,7.103268623,4.734183788,6.899816990,7.242932796,4.784183979,7.363773823,4.501398087,6.985215187,5.760285378,4.501398087,5.843768597,5.665146351,4.501398087,6.988708973,5.939931870,5.954314232,5.674627304,5.896972179]}} 01120{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096812985585,"flow_dst_last_pkt_time":1346096813059760,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":648,"flow_dst_tot_l4_payload_len":5522,"midstream":0,"thread_ts_usec":1346096813059760,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01150{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":53,"source":"pop3_stls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":30,"flow_first_seen":1346096808946579,"flow_src_last_pkt_time":1346096814309972,"flow_dst_last_pkt_time":1346096814377321,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":314,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":805,"flow_dst_tot_l4_payload_len":7462,"midstream":0,"thread_ts_usec":1346096814377321,"l3_proto":"ip4","src_ip":"192.168.20.18","dst_ip":"72.249.41.52","src_port":50583,"dst_port":110,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"POPS","proto_id":"23","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":53,"source":"pop3_stls.pcap","alias":"nDPId-test","packets-captured":53,"packets-processed":53,"total-skipped-flows":0,"total-l4-payload-len":8267,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1346096814377321} @@ -20,10 +20,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6055464 bytes -~~ total memory freed........: 6055464 bytes -~~ total allocations/frees...: 121552/121552 +~~ total memory allocated....: 6055600 bytes +~~ total memory freed........: 6055600 bytes +~~ total allocations/frees...: 121553/121553 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars -~~ json string max len.......: 1605 chars -~~ json string avg len.......: 1032 chars +~~ json string max len.......: 2001 chars +~~ json string avg len.......: 1218 chars diff --git a/test/results/pops.pcapng.out b/test/results/pops.pcapng.out index 2aafed055..60ddc94c7 100644 --- a/test/results/pops.pcapng.out +++ b/test/results/pops.pcapng.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042313 bytes -~~ total memory freed........: 6042313 bytes -~~ total allocations/frees...: 121496/121496 +~~ total memory allocated....: 6042449 bytes +~~ total memory freed........: 6042449 bytes +~~ total allocations/frees...: 121497/121497 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 1003 chars diff --git a/test/results/pps.pcap.out b/test/results/pps.pcap.out index ad46df5c4..a2bbe734b 100644 --- a/test/results/pps.pcap.out +++ b/test/results/pps.pcap.out @@ -25,16 +25,16 @@ 00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136440581,"flow_dst_last_pkt_time":1467353136440165,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1467353136440581,"pkt":"TF4M6gNlABxCjnAxCABFAABBf0AAAIARQDrAqHMI2+RrnFkJBOIALQK82oCeu7tQQPUjL7WiHx8fHhoTSt7f39\/fs\/\/\/\/\/\/\/\/\/\/7O8Q7\/w=="} 01929{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136439495,"flow_dst_last_pkt_time":1467353136451735,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1107,"pkt_l4_len":1073,"thread_ts_usec":1467353136451735,"pkt":"ABxCjnAxTF4M6gNlCABFAARFKL0AAHkRbnJyKgCewKhzCB4kWQkEMQAA5YSwlpa05Mz2MVewhoaCw8Hl+3pZtoju6+vr60s2NjY2NjY2Mvku7QuOheQK9+NWgE7h2muxGM8D4DLm\/5x\/1\/JkPV6l86b3frCbpFSV7e2oOEkA4r\/bSCXhW8qYH5FqZgI6H822zV3AiRFliRCzdnIUkAPC4PeWFP8SV27xJ8xbxdt32Kzd8xhvmCkAgFUGD2aDXcaHo\/t3xxnKLSSA2No89lgZtTN6aTV4hYqd8hyVjK50Td7AS5rauDqcBz+RRXO4T+EAR5e7iDWXURHfR8EdQTfwsVkGPPWQFWZnZXoFkiluRuLCi6QTHJ\/wv2anzG520CpgomFFVPifWxBY1yo+25yZEvPeAFUPD9JwFSkkY+renkyqaouITdp\/U5xCqpe0AiGnlKCVH+BXW1qBJEl+erh8fAIyCpGCzFIqJ4Pmf9KyHWQyO4dZwZwHlnZ9L\/lCDYLl+5l+PyECs5D7mp401ix6MgQniSKHDqSvAoHhct48Iil039ISc4jtlzQP8VPwMzO9dm5pliz3vR0jeva2ymZtvGZZHTgf3Z20dDWyQbeaMA4XFPN2Dgy4dZttatnu9U\/U8ZcatdkKiTvqlJM38cgX5B7bCcpaNF6r3DNkDbHSWu4IAdS0k86zdu0VLwc0p8Sl4c42gst9OSqI2bgJaWokPPfPasrMJYfwhCW3ctsOEbYyz0tCOtujPD4KQzVdsNsD0KynxPfIWPXEi4xkfSsHXTRIuDUuPSCaFsBafpHRF0UphHR7Pno40CdJL751OfYk6pKOpNzNQbZZEehR+La+0h5w1JnTzl9xMmPBQfRhxB4vL3mFDo0xuCa+sNfqgmrXE4E39PE8sZpsHdLuGNschu3yhzgir1zABCnBIEcAyJ82rPj3RhxSQcuNkKpNPC9UtYHqYQAABjUJAANMAPSIAAAAACcBAAAAAAADQwGe+7MifwCEzAhiIBeWLxdoIrozlE8XeJKfA0uhUzS6uAS7Ddrnl5s0qHmNYhCP2pZ1KZuNwa9ptwEToJwndi6+1zT0Em8ViTT0l\/PGSsXOdNwvfrI1hMghxy4hD5qdkALJ90LEYzn1\/xjQkHRWjEqhjaHkpFzfnyr5yWlcpJ2H9l+D4J2fKYI45G95h2VWJS7e1cWbomHCJsHbzbwx2JxLcpC+eYkeCHz\/iclfVtYP\/E28eKUh+dQCQYHOCX1RgjhnndoYo4d9RCXRRhGqFWhuoX9Qkc6+q3FSYirrEYByX9CjozjqMmFBqri7DW7e\/A+Gtc1g4ZuGpzSVp4JMgIJcfPSA7z3zPWPYvTFuhpOQgZePdrYomcO3Fkae11rDSLaGWDnRLMyo5ZgKRiA5vOsVB0rF\/WA2Lanl39fkOuqzI5Mbb9\/2jAmNrToXgJUbWeGPhzwYtVlwp5b6KSwdvPQ0HH0AAAAA"} 01940{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136440581,"flow_dst_last_pkt_time":1467353136470091,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1107,"pkt_l4_len":1073,"thread_ts_usec":1467353136470091,"pkt":"ABxCjnAxTF4M6gNlCABFKARFVaEAAGURgK3b5GucwKhzCATiWQkEMdtFzISZv79URPEnK7GmGxsfXlyX4U4GsCimp6enp++jo6Ojo6OjpwDlWJTX1\/VR7NYrdZ8iw9hBVil1k3qsvepXHXvuMV4G4bY\/7FqHvHs6hWOCtrl3tuHHM3btfKlPjHjmmUJV9saYFG3shSVoHte4TwNPMs8Ihb+6CEl1C4ObFOV4cpEdSIpnRG\/HdCceK8v\/Yg4PX\/Y3QMZhvFEU\/aVfhwhsv41eQ1iaeG2UXEuD2KZKuPG0Tgd2x\/\/tZFf\/VtlLdZpCBJDKFeYnvEIiDsaQ7dS9bFDybOYNbQRsYlx4vdyTOQyZ9dWmPET9vKjX1C1s5QZnSJoAVU1k1fd+paH9lthbdOTYV7CKfmZy3IzKX6sKff+RpApDAs9XUVsB\/Kp1xnqFYTqzs3FAeAm8rVpI58rJM8tLYvBzAVaqwWhzIf0knXhYOVChXWhxhnaR46DwmBmHtJbiZv7kcOHpGmw+JJHvLbH\/9nhmnSxbGrTLXYrvdoMK+D4qHDYoKhCNTIqWr1x293NU\/irKFwQ77pDnFDMZGstHu45rqJzQRBnDBT\/RxyhgJlDUXZwbrBOWk54R3+0H9X8sCxCU0jByFfSreAvTxm9L5EmXKYI8LBBvn\/d30\/LgaB6FNc4qu7jT84ssBEc4Sde9KkWIkQ9UcCUBqIo85pR8QX8kwMAUE9Vcnxj57ZjyFlfvbMafZbPzw+dZdNM9fJdU8+vQ+8KnnRDAUrxC0dliIt8ifC7hLDk3kAHMA7BE6g0bZ4gKU2bjGJ5eqtWzSHnyBo9+hOrXUdoMDG36GRAle0bMitZabac6i0\/+Mrc9jBP2RSaKhfdrf32XNFopOiSbtB8JEk62kQAwm3uKD\/cndXhTvcem\/vXUa6xKv1Frofj24dy17GRlDqkS8zOCOsgMmzcCqauXneUes0mhMZCc9njZscArmdX7uWek8HqED71jcZoIG1kr11Cg3WkHBfBWlPOeDTI0fJIwZxYbBfKfY7EMdzylN\/T3aJ\/sPvpdQK4lQzeH+aKhhm7ycILBiO3aKE1LvOZknkff\/LsUxbrtpRqj1ADo4brAsYbrHyBbLtaVTGouvIRQUlMIYcYFiFwkOQDQMNEIKnN+TSbLptXblUGCNwJpX5f5Uk0\/QKmerhQPRa0UsG5OCykWNYoPSuMcfAD2GFF3wbR9U2X2Dk7cPApHN7NPhHT+sX\/QASfuLzjacAvs7KnfBVDkcL+5ODhe7XfUHprXAEc9YbqO3IYocMewPBVwRrw3TVJ5IZApjiX3IvBTM7IR1VIPJyyWgHQvzKJoZqrxDWR17vV38taeyJFoOUGl5V1tf+ulF2vCSr3JRzT5Tl+zLn+Qs\/hENB\/LIaOr0SiIhS\/XloJHeYuFn+yTXg8JXdPPH4UKKpKyF6kn+u\/7tG6FjsqJRu3WcAEAAAAA"} -01540{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"pps.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136432546,"flow_src_last_pkt_time":1467353136472487,"flow_dst_last_pkt_time":1467353136473380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136473380,"l3_proto":"ip4","src_ip":"1.173.5.226","dst_ip":"192.168.115.8","src_port":22636,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":2605.6,"max":13556,"stddev":4035.9,"var":16288762.0,"ent":3.7,"data": [306,331,2951,1986,4674,337,125,2,561,612,2012,866,221,1880,1060,119,11920,11824,91,13556,13473,115,2750,2611,216,1278,998,122,1608,1850,320]},"pktlen": {"min":79,"avg":400.2,"max":1107,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [1107,79,79,1107,1107,79,79,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]}} +01939{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"pps.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136432546,"flow_src_last_pkt_time":1467353136472487,"flow_dst_last_pkt_time":1467353136473380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136473380,"l3_proto":"ip4","src_ip":"1.173.5.226","dst_ip":"192.168.115.8","src_port":22636,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":2605.6,"max":13556,"stddev":4035.9,"var":16288762.0,"ent":3.7,"data": [306,331,2951,1986,4674,337,125,2,561,612,2012,866,221,1880,1060,119,11920,11824,91,13556,13473,115,2750,2611,216,1278,998,122,1608,1850,320]},"pktlen": {"min":65,"avg":386.2,"max":1093,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [1093,65,65,1093,1093,65,65,65,65,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1],"entropies": [7.828674316,5.137356281,5.137356281,7.824265003,7.825281143,5.179738998,5.101225376,5.179738998,5.101225376,5.154975891,5.154975891,7.796083450,5.137356281,5.137356281,7.808646679,5.210508347,5.210508347,7.801303864,5.079889774,5.079889774,7.813374043,5.210508823,5.210508823,7.793810368,5.112839222,5.112839222,7.648104191,5.179739475,5.179739475,7.828240871,5.179739475,5.179739475]}} 00809{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":77,"source":"pps.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136432546,"flow_src_last_pkt_time":1467353136472487,"flow_dst_last_pkt_time":1467353136473380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136473380,"l3_proto":"ip4","src_ip":"1.173.5.226","dst_ip":"192.168.115.8","src_port":22636,"dst_port":22793,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} -01544{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":92,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1467353136439181,"flow_src_last_pkt_time":1467353136477379,"flow_dst_last_pkt_time":1467353136477110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":10650,"midstream":0,"thread_ts_usec":1467353136477379,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"114.42.0.158","src_port":22793,"dst_port":7716,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":107,"avg":2455.7,"max":12554,"stddev":3705.5,"var":13730790.0,"ent":3.8,"data": [314,12554,12553,190,1137,940,141,1586,1472,244,2060,1844,332,694,598,286,1704,1051,140,3586,5819,415,11908,9064,111,1248,1392,110,1452,1075,107]},"pktlen": {"min":79,"avg":400.2,"max":1107,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79]},"bins": {"c_to_s": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0]}} +01943{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":92,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1467353136439181,"flow_src_last_pkt_time":1467353136477379,"flow_dst_last_pkt_time":1467353136477110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":10650,"midstream":0,"thread_ts_usec":1467353136477379,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"114.42.0.158","src_port":22793,"dst_port":7716,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":107,"avg":2455.7,"max":12554,"stddev":3705.5,"var":13730790.0,"ent":3.8,"data": [314,12554,12553,190,1137,940,141,1586,1472,244,2060,1844,332,694,598,286,1704,1051,140,3586,5819,415,11908,9064,111,1248,1392,110,1452,1075,107]},"pktlen": {"min":65,"avg":386.2,"max":1093,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65]},"bins": {"c_to_s": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0],"entropies": [5.119737148,5.119737148,7.751015663,5.162120342,5.162120342,7.728781223,5.025249004,5.025249004,7.800218105,5.162120342,5.162120342,7.811382294,5.100581169,5.100581169,7.798585892,5.131350517,5.131350517,7.812101364,5.131350517,5.131350517,7.815410614,5.052836418,5.052836418,7.801507473,5.069812298,5.069812298,7.767622948,5.162119865,5.162119865,7.797546387,5.162120342,5.162120342]}} 00807{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":92,"source":"pps.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1467353136439181,"flow_src_last_pkt_time":1467353136477379,"flow_dst_last_pkt_time":1467353136477110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":814,"flow_dst_tot_l4_payload_len":10650,"midstream":0,"thread_ts_usec":1467353136477379,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"114.42.0.158","src_port":22793,"dst_port":7716,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":104,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136483217,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483217,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353136483217,"l3_proto":"ip4","src_ip":"183.228.182.44","dst_ip":"192.168.115.8","src_port":13913,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":104,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483217,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":87,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":87,"pkt_l4_len":53,"thread_ts_usec":1467353136483217,"pkt":"ABxCjnAxTF4M6gNlCABFAABJGboAAG4RkSi35LYswKhzCDZZWQkANUuZLYBpf39e0v7fca+OwsfHOTl\/IikLCQkWAAkJKytvb9HBysr2yjYJCAYGBiUA"} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":106,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483414,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1467353136483414,"pkt":"TF4M6gNlABxCjnAxCABFAABHf1sAAIARGYnAqHMIt+S2LFkJNlkAMzZRK4B+aGhJxenIZriZ1dfXqamg+fjwxMU1UFBQXFw8PHdzc3Nzc\/PMztbWAA=="} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":107,"source":"pps.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136483217,"flow_dst_last_pkt_time":1467353136483605,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1467353136483605,"pkt":"TF4M6gNlABxCjnAxCABFAABHf1sAAIARGYnAqHMIt+S2LFkJNlkAMzZRK4B+aGhJxenIZriZ1dfXqamg+fjwxMU1UFBQXFw8PHdzc3Nzc\/PMztbWAA=="} 01930{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136440579,"flow_dst_last_pkt_time":1467353136492484,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1107,"pkt_l4_len":1073,"thread_ts_usec":1467353136492484,"pkt":"ABxCjnAxTF4M6gNlCABFKARFCXUAAGcRqYjexYoMwKhzCBssWQkEMdp11oSDpaWH1\/\/FAmSDtbWx8PLexT66472RkJCQkDRPT09PT09PS5jNKDDUtGPhLFjohGWYT2j8j83amDkrhZ3C\/2FQ5mdZnyaSlXvpTSw4QxzPKc\/1ppy0r1eRZI5oJ+p2dayL0dtYIRXg5e6MWgrC2be0L7w5uHO8F004aYCv4P9CJMUAHJpWAbSrTZTMfEtWFyfDkj7YkHwaP5UymM6nR48L2gXFeKkUsAfFE4YdqOFx0jp7Or60QKwF28+F5JlmKheAIJYQf2G3TqQY5Z0GTRcqhNLIOvYwJHCg1nj9RsIaYrnxmJ6DxwmjdzptTsT9sVdTMbkTg\/n2nGJhiOefKm8zFCoYHgU+C28Gf5sas1vu\/kt+OthMjccEo9wtGlC0ASPJ0qzS1sLHzYCsHMKDTYi9DD4foBrLZIc7pPx6JY6jOITQrc3efMsbAqZ1ZQQ9kAdp5K3mgsg3YJ0Q8Y0QZBWPHmxflGMFEMjHsP3GqPpnIAikccEmWg4o7+4F7KjVV7AVvTEyzA+8jQ1VrBrX5u+RVR9KG1O2SE5Cyq01BIwBHkezcDDf26H5C97IBIVRHEUN9a1I634tVX2hvonn9B8R7ucHFtbPm8v8XEfv5vsQiUBxdkQr4DEWqI+9efmJ7QzhmvbgsfQT\/lgyVKjuV7xATyGBulDT7mIFhQJis3fW7N6AP3W7D2NaqruF2RCWxjuAfiDF7FqVCRQStQiec12qDWggWFa5YJPYeAg3DNJYZLcxFww8J70\/Eg39+xjHkW\/GOLYez3x9FJNy88bzEiJFYwCTWUZnK3jDBLUaCFieNDFzqoKVzt+\/kSz+C3mshabnALJ2aYVnyWRkGVGRIw3S0WoTq9YykqwMV24Kk34rk9VX0xjIdoKqUAQsTP2sFY10R\/tU6R54Bq6N20vbHw0423rQBfXYTLF76muZ+5yrUbSgYHUxbnjBnVjpbbDNFDv1NDIURH8hFLeWNAsNZtLNHUp97veG5JCgSoBcNWrf5g+qs\/mmuRkZFHQLGQXlFjnHqt7DW7888AHgw3u4CiGUSrJzphDpfCWP0RgDn299d2Ril0LC8MhkTRLsCefsDfyp9t55XHR0+9rQ12xOawr2Gfk1nM+UlkyzEfd1uzpXju7BlNw\/XaM1RcvL26zFCGpLkhelssxeXpe1oStGT9+fgo5vRALSMf096AIfzKDk\/NbnZpnXY4r7ISHMeE5wJVp6Hs0TJswp0xbpQzaMzYGEvxoAbPu5kOZ9OipaPQfGALzzv2q6QmKKpdI3AnIh4LIO1vipAjAuDPqLWlCAnhJDj80pV4njf5FGejVXyupeYtcRvfudhBQ8G2H+16vYuNtcP3OV14wpgh5uQQEZwbFNlX+Dnyt\/qoHM45o25wYs9\/IAm40Qt01817PU8SGdpYVifHQAgAAA"} -01558{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":259,"source":"pps.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136433806,"flow_src_last_pkt_time":1467353136571752,"flow_dst_last_pkt_time":1467353136559870,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136571752,"l3_proto":"ip4","src_ip":"118.171.15.56","dst_ip":"192.168.115.8","src_port":5544,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":8516.5,"max":26979,"stddev":8440.4,"var":71240384.0,"ent":4.1,"data": [354,233,4927,176,24291,18871,121,5388,6873,160,19127,17570,126,13829,13759,135,13082,15439,116,26979,24414,172,9012,10973,385,1993,887,14115,8282,98,12123]},"pktlen": {"min":79,"avg":400.2,"max":1107,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [1107,79,79,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,1,0,1,1,0]}} +01957{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":259,"source":"pps.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136433806,"flow_src_last_pkt_time":1467353136571752,"flow_dst_last_pkt_time":1467353136559870,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136571752,"l3_proto":"ip4","src_ip":"118.171.15.56","dst_ip":"192.168.115.8","src_port":5544,"dst_port":22793,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":8516.5,"max":26979,"stddev":8440.4,"var":71240384.0,"ent":4.1,"data": [354,233,4927,176,24291,18871,121,5388,6873,160,19127,17570,126,13829,13759,135,13082,15439,116,26979,24414,172,9012,10973,385,1993,887,14115,8282,98,12123]},"pktlen": {"min":65,"avg":386.2,"max":1093,"stddev":476.5,"var":227043.4,"ent":4.0,"data": [1093,65,65,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,22,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,1,1,0,1,1,0],"entropies": [7.718708038,5.110659122,5.110659122,5.055125713,5.055125713,7.786316872,5.085895061,5.085895061,7.777331829,5.172197342,5.172197342,7.830995560,5.055125713,5.055125713,7.799821854,5.043511868,5.043511868,7.781206608,5.055126190,5.055126190,7.756371021,5.172197819,5.172197819,7.778749943,5.141428471,5.141428471,5.018351555,5.018351555,7.782123089,5.141428471,5.141428471,7.801887989]}} 00811{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":259,"source":"pps.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1467353136433806,"flow_src_last_pkt_time":1467353136571752,"flow_dst_last_pkt_time":1467353136559870,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1065,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1065,"flow_dst_max_l4_payload_len":37,"flow_src_tot_l4_payload_len":10650,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1467353136571752,"l3_proto":"ip4","src_ip":"118.171.15.56","dst_ip":"192.168.115.8","src_port":5544,"dst_port":22793,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":340,"source":"pps.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136616772,"flow_src_last_pkt_time":1467353136616772,"flow_dst_last_pkt_time":1467353136616772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353136616772,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"202.108.14.236","src_port":50462,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":340,"source":"pps.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136616772,"flow_dst_last_pkt_time":1467353136616772,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1467353136616772,"pkt":"TF4M6gNlABxCjnAxCABFAAAof6tAAIAGbhvAqHMIymwO7MUeAFC+iLxRSK1JylAQQRKO+AAA"} @@ -42,7 +42,7 @@ 01942{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":387,"source":"pps.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1467353136440580,"flow_dst_last_pkt_time":1467353136640432,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1109,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1109,"pkt_l4_len":1075,"thread_ts_usec":1467353136640432,"pkt":"ABxCjnAxTF4M6gNlCABFKARHPvMAAGwRBbvKxgdZwKhzCD6nWQkEM7bwtIThx8fltZ2nYAbh19fDgoHFsbOz05H7ys7Ozs7OUjMzMzMzMzM3d32QGgSgl3utg\/Lr9hRf++0ikCQTv4qzjqE0Vwx53Ozi5DZHrUJ0D9ld80WV2ev0tZtZRKXgAoVPxGV\/sVzgH4xC6HL79R7mq5iPtdzW66QMOgYGr3SE8p+G4rKdTYea586Ro7AY6bM28Jh0I5r5TVTI2fUcSzHV34y5S7zxuN9s2gdR+G2nAQ9di580b0fnOVMCMbQS0YymBcyPOk\/TMuDcu3jPoKDTMgO9S0s0IYLNh3NTzcMZuYatUE10g0vqD2WlKxR1edSPZQFM4WX\/I8oWPKSn5CmnWCJgNchgz7RCWXFcarMT+ited1xm8MkWOvZ2PeUCHfQ1MuOuLpD7j5mhw07uokSIlTUFQAnPCELFA5Psd1zbcuid+es8QtEP8h5Pg5ROnoUYgwG\/AmXnw02rh0T218tbI40AgvHe3fXoohnR3eOl8fPl6Tin6Gi3A066NBegsFeRPVSX+gHnt5FK1bZ00Z5WDtXOvCRcLb\/+iWvY\/Ph9J25OZG\/H6f9hZv6bNXwaaIuHTCkt2zE30xNgGrL5fP\/qsPXo4QVw4df\/AHUUWn7DNhotAyglmhZHHHx2D76uvfRLfpDX45nAOTU0aQzIlAkbjeL9MiunISwrfsUiGGi77jizTx7AZjJwIN9X0xB729dePDFW3iOjEJKi6wwqiXtgjp0Qn4ycT8aj3higqkAdmCf6viBeUxA4Ey0XJs8LeWlBWrWLGrAVX\/syUvSc0Qnt7hgTis34opRC9MgH7uPb+CPcACWQ4PyqMfFoB93v48Hj+r9dC9ONTO9C\/ktt3YfWgupPKQW8qdqTDsSYNY4LtVldBymEKQFgcafM+ACwgYLH3rkh38VWSezZwGc\/KyCgGlonrmjhRAudSNJrjk2I5hAwMjl3+Su91K1EqYBwzJUW5Alu89DYvHVV54Y1uiDfno+vg9g2pOTv9qD\/obGNrCOfIKiGoGknOiYUYI9eRr\/Qs1peKBmW\/7D5fFEEUzXzGE\/77OK829Wr420Sgnl\/\/9UHV4dxNEpg7Umuc4f16HFagvn7eaQRFd2LphIs7VvTz82qi7A\/OZJVG8fQa21CCaNp\/VwpaOYvMyyVi6a19f21I+oFHfTzAOIIV1wwifq0aAqUb5BxGVtvBKoejKKSwLl6F5F2DDKztCmxmzs\/WdQTTScN896khxt4jB6c6Mtj512hCjnKbeZFmlvfg6SdAKpUxQ3Gx6Yz3l9WLMoFQ3S6GdtYorTUz4zvLoxi+9EUFhpvg1ZrQIfeIXH93JJ0H9uwkye148Sa+dodTKDlcRbxOKd9fiM3Owhw5\/cz2k47y3guqZHbBfAcDjAReQ92\/933ihS1JB7je3wazbY+fsqer0ZQzO0QaggAAAA="} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":644,"source":"pps.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136757007,"flow_src_last_pkt_time":1467353136757007,"flow_dst_last_pkt_time":1467353136757007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353136757007,"l3_proto":"ip4","src_ip":"192.168.5.15","dst_ip":"68.233.253.133","src_port":65125,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":644,"source":"pps.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136757007,"flow_dst_last_pkt_time":1467353136757007,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1467353136757007,"pkt":"TF4M6gNlKDc3Alz6CABFAAA0AHFAAEAGMi3AqAUPROn9hf5lAFBsGPTh5ZgTx4AREAFu8AAAAQEICiYbPvkrIgZe"} -01560{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":725,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136440165,"flow_src_last_pkt_time":1467353136804834,"flow_dst_last_pkt_time":1467353136804280,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":8520,"midstream":0,"thread_ts_usec":1467353136804834,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"219.228.107.156","src_port":22793,"dst_port":1250,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":23509.2,"max":69635,"stddev":21390.8,"var":457567520.0,"ent":4.2,"data": [416,29926,29688,118,32027,32808,298,45715,281,69635,23035,67,41991,41569,116,35956,327,59526,23042,142,31796,32196,302,44442,309,68337,22748,167,30877,30767,160]},"pktlen": {"min":79,"avg":336.0,"max":1107,"stddev":445.1,"var":198147.0,"ent":4.0,"data": [79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79]},"bins": {"c_to_s": [0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0]}} +01959{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":725,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136440165,"flow_src_last_pkt_time":1467353136804834,"flow_dst_last_pkt_time":1467353136804280,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":8520,"midstream":0,"thread_ts_usec":1467353136804834,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"219.228.107.156","src_port":22793,"dst_port":1250,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":23509.2,"max":69635,"stddev":21390.8,"var":457567520.0,"ent":4.2,"data": [416,29926,29688,118,32027,32808,298,45715,281,69635,23035,67,41991,41569,116,35956,327,59526,23042,142,31796,32196,302,44442,309,68337,22748,167,30877,30767,160]},"pktlen": {"min":65,"avg":322.0,"max":1093,"stddev":445.1,"var":198147.0,"ent":3.9,"data": [65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65]},"bins": {"c_to_s": [0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0],"entropies": [5.112839222,5.112839222,7.812224865,5.155221939,5.155221939,7.822898388,5.222122192,5.222122192,5.222122192,5.222122192,7.815716267,5.252891541,5.252891541,7.813511848,5.068920135,5.068920135,5.148970604,5.148970604,7.791888237,5.150506973,5.150506973,7.805237770,5.160583973,5.160583973,5.192889690,5.192889690,7.800968647,5.088968277,5.088968277,7.814544201,4.920591831,4.920591831]}} 00809{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":725,"source":"pps.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136440165,"flow_src_last_pkt_time":1467353136804834,"flow_dst_last_pkt_time":1467353136804280,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":8520,"midstream":0,"thread_ts_usec":1467353136804834,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"219.228.107.156","src_port":22793,"dst_port":1250,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":765,"source":"pps.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353136833095,"flow_src_last_pkt_time":1467353136833095,"flow_dst_last_pkt_time":1467353136833095,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":108,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":108,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":108,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353136833095,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"218.61.39.103","src_port":22793,"dst_port":17788,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00637{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":765,"source":"pps.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1467353136833095,"flow_dst_last_pkt_time":1467353136833095,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":150,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":150,"pkt_l4_len":116,"thread_ts_usec":1467353136833095,"pkt":"TF4M6gNlABxCjnAxCABFAACIADsAAIARBNXAqHMI2j0nZ1kJRXwAdM6LbABEsXEiUCg6x2bnNgAAAQADAAAAwKhzCAlZCtIsqwEGdAZ0b\/pmQpw8UwQ938xDXiteKyTtmkXcENwQJOknUZ5InkhvdWVRsieyJz3jqlgDTwNPynAfWaJVkHF5+IVd1THVMQGvgGhBFEEU"} @@ -124,7 +124,7 @@ 00611{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":819,"source":"pps.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136838373,"flow_dst_last_pkt_time":1467353136837852,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"thread_ts_usec":1467353136838373,"pkt":"TF4M6gNlABxCjnAxCABFAAB0AFQAAIARBODAqHMI2j0nV1kJRXwAYC8EWABVcnEAAAAAx2bnNgcAAAAAAAAAFJfHSwLp2roy68F8GXs9tGoAAAAAGAAAAAYAAAANKAICAAAAAwAYAMCocwgJWRcAAAsKAAAAAAAlAfAI8dQdAAAAAA=="} 00612{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":820,"source":"pps.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136838373,"flow_dst_last_pkt_time":1467353136838051,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"thread_ts_usec":1467353136838373,"pkt":"TF4M6gNlABxCjnAxCABFAAB0AFUAAIARCQHAqHMId7yFtlkJRXwAYCbMWABVcnEAAAAA4pCy\/AcAAAAAAAAAFAQbslmKl2DoSDdZBZ9sSucAAAAAAAAAAAYIAAANKAICAAAADQAYAMCocwgJWRcAABIKAAAAAAAlAcgIZPMJAAAAAA=="} 00612{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":821,"source":"pps.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1467353136838374,"flow_dst_last_pkt_time":1467353136838171,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":130,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":130,"pkt_l4_len":96,"thread_ts_usec":1467353136838374,"pkt":"TF4M6gNlABxCjnAxCABFAAB0AFYAAIARp8zAqHMItz2naFkJRXwAYEeGWABVcnEAAAAAyMXU\/wcAAAAAAAAAFADpSP+bPHc9KoW3YGEXtKMAAAAAAAAAAAYIAAANKAIBAAAACAAYAMCocwgJWRcAACUKAAAAAAAlActw35cdAAAAAA=="} -01555{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":921,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136439640,"flow_src_last_pkt_time":1467353136868041,"flow_dst_last_pkt_time":1467353136900861,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":7474,"midstream":0,"thread_ts_usec":1467353136900861,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"222.197.138.12","src_port":22793,"dst_port":6956,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":28697.5,"max":108044,"stddev":30689.6,"var":941853376.0,"ent":4.0,"data": [939,52844,52258,255,55452,67,77746,21970,217,78270,79276,484,437,117,46524,44383,93,18436,18537,325,35971,83,108044,71536,720,28274,507,45891,16142,358,33466]},"pktlen": {"min":61,"avg":303.3,"max":1107,"stddev":425.3,"var":180865.5,"ent":3.9,"data": [79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,1107,79,79,79,79,1107,79,79,79,79,1107,79,79,61]},"bins": {"c_to_s": [0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1]}} +01954{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":921,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136439640,"flow_src_last_pkt_time":1467353136868041,"flow_dst_last_pkt_time":1467353136900861,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":7474,"midstream":0,"thread_ts_usec":1467353136900861,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"222.197.138.12","src_port":22793,"dst_port":6956,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":28697.5,"max":108044,"stddev":30689.6,"var":941853376.0,"ent":4.0,"data": [939,52844,52258,255,55452,67,77746,21970,217,78270,79276,484,437,117,46524,44383,93,18436,18537,325,35971,83,108044,71536,720,28274,507,45891,16142,358,33466]},"pktlen": {"min":47,"avg":289.3,"max":1093,"stddev":425.3,"var":180865.5,"ent":3.8,"data": [65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,1093,65,65,65,65,1093,65,65,65,65,1093,65,65,47]},"bins": {"c_to_s": [0,24,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1],"entropies": [5.252891541,5.252891541,7.807993889,5.259143829,5.259143829,5.252891541,5.252891541,7.789888382,5.197358608,5.197358608,7.823671818,4.976612091,4.976612091,5.056662560,5.056662560,7.801744938,5.179739475,5.179739475,7.702906132,5.148970127,5.148970127,5.069812298,5.069812298,7.822528839,5.131350994,5.131350994,5.119737625,5.119737625,7.810484409,5.131350517,5.131350517,4.884167194]}} 00808{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":921,"source":"pps.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":24,"flow_dst_packets_processed":8,"flow_first_seen":1467353136439640,"flow_src_last_pkt_time":1467353136868041,"flow_dst_last_pkt_time":1467353136900861,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":1065,"flow_src_tot_l4_payload_len":888,"flow_dst_tot_l4_payload_len":7474,"midstream":0,"thread_ts_usec":1467353136900861,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"222.197.138.12","src_port":22793,"dst_port":6956,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":994,"source":"pps.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353138757317,"flow_src_last_pkt_time":1467353138757317,"flow_dst_last_pkt_time":1467353138757317,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1260,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1260,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353138757317,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"101.227.200.11","src_port":50463,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 02195{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":994,"source":"pps.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1467353138757317,"flow_dst_last_pkt_time":1467353138757317,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353138757317,"pkt":"TF4M6gNlABxCjnAxCABFAAUUA1lAAIAGkOvAqHMIZePIC8UfAFBKp6EFWDmKmFAQ\/\/B9QgAAR0VUIC90cmFjazI\/YT0xJmFzPTE7MiwzOzQsNSZiPTE0NjczNTMxMzgmYz1hZTg3Y2IzY2ZkZjQ5NGFhNDhkYzYwODkwOWY2OTI1MCZjdj01LjIuMTUuMjI0MCZkPTUwMDAwMDA4NTg4NzQmZHI9MjE3NSZmPTRlM2FlNDE1YTU4NDc0OGFjOWFhMzE2MjhmMzlkMWU4Jmc9MF9hYW9lZmR0cWdmZGVweGMydG52M3BpdWNnY2I0ZW9mbiZoPSZpPXFjXzEwMDAwMV8xMDAxNDAmaXY9MCZqPTMxJms9MTgwOTMyMzAxJmtwPTRlM2FlNDE1YTU4NDc0OGFjOWFhMzE2MjhmMzlkMWU4Jm49NDc5NTMxMDAwJm89MSZwPTEwMDAwMDAwMDAzODEmcT01MDAwMDAwOTI3NTU4JnI9YzQ4ODllNjRhZDlkOWVlYjlmZjQzODkxMDg1MGM0NDImcnQ9MTQ2NzM1MzExMyZzPWFlYTU2YTgwOGZjOTJlZjM2MDUxOTEyMTk0OGUwZjI3JnN2PTQuMTAuMDA0JnU9MSZ1cD0mdj01MDAwMDAwODU5MTI0JnZlPTEmdz0yLDMgSFRUUC8xLjENCkFjY2VwdC1MYW5ndWFnZTogemgtQ04NClJlZmVyZXI6IGh0dHA6Ly93d3cuaXFpeWkuY29tL2NvbW1vbi9mbGFzaHBsYXllci8yMDE0MDkyNC9NYWluUGxheWVyXzVfMl8zX2MzXzJfMV82LnN3Zg0KcXlpZDogYWFvZWZkdHFnZmRlcHhjMnRudjNwaXVjZ2NiNGVvZm4NCnF5cGlkOiBfMjAxMg0KcXlwbGF0Zm9ybTogMC0yDQp4LWZsYXNoLXZlcnNpb246IDEyLDAsMCw3MA0KQWNjZXB0OiAqLyoNClByYWdtYTogbm8tY2FjaGUNCkNhY2hlLUNvbnRyb2w6IG5vLWNhY2hlDQpDb25uZWN0aW9uOiBLZWVwLUFsaXZlDQpVc2VyLUFnZW50OiBNb3ppbGxhLzQuMCAoY29tcGF0aWJsZTsgTVNJRSA4LjA7IFdpbmRvd3MgTlQgNi4xOyBXT1c2NDsgVHJpZGVudC80LjA7IFNMQ0MyOyAuTkVUIENMUiAyLjAuNTA3Mjc7IC5ORVQgQ0xSIDMuNS4zMDcyOTsgLk5FVCBDTFIgMy4wLjMwNzI5OyBNZWRpYSBDZW50ZXIgUEMgNi4wKS9RWS1QbGF5ZXItV2luZG93cy8yLjAuMTAyDQpIb3N0OiBhcGkuY3VwaWQuaXFpeWkuY29tDQpDb29raWU6IHBwc19jbGllbnRfdmVyMj01LjIuMTUuMjI0MDsgVDAwNDA0PTRlM2FlNDE1YTU4NDc0OGFjOWFhMzE2MjhmMzlkMWU4OyBfcHBzX2l2aT1WazQ5TVRZd05UQTFMYVcvcFBtaFJ6OC9QNlRhcEVlbXVEOC9wTSt3Wmo4dHBMV3gzemd3cGxvL3BHYW9jU1pXVUQweEpsWkRQVDgvUHo4K3BMV3gzemd3cGxvL3BHYW9jU1pXU2owdE1TWldVejFRSmxaRVBTWldWRnRCWFQweU1UYzFKbFpOUFNaV1ZqMDFMakl1TVRVdU1qSTBNQ1pXVlQxb2RIUndPaTh2ZDNkM0xtbHhhWGxwTG1OdmJTOTJYekU1Y25K"} @@ -355,7 +355,7 @@ 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1149,"source":"pps.pcap","alias":"nDPId-test","flow_id":82,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189363217,"flow_src_last_pkt_time":1467353189363217,"flow_dst_last_pkt_time":1467353189363217,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":892,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":892,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":892,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353189363217,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"202.108.14.236","src_port":50504,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01702{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1149,"source":"pps.pcap","alias":"nDPId-test","flow_id":82,"flow_packet_id":1,"flow_src_last_pkt_time":1467353189363217,"flow_dst_last_pkt_time":1467353189363217,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":946,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":946,"pkt_l4_len":912,"thread_ts_usec":1467353189363217,"pkt":"TF4M6gNlABxCjnAxCABFAAOkLbJAAIAGvJjAqHMIymwO7MVIAFBYgFOZMQ8QiVAYQTddVQAAR0VUIC9jcDIuZ2lmP2E9NGUzYWU0MTVhNTg0NzQ4YWM5YWEzMTYyOGYzOWQxZTgmYWk9JmFzPTE6NDU6MjN8NDUmYXY9NC4xMC4wMDQmYj0xODA5MzIzMDEmYz0zMSZjdD01MDAwMDAwOTIzNDQ3JmQ9MjE3NSZkaT0mZHA9NzEwMDAwMDEmZT1jNDg4OWU2NGFkOWQ5ZWViOWZmNDM4OTEwODUwYzQ0MiZlYz0mZW09JmZpPSZnPTAmbD1NVEU0TGpFMk15NDRMamt3Jm1rPSZudz0mb2Q9NTAwMDAwMDg1NDkzNCZvaT0mcD1hJnBwPSZyYz0mcmQ9JnJpPSZzPTE0NjczNTMxODcwNTMmc2g9JnNxPSZzdz0mdD0zcSZ1PTBfYWFvZWZkdHFnZmRlcHhjMnRudjNwaXVjZ2NiNGVvZm4mdj00Nzk1MzEwMDAmdnY9NS4yLjE1LjIyNDAmeD0meT1xY18xMDAwMDFfMTAwMTQwIEhUVFAvMS4xDQpBY2NlcHQtTGFuZ3VhZ2U6IHpoLUNODQpSZWZlcmVyOiBodHRwOi8vd3d3LmlxaXlpLmNvbS9jb21tb24vZmxhc2hwbGF5ZXIvMjAxNDA5MjQvTWFpblBsYXllcl81XzJfM19jM18yXzFfNi5zd2YNCnF5aWQ6IGFhb2VmZHRxZ2ZkZXB4YzJ0bnYzcGl1Y2djYjRlb2ZuDQpxeXBpZDogXzIwMTINCnF5cGxhdGZvcm06IDAtMg0KeC1mbGFzaC12ZXJzaW9uOiAxMiwwLDAsNzANCkFjY2VwdDogKi8qDQpQcmFnbWE6IG5vLWNhY2hlDQpDYWNoZS1Db250cm9sOiBuby1jYWNoZQ0KQ29ubmVjdGlvbjogS2VlcC1BbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS80LjAgKGNvbXBhdGlibGU7IE1TSUUgOC4wOyBXaW5kb3dzIE5UIDYuMTsgV09XNjQ7IFRyaWRlbnQvNC4wOyBTTENDMjsgLk5FVCBDTFIgMi4wLjUwNzI3OyAuTkVUIENMUiAzLjUuMzA3Mjk7IC5ORVQgQ0xSIDMuMC4zMDcyOTsgTWVkaWEgQ2VudGVyIFBDIDYuMCkvUVktUGxheWVyLVdpbmRvd3MvMi4wLjEwMg0KSG9zdDogbXNnLjcxLmFtDQoNCg=="} 01543{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1149,"source":"pps.pcap","alias":"nDPId-test","flow_id":82,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189363217,"flow_src_last_pkt_time":1467353189363217,"flow_dst_last_pkt_time":1467353189363217,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":892,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":892,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":892,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353189363217,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"202.108.14.236","src_port":50504,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":17,"category":"Streaming","hostname":"msg.71.am","http": {"url":"msg.71.am\/cp2.gif?a=4e3ae415a584748ac9aa31628f39d1e8&ai=&as=1:45:23|45&av=4.10.004&b=180932301&c=31&ct=5000000923447&d=2175&di=&dp=71000001&e=c4889e64ad9d9eeb9ff438910850c442&ec=&em=&fi=&g=0&l=MTE4LjE2My44Ljkw&mk=&nw=&od=5000000854934&oi=&p=a&pp=&rc=&rd=&ri=&s=1467353187053&sh=&sq=&sw=&t=3q&u=0_aaoefdtqgfdepxc2tnv3piucgcb4eofn&v=479531000&vv=5.2.15.2240&x=&y=qc_100001_100140","code":0,"content_type":"","user_agent":"Mozilla\/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident\/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0)\/QY-Player-Windows\/2.0.102","detected_os":"Windows 7"}}} -01659{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1178,"source":"pps.pcap","alias":"nDPId-test","flow_id":81,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1467353189325739,"flow_src_last_pkt_time":1467353189360764,"flow_dst_last_pkt_time":1467353189374572,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":144,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":292,"flow_dst_tot_l4_payload_len":37052,"midstream":1,"thread_ts_usec":1467353189374572,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.19","src_port":50505,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3105.9,"max":35765,"stddev":9210.9,"var":84839944.0,"ent":1.8,"data": [2901,35025,35765,2,54,1038,2,1,1,1,1,1,4098,1,1,1,1,557,2,1,1,4317,82,1,1,1,1]},"pktlen": {"min":198,"avg":1221.0,"max":1314,"stddev":293.9,"var":86398.0,"ent":4.9,"data": [198,566,202,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02058{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1178,"source":"pps.pcap","alias":"nDPId-test","flow_id":81,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":30,"flow_first_seen":1467353189325739,"flow_src_last_pkt_time":1467353189360764,"flow_dst_last_pkt_time":1467353189374572,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":144,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":148,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":292,"flow_dst_tot_l4_payload_len":37052,"midstream":1,"thread_ts_usec":1467353189374572,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.19","src_port":50505,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3105.9,"max":35765,"stddev":9210.9,"var":84839944.0,"ent":1.8,"data": [2901,35025,35765,2,54,1038,2,1,1,1,1,1,4098,1,1,1,1,557,2,1,1,4317,82,1,1,1,1]},"pktlen": {"min":184,"avg":1207.0,"max":1300,"stddev":293.9,"var":86398.0,"ent":4.9,"data": [184,552,188,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300]},"bins": {"c_to_s": [0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,29,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.565698147,5.713972092,5.579771042,4.387238026,0.303162068,0.301623583,3.732781410,6.116701126,5.907885075,6.110567570,6.000755787,6.220743179,6.106208801,5.965834141,6.086260319,5.932269096,6.297639847,6.179096699,6.268159389,6.412519932,5.845352650,6.157920837,6.009664059,6.058042526,6.120846272,6.430628300,6.278068542,5.995249271,6.119624615,6.003195763,6.359897137,6.283394337]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1393,"source":"pps.pcap","alias":"nDPId-test","flow_id":83,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189784236,"flow_src_last_pkt_time":1467353189784236,"flow_dst_last_pkt_time":1467353189784236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":431,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":431,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353189784236,"l3_proto":"ip4","src_ip":"192.168.5.38","dst_ip":"239.255.255.250","src_port":1900,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 01075{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1393,"source":"pps.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":1,"flow_src_last_pkt_time":1467353189784236,"flow_dst_last_pkt_time":1467353189784236,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":473,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":473,"pkt_l4_len":439,"thread_ts_usec":1467353189784236,"pkt":"AQBef\/\/6cBiLE+IdCABFAAHLI6UAAAER3rTAqAUm7\/\/\/+gdsB2wBt3SETk9USUZZICogSFRUUC8xLjENCkhvc3Q6MjM5LjI1NS4yNTUuMjUwOjE5MDANCk5UOnVwbnA6cm9vdGRldmljZQ0KTlRTOnNzZHA6YWxpdmUNCkxvY2F0aW9uOmh0dHA6Ly8xOTIuMTY4LjUuMzg6Mjg2OS91cG5waG9zdC91ZGhpc2FwaS5kbGw\/Y29udGVudD11dWlkOjJmNjg4ZWNlLWMwYjEtNDEwNC1iOWU1LWNiY2VlNTAzZTZiNA0KVVNOOnV1aWQ6MmY2ODhlY2UtYzBiMS00MTA0LWI5ZTUtY2JjZWU1MDNlNmI0Ojp1cG5wOnJvb3RkZXZpY2UNCkNhY2hlLUNvbnRyb2w6bWF4LWFnZT05MDANClNlcnZlcjpNaWNyb3NvZnQtV2luZG93cy82LjIgVVBuUC8xLjAgVVBuUC1EZXZpY2UtSG9zdC8xLjANCk9QVDoiaHR0cDovL3NjaGVtYXMudXBucC5vcmcvdXBucC8xLzAvIjsgbnM9MDENCjAxLU5MUzowMDI4NWJjM2MzYmEyMDcwMDdlMWMzYjc2MjFjODQ3Ng0KDQo="} 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1393,"source":"pps.pcap","alias":"nDPId-test","flow_id":83,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353189784236,"flow_src_last_pkt_time":1467353189784236,"flow_dst_last_pkt_time":1467353189784236,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":431,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":431,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":431,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353189784236,"l3_proto":"ip4","src_ip":"192.168.5.38","dst_ip":"239.255.255.250","src_port":1900,"dst_port":1900,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"239.255.255.250:1900"}} @@ -441,7 +441,7 @@ 01085{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1461,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353196856069,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196856069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353196856069,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50778,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"preimage1.qiyipic.com","http": {"url":"preimage1.qiyipic.com\/preimage\/20160506\/f0\/1f\/v_110359998_m_611_160_90_1.jpg?no=1","code":0,"content_type":"","user_agent":"Qiyi List Client PC 5.2.15.2240"}}} 02213{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1462,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_packet_id":2,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196917508,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353196917508,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUDjVAADgGss\/fGmoUwKhzCABQxlp7yE3nmzJ751AQAB9cGQAASFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IFFXUw0KRGF0ZTogRnJpLCAwMSBKdWwgMjAxNiAwNjowNjozNiBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDY2MTIxMQ0KQ29ubmVjdGlvbjogY2xvc2UNCkV4cGlyZXM6IEZyaSwgMDUgTWF5IDIwMTcgMTc6MzU6NTUgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTMxNTM2MDAwDQpBY2NlcHQtUmFuZ2VzOiBieXRlcw0KTGFzdC1Nb2RpZmllZDogVGh1LCAwNSBNYXkgMjAxNiAxNjoyMzo1NSBHTVQNClgtQ2FjaGU6IGZyb20gMTI3LjAuMC4xDQpBZ2U6IDQ4ODM0NDENClZpYTogaHR0cC8xLjEgUVRTIChRVFMgW2NIcyBmIF0pDQpYLUNhY2hlOiBmcm9tIDEwLjIyMS4zMi4yMTYNClgtQ2FjaGU6IE1JU1MgZnJvbSAyMjMuMjYuMTA2LjIwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/9sAQwADAgIDAgIDAwMDBAMDBAUIBQUEBAUKBwcGCAwKDAwLCgsLDQ4SEA0OEQ4LCxAWEBETFBUVFQwPFxgWFBgSFBUU\/9sAQwEDBAQFBAUJBQUJFA0LDRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU\/\/4AC3FpeWkxLjAuM\/\/AABEIA4QGQAMBIgACEQEDEQH\/xAAeAAACAwADAQEBAAAAAAAAAAAGBwQFCAIDCQABCv\/EAHAQAAEDAwMCAwUEBAoDCgcAIwECAwQFBhEAEiEHMRMiQQgUUWFxFSMygUKRobEJFiQzUmJywdHwJYLhFzRDc5KywsTS1CY1U2Oiw\/EYNkR0g4aTlKSz01RWZGZ1doSjtBknRUZVhZWWxdW14jdXZf\/EAB0BAAIDAQEBAQEAAAAAAAAAAAUGAwQHAgEIAAn\/xABKEQACAQMDAQUEBwYFAwQBAQkBAgMABBEFEiExBhMiQVEUYXGRIzKBobHB0QcVJELh8DM0UmJyFiXxJjU2Q4KSF0RTc6LCY7LS\/9oADAMBAAIRAxEAPwDytAyeNWtFoU6vyTFgRlSXcbsJ9B8fl+eqxHqdN32eupf+5vW5UmPVHaHUHUpMapNHCmlDdxnBxnP7NTSEouRRHT4I7mdYpW2g0MdQukl49JKsmm3fb0+gS3BuZ97aKUPpwDubWPK4MKHKVEc6GfB+71qP21vapV7RkmgxSmNKRQ8iNNSkh8JU22lxLigdq962\/E4T5c4BOs+RYyXt+9GvEJIzXtxb9zIY85++q2mvKhvb0f6yf6Q1fvM+8sb2vwajqp2x9KEaMLI6f1e5vG9xjq92\/SfdVsZCvmo9z8k5+mpopSG2jmvYSyHaelDtuyUwH0vLXs82ngvqqxcNDk0eP4PljJZU\/wCH5nMjBx9B66X\/AFL6K3H04lNe+x25cNxhuQ3JiKK0bVDI3DgpPxyPz0GUyqzaa9vjp93WrCfER6D4jRLayjnijVvclPAKOG4EOlTUKQvwv6qv0vppy2vUkLpxXv3o2+XSltd5ittlC0KkPf8ACSZPJ47AZ9NGTdbjURtq"} 02220{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1463,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_packet_id":3,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196917511,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353196917511,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUDjZAADgGss7fGmoUwKhzCABQxlp7yFLTmzJ751AQAB+1AQAAFHWnfu3ebsPmflqKi8LbOppt0aSln8a0oQnzOKX6fXTzo\/s7tX30MrdPrafdJ9wOpqEVa0+eCttATGWR8cDKh8HCNIf2Y7kse++qsW3Z9ZRJmISqRHhlv7ua8gbtu88KwMqCRndtPwwr0FYe3t6IW8WfGaEajdpKO6T7a8f7q6eXHYM73S46PKpTyVFtK32z4SyP6Dn4VD6HUejUGdXqrT6VTI\/vdSmvtxYrHiJaC1rVtGVnhKfUlR4AJ16QVv3OsV+5oM2OzU4HhtpejSW0raWT2G05\/CnHPx0obh9myNSbjod09Pap\/FmsUupt1BtqSFvxFhIVlBSDuGc4POMZxg6\/XEcyITHyaXYrUM4B6Gst3D0dv22KjesSo2u6f4mtIdrsiFKafZjNrwULQrI8Tck7ylIyACVAaiTOjt7U2gUet1O2pFNpVZYVKp8lx5twPNBIWVHYo+Gdp3bV4OAT6a0xfk3q\/SqN1XjzmEVOHe7qXEyae+XGKY3w2pLbYTkbmQG1KIB8iTyd2lNevUKq1roxZ9hNOOsfYa1eNIShLQeSlstNIGw5O1CnASr8W7nOlh7u7jOGFMEOl2hfEkoApQO9P60p+VHRCeW9Ec2SG0srUtlWCdqwE+U4B4Vj8OhesUp+lSlx5aPCeR+JH6Q5wQfgc8YOmdXrjbcYne5Ux2lTJLiXHJbVVkuLOM\/i3K8xIJGVZ+Whhi7ZNK97Rs94XJTtcddcO4\/iJyfiSrOdXLa6mdvGK5v7Kygi320m41QWoypc57\/iT+8apK8zsqsv\/jDpm2pcKnrVl09bSdkbwvvd310AXb\/41P8AxaP3aMQybnNCnTFuDTCmX\/AehhjDIbSAPKnVJGrkeoyvd4EUynsZ2oT6D4nPH5n5aB6xc36KEI3fQaNvZ9v2pWncEydBmyKVU3Ep92qEfylsjdxnHGd37OdCJbRljMvU0q6Zo8N7cql0+1T5129VKLc\/Syqil3Xa9Qt6Y4kqZEyPtQ+njzNODyuDBTkpJxuGdLxuRMrLm2NCed3f0Ua2H7T3WGX7SU6g\/bURj3OhpKYcnGJKkqabS6HFA7Vblo8TAAx2ydKmO5DpLKWocZKNv6WdWraPwBzwa8vLeGwmMKDcR6HNLKkWS6k+LPgSD8vTRRGTIZ2tQ6a6P7RGNXc64okVKlPvo+m7QlVup7Dfkjqb\/I6u7iPOh+55T9XirgVKTSfPK4\/qJc1El3vLmJU2xD\/1lk6Cn788Zwq2hav62Tr4Xw5t8qUj\/V1x3j\/y8VaEMnklWFQg1yY2l9X3TKzhPwOO\/wCrOulNLqCW9q5pS38E5xrn\/HR+bQfdURl+9Ik+MiUCQkp27S3t7ZJwd2dc7URUalWIrlTZe+yVFXiOKSdnrjJHzx664DsR1oitrcEgAYqJ4K4v4Xx+rXwlFKfM\/wDs0YdYLVi2\/R6VPpjS\/DlZS67HytltSOVZVk4J3JIB+fOlYZC9vm8356mTGM1O9q8bbSc1bSFNq3bXV7tdLCXHlbfHA4yVHOAB+v8AdqvebmNspfcQUtr7HXFp7wVbtxV6HUrHCHb1qxDGAw39KNZfTyrU1Q94TGRmImaFLfH8yr8Kvz+HfUumWDVqp44YfiL8BxDToEgJCFKKgkHPx2q5Hw510nqOxJTJT\/Fqmp8SP7sOM+HyrCx\/X8xyeO6vUjFt"} -01674{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1492,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353196856069,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196981279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353196981279,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50778,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":4815.8,"max":61439,"stddev":13558.3,"var":183828400.0,"ent":1.8,"data": [61439,3,3,1,1,30336,2,1,1,25868,1,484,2,1,1,574,2,3519,3,772,1,1,1,1,1,2191]},"pktlen": {"min":303,"avg":1282.4,"max":1314,"stddev":175.9,"var":30943.1,"ent":5.0,"data": [303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02073{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1492,"source":"pps.pcap","alias":"nDPId-test","flow_id":102,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353196856069,"flow_src_last_pkt_time":1467353196856069,"flow_dst_last_pkt_time":1467353196981279,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353196981279,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50778,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":4815.8,"max":61439,"stddev":13558.3,"var":183828400.0,"ent":1.8,"data": [61439,3,3,1,1,30336,2,1,1,25868,1,484,2,1,1,574,2,3519,3,772,1,1,1,1,1,2191]},"pktlen": {"min":289,"avg":1268.4,"max":1300,"stddev":175.9,"var":30943.1,"ent":5.0,"data": [289,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300]},"bins": {"c_to_s": [0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.680209637,7.104508400,7.815409660,7.799874306,7.795087337,7.821745396,7.813271046,7.853199959,7.800473690,7.816552639,7.802090645,7.825591564,7.808625698,7.787723064,7.801823139,7.815733910,7.747669697,7.812804699,7.828133106,7.820801258,7.831765652,7.796298027,7.782429695,7.798837185,7.797708988,7.815753460,7.803283215,7.828951836,7.803116322,7.810623646,7.793246269,7.812668324]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1601,"source":"pps.pcap","alias":"nDPId-test","flow_id":103,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353197131515,"flow_src_last_pkt_time":1467353197131515,"flow_dst_last_pkt_time":1467353197131515,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":133,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353197131515,"l3_proto":"ip4","src_ip":"192.168.115.1","dst_ip":"239.255.255.250","src_port":50945,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00680{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1601,"source":"pps.pcap","alias":"nDPId-test","flow_id":103,"flow_packet_id":1,"flow_src_last_pkt_time":1467353197131515,"flow_dst_last_pkt_time":1467353197131515,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1467353197131515,"pkt":"AQBef\/\/6dNArkea6CABFAAChc\/sAAAERIa3AqHMB7\/\/\/+scBB2wAjWbYTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSG9zdDoyMzkuMjU1LjI1NS4yNTA6MTkwMA0KU1Q6dXJuOnNjaGVtYXMtdXBucC1vcmc6ZGV2aWNlOkludGVybmV0R2F0ZXdheURldmljZToxDQpNYW46InNzZHA6ZGlzY292ZXIiDQpNWDozDQoNCg=="} 00901{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1601,"source":"pps.pcap","alias":"nDPId-test","flow_id":103,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353197131515,"flow_src_last_pkt_time":1467353197131515,"flow_dst_last_pkt_time":1467353197131515,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":133,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353197131515,"l3_proto":"ip4","src_ip":"192.168.115.1","dst_ip":"239.255.255.250","src_port":50945,"dst_port":1900,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"239.255.255.250:1900"}} @@ -457,7 +457,7 @@ 01085{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1998,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353198532645,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198532645,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353198532645,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50780,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming","hostname":"preimage1.qiyipic.com","http": {"url":"preimage1.qiyipic.com\/preimage\/20160506\/f0\/1f\/v_110359998_m_611_160_90_2.jpg?no=2","code":0,"content_type":"","user_agent":"Qiyi List Client PC 5.2.15.2240"}}} 02225{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1999,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_packet_id":2,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198595498,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353198595498,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUAJVAADgGwG\/fGmoUwKhzCABQxlwKAEr9wq8jr1AQAB\/+YwAASFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IFFXUw0KRGF0ZTogRnJpLCAwMSBKdWwgMjAxNiAwNjowNjozOCBHTVQNCkNvbnRlbnQtVHlwZTogaW1hZ2UvanBlZw0KQ29udGVudC1MZW5ndGg6IDY4MDQ1Mw0KQ29ubmVjdGlvbjogY2xvc2UNCkV4cGlyZXM6IEZyaSwgMDUgTWF5IDIwMTcgMTc6MzU6NTYgR01UDQpDYWNoZS1Db250cm9sOiBtYXgtYWdlPTMxNTM2MDAwDQpBY2NlcHQtUmFuZ2VzOiBieXRlcw0KTGFzdC1Nb2RpZmllZDogVGh1LCAwNSBNYXkgMjAxNiAxNjoyMzo1NSBHTVQNClgtQ2FjaGU6IGZyb20gMTI3LjAuMC4xDQpBZ2U6IDQ4ODM0NDINClZpYTogaHR0cC8xLjEgUVRTIChRVFMgW2NIcyBmIF0pDQpYLUNhY2hlOiBmcm9tIDEwLjIyMS4zMi4yMTYNClgtQ2FjaGU6IE1JU1MgZnJvbSAyMjMuMjYuMTA2LjIwDQoNCv\/Y\/+AAEEpGSUYAAQEAAAEAAQAA\/9sAQwADAgIDAgIDAwMDBAMDBAUIBQUEBAUKBwcGCAwKDAwLCgsLDQ4SEA0OEQ4LCxAWEBETFBUVFQwPFxgWFBgSFBUU\/9sAQwEDBAQFBAUJBQUJFA0LDRQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQU\/\/4AC3FpeWkxLjAuM\/\/AABEIA4QGQAMBIgACEQEDEQH\/xAAeAAACAwADAQEBAAAAAAAAAAAGBwQFCAIDCQABCv\/EAG8QAAEDAwMCBAMEBAgGDQUCHwECAwQFBhEAEiEHMQgTIkEUUWEVMnGBI0KRoQkWJFJyscHRJTNigsPwFyY0Q3OSssLE0tTh8TVThqKz0xg2RGODhIWTo6S0J1RkdHWURnYZN0VVVmVmlZbF4tUp\/8QAHQEAAgMBAQEBAQAAAAAAAAAABQYDBAcCAQgACf\/EAEcRAAIBAwMBBgMGAwcEAQMCBwECAwAEEQUSITEGEyJBUWEUcYEjMpGhsdEVweEHJDNCUmLwFiVy8SY0Q1NzNYKyosJjg9L\/2gAMAwEAAhEDEQA\/APMptJVH130SjzK1ODEJhT7nfaPYfU\/36sLbZpa5kcVlcxmmZPnLp7aFPYwcbQogZzjufnpudML6tTppWVy7NuK4oNWd+7OqUFmN5GAcbVNvOHnPOQB9dazqvexW8bxLlgK902GK6uRDM20HzpX9Quk14dJ6+mm3hbs635Lw8xn4xrah5PHqbX91wcpyUk9+dVO39FrVXio8T1teJOo0iFdEycw1Qk4p82j0xuVIUFNoS8h5S32knctsODaDjdjSXTR+mhR\/8EV3\/wCdb0Q\/9O132ZlLRu0gOSfSoNQiW2mMQOflzSwqSfu64U5Pq0xp1E6YHG+6LuT\/AOjUX\/t+umJROmSVei6rsV+Nsxv+36hlUfxbf5VSDjZ0oKmp\/Qq120RP8lV+OjiVR+nKm1brouhH\/ozGP\/T9fU2j9O0x1eXdVzrTnv8AxYj8f\/R+j\/fKmqCTB+6fKoi+UxQFTU+pz8TqJKZP2n+f9+mRBo\/Tncry7suVfJ\/\/AAYYH\/T9R36H02+L3Ku250q+"} 02234{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2000,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_packet_id":3,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198595505,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1314,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1314,"pkt_l4_len":1280,"thread_ts_usec":1467353198595505,"pkt":"ABxCjnAxTF4M6gNlCABFAAUUAJZAADgGwG7fGmoUwKhzCABQxlwKAE\/pwq8jr1AQAB8TPwAAQtiP\/X8fofczLJZRL\/v\/AJ10rgMaH2Gf0Z1VVRnTPjUywEtnbclzqH\/4txv+36rp9H6bKz5tz3WP6Nsxj\/0\/TXrE0cmn7QD09DVaNjvoBpjfp1znU2VIcOxhxTO3cpxDZUEjnvgfQ9\/kdMGm0bpqlI2XLdrn\/o5FH\/T9HQ6yUG2uklRsGHVriXDly3XBJfo0UFplaUZbSBKJGVpWo+rH6Q8ZJ0lao8w0NVtwc5GeOMfOiVqYmnxKcCg6odBbrtWm0V+ox2Gm6o0XGFCU2spISpRQ4kEqaWEDdtWEn8+Nc5fQi6E7EFMNCluIaAMtGQpRwnPJ4ORydHnUzrNSes\/2KupyKzGZp0NDO+PSY6nZDqRtLrizKHcfvJ1Uzn6DNoUaGmnXP5aWkJakx7dYSp1KVbgorEkhWT3Iz31Qgve0ENiqumF8sjyo+kejk5Lkmq1fhC6hU9DqlM0xzccFLc9ClcKAPGP8odtLOv2vPs6vzKPUUoTMiq2u+UrekH6Ht+zTeVVqHU0T0NWpcm6WzjezbzSVoHqTvQQ7nPqwT+3Vr0XtGkXqK5FtuDc9TktNIVML8unxEoQd4QEl1RGSQc89wNRaRfTWzCa7P2a+f1qneLaFMW2S1Z3nt418lHoT+Gtf0\/wxVG94D1sU62a09IhOtMeWu5qQlYdU0h0cc7glDyCvafzJ1lao0ldLnTYT6C29FecYcRuC9qkKKVDI4OCDyANaFpeo2mrXEq27ZIFBGR41BcYodQCY6tSKJSJlZnCPBjqfe+8Up9h+P9+rC3GqUufH+2lzG6Zk+caelCnsYONoUQO+O5+em50yvu0umdZVMs64rip1Wd5TOqMNmP5GAcbVNuuHnPO4AfXSjqxlggSSJcsBRTTYYrq5EMzbQfOlb1E6TXh0kryKbeFuz7flPArZ+MaKUPp49Ta\/uuD1J5ST351UJb9OtW+KrxO2z4lKjR4d0TZzTVCTtp02jU5qTIUFtoS8l5a32knctsLG1JxuxnSURR+mpSn\/AA\/d6f8A5QxD\/wBN1x2ZlLJIzqck+lQ6hCLeXuwQcenNLCop241wgJ3uaZU2i9MDjfct3J\/9HIh\/6frpi0bpilz0XPdh\/G2ov\/b9cygfxbd5VSD+DFA0xH6PUijJ\/krn46NplG6cKbO66LpH4WzGP\/T9cqZSOnaWHPKue6Fc\/wD7Mxh\/0\/R8TKmqB8H7p8jUJbKYoCpbf6RzPz\/t1Ekt\/wCESPqNMaDRunO9zy7nuhfz\/wBrMf8A7frpfofTb4w7rqugOZ7fxZjH9\/x+hlzMr2US\/wC\/+ddK\/iPFDjDPp1VVNs86aLFM6fBO1Nx3Qf8A0cjf9v1XzaN02P8Ajbmuwf0bai\/9v026vPFLp+1c9PQ1DGWDcil9SmztPOu6bTZMhYUhhxTIG5TiW1KCRz3wD\/qNHtOpHTNI\/RXDdzv\/AKOxU\/8ATjo5HWShW10lqVgw6ncTkOXLecTJk0mNlthaEZbAEknJWlajzj1n3J0l6o8x0RVtwc5GeOMfOiFr3bT4mOBQhUOgl1WpTaK\/UY0dpuqtFxgolNrUkhKlFDiAoqaVtGcLA\/brnK6FXQnCFIhoUtxLQCpSM7lHCQRk98jv20ddTes1M60fYqqm9WIrNOhts741LjqdkOgbS64syR3H7yc6qZ0mhzKDFi\/ZdylkMIQ1"} -01675{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2029,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353198532645,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198686720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353198686720,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50780,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":5706.5,"max":62853,"stddev":16390.1,"var":268635424.0,"ent":1.7,"data": [62853,7,1,1,1,1,28633,3,1,57886,1,1,29,1,1,276,1,311,1,3236,49,2,773,2,1,1,2]},"pktlen": {"min":303,"avg":1282.4,"max":1314,"stddev":175.9,"var":30943.1,"ent":5.0,"data": [303,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314,1314]},"bins": {"c_to_s": [0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} +02074{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2029,"source":"pps.pcap","alias":"nDPId-test","flow_id":105,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":1467353198532645,"flow_src_last_pkt_time":1467353198532645,"flow_dst_last_pkt_time":1467353198686720,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":1260,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":39060,"midstream":1,"thread_ts_usec":1467353198686720,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50780,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":5706.5,"max":62853,"stddev":16390.1,"var":268635424.0,"ent":1.7,"data": [62853,7,1,1,1,1,28633,3,1,57886,1,1,29,1,1,276,1,311,1,3236,49,2,773,2,1,1,2]},"pktlen": {"min":289,"avg":1268.4,"max":1300,"stddev":175.9,"var":30943.1,"ent":5.0,"data": [289,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300,1300]},"bins": {"c_to_s": [0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,31,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.692187786,7.093656063,7.763891220,7.770260334,7.793470383,7.754670143,7.762333870,7.736806870,7.762505054,7.806702614,7.785463810,7.806148052,7.807487488,7.792947292,7.799264908,7.823724270,7.810103416,7.827909470,7.809601784,7.808609962,7.806282997,7.797142029,7.799598694,7.803467274,7.787366390,7.806374073,7.817587852,7.813340664,7.816604614,7.807970047,7.816948891,7.823331356]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.PPStream","proto_id":"7.54","encrypted":0,"breed":"Fun","category_id":17,"category":"Streaming"}} 00906{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2397,"source":"pps.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":0,"flow_first_seen":1467353152692906,"flow_src_last_pkt_time":1467353167734702,"flow_dst_last_pkt_time":1467353152692906,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":798,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1467353199312861,"l3_proto":"ip4","src_ip":"192.168.5.57","dst_ip":"239.255.255.250","src_port":59648,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00806{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2456,"source":"pps.pcap","alias":"nDPId-test","flow_id":98,"flow_packet_id":2,"flow_src_last_pkt_time":1467353196348641,"flow_dst_last_pkt_time":1467353199417673,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":275,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":275,"pkt_l4_len":241,"thread_ts_usec":1467353199417673,"pkt":"ABxCjnAxTF4M6gNlCABFAAEF4D5AADEGSkB7fW9GwKhzCABQxlcB794psg4Z21AYPLiOgAAASFRUUC8xLjEgMjAwIE9LDQpTZXJ2ZXI6IFRlbmdpbmUNCkRhdGU6IEZyaSwgMDEgSnVsIDIwMTYgMDY6MDY6MzggR01UDQpDb250ZW50LVR5cGU6IHRleHQvcGxhaW47Y2hhcnNldD1VVEYtOA0KQ29udGVudC1MZW5ndGg6IDI5DQpDb25uZWN0aW9uOiBjbG9zZQ0KQWNjZXNzLUNvbnRyb2wtQWxsb3ctQ3JlZGVudGlhbHM6IHRydWUNCg0KeyJkYXRhIjp0cnVlLCJjb2RlIjoiQTAwMDAwIn0="} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2545,"source":"pps.pcap","alias":"nDPId-test","flow_id":106,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1467353200271229,"flow_src_last_pkt_time":1467353200271229,"flow_dst_last_pkt_time":1467353200271229,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":249,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":249,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":249,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1467353200271229,"l3_proto":"ip4","src_ip":"192.168.115.8","dst_ip":"223.26.106.20","src_port":50781,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -616,9 +616,9 @@ ~~ total active/idle flows...: 107/107 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6323258 bytes -~~ total memory freed........: 6323258 bytes -~~ total allocations/frees...: 126038/126038 +~~ total memory allocated....: 6337810 bytes +~~ total memory freed........: 6337810 bytes +~~ total allocations/frees...: 126145/126145 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars ~~ json string max len.......: 2241 chars diff --git a/test/results/pptp.pcap.out b/test/results/pptp.pcap.out index e298ae155..efd813c1b 100644 --- a/test/results/pptp.pcap.out +++ b/test/results/pptp.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038385 bytes -~~ total memory freed........: 6038385 bytes -~~ total allocations/frees...: 121512/121512 +~~ total memory allocated....: 6038521 bytes +~~ total memory freed........: 6038521 bytes +~~ total allocations/frees...: 121513/121513 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 906 chars diff --git a/test/results/psiphon3.pcap.out b/test/results/psiphon3.pcap.out index 054b58d7a..0cf97c13b 100644 --- a/test/results/psiphon3.pcap.out +++ b/test/results/psiphon3.pcap.out @@ -7,7 +7,7 @@ 01170{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":6,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079143404,"flow_dst_last_pkt_time":1613865079140404,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1613865079143404,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"2d703033628575a99d44820c43b84876","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01233{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":5,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079144402,"flow_dst_last_pkt_time":1613865079168363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1613865079168363,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Cloudflare","proto_id":"91.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01528{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079144402,"flow_dst_last_pkt_time":1613865079168363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":2422,"midstream":0,"thread_ts_usec":1613865079168363,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"","tls": {"version":"TLSv1.2","server_names":"sni.cloudflaressl.com,psiphon3.net,*.psiphon3.net","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3","subjectDN":"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com","alpn":"h2,http\/1.1","fingerprint":"49:30:DE:8F:B7:AF:C3:76:40:09:44:15:B4:6B:D9:8F:BE:0C:6B:0C"}}} -01517{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":998,"avg":10543.0,"max":46102,"stddev":11726.4,"var":137508352.0,"ent":3.6,"data": [6003,17375,14372,998,15961,7000,4998,3002,27963,1997,2998,1002,7002,25852,1389,4047,20760,1037,46102,1001]},"pktlen": {"min":40,"avg":277.5,"max":1500,"stddev":421.9,"var":177964.3,"ent":3.8,"data": [60,60,52,52,40,208,40,208,40,40,1500,1002,1500,1002,40,40,40,40,133,133,40,40,298,109,298,109,40,40,133,417,78,1048]},"bins": {"c_to_s": [10,1,3,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,0,1,1,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0]}} +01916{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":998,"avg":10543.0,"max":46102,"stddev":11726.4,"var":137508352.0,"ent":3.6,"data": [6003,17375,14372,998,15961,7000,4998,3002,27963,1997,2998,1002,7002,25852,1389,4047,20760,1037,46102,1001]},"pktlen": {"min":40,"avg":277.5,"max":1500,"stddev":421.9,"var":177964.3,"ent":3.8,"data": [60,60,52,52,40,208,40,208,40,40,1500,1002,1500,1002,40,40,40,40,133,133,40,40,298,109,298,109,40,40,133,417,78,1048]},"bins": {"c_to_s": [10,1,3,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,2,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0]},"directions": [0,0,1,1,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,0,0],"entropies": [4.559092522,4.559092522,4.801308632,4.801308632,4.780641556,5.412927151,4.780641556,5.412927151,4.780641079,4.780641079,6.953819275,7.189953327,6.953819275,7.189953327,4.780641556,4.780641556,4.780641556,4.780641556,5.944580555,5.944580555,4.780641079,4.780641079,7.039272308,5.966729164,7.039272308,5.966729164,4.730641365,4.730641365,6.272472382,7.310267448,5.370555401,7.811244488]}} 01532{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079254264,"flow_dst_last_pkt_time":1613865079202653,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2038,"flow_dst_tot_l4_payload_len":5498,"midstream":0,"thread_ts_usec":1613865079254264,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"","tls": {"version":"TLSv1.2","server_names":"sni.cloudflaressl.com,psiphon3.net,*.psiphon3.net","ja3":"2d703033628575a99d44820c43b84876","ja3s":"eca9b8f0f3eae50309eaf901cb822d9b","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Cloudflare, Inc., CN=Cloudflare Inc ECC CA-3","subjectDN":"C=US, ST=CA, L=San Francisco, O=Cloudflare, Inc., CN=sni.cloudflaressl.com","alpn":"h2,http\/1.1","fingerprint":"49:30:DE:8F:B7:AF:C3:76:40:09:44:15:B4:6B:D9:8F:BE:0C:6B:0C"}}} 01048{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":62,"source":"psiphon3.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":30,"flow_first_seen":1613865079123029,"flow_src_last_pkt_time":1613865079845431,"flow_dst_last_pkt_time":1613865079841273,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1008,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3700,"flow_dst_tot_l4_payload_len":5574,"midstream":0,"thread_ts_usec":1613865079845431,"l3_proto":"ip4","src_ip":"192.168.0.103","dst_ip":"104.18.151.190","src_port":40557,"dst_port":443,"l4_proto":"tcp","flow_datalink":12,"flow_max_packets":3,"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS.Psiphon","proto_id":"91.303","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":62,"source":"psiphon3.pcap","alias":"nDPId-test","packets-captured":62,"packets-processed":62,"total-skipped-flows":0,"total-l4-payload-len":9274,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1613865079845431} @@ -19,10 +19,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6044156 bytes -~~ total memory freed........: 6044156 bytes -~~ total allocations/frees...: 121559/121559 +~~ total memory allocated....: 6044292 bytes +~~ total memory freed........: 6044292 bytes +~~ total allocations/frees...: 121560/121560 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars -~~ json string max len.......: 1537 chars -~~ json string avg len.......: 1007 chars +~~ json string max len.......: 1921 chars +~~ json string avg len.......: 1188 chars diff --git a/test/results/punycode-idn.pcap.out b/test/results/punycode-idn.pcap.out index 327842ad6..6548007e6 100644 --- a/test/results/punycode-idn.pcap.out +++ b/test/results/punycode-idn.pcap.out @@ -27,9 +27,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6039475 bytes -~~ total memory freed........: 6039475 bytes -~~ total allocations/frees...: 121530/121530 +~~ total memory allocated....: 6039883 bytes +~~ total memory freed........: 6039883 bytes +~~ total allocations/frees...: 121533/121533 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars ~~ json string max len.......: 1020 chars diff --git a/test/results/quic-23.pcap.out b/test/results/quic-23.pcap.out index 765f3ad70..cad510332 100644 --- a/test/results/quic-23.pcap.out +++ b/test/results/quic-23.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046403 bytes -~~ total memory freed........: 6046403 bytes -~~ total allocations/frees...: 121528/121528 +~~ total memory allocated....: 6046539 bytes +~~ total memory freed........: 6046539 bytes +~~ total allocations/frees...: 121529/121529 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2265 chars diff --git a/test/results/quic-24.pcap.out b/test/results/quic-24.pcap.out index df8f58c8b..b3542d630 100644 --- a/test/results/quic-24.pcap.out +++ b/test/results/quic-24.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046184 bytes -~~ total memory freed........: 6046184 bytes -~~ total allocations/frees...: 121523/121523 +~~ total memory allocated....: 6046320 bytes +~~ total memory freed........: 6046320 bytes +~~ total allocations/frees...: 121524/121524 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2198 chars diff --git a/test/results/quic-27.pcap.out b/test/results/quic-27.pcap.out index b5f0937a8..a0ed862be 100644 --- a/test/results/quic-27.pcap.out +++ b/test/results/quic-27.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046565 bytes -~~ total memory freed........: 6046565 bytes -~~ total allocations/frees...: 121529/121529 +~~ total memory allocated....: 6046701 bytes +~~ total memory freed........: 6046701 bytes +~~ total allocations/frees...: 121530/121530 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2338 chars diff --git a/test/results/quic-28.pcap.out b/test/results/quic-28.pcap.out index 17b7761f5..f2ac155e9 100644 --- a/test/results/quic-28.pcap.out +++ b/test/results/quic-28.pcap.out @@ -5,7 +5,7 @@ 01103{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267474847575,"flow_dst_last_pkt_time":1591267474847575,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1200,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1200,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1591267474847575,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.wireshark.org","quic": {"tls": {"version":"TLSv1.3","ja3":"1e022f87823477abd6a79c31d70062d7","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-28,h3-27","tls_supported_versions":"TLSv1.3"}}}} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1591267474847575,"flow_dst_last_pkt_time":1591267474861209,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1591267474861209,"pkt":"bmImQfCg7jdRvai\/CABFAABL8YhAADkR0gRoGgvwCgkAAgG76soANzParQAAAAAUQMS6Zy9FF9Xn7IIP1UsQeHX9qMwQgoOBp4aIL+MPCXOdR4KiF\/8AABs="} 02122{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1591267474861366,"flow_dst_last_pkt_time":1591267474861209,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1242,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1242,"pkt_l4_len":1208,"thread_ts_usec":1591267474861366,"pkt":"7jdRvai\/bmImQfCgCABFAATMbsJAAEARSUoKCQACaBoL8OrKAbsEuILewv8AABsQgoOBp4aIL+MPCXOdR4KiFxRAxLpnL0UX1efsgg\/VSxB4df2ozABEgps603pxkyOuWqOuDCBHqFD5j6Z3HbedH1LdiS7r9g7eF1q+4GbQDzwEnV9STArM0Em4niSxcOP14YGEMbCxBeurtCEC8Tmf6DBDqyOKEQqlh98RR0FuyctJCM99u6oRT6urYJjdL6PSSu3YTL8HY6NviKj+LkpdTz6KmCgYvbgKd7NEhPEXmVYO+dL7mTC6YtcnEsrAHQU704mlKvqtFGL2\/5msnq\/TWBIk6bybV0DxYkGzE2Dnlwtw+dvrt9SpZJQBYmvuqQWRkw7Xl0Ri5Ou\/YH0Nf3CEwfW93dKkzcyI\/xYg9i+2QKy1ICjIZ\/JAWTdEHFRK8O6Gl0vStYOHFWBxnM\/YifVgYZg0OsrKE2RfzjKKmCKUpNz\/eEInpy3g7Oy6BASDjgCLyqH4KHC0RkRyxMeAwO\/4Ueuev5PR+GIZT6RPX+8eDG+GEJz8bGHJ80oLKupj5MfUtk1+qegg2dzVfHgOvprBxIArXCNmBUVNivV7wlObqf87COabZiPrwNrq3bed\/ALhpVnLbXDu3mPYFozof6hWLQUSRUCvRIP+L3zyyxfAOLZZ711TySAZxpgSSNbMb5wMga2ZxBCZGIiJBujBs0RFh65ea1D90334s1gOATeyFD6G0Y5nni0vv93RqV0rCUx5NmKsmees6Lb5Tn92zzlLElQ0tJj8i0NV+A1o9UmRJisTfKPDHGhnjIKCy7tWmA\/6WnyjC5MVpEofvbOp6VSLzrYFEbs4xO0nP5EWcI9akrhkBkR4BVPvA3BR\/JNC6qdA6XjZq7vEC4PK42e5TCzz\/lS4AoqV6qY+iOUqeRm\/KZeFGwLXw2YBxOFGvLQSYLCrM0JT+ZZ\/+YM0cgNTb4UsfslWeAa\/dEDn2K0d5vlVIufoqB2DscZriUDfkBrMe3p2BYO28jOG0dIt\/\/+wVszbGGjaG2DAkiTDrcM67+fz7k2j14PiNbU6+l0I0CfyoRbB67XXdFnPllMtNEGiR4aBRcQCCchbCVwdD7xGfKg8VLCKykEzUES\/y7hiagE2xpKTSbAUtzMYTnIbSLikbFGyfUOpyFdt16r3gk3qkldqup8CI9vmdvD1rvxsFHFdQKlm4ct28WVqNsM7AcMCYS4IdY3fjlHdgQeFzGauOLiE2HquU8FAgRipNJCs2vXSgmlj6qxAuSretb3YYCFUtS5vV7VhzZ\/si5aRaf72K7CkGDHBs9yzIrPzdtDp1CIjAcpqkTgTiqw5a7bneWQdm6knt9coPgKABTdfR1Wfei0Q3edydbubwRd1QyG5zjI0T9bXVZf85BmVvZ\/oiH86E0oC1c6Hyl3M4ke1W9+ncVNagK7XEVU\/lQ9u6NvkLWq7c7LzCfIQKMjglkD6IZxuZzbgX+IVXu+2\/W0iJnR1BIZqRhI1sURkCMk5kSbefJtA\/3ss1rR1eV5WU9Nj63Lk8fki45wlDZBMYeXWKNBze+M4K2DVnLaUMILrXDsu6YTHRFaaXufk6rRMF0IUC\/p6LhqvtpFhBb7T6xRXz1tVkXrpMYBZz4xjGSbfGjFB"} -01687{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267474935131,"flow_dst_last_pkt_time":1591267474949617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":1197,"flow_src_tot_l4_payload_len":4297,"flow_dst_tot_l4_payload_len":5362,"midstream":0,"thread_ts_usec":1591267474949617,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6116.1,"max":20960,"stddev":7174.9,"var":51478880.0,"ent":3.9,"data": [13634,13791,13932,1053,15111,1394,4,2,2195,342,15,8,10,14715,11,4,4,3,4,4,3,13849,1181,10523,11750,5487,19948,6547,20960,4038,19076]},"pktlen": {"min":85,"avg":343.8,"max":1242,"stddev":425.6,"var":181138.2,"ent":4.1,"data": [1242,89,1242,113,203,1242,1238,1239,259,152,103,85,85,168,112,557,85,85,110,85,85,85,85,85,700,85,147,85,859,85,122,86]},"bins": {"c_to_s": [0,6,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,9,3,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,0,1,1,0,0,1,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02082{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267474935131,"flow_dst_last_pkt_time":1591267474949617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":1197,"flow_src_tot_l4_payload_len":4297,"flow_dst_tot_l4_payload_len":5362,"midstream":0,"thread_ts_usec":1591267474949617,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6116.1,"max":20960,"stddev":7174.9,"var":51478880.0,"ent":3.9,"data": [13634,13791,13932,1053,15111,1394,4,2,2195,342,15,8,10,14715,11,4,4,3,4,4,3,13849,1181,10523,11750,5487,19948,6547,20960,4038,19076]},"pktlen": {"min":71,"avg":329.8,"max":1228,"stddev":425.6,"var":181138.2,"ent":4.0,"data": [1228,75,1228,99,189,1228,1224,1225,245,138,89,71,71,154,98,543,71,71,96,71,71,71,71,71,686,71,133,71,845,71,108,72]},"bins": {"c_to_s": [0,6,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,9,3,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,0,1,1,0,0,1,1,0,0,1],"entropies": [7.825420856,5.391368389,7.839229107,6.043497086,6.731246471,7.843968391,7.815639019,7.852266788,7.065521240,6.543905735,6.067143917,5.873550892,5.873550892,6.748120308,6.120771885,7.600786686,5.845381737,5.732706547,6.072868347,5.683273315,5.722074032,5.818619251,5.778411865,5.760875225,7.744878292,5.750242710,6.580695629,5.778411865,7.773950577,5.873550892,6.249063969,5.721802711]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00923{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":253,"source":"quic-28.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":34,"flow_dst_packets_processed":219,"flow_first_seen":1591267474847575,"flow_src_last_pkt_time":1591267477602863,"flow_dst_last_pkt_time":1591267477602221,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1200,"flow_dst_max_l4_payload_len":1200,"flow_src_tot_l4_payload_len":5428,"flow_dst_tot_l4_payload_len":230739,"midstream":0,"thread_ts_usec":1591267477602863,"l3_proto":"ip4","src_ip":"10.9.0.2","dst_ip":"104.26.11.240","src_port":60106,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Cloudflare","proto_id":"188.220","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00564{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":253,"source":"quic-28.pcap","alias":"nDPId-test","packets-captured":253,"packets-processed":253,"total-skipped-flows":0,"total-l4-payload-len":236167,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1591267477602863} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6052987 bytes -~~ total memory freed........: 6052987 bytes -~~ total allocations/frees...: 121761/121761 +~~ total memory allocated....: 6053123 bytes +~~ total memory freed........: 6053123 bytes +~~ total allocations/frees...: 121762/121762 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2127 chars diff --git a/test/results/quic-29.pcap.out b/test/results/quic-29.pcap.out index 973aaac5a..e2020f52e 100644 --- a/test/results/quic-29.pcap.out +++ b/test/results/quic-29.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046184 bytes -~~ total memory freed........: 6046184 bytes -~~ total allocations/frees...: 121523/121523 +~~ total memory allocated....: 6046320 bytes +~~ total memory freed........: 6046320 bytes +~~ total allocations/frees...: 121524/121524 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2199 chars diff --git a/test/results/quic-33.pcapng.out b/test/results/quic-33.pcapng.out index a43cf8ba5..3a790aa3b 100644 --- a/test/results/quic-33.pcapng.out +++ b/test/results/quic-33.pcapng.out @@ -5,7 +5,7 @@ 01387{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456563491,"flow_dst_last_pkt_time":1607938456563491,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1607938456563491,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","quic": {"tls": {"version":"TLSv1.3","ja3":"0299b052ace53a14c3a04aceb5efd247","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-33,hq-33,h3-32,hq-32,h3-31,hq-31,h3-29,hq-29","tls_supported_versions":"TLSv1.3,TLSv1.3 (draft),TLSv1.3 (draft),TLSv1.3 (draft)"}}}} 02197{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1607938456563491,"flow_dst_last_pkt_time":1607938456566304,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":1294,"pkt_l4_len":1240,"thread_ts_usec":1607938456566304,"pkt":"AAAAAAAAAAAAAAAAht1gLBAvBNgRQAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABEVvI5gTYBOuKAAAAAQijB72XkxHdoQg7VxcI2Jvc+wBAmyNACkF8YFqpKbrULKoDb19+uZg6qvjJtwEJ\/uOaQSa3OSU6O4kzdS3stlDlI1x0pxU6U1p+48IkszqoivEYtB69bd+ITaYbTkxaelp3jMONrgP7+RVKaRNSt1HkpjhOcLPrzWczoHNZnIhNfvDy2JT2t08AucggcJe2\/4B\/vdnrtpqK6V\/yqwGFTMu1rQIkxS92C6tKauoy9+VqrwAAAAEIowe9l5MR3aEIO1cXCNib3PtEAuCsTgG\/NlsvOl6GJP2fa9o99BT145OKWZuTcmr433tc4jI7eA6S9XkiunJFKo6ZwPI0CMllqhzpZg\/M2oExoGin\/1BGN9cmCUQfuYgNqfFCtG+9ndT9HYjrsBCdjtJLmxL7rPr9q0tjGpDyuXZi9R4mNROPUrln\/PkhZzgiM0sHtdd5p\/bNeUYtEqE7ldAVt6\/n44lU+YN3SU+JWXbqssVrfvVzr36h3ab7fYZ2wDsFWfe3UAXx72w0FuOOYB7+7UQe00b5Z0z5SyfSm4P9dPYqojw9+jCHeJHd8IAkR4khzwJfJ3q7ZLCXjemRtbjS+jOnIFHSC581L8cRfFE0puRn3ZcyA6eigK1\/b\/IulmnDweMhm5uzPfRzVpuYtDAmfupBBO\/lq0x9UE6G6aXlrZk5pUsV\/Pqkms2\/6G+WtFFZQVjHMyjk00Lt801D4RBFQF6Pahphh1rFyerbrHyGpVjzLCCjQyphY+Ef9GwnSwZSXfDtl5l6V75F8hdBb7eRQwoSsYy2TAPUn+5EgUUMa1L0FdqwqulhpTwuiKxlEjCwVmTxOQ9cg0ckmklTggiUpDihR6CGEJh4wbwQvtSQI7moaNImb3zhI+1KDCqOesSmC0luDPiQ6HVXRRmZBTcfdXaVe6yn8aOTSuCvFQcYVZJMmDXWA3tjd8oaA17lJRBbd52Hesk8cJ\/YJxx85q2dKnHlb3PDDd1GsYUOHckqW9oBPW3OnKOCPAmLbdAwZewxw5NCtlvRr65YuEBJebGFHlf1HDlzUGnZEYOFz7QCUVI0Cm1TQGPnrse0LdnJMU4XAsVFTZ0rmN1WZ7lpL6siOc2kDO70InGs0erREqxP56ACsZJMVSLIWh+Wtd1TXT7s1cqcJTYFE1niy2vrWekG6gLj5S6d+RexzQMJFxrY7r+11SACpmCHMFInRkZ2X9ItKQsY5EbZalkFRVlIPVyM4egzMKz9sn52T\/vMFKgNzwFrf2sp17iUQaz1IyM4BWPhByUmfVEtsPpNhTudVAjT+DAK93H3WyrArXi\/C2kIO6kQjQL8MrdQf21Vn+lMg29055+PrObIIyJyGedJEXiBJHhcPUZyzw5wKIN3qGujdkkwR3NWZGQsR9D9oFcHebuLVvyY9rfcmZsewBxwBuE+3j7ZET5hnurVax3LpMwvKOC7lHimTxsExq+Apn9MfGeNafcclrRpd8qOhu5Y\/D9oPxLb43JPWxWrwE9\/H\/\/i9MLl+t0zWNInh13oyE1g07E++NmYobon6Smh\/KGoGULC6seHfmLDTFHYkzCH+jMiW6zoYiu7MVxzW\/pT13bjivVb6\/E5Iu6Gt0D2z7Y6bkUG7P9GxtXA2I4cOhOe8m7St\/U9gg=="} 01532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1607938456563491,"flow_dst_last_pkt_time":1607938456566431,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":805,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":805,"pkt_l4_len":751,"thread_ts_usec":1607938456566431,"pkt":"AAAAAAAAAAAAAAAAht1gLBAvAu8RQAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAABEVvI5gLvAwKiAAAAAQijB72XkxHdoQg7VxcI2Jvc+0EX7RIgJstg2q\/pC81tAEQflatapq\/RZQEybKUVkOQrHxIiM3xbz3ZbafCyVgp9YFd+JrcvMCpFHqt9ha4UaWT\/CVOhVDMl+x8Qz2Pi7UbhXXzBIpETH8Z7GAVhwJp3720klhijkJwcoDMcJhlagIc47WtHZyC2\/NvYhyD6pe18qYPoUjuwqv+wJE\/ZuFV52ejpLWx76nNhIhGaoM22WiUW2N20UYQh0kubnK8ydedmguDEIxF73mmjfBjQU7d+\/kjc6w69nvaNM1WUtVe+1pIxu53jikC+jWmnb37byYPq9yuXiC3\/7jLmxfDtd9m0NACttAKJA\/JNnc1mj5nC7Y4hcumqIR3HrbC6nuLoYsXX2Zp0f9UgYV0fEqMHvZeTEd2hiKBY6bJdCuJKiCqdgeiTl8HqX5mvvlLWJPlmCEJCqIrxf4AkkUVGE4BSMBWdBgCOEniMLjdilc+qHYhwYNZ7tIGoZF6d6e+Y9Yje+rmHUnbpVz7jAirlBT5H70Gx8i7gxMgFdddmzogwCmelHc7wvmzlC3bbPNEkyFgFvBjt104z4kXXH0FdVNTjvLWqMrMbCISgSyaKcGImnAuSczuqI+IdDAVMV3KZetnbRYTODT0MnkiyhjZS2c2FGhXiSczCoL+nOf5G7u0IMQ1S2B5gWkWA4zkPvuFc+aQWgo\/5D9qUsPB6Q6\/Lj7MI5fOlLauhfzQmW9GNJRpuqdg3\/ZmECJ9z4HnHnfJd1luO6tXDuMawQhxYeD2xpO\/QqBEAH7sAsFTq\/abn1uTe8vqVNYsZRf0hwJAKRW\/BJxg25OGxhUlcywIb3vGZoq+dJmTxYWX\/eqXVDs+dco62ygOlroB9wJoypHt\/D+y7eYcgKaWYE3hnP28kNmmEQuWhfqoLHNJTZas1p5oY5kezaxnU27xSuQXqGdvZdYxhIaICM8EHXUKIOqW8fx5oue03v9+86w=="} -01909{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456569390,"flow_dst_last_pkt_time":1607938456569730,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3531,"flow_dst_tot_l4_payload_len":26643,"midstream":0,"thread_ts_usec":1607938456569730,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":391.5,"max":3446,"stddev":792.0,"var":627294.4,"ent":3.2,"data": [2813,127,21,3446,599,267,22,367,71,407,38,1140,1379,530,25,290,50,285,35,19,16,16,16,16,15,17,16,46,17,16,16]},"pktlen": {"min":115,"avg":1004.9,"max":1502,"stddev":605.0,"var":366070.2,"ent":4.7,"data": [1294,1294,805,1502,115,117,209,117,1294,1294,373,1502,501,245,117,117,117,117,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502,1502]},"bins": {"c_to_s": [0,4,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0],"s_to_c": [0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,15,0,0]},"directions": [0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02307{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456569390,"flow_dst_last_pkt_time":1607938456569730,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":53,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3531,"flow_dst_tot_l4_payload_len":26643,"midstream":0,"thread_ts_usec":1607938456569730,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":391.5,"max":3446,"stddev":792.0,"var":627294.4,"ent":3.2,"data": [2813,127,21,3446,599,267,22,367,71,407,38,1140,1379,530,25,290,50,285,35,19,16,16,16,16,15,17,16,46,17,16,16]},"pktlen": {"min":101,"avg":990.9,"max":1488,"stddev":605.0,"var":366070.2,"ent":4.6,"data": [1280,1280,791,1488,101,103,195,103,1280,1280,359,1488,487,231,103,103,103,103,1488,1488,1488,1488,1488,1488,1488,1488,1488,1488,1488,1488,1488,1488]},"bins": {"c_to_s": [0,4,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0],"s_to_c": [0,3,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,15,0,0]},"directions": [0,1,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [7.803868771,7.809453964,7.636795044,7.827753067,4.482279301,4.907669544,6.029671192,4.876163006,7.831148624,7.774451256,7.038985729,7.835481644,7.443472862,6.574716568,4.842088223,4.868834019,4.744999409,4.934416294,7.840272427,7.834603786,7.829602718,7.819114208,7.856932640,7.836608410,7.829055309,7.839015007,7.837625027,7.848807812,7.847033501,7.843163967,7.839411736,7.808558464]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01141{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":992,"source":"quic-33.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":99,"flow_dst_packets_processed":893,"flow_first_seen":1607938456563491,"flow_src_last_pkt_time":1607938456578110,"flow_dst_last_pkt_time":1607938456578127,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":8598,"flow_dst_tot_l4_payload_len":1270620,"midstream":0,"thread_ts_usec":1607938456578127,"l3_proto":"ip6","src_ip":"::1","dst_ip":"::1","src_port":51430,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00567{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":992,"source":"quic-33.pcapng","alias":"nDPId-test","packets-captured":992,"packets-processed":992,"total-skipped-flows":0,"total-l4-payload-len":1279218,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1607938456578127} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6074583 bytes -~~ total memory freed........: 6074583 bytes -~~ total allocations/frees...: 122500/122500 +~~ total memory allocated....: 6074719 bytes +~~ total memory freed........: 6074719 bytes +~~ total allocations/frees...: 122501/122501 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars -~~ json string max len.......: 2203 chars -~~ json string avg len.......: 1341 chars +~~ json string max len.......: 2312 chars +~~ json string avg len.......: 1389 chars diff --git a/test/results/quic-34.pcap.out b/test/results/quic-34.pcap.out index 70ec7f048..a559ecb55 100644 --- a/test/results/quic-34.pcap.out +++ b/test/results/quic-34.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046033 bytes -~~ total memory freed........: 6046033 bytes -~~ total allocations/frees...: 121512/121512 +~~ total memory allocated....: 6046169 bytes +~~ total memory freed........: 6046169 bytes +~~ total allocations/frees...: 121513/121513 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2201 chars diff --git a/test/results/quic-fuzz-overflow.pcapng.out b/test/results/quic-fuzz-overflow.pcapng.out index 2fa02b7c4..ab4babee8 100644 --- a/test/results/quic-fuzz-overflow.pcapng.out +++ b/test/results/quic-fuzz-overflow.pcapng.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035642 bytes -~~ total memory freed........: 6035642 bytes -~~ total allocations/frees...: 121487/121487 +~~ total memory allocated....: 6035778 bytes +~~ total memory freed........: 6035778 bytes +~~ total allocations/frees...: 121488/121488 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 505 chars ~~ json string max len.......: 3075 chars diff --git a/test/results/quic-mvfst-22.pcap.out b/test/results/quic-mvfst-22.pcap.out index 7feb09f08..475316b22 100644 --- a/test/results/quic-mvfst-22.pcap.out +++ b/test/results/quic-mvfst-22.pcap.out @@ -4,7 +4,7 @@ 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":24710880,"flow_src_last_pkt_time":24710880,"flow_dst_last_pkt_time":24710880,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":24710880,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"31.13.86.8","src_port":35601,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Facebook","proto_id":"188.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"graph.facebook.com","quic": {"tls": {"version":"TLSv1.3","ja3":"a3795d067fbf6f44c8657f9e9cbae493","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-fb-05,h1q-fb","tls_supported_versions":"TLSv1.3,TLSv1.3 (draft)"}}}} 02180{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":24710880,"flow_dst_last_pkt_time":24717506,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"thread_ts_usec":24717506,"pkt":"CAAnANMtUlQAEjUCCABFAAUAAAYAAEAR9MMfDVYICgACDwG7ixEE7JMhzPrOsAEACEhjA85S+SrVAETSp3xd4I3jcnRue9L34hUuKLzlfpPUk0DMF1\/VFxThZTibHyGTQPaeM6iOotElwwAC1lRX5vIn9ya6YsAZzR1T20xEKAiW3eJkBYrfQ3apmceqTTBCX0bJxPnVeRIzBODDHWoJM4cXlDC\/p3lohjBDIh+3Pmk8tNap58UqGgjHnaigatc5CgFJHJWL+Kd1f9qcpuyZT1uB\/ns\/WT+PLudF\/jQ9707j1mFbnqiURY6nhTe97ZArhq7t1JVJAsO33k150ABBjgVdT\/6wgI8ik0OKmmJMbfb2L+7Ixq0YAACyySDSzQt+wcslS6ksj5zkeJG1dT9Y35jxFQSLUO32yxmbwQFG+b4QvZMRJyJvqfQ7oSMncZe7gs3wgTuaXe5geZfkx17MmRYXTYrf9pvAukh+MM4Q8hjt2gZyy+8MqEokO31Taq32iXjDeFgjn7q\/sQ6rvlxCVyZt8Ccaw1VxzzUAQNXg6QrtjGJsnqKEgZqyevLn4vgbCyEPYSqzUTMTMLMrTP+YLSeAUyD\/0KlFtPE0vwwFCXwILzsVlF8Hrkegr6zVR+h\/fNZFiUKr8jA4htexop3\/TtMjF2PSObMi\/B\/O4yOQK7dMjsb7j6HNoUatgqnfa\/Ep22MPaFjhmHCE5j8WrQYwGpwTuF1k+FX+IBnWV4aUFnYpvfr221AiaeRWseWythbDWPKdPOoQEd\/nzlYGC5Oxk\/91qMZSP6Qi8tEzsAHdyiB9WngqFXo1pqCT6\/T6hHvEqNor+wZ910MK6fQ\/Z\/7idL3\/nnBnU9m8lqNNZM0XegQQnU8+PD\/XZhQjxUwoqqNWAXTx+KKl5uQmMcpN8TieU3aBwrb2x1xcZVNXnjwFxiEsI7kDQg0bAdgGrjrWKUk4cVimEMb0EC3L3V2ZK9Ef+8sswkJ6ekYpwvMTIYU4ZOYeN6c9agkkoqzbCCHeRQql9R0YriJFUFgYENUK5b9nwRNBW+A+lZE8ptuzw5xsFcuyBXpjCKYIgsmKcLlQPkBkV4L5QGZQzzBmN2GgfUAEzN8WWVN0hJqYa9YhcX7zxmRv9gsMitNksaFnr6AlihFLFZqlT9Y648AprztjF7njBZZ3u+CXpZkG7Px2yrrdTouwjAToPn\/AdVmPPTHV6xKp99fDbwaMyfL+yOcnJ2plbK+wkS1jsiP\/yDk9VzA04xL0657ViUEAuv3t4Pev7pI\/DIFdRVSmTSWKvywkuBVJ\/VJOp\/6cO+Cy5FlDhTQR7H8evMXUaEHp69QHfF8fPUAjUyJ7IMeXXtuK3UkzI7UvsOqWVYGkA2OumbWmFRfgS9XBGi3DmR5otgit5Y81MAvHsCQ0V0IB2P\/yq9sRuL6R8TwF63sAvaPwfsPjICjHyZ2krnIlWXUbArKvncQeHm1H6y9ztqgfn+NTwpQWRfi71aj5FP2C+U3RB9l5HqGgyZJ9tt\/Xiom3MonkmdTNfE9C0G+zTKbgAzuir0+laGJim+TV37+wtcreN2P4GKPPo2goOCnc140xbDBLn4BL2axie9RcUyuxXK9wAWvijAfXal3f1DydwVZ8LxwK8o06yHcTKFQ\/sXJaHnxv2HTtF\/v0IBQjQRHILVxnhCjAh73MlFUFSG3zJQ2aU164W5cGJFQS3\/OOJsBbuI1J+KjSFQ=="} 02177{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":24710880,"flow_dst_last_pkt_time":24717680,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"thread_ts_usec":24717680,"pkt":"CAAnANMtUlQAEjUCCABFAAUAAAgAAEAR9MEfDVYICgACDwG7ixEE7GUmy\/rOsAEACEhjA85S+SrVAETSuH7quCgS8Qh0D\/bDO3gFDyLADGIuWnyCygbJxoXjp96KXvspho+865YDAISOGlOK6zOTsHDQAebkiFhwjAE3CGShccg0NcaDyS5u33R8Osm0onTcQUcavm+SMZHNxND0mAg59a7z7rYhXIsBKLYSznCIFNmBhvnQ+54HWzq4kDWVLL0ptfvb3giThFXk1AIMtBbaQwMGxHg\/8x0s7Ppw1zOCvbNuFb2SaGK8woqt2broJB\/xJJE2S1FwZCmQqqrE1mHTwDi+8M\/OC1IyVNxKVB8saqcFSbFe3BJEULgEgbvBwmfmNN7Wau\/J6gJxg5w745\/ujGtOLBoEAnkzp3XoTJN0Y42xyNe7RF+e2AS8staHpKBMbgG4b2fukqv0W5QWMOb9XdlK5lappO8kEpmoLvACo9Sy1bI0dfdz52edGlrvLjFy2h3zOMrwDHWDRiYmPSAbJ9pyo+VCqFMWVDhQI4ZmsKudQZcU+vReqpUp36fwM5gOtsh2Hk\/S0k+EHqDAZZLNzSF4Yr5ZabIDN\/R6biJU+FbtoUG+RJBpWcvmHAUftMbmErNWLgTpRpllj3nUl2F8eMASJGjRK8oYFrTV1fl7xjdeBam93XysGVWS92VND4SDvDULI6TRr\/337rNSj3EREqThlcSaMocH0kz+\/upNhJQxDeelV1RY26qv9bW8VdFma6p7uhfRK2roH3G5uc\/+tiG6qdmRct7WQoGsbTeaFFwB7Ji7Wtb9Amekof3OVUrPd+6iV+W3mM4hQL9kRTkFzHEd\/WA\/+8ZmZ+0XzQrpy3WwRvRc4DmvV7nvOYs8y+909LdGLV6CpRLEK1604OVZbyXxVxq8+mD19ElUn1g8QnbzGBFa3Eif7B0cGdFF8WqgYvqe7ufF46ZJs8QD63+SQv8gGxmUo3SJWQ3Yfj1uYEYSEfqi43AQxOFbKmd5oqszRdikvUk0Zh8XMjntw3CR4tWh1lqTR3LIN8Lt7A9gIRX8+3G76YoaDY2JIMjxOuLYIRBVe\/VWBuKPMLqRCv4wvIDach8GKJmbI9PTQ01q1Z5kL\/zM7jTdFAlentpckr6+ua\/D6t6rLd0nkkL8d+15pg8\/FKhrDBHA4Ml4BRHizjz4SpRJ2QEiV\/niWkbX1e0hkpcbZ2xmOFDZW\/9O8RjAOdM08kiCSbKZTUpnl9P0qLKtjystpZa5q8OrBMgSHUgHM1S7geU06smT7+czbBGnnd5A+6PV0mPwqueT\/OUV15fL2NUOxgfqhC8iKqRfJcjzm8CssrkrLVEfaPmw7D7KOm7\/2J64iyqOubriFO6KrbjP+1qKiLmCaqNeEy3JTylMKWsH5UVovtnGGCKeolJjanKSFdzQ0naGenN7GlArcfV78Zclt+QC9mK2mtHkEiOwhoeprg\/zQujUyWH4lxZTrhtEFhlJUvQKpPst4HYEqZgxQPGS5nmr51v1f2cwzcaORxf3cXeVVh\/GKwiwMjI8VaKzhRxAoKZZ3g1TUl61dqF4liU6GnZkX+YBlPJ80vXLVfIDc4zwsjaBUxk1pJO\/LOLCp5buKJ87EbzIoejsqFXfFarTVLwKw\/2KUHEIwDL1x1rU0t6Q+Ap29yyER+brp4OyVHhD6T7u9LrfjXexdQfUgnSNX1Ib4LZ7OO\/KrQ=="} -01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":24710880,"flow_src_last_pkt_time":27201767,"flow_dst_last_pkt_time":27283563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":6836,"flow_dst_tot_l4_payload_len":11997,"midstream":0,"thread_ts_usec":27283563,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"31.13.86.8","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":168785.7,"max":2090987,"stddev":514567.3,"var":264779546624.0,"ent":2.1,"data": [6626,174,24,23,15783,192,68,25740,16544,24398,2090987,2072824,30640,212689,1822,115,243417,45,25374,21896,80671,49,21,8,9,96673,35817,60860,70,11]},"pktlen": {"min":66,"avg":630.5,"max":1294,"stddev":577.0,"var":332915.8,"ent":4.3,"data": [1274,1294,1294,235,95,1274,120,109,80,275,73,66,1142,70,74,612,1274,1235,70,70,74,66,1294,1294,1294,1294,98,79,66,1294,1294,1294]},"bins": {"c_to_s": [1,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,3,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Facebook","proto_id":"188.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02093{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":24710880,"flow_src_last_pkt_time":27201767,"flow_dst_last_pkt_time":27283563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":6836,"flow_dst_tot_l4_payload_len":11997,"midstream":0,"thread_ts_usec":27283563,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"31.13.86.8","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":168785.7,"max":2090987,"stddev":514567.3,"var":264779546624.0,"ent":2.1,"data": [6626,174,24,23,15783,192,68,25740,16544,24398,2090987,2072824,30640,212689,1822,115,243417,45,25374,21896,80671,49,21,8,9,96673,35817,60860,70,11]},"pktlen": {"min":52,"avg":616.5,"max":1280,"stddev":577.0,"var":332915.8,"ent":4.3,"data": [1260,1280,1280,221,81,1260,106,95,66,261,59,52,1128,56,60,598,1260,1221,56,56,60,52,1280,1280,1280,1280,84,65,52,1280,1280,1280]},"bins": {"c_to_s": [1,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,3,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,0,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,1,1,1,1],"entropies": [7.865873814,7.840335846,7.856841087,6.935217857,5.841008663,7.844548225,5.975329399,6.068257332,5.408033371,7.120600224,5.413970470,5.168682098,7.824946880,5.206433296,5.433454037,7.633729935,7.839689255,7.820494652,5.385004520,5.200210571,5.379368782,5.130220413,7.847099781,7.835284233,7.857980728,7.824029922,5.854679585,5.473884106,5.168681622,7.866020203,7.849047184,7.840563774]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Facebook","proto_id":"188.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00900{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":490,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":188,"flow_dst_packets_processed":301,"flow_first_seen":24710880,"flow_src_last_pkt_time":74905965,"flow_dst_last_pkt_time":74922862,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":72648,"flow_dst_tot_l4_payload_len":195043,"midstream":0,"thread_ts_usec":74922862,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"31.13.86.8","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Facebook","proto_id":"188.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00900{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":490,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":188,"flow_dst_packets_processed":302,"flow_first_seen":24710880,"flow_src_last_pkt_time":74905965,"flow_dst_last_pkt_time":139922848,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":72648,"flow_dst_tot_l4_payload_len":195075,"midstream":0,"thread_ts_usec":139922848,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"31.13.86.8","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Facebook","proto_id":"188.119","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":490,"source":"quic-mvfst-22.pcap","alias":"nDPId-test","packets-captured":490,"packets-processed":490,"total-skipped-flows":0,"total-l4-payload-len":267723,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":1,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":139922848} @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6059972 bytes -~~ total memory freed........: 6059972 bytes -~~ total allocations/frees...: 121998/121998 +~~ total memory allocated....: 6060108 bytes +~~ total memory freed........: 6060108 bytes +~~ total allocations/frees...: 121999/121999 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 2185 chars diff --git a/test/results/quic-mvfst-22_decryption_error.pcap.out b/test/results/quic-mvfst-22_decryption_error.pcap.out index 2eeece2e1..f0978dba4 100644 --- a/test/results/quic-mvfst-22_decryption_error.pcap.out +++ b/test/results/quic-mvfst-22_decryption_error.pcap.out @@ -5,7 +5,7 @@ 00897{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498296832000,"flow_dst_last_pkt_time":1593498296832000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1232,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1232,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1593498296832000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","quic": {}}} 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296832000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":106,"pkt_l4_len":86,"thread_ts_usec":1593498296833000,"pkt":"RQAAapbBAABAEXBACuYoqF5h4ZLy9AG7AFbkKub6zrABCEACR1YBz3h7AD4ztLOg+8\/NWUDesKp0sDyq9wl\/qnK\/iaP4qknLwsMfEkvd24lrwL0JnOo2eK80vHLhCKIp2AiTqDI94jB8\/Q=="} 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296832000,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":0,"pkt_l4_offset":20,"pkt_len":106,"pkt_l4_len":86,"thread_ts_usec":1593498296833000,"pkt":"RQAAapbBAABAEXBACuYoqF5h4ZLy9AG7AFbkKub6zrABCEACR1YBz3h7AD4ztLOg+8\/NWUDesKp0sDyq9wl\/qnK\/iaP4qknLwsMfEkvd24lrwL0JnOo2eK80vHLhCKIp2AiTqDI94jB8\/Q=="} -01602{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296836000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3572,"flow_dst_tot_l4_payload_len":18205,"midstream":0,"thread_ts_usec":1593498296836000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":1666.7,"max":3000,"stddev":942.8,"var":888888.8,"ent":1.4,"data": [1000,3000,1000]},"pktlen": {"min":60,"avg":708.5,"max":1280,"stddev":531.1,"var":282057.0,"ent":4.5,"data": [1260,106,106,106,698,698,698,60,60,60,66,66,66,261,261,261,400,400,400,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280]},"bins": {"c_to_s": [0,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [0,3,0,0,0,0,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02001{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498296833000,"flow_dst_last_pkt_time":1593498296836000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":3572,"flow_dst_tot_l4_payload_len":18205,"midstream":0,"thread_ts_usec":1593498296836000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":1666.7,"max":3000,"stddev":942.8,"var":888888.8,"ent":1.4,"data": [1000,3000,1000]},"pktlen": {"min":60,"avg":708.5,"max":1280,"stddev":531.1,"var":282057.0,"ent":4.5,"data": [1260,106,106,106,698,698,698,60,60,60,66,66,66,261,261,261,400,400,400,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280,1280]},"bins": {"c_to_s": [0,3,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [0,3,0,0,0,0,0,3,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [7.860296249,6.126270771,6.126270771,6.163064480,7.718494892,7.718494892,7.717700005,5.480065823,5.480065823,5.506893158,5.413313866,5.413313866,5.536673069,7.175638199,7.175638199,7.187689304,7.409482956,7.409482956,7.414732456,7.811549187,7.811549187,7.811690331,7.844969273,7.844969273,7.846896648,7.838176727,7.838176727,7.839562893,7.844841957,7.844841957,7.846801758,7.857825279]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00938{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":353,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":43,"flow_dst_packets_processed":310,"flow_first_seen":1593498296832000,"flow_src_last_pkt_time":1593498297033000,"flow_dst_last_pkt_time":1593498297036000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1232,"flow_dst_max_l4_payload_len":1252,"flow_src_tot_l4_payload_len":11825,"flow_dst_tot_l4_payload_len":378781,"midstream":0,"thread_ts_usec":1593498297036000,"l3_proto":"ip4","src_ip":"10.230.40.168","dst_ip":"94.97.225.146","src_port":62196,"dst_port":443,"l4_proto":"udp","flow_datalink":12,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00587{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":353,"source":"quic-mvfst-22_decryption_error.pcap","alias":"nDPId-test","packets-captured":353,"packets-processed":353,"total-skipped-flows":0,"total-l4-payload-len":390606,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1593498297036000} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6055958 bytes -~~ total memory freed........: 6055958 bytes -~~ total allocations/frees...: 121859/121859 +~~ total memory allocated....: 6056094 bytes +~~ total memory freed........: 6056094 bytes +~~ total allocations/frees...: 121860/121860 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 515 chars ~~ json string max len.......: 2169 chars diff --git a/test/results/quic-mvfst-27.pcapng.out b/test/results/quic-mvfst-27.pcapng.out index c7645b270..d093e4f97 100644 --- a/test/results/quic-mvfst-27.pcapng.out +++ b/test/results/quic-mvfst-27.pcapng.out @@ -14,9 +14,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046332 bytes -~~ total memory freed........: 6046332 bytes -~~ total allocations/frees...: 121528/121528 +~~ total memory allocated....: 6046468 bytes +~~ total memory freed........: 6046468 bytes +~~ total allocations/frees...: 121529/121529 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars ~~ json string max len.......: 2254 chars diff --git a/test/results/quic-mvfst-exp.pcap.out b/test/results/quic-mvfst-exp.pcap.out index 1217e006b..73630e335 100644 --- a/test/results/quic-mvfst-exp.pcap.out +++ b/test/results/quic-mvfst-exp.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046625 bytes -~~ total memory freed........: 6046625 bytes -~~ total allocations/frees...: 121538/121538 +~~ total memory allocated....: 6046761 bytes +~~ total memory freed........: 6046761 bytes +~~ total allocations/frees...: 121539/121539 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars ~~ json string max len.......: 2212 chars diff --git a/test/results/quic-v2-01.pcapng.out b/test/results/quic-v2-01.pcapng.out index 4184fedf4..f66393505 100644 --- a/test/results/quic-v2-01.pcapng.out +++ b/test/results/quic-v2-01.pcapng.out @@ -5,7 +5,7 @@ 01472{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746209343,"flow_dst_last_pkt_time":1643108746209343,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1252,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1252,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1252,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1643108746209343,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","quic": {"tls": {"version":"TLSv1.3","ja3":"c0ce40fbb78cbf86a14e6a38b26d6ede","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-34,hq-34,h3-33,hq-33,h3-32,hq-32,h3-31,hq-31,h3-29,hq-29,h3-30,hq-30,h3-28,hq-28,h3-27,hq-27,h3,hq-interop","tls_supported_versions":"TLSv1.3,TLSv1.3 (draft),TLSv1.3 (draft),TLSv1.3 (draft)"}}}} 02195{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1643108746209343,"flow_dst_last_pkt_time":1643108746211563,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1294,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1294,"pkt_l4_len":1260,"thread_ts_usec":1643108746211563,"pkt":"CgAnAAAACAAnfrFjCABFAgUAAoAAAEARgVPAqDjGwKg4ARFbhbUE7O7hnXCaUMQIS6wx1HkzRzII64iRQkuUIpwAQJyCVjJNuDCrTNqXXWMPn6Re4L7SYVwqGIQCQc\/4z9NyAaPCA1EjtACuJoZLCrSNpYRSybpCuKQ+WoUiUllNx92L2MPAGJw7utYFPv5OGHw1\/\/sWndgkLy8hp7pR69\/u09rZKcS+JfFwJmuIf\/ksSjGDUumn50Ay2Rd6o4XXl0HmsmbBIvWvgU6hASVdT4jxaoclAPsXX8CPP0up6Fe0cJpQxAhLrDHUeTNHMgjriJFCS5QinEQVHufFpgZs2aV6du2ZRQqQKDOjoGilHODVeRgnXJ5P7T\/zsZp32p1pLUsBPppTZZgXUGe0MYPRpYRLZP6S2YwCHKWU+l73n0JGtHauiFtNycThrlHgcsb8sk5tcvU6Y6ScYjaBJZo4SvzfNpo4yZWfBNk2UYHfihFbXoBagL8Ni3TJrQD045tOl+1YfuvN63veyZsQEZqEx0dBAmyVl+9xjvqkhzopKh+NpWRz5BIklAlUFmpNduMfQ3T20hAf9mJ3AOigASJmi6bsOzfT+fmMLLJFCGGvf7Vtj5E1FZRVn4fPJh6AHDI4r32EO9lBeOo\/bRxKO\/xtuNE4dXyQrhgsAmgYHZAjkPqRu\/l7804XDa5V8jNWzrthKJ47r2cSNRYsG+fH2fUAebN4YB+rihSsIZxpHY2QnwFGSwB6H7Skxg+Iph02BLynk+Iu8t78JbQQo03RTVad7a1H2K5yGJBnwMaDh8uWKRogMWzILW0GAvr6cB6rKtZvIB6iaFRtpW21wxF6FMiWghHWS2MMSMwh35jVZuDUmDisttokt9hNGZX0VcNuKmWidzlE8BvnwG5U\/lPWrVnAvZVmrZTmpKOyI5TR7nxh84GrxxCAx17MsDCnck39parnwVt\/QNJg4GreMjaXUUPTYWQryOwbG6s95MTEr3kfYLs4mW1uf0zDrci29F2sFu\/C\/HmqkFvZ0OOGC+62wGqGORW\/vlf01u6eGRup6wAte8fwWPF\/vwQLZV4\/zxpFUgF0tAqfKM3PO4Haxa9nHsPVZrUGZMlLFWcB4nBKG1NdoHQpFnsMhBc+wza2JrPisqt5PiVyJC6OvV\/cU7ww3Rc1ZbzC4jloEENrow5U5qEqSaBP1zNwYznCuMne7LwjmE8EnIma1wUrAiD9QtQZyRcWI2tpjtba1QsGHPmDL5TsbCiu5lRo6fKqxLAw32vAkyC76P1133lt7HXruzSBRhmkFpsQbeMtEt1sNBll1ZQMowIuN84gLLCcft+MTcp3i74\/r8i865o44mVqYEl+o8X\/pbSdpT9L6gLAevV9TpMYpr+mcHT0ieagX7Jnn35uw6zjOtQWRDf+XCisrr1nKY1EVNzop8RK6vKaPR4oivRBODylVd6kbG0JUHAnr0Ix4f91IhN0iE9wN0staG0WUiyWtw\/orMSuxqBfKKdgnMAvmqdZTtqpjXi4aDVPEGseUXFoRd2eIp1NKtyrFMTN8zew2FQfUM5ZPV+mLZOckS47BcCaj33vmjmNhp4PqOibtw4GGIkqKdtzvIDU5hpFJQe3oYXwcGYY3eEEzdtrD2Vx0tDP6Yxy6KvVsm5\/mMYXMhGZoUA1zlKEtVTTbazFot35oVX4ngIUMjLuaLnu+ZQA\/SsjZCeWQrKvnx2aQ0fMdg=="} 01476{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1643108746209343,"flow_dst_last_pkt_time":1643108746211597,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":766,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":766,"pkt_l4_len":732,"thread_ts_usec":1643108746211597,"pkt":"CgAnAAAACAAnfrFjCABFAgLwAoEAAEARg2LAqDjGwKg4ARFbhbUC3F+UvXCaUMQIS6wx1HkzRzII64iRQkuUIpxBBHClZrSkXwcilginpQcYrC6+gYqStd9rEPJAVa\/X+ectxL4RSmYFqLCVrwpVh1cagxhOComdCEfuthVLRVGijz0VZq73gJfVJDTIt9AqzDxtaVsVpsxn9nkBr8pmVajuM19igvEhLOOlSEyBeUeB0DFdaZHW2\/JO3NISTHIWsZrZsFMVLd9gHsuxJ1cw3ZhmXfOm4UQbO0gsJiSVP1hEVffenYC7rMaAhCUYN9+RJxV5yNtMPMGyD3sgFiZTkHnxcTLuuCOpBBBkbts\/gMCM9IZChkDacnOh2OF9\/ohY3MEFlrim9kn0Lkww\/L7utDiRt6G4nl7rnCzjkcY3xLHSfS\/UQGApX0usMdR5M0cyG4HtNIk9Hu3yusEW1qJhexs\/jd2MFqPbzXoJkoBqBRJp9qv7uPIeaJrkQv0lZW4FoaNVZAxaKV+W4vwOyfLLLUAqbD+eP0q2akwmVXy9Y8QV3RpHIAEJdYstRBWUkoiGbfH\/tn+FdXpRyxXFod1a\/iZeqISyuYA2sKP1DJjEFrTzbkdHxX2JNiQQ2tZ+ApMfsQ0Q3QHD6f2C+xRLtvPcLqXP7RxXsRrD38p085fQ2lzG5FGYGgbhRGLwEvS2xYmIc5SWcIMn4zDkXXhhptIlqESYssWwykAjHZI2+hUtqOdrCizJkWiDODkpCMdaXGRR20dzaKQXdlriwcHLV5d1GvkCwMjcqS+C3ysNw8ltkxZbJAw3X1KjTK669DDz0zSittHV41nQk4SLHBtK3xCfytcsQ2Woqekdb3A1Hgo2e8QMTF4S4OsVjiekXWM847U9xQtRGGBIxOeuuzZN2uX3hL9UxceXknbMIBuTtD1iz9sd5bcqUQJpjX4\/iuJ0SwzD3dHw3Uy0h7w+q864l4fPWvhkeXfYvfcT+Icqi6TMXyciH2pSvVxaT4WJf32OcA=="} -01911{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746213653,"flow_dst_last_pkt_time":1643108746213782,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3681,"flow_dst_tot_l4_payload_len":28445,"midstream":0,"thread_ts_usec":1643108746213782,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":282.2,"max":2611,"stddev":585.9,"var":343297.1,"ent":3.2,"data": [2220,34,85,2611,15,161,480,75,75,407,511,344,364,20,7,7,7,5,8,6,304,236,17,5,4,4,3,7,5,393,329]},"pktlen": {"min":97,"avg":1045.9,"max":1482,"stddev":592.8,"var":351417.0,"ent":4.7,"data": [1294,1294,766,1482,445,1482,225,97,97,481,97,97,225,1482,1482,1482,1482,1482,1482,1482,1482,97,1482,1482,1482,1482,1482,1482,1482,1482,97,1482]},"bins": {"c_to_s": [0,4,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0],"s_to_c": [0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,18,0,0]},"directions": [0,1,1,1,0,0,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02310{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746213653,"flow_dst_last_pkt_time":1643108746213782,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":55,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3681,"flow_dst_tot_l4_payload_len":28445,"midstream":0,"thread_ts_usec":1643108746213782,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":282.2,"max":2611,"stddev":585.9,"var":343297.1,"ent":3.2,"data": [2220,34,85,2611,15,161,480,75,75,407,511,344,364,20,7,7,7,5,8,6,304,236,17,5,4,4,3,7,5,393,329]},"pktlen": {"min":83,"avg":1031.9,"max":1468,"stddev":592.8,"var":351417.0,"ent":4.7,"data": [1280,1280,752,1468,431,1468,211,83,83,467,83,83,211,1468,1468,1468,1468,1468,1468,1468,1468,83,1468,1468,1468,1468,1468,1468,1468,1468,83,1468]},"bins": {"c_to_s": [0,4,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0],"s_to_c": [0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,18,0,0]},"directions": [0,1,1,1,0,0,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,1,0,1],"entropies": [7.859164715,7.830483913,7.691216469,7.861833572,7.535028458,7.857851028,7.014661312,5.904921532,5.971303463,7.551024437,6.091784954,5.908110142,7.010611057,7.856127262,7.862607956,7.865868568,7.851809502,7.870316029,7.876718044,7.846899033,7.842083454,5.832632065,7.868857384,7.869379997,7.866369724,7.853280067,7.852721214,7.849537849,7.868902206,7.856405258,5.923110962,7.879580021]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01164{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":923,"source":"quic-v2-01.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":34,"flow_dst_packets_processed":889,"flow_first_seen":1643108746209343,"flow_src_last_pkt_time":1643108746226518,"flow_dst_last_pkt_time":1643108746226632,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":5301,"flow_dst_tot_l4_payload_len":1267919,"midstream":0,"thread_ts_usec":1643108746226632,"l3_proto":"ip4","src_ip":"192.168.56.1","dst_ip":"192.168.56.198","src_port":34229,"dst_port":4443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC","proto_id":"188","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":923,"source":"quic-v2-01.pcapng","alias":"nDPId-test","packets-captured":923,"packets-processed":923,"total-skipped-flows":0,"total-l4-payload-len":1273220,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1643108746226632} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6072684 bytes -~~ total memory freed........: 6072684 bytes -~~ total allocations/frees...: 122431/122431 +~~ total memory allocated....: 6072820 bytes +~~ total memory freed........: 6072820 bytes +~~ total allocations/frees...: 122432/122432 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars -~~ json string max len.......: 2200 chars -~~ json string avg len.......: 1341 chars +~~ json string max len.......: 2315 chars +~~ json string avg len.......: 1392 chars diff --git a/test/results/quic.pcap.out b/test/results/quic.pcap.out index 6afadfd7f..31b65ff2f 100644 --- a/test/results/quic.pcap.out +++ b/test/results/quic.pcap.out @@ -5,7 +5,7 @@ 00953{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431155536815947,"flow_src_last_pkt_time":1431155536815947,"flow_dst_last_pkt_time":1431155536815947,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431155536815947,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.212.101","src_port":57833,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GMail","proto_id":"188.122","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"mail.google.com","quic": {"user_agent":"beta Chrome\/43.0.2357.45"}}} 01088{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1431155536861947,"flow_dst_last_pkt_time":1431155536815947,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":478,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":478,"pkt_l4_len":444,"thread_ts_usec":1431155536861947,"pkt":"ZHACjT05eJKcD6iOCABFAAHQHY9AAEARrNjAqAFt2DrUZeHpAbsBvNDyDbLeXfFPVUXrUTAyNAKdxuQD3gljSLhQUOfLRbUHNhGyhVA9b2u4w1RW9E4SCZCpycMJZccQCIwgTfygJ\/6u\/OxyXHQ8t9GsIUVpGN5BSEz\/EaopIjzG0oey+J14dhVaQT5clZ4hX2alMKUnKCpX2UHp8k4gIBE+BTaDbhx4sVltZ3YRbFd1slVBcwxCCDis9hGoXWyhcUU9TpSCvPXqyDIBYGsw8hGUNxjvWcC36dLiKPlQ1A++VHlkjzGxGsfgIrij15t0O6lgXxVbA\/HpW3G2ebAmsKraKCAnkkUtJl3AOI\/J2OljPOJ8ybsb8ihq0NT5yt7I6jw60az5CR6QV4lZS\/t+fQsKeKH0MrEQhH3b6f+BZUKI9uikSR4hfQxA8xYeMMFcn\/fjScjPTaUqPoQqgHKJPMZAaJaOIXR\/06t5\/mWN79wAQ5uIfj\/sSvnF2vA+Wg+Ct+7u2iMK\/1hOAY0\/EO0phnuWYuhnxN7rmjjYiKKpzjb+WYnzCHocgbS6q4u8VmchP8qd2Emms7CkStzYV\/CAUZKEnfSvajU\/RaVfjhz9giNrW3Dr5B1Mu7zIwMFBEg=="} 02320{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1431155536861947,"flow_dst_last_pkt_time":1431155536876004,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1431155536876004,"pkt":"eJKcD6iOZHACjT05CABFAAVi+w8AADYRFcbYOtRlwKgBbQG74ekFTrySAAED7yXOnwe7pFDDfekcKJR3Jy2sqO+OrEMBkrmlA5460PLSsQWLxQP3oiY5d8U9vyThqGCVEM5n\/b30dAd2DjWMikTcCyMma2f07JhYHF3MMGVgNWOe6MGYINMPJ609w8TfRzFDXO2Hv3Rd+Io3\/xrzZn4oPs6zhHI1yq2C3Bu04kRZDHQePoRj30\/8HvjxNKB4JiKyE+zKdMREBQ3JOi\/Z6sOIMbX9akogkYpnl7ng6wuSDWdU0O6S17QqQ\/PZNbWcKj10ybS4iwVQA0f8amB7S9uZIaouXNiBUNnVoBkvwUNJHLfYTkO7Lcrh9\/y6VuU0sUqC5BwPmW+2ikCeMngUD1xHT1Lx5xcuKKpYgNXg5fiz8miFT9HCjdjO6B4AMX2tdmMxafKWE\/OE83wkxbiDjermaqDLFN43iZrsa77dngVKSa0JOoliFCpsBQc+8MPNJciywBt2F7RgKowH2h+9Qk9ORQtDAbuXMpSiJJWSUWGURbG9ZouMcFzy3aCPhH9WEaiDxSqv5bG1C+4++Ap3JmLZGydHT1SxVwfUUCxHryOH1SJLcVb8wYjogx1ZyV2hUKKGb\/LTkrzKQgQmaow0b30+zmXo8EqAqNi+pbkwMCjRuhbpSGWkDycL5nwxuP9Ml3fkw+Nua2MwUp0EfcBQbRU9wNgqxQ9uJseySfgLNd277XFk6kBsEbZHLkwoqVC16i6UXqO9Bq9Qa6OSE4HmTd0ZK\/TJwTkvyZH7HArDOO\/IcXlmUhCYygfBL2Q5ZpNExxrN9hs9fyUTlDAy\/fKVbi1DmTvb8UQ08IKIHR88Yq94i78i11E4Ck+d\/mt1HMNvsgPj2pD+djmLPe2eSTH37Jk2vmFRiqCOpbpsl49D\/VP3D6Iqy69k4ASDn2RRISJtJTG3B4eSG0UcIyl51iCsWhHCXqo+IYYFVP5DZZddk8U1w9uBnJXeOg1TXZTOMI0ol6bS146IgKA69vbLEVfalKBSuGdHvDKyOMSnLak5kQ2gF6fQS9y3naenu5fopH54EXjO3jjfmTVJmGvZC\/P1NiZtWEgaqDhB2DugL5t17Tc3VwmJfqg+3eAVYWabEKtkMdIl3iArLACUUBNCZz1HkomKYV+WYy79+d13Y8v1fzFaFyLLqqM4eyurBPDRG\/+y1oiSpL+pmxwnbgxI3utzVErOYH+5lhn82g\/+Ii+SkdpS0RH4VCbqV\/v0Y4Y5Od4xYJhouL7GcBe5gBVDLL2wvDGN\/2TxDwPjLE+A3+O2Fa4G5F\/+gjnrsB0wdiL\/ilvOHsRXVpnfbw+QbFdGjFQzBh00mHjlv+hyldAVX6DRrmAyZqfHl4R8DYS3AwjxssPWDwDtSUMlQQpikBERZ9MMlFb4xTKRR\/wBi8a8Irtzx\/kIza\/1v2NJPtS13JBH+AEVAHqIKkeVWhalz8eieG0tc75G2spbagtiyakNL\/rq+i0PePLukIW0MDDsvi7O7dn\/0fwGspoErTl6j3PKwj7+sTyyEqAVRQx1M7OB+kmMDRumZ6Ct9DotkVa72qOqLha\/8xxMPobKOFlHa3535yRdBIpdRmga9bEYopLGGzkYHAzAiGpiXAo7oYF9gbpS7a5ciOCtFbOspMqjc6us7YE1Fk9eZR8mOK3nE7WlV4miQCj5Ye\/jSzjCwJgC1JXYSzigmV7HoFUEa9032KRB3TfddhJ9qY+MTGbbTrJ2h+zE2tLE+GlMJ43i68EjkXl4FQgRWpuP1j6L9IzE9WrKG1pRl60aGD77YrqqhZeBKTB3VaLzjU5uW3RnvxwpEMU20qKXXlS1"} -01750{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431155536815947,"flow_src_last_pkt_time":1431155545866860,"flow_dst_last_pkt_time":1431155545859249,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4333,"flow_dst_tot_l4_payload_len":4661,"midstream":0,"thread_ts_usec":1431155545866860,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.212.101","src_port":57833,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":583684.4,"max":3197585,"stddev":963931.8,"var":929164558336.0,"ent":3.4,"data": [46000,60057,14787,65380,2487,93393,168067,168088,622738,681338,42,58036,3119141,3197585,40,12,54064,25544,1951118,28580,2034695,28303,25,7,56884,470823,496378,2190158,2289756,44685,126004]},"pktlen": {"min":61,"avg":323.1,"max":1392,"stddev":382.9,"var":146578.8,"ent":4.2,"data": [1392,478,1392,79,74,725,82,725,79,214,508,70,82,194,170,69,101,82,79,255,163,77,71,240,61,88,215,79,1190,77,758,469]},"bins": {"c_to_s": [0,8,0,1,1,1,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [4,4,0,0,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1,0,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GMail","proto_id":"188.122","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} +02148{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431155536815947,"flow_src_last_pkt_time":1431155545866860,"flow_dst_last_pkt_time":1431155545859249,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4333,"flow_dst_tot_l4_payload_len":4661,"midstream":0,"thread_ts_usec":1431155545866860,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.212.101","src_port":57833,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":583684.4,"max":3197585,"stddev":963931.8,"var":929164558336.0,"ent":3.4,"data": [46000,60057,14787,65380,2487,93393,168067,168088,622738,681338,42,58036,3119141,3197585,40,12,54064,25544,1951118,28580,2034695,28303,25,7,56884,470823,496378,2190158,2289756,44685,126004]},"pktlen": {"min":47,"avg":309.1,"max":1378,"stddev":382.9,"var":146578.8,"ent":4.1,"data": [1378,464,1378,65,60,711,68,711,65,200,494,56,68,180,156,55,87,68,65,241,149,63,57,226,47,74,201,65,1176,63,744,455]},"bins": {"c_to_s": [0,8,0,1,1,1,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [4,4,0,0,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,0,1,0,1,1,0,1,0,0,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1,0,1,0,0,1,1,0],"entropies": [4.785362720,7.506221294,7.842458248,5.653138161,5.515064240,7.661302567,5.705106735,7.653655529,5.683907509,6.901843548,7.549375057,5.423249722,5.793341637,6.893099785,6.626470089,5.353907585,6.017427444,5.664593697,5.555222511,7.050589561,6.613369942,5.496887207,5.372109413,7.016873360,5.139485359,5.793843269,6.920541286,5.579985619,7.860387802,5.401647568,7.762588978,7.570559025]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.GMail","proto_id":"188.122","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 00558{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":414,"source":"quic.pcap","alias":"nDPId-test","packets-captured":414,"packets-processed":413,"total-skipped-flows":0,"total-l4-payload-len":237528,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1461850699450756} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":414,"source":"quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1461850699450756,"flow_src_last_pkt_time":1461850699450756,"flow_dst_last_pkt_time":1461850699450756,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1461850699450756,"l3_proto":"ip4","src_ip":"10.0.0.4","dst_ip":"10.0.0.3","src_port":40134,"dst_port":6121,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 02297{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":414,"source":"quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1461850699450756,"flow_dst_last_pkt_time":1461850699450756,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1461850699450756,"pkt":"OGO7P47K7LHXhMJyCABFAAViImxAAEAR\/xgKAAAECgAAA5zGF+kFThlmCfresOVX5pKgUTAzMwHak8zsp30I9q698IIAoAEUBUNITE8NAAAAUEFEAEwEAABWRVIAUAQAAENDUwBgBAAATVNQQ2QEAABQRE1EaAQAAElDU0xsBAAAQ1RJTXQEAABOT05QlAQAAFNDTFOYBAAAQ1NDVJgEAABDT1BUnAQAAENGQ1egBAAAU0ZDV6QEAAAtLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLVEwMzN7Junn5Fxx\/wHogWCSkhroZAAAAFg1MDlYAgAASxIiVwAAAADS+1vXZRZzJ1+rqmPJtznpSW1g7BCg2rfC01sXLNMkHQEAAABGSVhEAEAAAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} @@ -54,7 +54,7 @@ 00960{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":450,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463075953299562,"flow_src_last_pkt_time":1463075953299562,"flow_dst_last_pkt_time":1463075953299562,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463075953299562,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.210.206","src_port":35236,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"www.youtube.com","quic": {"user_agent":"Chrome\/50.0.2661.102 Linux x86_64"}}} 00960{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":451,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1463075953300127,"flow_dst_last_pkt_time":1463075953299562,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":387,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":387,"pkt_l4_len":353,"thread_ts_usec":1463075953300127,"pkt":"6HTmLPTkABlmWmaMCABFAAF1aTxAAEARYx3AqAFt2DrSzomkAbsBYbFkDby767UFbXetUTAzMAIyT2zFCwKRbjpW5pKGcwa\/zOYtI4ibM\/DXTo+3hM8QHjQop2VE57N\/4px1Dr2rh1Of6fuprsXKXOLDTQHDMOztLE0ibzNUs5cviwMINA8HUKs1w\/8wSCAJg+c5E0s64vzHKdQ5N4AY1I+whZj+YXv7QX9bQtyBCP0WJRsK41puLJyY\/5rYf1WXDzsnCxRRei33WDvMsb+MNKppe2kXK4Q1DqzsKviobjh+ZnTmMaJFKxfjljXwNv0dsW2Nhjh9NEpVNdRUHHe+L\/umz5nJPSc8m3xsZrs27PfAfYs3O4DQT7zrN+rUD1tvAlM6ojpuYBXQUKIqFg6jkPkLtz0lnT5ofUC3bxq1J8gFqtExK3aj\/kH0as9Y1tYZiRMdgBmqLNq1Ru6unJsdETbKAQha1+Pgo4qtxiVVhohC7TEjAQj3UwwRrwKowX6bUvpY"} 02310{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":452,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1463075953300127,"flow_dst_last_pkt_time":1463075953334920,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1463075953334920,"pkt":"ABlmWmaM6HTmLPTkCABFAAViGxkAADQR+VPYOtLOwKgBbQG7iaQFTgWwDLy767UFbXetARhGCjp5JYP2NRSCDQGAAVJFSgAHAAAAU1RLADwAAABTTk8AdAAAAFBST0a7AAAAU0NGR04BAABSUkVKUgEAAENTQ1RGAgAAQ1JU\/xIGAAAt19AYB5aaMKurHRM81LpDG06F1\/HgjIAXnLSYHoaRDG+YCx4gYrs3k43pE\/W5utsyegd0CLIV4fasqoZkRpVLMtnpS+sIRqrbfvgjIL2IUeZTlSGu\/7+bU4Z+Ij1vgEEcToZ\/00OYAYgC+05liNl+ov97hTBFAiBs6kS1HuLjC8x7gQEfBCOAowmjvDZU885lgtcWaGEy0QIhAPm+1mJq5QK6WHRPaEUwOfyND\/8ufeGnt66391Aj9lqnU0NGRwcAAABBRUFECAAAAFNDSUQYAAAAUERNRBwAAABQVUJTPwAAAEtFWFNDAAAAT0JJVEsAAABFWFBZUwAAAEFFU0dDQzIwWGClOjtYNIHfmiHJ0bGFX0NISUQgAACup8alaVf8gP6KOzle5pjmXvoOKgb+N2LRgB5dcX8Ka0MyNTUSxc3dEjis6kATN1cAAAAADQAAAADyAHcA7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo\/csAAAFUe1HMJwAABAMASDBGAiEAqHfzHEY9KN1QjXeaiZlcHt6ybhyDsnLIoo6e82Zg73ACIQCveMl0OwuTrVY5LqDcb5TIihLD6ZAJQlUDU68E5\/BK6AB3AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0RxM227L7MAAABVHtRyfMAAAQDAEgwRgIhAMWc6riI2T4lmoQuPyvTrFTQuoCnh6VaWJBNwHgCZloKAiEAiHJhhSnJcrUXaDEZQLClSBLKToA3CEOVFu+IPvrOhh4BAwHogWCSkhroAwAAAAN7Junn5Fxx\/wAAAAAA\/wYAAHi7c1AtxPvNxgAsudi+GzSx3oe04Tic2NatWf922kf0hhwVG1mgwsAMmIdMgPkF1p4zMDcyN7AwtgR1otKwWsXBw+UMTDdp+UV5mYmwBMnOw+ubX5pXAkpdYZmp5XB38SC7S9RAGOwuHh4tYJiChMGRGwkUZgf68ZwtsPnBAWYwM7IzOzGwvF91fdMNT2Ud1a7MlSledVlybaZOW\/IT25eYrq8qUp7OLmq33YHB9tcRfpb4rOn2rfYyM5bOl9xpdepuGi\/LiYsHpi9uYuk3aGLpJlSANTGD+wiCLE3MrkCOYxOKA5t4tfQS81KK8jPBDZ4mMSC3oCA1Lz0zLxVZmZCWXnJOfmkKspgYzCDdxLzEnMqSzORisDg3woJEZE5OEx+S1XqZeaj8rAJUfml2Ez+yU\/USi9AFStEEktBVJOejCeRWoAmUoGspy0Nyc0oqEie1GImTVoTEyShF4mSWIHHycpA4BSicElCgQjiJKcAiABJ4cMdARPKaRGACQNncVGCLAqxMECZalpmSmg8WAsVrcQmwYEwGaeNF4gEluYDcshJDJLYRmA00PTe1pAioClk10Chg2yUjE1xANQmAeDloMV+ZX1pSmpSqm5efnJ+fnQlPTFBxNGWpKaWQKhyWQICpJTcdzJGCJ7+czNS8kmJke7iRkyYLSH0TG1Aa2MZpEsGa9LiQkyyWYONC8hYXuGiGmMYBdqdeEjC6kT0ggs35SA0q9gaDDKRiOQZYsGgjFbjy0DKwIDsTyVf67p6O7kbgElUbqQyHKYYGgyGyDlC5jtTI273NV8E2Yd+C1ye2dnFOb2eeVW6ug9bQQS6rsfaMFCEtB2DVhdYd4WBjS2\/kARbTBgaQ"} -01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1463075953299562,"flow_src_last_pkt_time":1463075954259331,"flow_dst_last_pkt_time":1463075954259852,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3706,"flow_dst_tot_l4_payload_len":22849,"midstream":0,"thread_ts_usec":1463075954259852,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.210.206","src_port":35236,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":61937.4,"max":828641,"stddev":198595.2,"var":39440068608.0,"ent":2.0,"data": [565,35358,43,40485,132,24017,25957,16828,62,532,35459,51659,446,11,26638,25576,828641,25,803246,620,371,204,811,210,360,238,291,204,540,286,244]},"pktlen": {"min":75,"avg":871.8,"max":1392,"stddev":620.8,"var":385421.5,"ent":4.5,"data": [1392,387,1392,1392,1392,383,79,82,1392,75,75,85,1392,1392,1188,82,79,1392,1392,82,1392,1392,1392,82,1392,82,1392,1392,1392,82,1392,1392]},"bins": {"c_to_s": [0,8,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,16,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,1,1,1,0,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +02122{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"quic.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1463075953299562,"flow_src_last_pkt_time":1463075954259331,"flow_dst_last_pkt_time":1463075954259852,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3706,"flow_dst_tot_l4_payload_len":22849,"midstream":0,"thread_ts_usec":1463075954259852,"l3_proto":"ip4","src_ip":"192.168.1.109","dst_ip":"216.58.210.206","src_port":35236,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":61937.4,"max":828641,"stddev":198595.2,"var":39440068608.0,"ent":2.0,"data": [565,35358,43,40485,132,24017,25957,16828,62,532,35459,51659,446,11,26638,25576,828641,25,803246,620,371,204,811,210,360,238,291,204,540,286,244]},"pktlen": {"min":61,"avg":857.8,"max":1378,"stddev":620.8,"var":385421.5,"ent":4.5,"data": [1378,373,1378,1378,1378,369,65,68,1378,61,61,71,1378,1378,1174,68,65,1378,1378,68,1378,1378,1378,68,1378,68,1378,1378,1378,68,1378,1378]},"bins": {"c_to_s": [0,8,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,16,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,1,1,1,0,1,1,1,0,0,1,1,0,1,1,1,0,1,0,1,1,1,0,1,1],"entropies": [5.050794601,7.427186489,7.589700222,2.645882607,5.424244404,7.418235779,5.309068680,5.493865013,7.858019829,5.512544155,5.545331001,5.716576576,7.892964363,7.881204605,7.816042900,5.554157257,5.641524315,7.888419628,7.861907005,5.675695419,7.860325336,7.873119831,7.856549263,5.635182381,7.861664295,5.694005013,7.863921165,7.839401245,7.861547947,5.558049202,7.862613201,7.852869511]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00917{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":518,"source":"quic.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1463060980356958,"flow_src_last_pkt_time":1463060980457563,"flow_dst_last_pkt_time":1463060980449085,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":2740,"flow_dst_tot_l4_payload_len":2737,"midstream":0,"thread_ts_usec":1463075954300949,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"216.58.201.227","src_port":40030,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00868{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":518,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1463060980313862,"flow_src_last_pkt_time":1463060980404996,"flow_dst_last_pkt_time":1463060980377579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":81,"flow_src_tot_l4_payload_len":157,"flow_dst_tot_l4_payload_len":81,"midstream":0,"thread_ts_usec":1463075954300949,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.3","src_port":40461,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Google","proto_id":"126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00758{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":518,"source":"quic.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1463060980313862,"flow_src_last_pkt_time":1463060980404996,"flow_dst_last_pkt_time":1463060980377579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":37,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":81,"flow_src_tot_l4_payload_len":157,"flow_dst_tot_l4_payload_len":81,"midstream":0,"thread_ts_usec":1463075954300949,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"172.217.16.3","src_port":40461,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -73,9 +73,9 @@ ~~ total active/idle flows...: 10/10 ~~ total timeout flows.......: 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6065536 bytes -~~ total memory freed........: 6065536 bytes -~~ total allocations/frees...: 122103/122103 +~~ total memory allocated....: 6066896 bytes +~~ total memory freed........: 6066896 bytes +~~ total allocations/frees...: 122113/122113 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 2330 chars diff --git a/test/results/quic046.pcap.out b/test/results/quic046.pcap.out index 56994ffa7..dd077a3b4 100644 --- a/test/results/quic046.pcap.out +++ b/test/results/quic046.pcap.out @@ -5,7 +5,7 @@ 00969{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191933380,"flow_dst_last_pkt_time":1584456191933380,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1584456191933380,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"i.ytimg.com","quic": {"user_agent":"Chrome\/80.0.3987.132 Windows NT 6.3; Win64; x64"}}} 01213{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1584456191934367,"flow_dst_last_pkt_time":1584456191933380,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":574,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":574,"pkt_l4_len":540,"thread_ts_usec":1584456191934367,"pkt":"ILABHGh4AJqdnpsZCABFAAIwVxBAAIAROIfAqAHs2DrOVsWbAbsCHCGo01EwNDZQtKT59fQu3TkAAAAChrDGo43cDq7OAgdbv23GehH0jM01fB5SqCBHGsm4tNDoSAuylkVeyVU1nO51BVLZDdQpzNO9j8lf2o\/kFvxF1keBb1V8bWQbm4GDCTzD9DJbwk6JCzbiEHbQt2\/y4DufAauHa+qhpg6F7I1VBRA5chHzaHSfbKq18eEDQ2D7fby9uiPXDB6cfTGjCACXfFYXGo9zhyaFNtzZv4x3bPv04LGnwloRH845hLIF6d5Y+oKP0inx4RVaOxEjSkSubSvYLun8u1+DAfAvr3DdmGZRAp60H0VhNkgFDR0TK1bvdtwD\/6cndHRtyUINoQIRApDi1wb1MmCAOOvL7steTPHXY5nIkaq4iXTy+WyGwwX1EiuR+wqkWZoB8nUqj3ZqApzNfexl+c7aCawPzdHT3P5zDq7dSyz1wAkXCTveL49FopZWy\/uuB+P5RJbaGpw3CvzBYR4o98uBght36oYbWpopqUw9u0okr+r3kEm4Q75LZzqLS97VgZsNPml00CwyHuDEnhiPWf19O4H99TJdYurnXZ+SQi1Zt2RI1GgBrEOAj7V7V\/6W2VgqcYkPqL1UO6lW\/zp\/K8LZMma1gVsHh4jJ1oXnE7Qjtqi9Um0bkNgFqZBX1s4cYf2FTDL0Lgyu2DOK3ATmX6nv91Qh9\/msYcWCN59XOhhsFRlmXSuc2N2TzOTtWg=="} 00609{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1584456191934926,"flow_dst_last_pkt_time":1584456191933380,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":128,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":128,"pkt_l4_len":94,"thread_ts_usec":1584456191934926,"pkt":"ILABHGh4AJqdnpsZCABFAAByVxFAAIAROkTAqAHs2DrOVsWbAbsAXuOl01EwNDZQtKT59fQu3TkAAAADQ7oFqOGvWa6mhIUAfFpbpAofPEreEA\/GGklYOasxEedYwPIHZE9zXMBgbnX+9bPuSN5MQzRW31QsSe2iJHxiKYqGbP8="} -01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191967570,"flow_dst_last_pkt_time":1584456191967633,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4485,"flow_dst_tot_l4_payload_len":23197,"midstream":0,"thread_ts_usec":1584456191967633,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":176,"avg":2207.8,"max":29469,"stddev":6263.4,"var":39229868.0,"ent":2.6,"data": [987,559,560,557,592,573,584,606,710,21225,29469,423,216,240,242,250,248,254,253,253,237,265,240,242,256,252,6530,176,509,707,228]},"pktlen": {"min":62,"avg":907.1,"max":1392,"stddev":591.6,"var":350034.9,"ent":4.6,"data": [1392,574,128,201,199,199,200,199,205,202,1392,1392,269,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,70,62,1392,70,1392]},"bins": {"c_to_s": [2,0,1,0,5,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +02109{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191967570,"flow_dst_last_pkt_time":1584456191967633,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4485,"flow_dst_tot_l4_payload_len":23197,"midstream":0,"thread_ts_usec":1584456191967633,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":176,"avg":2207.8,"max":29469,"stddev":6263.4,"var":39229868.0,"ent":2.6,"data": [987,559,560,557,592,573,584,606,710,21225,29469,423,216,240,242,250,248,254,253,253,237,265,240,242,256,252,6530,176,509,707,228]},"pktlen": {"min":48,"avg":893.1,"max":1378,"stddev":591.6,"var":350034.9,"ent":4.6,"data": [1378,560,114,187,185,185,186,185,191,188,1378,1378,255,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,56,48,1378,56,1378]},"bins": {"c_to_s": [2,0,1,0,5,2,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,17,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,1,1,0,1],"entropies": [4.104627609,7.586378098,6.310873032,6.874300003,6.880319118,6.833760738,6.876335144,6.910101891,6.969146729,6.870172024,4.098705292,7.858126640,7.073942184,7.867921352,7.889789104,7.868343830,7.839922428,7.858704567,7.859090805,7.875567436,7.864448547,7.848357201,7.879473686,7.877913952,7.860894203,7.857960701,7.861531734,5.436729908,5.095174789,7.816503525,5.401014805,7.861771584]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00918{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":100,"source":"quic046.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":37,"flow_dst_packets_processed":63,"flow_first_seen":1584456191933380,"flow_src_last_pkt_time":1584456191984839,"flow_dst_last_pkt_time":1584456191986142,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":5170,"flow_dst_tot_l4_payload_len":81927,"midstream":0,"thread_ts_usec":1584456191986142,"l3_proto":"ip4","src_ip":"192.168.1.236","dst_ip":"216.58.206.86","src_port":50587,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":100,"source":"quic046.pcap","alias":"nDPId-test","packets-captured":100,"packets-processed":100,"total-skipped-flows":0,"total-l4-payload-len":87097,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1584456191986142} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038589 bytes -~~ total memory freed........: 6038589 bytes -~~ total allocations/frees...: 121588/121588 +~~ total memory allocated....: 6038725 bytes +~~ total memory freed........: 6038725 bytes +~~ total allocations/frees...: 121589/121589 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2307 chars diff --git a/test/results/quic_0RTT.pcap.out b/test/results/quic_0RTT.pcap.out index 2b22870a8..65dbe90f2 100644 --- a/test/results/quic_0RTT.pcap.out +++ b/test/results/quic_0RTT.pcap.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6061113 bytes -~~ total memory freed........: 6061113 bytes -~~ total allocations/frees...: 121558/121558 +~~ total memory allocated....: 6061385 bytes +~~ total memory freed........: 6061385 bytes +~~ total allocations/frees...: 121560/121560 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 2198 chars diff --git a/test/results/quic_crypto_aes_auth_size.pcap.out b/test/results/quic_crypto_aes_auth_size.pcap.out index d2da7a22e..c892dc5d7 100644 --- a/test/results/quic_crypto_aes_auth_size.pcap.out +++ b/test/results/quic_crypto_aes_auth_size.pcap.out @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6062263 bytes -~~ total memory freed........: 6062263 bytes -~~ total allocations/frees...: 121543/121543 +~~ total memory allocated....: 6062535 bytes +~~ total memory freed........: 6062535 bytes +~~ total allocations/frees...: 121545/121545 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 510 chars ~~ json string max len.......: 2349 chars diff --git a/test/results/quic_frags_ch_in_multiple_packets.pcapng.out b/test/results/quic_frags_ch_in_multiple_packets.pcapng.out index e8e5c6bd7..22c0be386 100644 --- a/test/results/quic_frags_ch_in_multiple_packets.pcapng.out +++ b/test/results/quic_frags_ch_in_multiple_packets.pcapng.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6060671 bytes -~~ total memory freed........: 6060671 bytes -~~ total allocations/frees...: 121533/121533 +~~ total memory allocated....: 6060807 bytes +~~ total memory freed........: 6060807 bytes +~~ total allocations/frees...: 121534/121534 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 520 chars ~~ json string max len.......: 2245 chars diff --git a/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out b/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out index 46148c25f..cde027802 100644 --- a/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out +++ b/test/results/quic_frags_ch_out_of_order_same_packet_craziness.pcapng.out @@ -655,9 +655,9 @@ ~~ total active/idle flows...: 113/113 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 7914402 bytes -~~ total memory freed........: 7914402 bytes -~~ total allocations/frees...: 125494/125494 +~~ total memory allocated....: 7929770 bytes +~~ total memory freed........: 7929770 bytes +~~ total allocations/frees...: 125607/125607 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 535 chars ~~ json string max len.......: 2387 chars diff --git a/test/results/quic_interop_V.pcapng.out b/test/results/quic_interop_V.pcapng.out index d57081bcf..57e71ed83 100644 --- a/test/results/quic_interop_V.pcapng.out +++ b/test/results/quic_interop_V.pcapng.out @@ -406,9 +406,9 @@ ~~ total active/idle flows...: 77/77 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6806039 bytes -~~ total memory freed........: 6806039 bytes -~~ total allocations/frees...: 123822/123822 +~~ total memory allocated....: 6816511 bytes +~~ total memory freed........: 6816511 bytes +~~ total allocations/frees...: 123899/123899 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 501 chars ~~ json string max len.......: 2224 chars diff --git a/test/results/quic_q39.pcap.out b/test/results/quic_q39.pcap.out index 4eaad5ea0..eaa350014 100644 --- a/test/results/quic_q39.pcap.out +++ b/test/results/quic_q39.pcap.out @@ -5,7 +5,7 @@ 00972{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509098995610775,"flow_dst_last_pkt_time":1509098995610775,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1509098995610775,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"s.youtube.com","quic": {"user_agent":"com.google.android.youtube Cronet\/63.0.3223.7"}}} 02038{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1509098995619706,"flow_dst_last_pkt_time":1509098995610775,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1174,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1174,"pkt_l4_len":1140,"thread_ts_usec":1509098995619706,"pkt":"AAAAPJ7rSEb7OSWDCABFAASIpypAAD8RBxGq2BDRFZ2345bcAbsEdFQcDeca1dd1bE1NUTAzOQJfXHZ4r4NHY5hNEdjLP+5ayCAfN4aRrJwcGbvr9Ig30\/shURCI87o6EE5x2r0qaxNPy9ijcArYvwm83T\/uUNOwvPrQL1kQ63P7NcdMjvNaDrlFf0DGfuOc7NBPTTXBkaePu98lEtAf3wsOApXg5IhtfmWdfKrgEpCXWFWsxttw6C4\/lCwJqkUGaOjHW5OhnY9r8qCDBdkX4XN\/4WmFW6nWq\/XYAKSy+w3zKPd0+LJKlxsYwrzgGV2rjQwmb93iv1FFvCzNy4lqNoUoMblenytDJV5TJvGYH4s+\/7AX7HDhbJj+lIeaRA3g7dV3H3kgoU\/SpbsdOzy0YVY6Bp9yZermraiyHURn7bAotygD2Vp7YwNcdNEG9BU3funEay5GDjyBK1j66ZDJgNXirLZjzse1+VcJnT0WzMubicwvU30jDw+McSt9Bti6\/gP9FAz9\/lD31IeL8vackSc4lx75mviO5HS6BA\/NqsjQ9B8m4Ji2diYR80xUpIbgdFQiU+oifhm6+LGlaffXf5zfdWBFidIfld\/b7JT3SCK0xn1oi2TKxI8Oroqc4ijms7JGelhl0fef2CpmP0WCIT2YgyU6YwvWa1W7lII+N1ZbTeUAByGqF1QhTf5cSKd79GJRi+dbNY7B3Wj4KJv9v8GAF7TKwPiEZdDEpbOPHL\/FjvVpM04y5hU8HR+06oyFgTK1\/6hdbKNXNH9cJjr2nmUmezntPWc2AFfXM+e\/7E1fv7zcT4Kq1YOLXr9\/RjJvDNQoj81czTWLgfREm6KUrj\/r6fSbFJFnhuScfBlR9k2Pc7b3lIEZb0KXGhxHCyB1J7D8gUoqDhJYFGV+VkGVNhJpozvYPJ8ykH\/Y41HD8nsSDL9iDj9URAxCKHefDlX7Pwz6OhBfkcIZAyY3zG\/w9rr4x0Pl7U6qcsdZ1MBpDJ9qjugA+Tt8C4JpvLxNAR0kx92LyFnt3BYr58WDPwTbktI01oxzKDO5QfY46azjmnqJ+Or2LI93bDxwCMYKsLGAmehhGKZad4Iy8CQig4MBQDG0NMhHKAI6+BaplljmUnDnEalyg57\/03tWWLR4CQIYoKQ9N\/\/fDmFtkFJjraB0A767qxG7Cy8Linc3qzCa86538v6kM371bSCg\/XlL+EWzVEgq8MNOp+Kf2xPBIqWXFiVMGJ1GcpQwm6iQItRpY+85J5+RUK5X+3OW5ex3EYIjJUr+g2x3sFkDiuAsaRHgrjj6WnNpOZnghw1uaYp+E3H8VPrRSwSKqch7lieJx+ojtBtD\/W9etVSxGJeGD7lz+4wIhuht4d\/jcmgefkRDKcrraaR9azCKs\/kbJ\/PpVxbRsVvTZyAXgG+ABf\/0Dt+UshFkLro\/tuKww4FrErwElInQ+88Azyk3w8tcu1AYrDqSPj2BvjSRVwl0PO7TtbVWqgcuYET3exljbs22Rr5eyEoiPXhNZMDC79zLn441b43FrUKvwSHTJR\/j33VYKbaP4oVCvb26Vw=="} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1509098995619706,"flow_dst_last_pkt_time":1509098995647453,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1509098995647453,"pkt":"AAAAPJ7rSEb7OSWDCABFAAA\/AABAADgRuYQVnbfjqtgQ0QG7ltwAKyQ\/COca1dd1bE1NATKbKH1UbNEn\/TIU5EABJEsBAQAAAAANBgA="} -01760{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509099004752497,"flow_dst_last_pkt_time":1509099004382425,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":14377,"flow_dst_tot_l4_payload_len":2074,"midstream":0,"thread_ts_usec":1509099004752497,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":577850.7,"max":6514643,"stddev":1531988.4,"var":2346988339200.0,"ent":2.7,"data": [8931,36678,89781,7,404130,1367,298294,119221,31,434781,6185342,12819,6514643,11351,11378,22730,702601,702694,435266,435159,11351,11442,16019,15861,397203,9235,397732,33897,93428,52,499948]},"pktlen": {"min":60,"avg":556.2,"max":1392,"stddev":603.7,"var":364512.4,"ent":4.1,"data": [1392,1174,77,1392,73,83,83,72,305,60,83,270,1392,78,1392,1392,75,1392,74,1392,76,1392,76,1392,76,1392,730,76,76,104,60,98]},"bins": {"c_to_s": [0,4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,9,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,0,1,1,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +02158{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509099004752497,"flow_dst_last_pkt_time":1509099004382425,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":41,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":14377,"flow_dst_tot_l4_payload_len":2074,"midstream":0,"thread_ts_usec":1509099004752497,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":577850.7,"max":6514643,"stddev":1531988.4,"var":2346988339200.0,"ent":2.7,"data": [8931,36678,89781,7,404130,1367,298294,119221,31,434781,6185342,12819,6514643,11351,11378,22730,702601,702694,435266,435159,11351,11442,16019,15861,397203,9235,397732,33897,93428,52,499948]},"pktlen": {"min":46,"avg":542.2,"max":1378,"stddev":603.7,"var":364512.4,"ent":4.1,"data": [1378,1160,63,1378,59,69,69,58,291,46,69,256,1378,64,1378,1378,61,1378,60,1378,62,1378,62,1378,62,1378,716,62,62,90,46,84]},"bins": {"c_to_s": [0,4,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,9,0,0,0,0,0],"s_to_c": [4,10,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0]},"directions": [0,0,1,1,1,0,0,1,1,1,0,0,0,1,0,0,1,0,1,0,1,0,1,0,1,0,0,1,1,1,1,0],"entropies": [4.179285526,7.832315445,4.966748714,7.846248627,5.380072594,5.640916824,5.720768929,5.299251080,7.336034775,4.816403389,5.818665504,7.074090958,7.867320538,5.431150436,7.827050686,7.874505997,5.477433681,7.859999657,5.412702084,7.863677979,5.373553276,7.855113029,5.379174232,7.856376648,5.502585888,7.846080780,7.718618870,5.508206844,5.470327377,6.029057026,4.816403389,5.969577789]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00920{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":60,"source":"quic_q39.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":27,"flow_dst_packets_processed":33,"flow_first_seen":1509098995610775,"flow_src_last_pkt_time":1509099044522763,"flow_dst_last_pkt_time":1509099044559423,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":18965,"flow_dst_tot_l4_payload_len":2686,"midstream":0,"thread_ts_usec":1509099044559423,"l3_proto":"ip4","src_ip":"170.216.16.209","dst_ip":"21.157.183.227","src_port":38620,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":60,"source":"quic_q39.pcap","alias":"nDPId-test","packets-captured":60,"packets-processed":60,"total-skipped-flows":0,"total-l4-payload-len":21651,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1509099044559423} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037427 bytes -~~ total memory freed........: 6037427 bytes -~~ total allocations/frees...: 121548/121548 +~~ total memory allocated....: 6037563 bytes +~~ total memory freed........: 6037563 bytes +~~ total allocations/frees...: 121549/121549 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2306 chars diff --git a/test/results/quic_q43.pcap.out b/test/results/quic_q43.pcap.out index 71b1d2eb8..a32fcf19a 100644 --- a/test/results/quic_q43.pcap.out +++ b/test/results/quic_q43.pcap.out @@ -14,9 +14,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035699 bytes -~~ total memory freed........: 6035699 bytes -~~ total allocations/frees...: 121489/121489 +~~ total memory allocated....: 6035835 bytes +~~ total memory freed........: 6035835 bytes +~~ total allocations/frees...: 121490/121490 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2306 chars diff --git a/test/results/quic_q46.pcap.out b/test/results/quic_q46.pcap.out index 8e47a0dca..b96a00f2a 100644 --- a/test/results/quic_q46.pcap.out +++ b/test/results/quic_q46.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036265 bytes -~~ total memory freed........: 6036265 bytes -~~ total allocations/frees...: 121508/121508 +~~ total memory allocated....: 6036401 bytes +~~ total memory freed........: 6036401 bytes +~~ total allocations/frees...: 121509/121509 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2321 chars diff --git a/test/results/quic_q46_b.pcap.out b/test/results/quic_q46_b.pcap.out index ad660f745..259c76da3 100644 --- a/test/results/quic_q46_b.pcap.out +++ b/test/results/quic_q46_b.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036267 bytes -~~ total memory freed........: 6036267 bytes -~~ total allocations/frees...: 121508/121508 +~~ total memory allocated....: 6036403 bytes +~~ total memory freed........: 6036403 bytes +~~ total allocations/frees...: 121509/121509 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 2402 chars diff --git a/test/results/quic_q50.pcap.out b/test/results/quic_q50.pcap.out index 0d4c6c832..697f61396 100644 --- a/test/results/quic_q50.pcap.out +++ b/test/results/quic_q50.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046582 bytes -~~ total memory freed........: 6046582 bytes -~~ total allocations/frees...: 121527/121527 +~~ total memory allocated....: 6046718 bytes +~~ total memory freed........: 6046718 bytes +~~ total allocations/frees...: 121528/121528 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2329 chars diff --git a/test/results/quic_t50.pcap.out b/test/results/quic_t50.pcap.out index c67c474f3..5d83c8b3d 100644 --- a/test/results/quic_t50.pcap.out +++ b/test/results/quic_t50.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046369 bytes -~~ total memory freed........: 6046369 bytes -~~ total allocations/frees...: 121521/121521 +~~ total memory allocated....: 6046505 bytes +~~ total memory freed........: 6046505 bytes +~~ total allocations/frees...: 121522/121522 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2338 chars diff --git a/test/results/quic_t51.pcap.out b/test/results/quic_t51.pcap.out index f7b96d09d..08e2d3ff0 100644 --- a/test/results/quic_t51.pcap.out +++ b/test/results/quic_t51.pcap.out @@ -5,7 +5,7 @@ 01167{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620434413428,"flow_dst_last_pkt_time":1598620434413428,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1598620434413428,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","quic": {"user_agent":"dev Chrome\/86.0.4240.9 Windows NT 6.1; Win64; x64","tls": {"version":"TLSv1.3","ja3":"92e76078d514999cd950474995dab2b5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h3-T051","tls_supported_versions":"TLSv1.3"}}}} 02325{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1598620434413428,"flow_dst_last_pkt_time":1598620434419300,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1598620434419300,"pkt":"AAAAAAAAAAIA\/tPQCABFAAViAABAADcRkr3T95Nau+OImAG72DwFTvx1wFQwNTEACP+UFbWwBYYNAEU0cA7ob5DRu6SNsqDMEz7qri8UnfijZV8Hhw\/oxky0x+Zt0s6erWm7kWn2+1owrYTdI9p89OpW\/6ptpwv9v0J5BjJyyLuuQ7qMgzGXDs2ur++juUsUpOdkAs5K5BYVfQAmPmXEGyVgmyCeUg1T7Vj6FslmnDV909IngQqr2X3bAL3as4fB8O0bAq64I2nnjXRSsXtOF+WecFDOIkhsUozc+8M2nJh6kczAN6BO7Q6B24T4pTF7f\/SWotAh0wmioZGWvmsK3tbjrCGONmSc7G6EA+eCMtEUY\/yq8VyKOSmIHald\/L7JGCPyNYCQuoSWiWNaW\/I+iZ2Tm83YJ0ULZZc8urwFDYH3aj1AkglwflqENARW1+\/0Wgf8CdNT18FiabAis+X7vPL\/K0rfVmIy72rlRNRfOG7y7nzx1KwQOQc8aCVF3CWYU+Lmd10cKRMsTRDen+t7CfJT6D6czKmRS9zHy8defw2VL+sr4ea6knMol1lydS5om9MxXCYpqegXuWZiFTSbzJvhE4RaqOqWqlC3CyDO4ySp0wcYRr6Xiz\/ypHsBLBgujZNocUdxB92srmLhWvU+EKXNqnvn4sN9tP\/B4VI81UNJfpKqafd5TbC3xVerPG2FpOE4rg1k2rQi9r6v1+PQ\/d3R0LlFcbJ1hI9fgnNKZUfeIejFNzw84ZCPAGKEZF9DRij\/q7+ynKTHsKprl5SyrzqmDatgR6jPni4YdUIipVxz2xAMDSfgGHJudxWet0g70XvUgRUnZwnINCVHKug\/Cwaar4s1XCM8uhzoEef40bHIf\/1cPPikcn5BGvUj0yq5vKOgKlUAn1Pgd3RmxD4udRVK4hr3Qq2qz0yzGHjPkF5V31PdO+LbljCDil0atM9nNzYRQDTxXIy4ROBhbRF0GC5xxy\/5G1Z3EVEXnUgV7cKAoSoRYsJk+ehBddHi\/2\/aZLTP9GUgaj03e1ZAUqg\/pLbgzkOggtkBYwlEystem00J3RiW59azSXPWDzpQD37GvUqWpvchJjuAPROhp0eQOeyP6Sm5m8Ha1f9MDT\/mDWqN\/iBuFORPOJebKiYDmtBTotFqfXW1txgynw6EHUJzSE+pl4MdTTWGiKeLLjK6VcgkjK3QCvZi2YAV34jHwjHZGw2P\/U6KrMCfYoKLgcta7eGwEJgt1TEOATVA86YdSNrUK8Cm6qplxo7u2vCTdHfHERZHXlWiV5V+M6yg8jJ+w71hYe+9QRnWDWxxhFwqS3Rom5NgfL3qyZPAg7B0TvVcGC3k1t2hVxdIBJT1YLB9P8xcq205KojLAkrnJ6A03YtC2cE+\/GfTI6rrSdcn22uQHH1uwQgPFlvo5F8SRGnmtqbBCoQkhDA10opFpEUHAKVRysF1xT\/NgfiMQHD+An4IrPRfuv9gDg0rUkwJww22wh5gLlRkZ\/Syy5BClTzH9Eje2q1QlkG4NyNIdxlgTeTWfrV+owYm4Q+FXDFSqiziTTjYt929oBaNekN7DaLZNKBHzE9aRpnZjKaGJOIkilbSRnfMsOP+KhOdyxkYqJB7lgyVuE7zA+Cs6QfiNfeFBdysqGJcMLaCJe1XQZYseYZCHv9I1fYRd7rHJDJ5TLxG9ZoKBvyy9qAFruCnQdJM3kRJUF0ZdxtTsL1YtSrJYqn3hcGRfsN64Wu2ioNCdgwzJ\/IOr225URP0O\/yfvAjNTo393KgekGIplrSAr2vqB7j6oyQmlBJgPRuYDzTKmIMBKNHRY+Gk4U31TV\/ldcN5g5htDYX20DA3i7tEfKzfbUYY"} 02326{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1598620434482713,"flow_dst_last_pkt_time":1598620434419300,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1598620434482713,"pkt":"AAAAAAAAAAgAH83gCABFAAViXl9AAH8R7F2744iY0\/eTWtg8AbsFTtamzVQwNTEI\/5QVtbAFhg0AAEU0KsIg8w2st8fMy25uq6gsPA7KRO4wWARaQxn0e+nvMAG\/ncVOK2\/1iV8zM1GT+gj2yfRnYitTLViCwPF0TV0R7p64xnLqwrHTiNaW89JgMAHQze00LP7FiTbOvqpo5S+7AzCO4J36LH8gasnIPNye5ytyGP9hxarM0Gwv6wB1BKIgh6Hfi9vN\/Jaq\/hKaWtnsFyqFx21T1U0YmQzCOhcYGHZNHNGEmxqlfOiET0cy7A2zooythTNQBScefWz4fyugA0KO5z5EPbOCuLPnOhJ8u0jAA5snZ9Av4lfTCNurCTo\/b96gqEMXFCAN6kklskS6mSW1P2yxo93FRN9w3VFPyMe8m7WnAxPUMrijM3bZFrpYXz6N3LoSvj\/7t1mbaz3Ew6W7CCET2\/vUPuty0yYuKN9hlZRGZDAOI7p7UV84zBa3MKUoIB90BBwtqXlv\/AcyfRFhSrAf1TPDIen8IRojBr5qTqwwDIcvMREVIsmeXYDDAIh87njz+3l6UiC0r72z0Vz8KlwPmvyd1tNbK4UoVu5yliqV7BzHAT0P+flRjAVL+Vtw\/1eTO0KLmizThDqycqyAF1MjS6cC4BRlgBDuBvC7oqizuHTk4JOICP+TLa71t9U0MO4SvptmKRFy9UA159ziHHDRbAhIzzVEm+HGxTjT93PUzlkT4beWAgYYW5swcH8m2E+qX\/jfh4l+RAJ7s1FC99eqQD\/G2qHKz49sTvtw3eknSSHiADw1dFNDiGytHeAJqgKsYZ6xbxYgMT8vQQJWpcCaoPnc1R\/36QBSKDfO0Ei6I0Nk2Twp2jW7ybYg3WV9zcO8mcO+t2rUANioNNaghKiQ6\/\/kCvnfaOZl9\/nMaaP8oRI80YNnM3bBLePCUoIodPlfRsS+qRORwVaYVbmTkVd+7OOE68KIf+CtQJzWPG1I9szX6EUokwcVW4JeKB3DLXSgUJqbrCp8nB5Gt1Xl+DVmAWNn0zlmAkUkIYwVaRlUBt12nmZM5GfCFjeNYwyxKhMtco0zqNoFh6GPimEo\/HJoIaculB01PGh4MlKE33m6lcbQnV2mcjQy9+X6G7gJAvssvNVim+h2CyUIa0AFnvBEp0BZ0LQBw4xxW1+LO+851oEKlpBHf2CaPTJQbQ3lYLcFUbbZ7WxtncvtHzy\/SI9UgKeWcagnCcsYLbPsnPnloEl6cnUj6vnGVoFZ0zI4TVPk88\/biBoFXX37AYSAsISWoXJh5fdyK7Ub3uTshAtqeqBBTUeUFjb5Aj4cdCLyefeqdX7eVX7iolZTDjMHw6WHcQg9j8QT5ZehE6eQ3EWBv\/dyJkxi+P\/\/5RRqzAOol5xZb6h4LuhsvzWHQihAaP9MzFNZJKsrSoe\/spLPEQi09YKZ53xMfFjPTNozP7awNtIb6QltDJNIByFfslEQklWBp3nSDDraHwFBspLwhrXO\/4KJq80I0e6UvL2AGkUJ3WcnYVtrSbxxk4APJ7JesOtrVvfG0zUeYMWMSCdfwkF4KodqZGtJ3QATjzBea+nTD5uHk34dDyJnSJKk0ILq0jIFLho8LlWIyJH4QOXOz4qaWrv1Yq7zohspvZk7qqBfzWtq9nyRWQ1TZln6OTuRj1nSwDkH3Qwyv3P3ftVCIjgLduzJ1KxoPir\/gAp5xz8YWBMXoD3IJzkv\/PGQNpizq54tSdx\/+EwNQ0FXkMrTDVKVITAuSnBIkg9sH6JW+WpNYsbAPv3JnEFyzt8fIeM\/r0Qmf+N6zxgE9jaSg9C2Ue6YSiQO2VAdyYTxTvnFaxwR"} -01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620467988515,"flow_dst_last_pkt_time":1598620467941031,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4666,"flow_dst_tot_l4_payload_len":8428,"midstream":0,"thread_ts_usec":1598620467988515,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":2164602.8,"max":19582580,"stddev":5209676.0,"var":27140724621312.0,"ent":2.5,"data": [5872,69285,110768,19,33,113561,2317,5835,79981,27,46402,10090862,10162287,246207,1361,7,331600,26165,19472426,19582580,120230,670,167,185037,26475,2999498,3090044,125889,1350,111,205624]},"pktlen": {"min":67,"avg":451.2,"max":1392,"stddev":500.3,"var":250315.8,"ent":4.2,"data": [1392,1392,1392,1392,1392,1254,83,83,115,68,658,75,1003,67,682,68,313,75,75,511,67,734,68,151,75,75,225,67,470,68,273,75]},"bins": {"c_to_s": [0,8,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [7,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,0,1,1,1,0,0,0,1,1,0,0,1,1,1,1,0,0,0,1,1,1,1,0,0,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02160{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620467988515,"flow_dst_last_pkt_time":1598620467941031,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4666,"flow_dst_tot_l4_payload_len":8428,"midstream":0,"thread_ts_usec":1598620467988515,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":2164602.8,"max":19582580,"stddev":5209676.0,"var":27140724621312.0,"ent":2.5,"data": [5872,69285,110768,19,33,113561,2317,5835,79981,27,46402,10090862,10162287,246207,1361,7,331600,26165,19472426,19582580,120230,670,167,185037,26475,2999498,3090044,125889,1350,111,205624]},"pktlen": {"min":53,"avg":437.2,"max":1378,"stddev":500.3,"var":250315.8,"ent":4.1,"data": [1378,1378,1378,1378,1378,1240,69,69,101,54,644,61,989,53,668,54,299,61,61,497,53,720,54,137,61,61,211,53,456,54,259,61]},"bins": {"c_to_s": [0,8,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [7,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,0,1,1,1,0,0,0,1,1,0,0,1,1,1,1,0,0,0,1,1,1,1,0,0,0,1,1,1,1,0],"entropies": [7.869323730,7.856849670,7.844151974,7.845833778,7.865318298,7.844552517,5.639471054,5.726426601,6.218957901,5.208410263,7.701806545,5.635654926,7.814414501,5.246605873,7.688014030,5.353935242,7.329473972,5.701228619,5.602868080,7.546798706,5.284341812,7.731115818,5.282484531,6.512764931,5.557705879,5.570081234,6.968918324,5.284341812,7.518057823,5.231468201,7.265197754,5.557705879]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00930{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":205,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":72,"flow_dst_packets_processed":132,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620488484485,"flow_dst_last_pkt_time":1598620488458891,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":8772,"flow_dst_tot_l4_payload_len":133705,"midstream":0,"thread_ts_usec":1598620488484485,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":642,"source":"quic_t51.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":171,"flow_dst_packets_processed":471,"flow_first_seen":1598620434413428,"flow_src_last_pkt_time":1598620524479693,"flow_dst_last_pkt_time":1598620524442441,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":21835,"flow_dst_tot_l4_payload_len":524919,"midstream":0,"thread_ts_usec":1598620524479693,"l3_proto":"ip4","src_ip":"187.227.136.152","dst_ip":"211.247.147.90","src_port":55356,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":642,"source":"quic_t51.pcap","alias":"nDPId-test","packets-captured":642,"packets-processed":642,"total-skipped-flows":0,"total-l4-payload-len":546754,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":1,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1598620524479693} @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6064642 bytes -~~ total memory freed........: 6064642 bytes -~~ total allocations/frees...: 122151/122151 +~~ total memory allocated....: 6064778 bytes +~~ total memory freed........: 6064778 bytes +~~ total allocations/frees...: 122152/122152 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2331 chars diff --git a/test/results/quickplay.pcap.out b/test/results/quickplay.pcap.out index 2c4b3628a..bfe3d122a 100644 --- a/test/results/quickplay.pcap.out +++ b/test/results/quickplay.pcap.out @@ -63,7 +63,7 @@ 01111{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":36,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1429000054688452,"flow_dst_last_pkt_time":1429000054555518,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":500,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":500,"pkt_l4_len":464,"thread_ts_usec":1429000054688452,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAAeRjvEAAPwaG4wo2qfp4HCMoyykAUHABs6PLUc5cUBgk\/ZRuAABHRVQgL3NlZy92b2wxL3MvV2FybmVyL3FwbWV6emhhd2tkaWdpdGFsY29udGFnaW9uMjA1NDAzM2ZlYXR1cmVlbmdsaXNoMjBsdHJ0MjM5NzZmcHM3ODM0MTkyLzIwMTUtMDItMDIvU1RWODBSMTkyL3FwbWV6ei1IYXdrX0RpZ2l0YWxfQ09OVEFHSU9OXzIwNTQwMzNfRkVBVFVSRV9FTkdMSVNIXzJfMF9MVFJUXzIzOTc2ZnBzXzc4MzQxOTIubTJ0X1NUVjgwUjE5Mi0wMDIxLnRzIEhUVFAvMS4xDQpIb3N0OiB2b2Qtc2luZ3RlbGhhd2sucXVpY2twbGF5LmNvbQ0KQ29ubmVjdGlvbjoga2VlcC1hbGl2ZQ0KVXNlci1BZ2VudDogTW96aWxsYS81LjAgKExpbnV4OyBBbmRyb2lkIDQuNC40OyBNSSAzVyBCdWlsZC9LVFU4NFApIEFwcGxlV2ViS2l0LzUzNy4zNiAoS0hUTUwsIGxpa2UgR2Vja28pIFZlcnNpb24vNC4wIENocm9tZS8zMy4wLjAuMCBNb2JpbGUgU2FmYXJpLzUzNy4zNg0KDQo="} 00792{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1429000054595190,"flow_dst_last_pkt_time":1429000054967566,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":261,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":261,"pkt_l4_len":225,"thread_ts_usec":1429000054967566,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPUEEkAArQbHccvNgWUKNqn6AFCnCorJCJ8MOwSFUBgII8UCAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ3DQoNCn5fAAAAAFUr0H3fAhACF0hkbD5sDN+EgwDvBAYGAAAXudj2eCNNjv4Uv\/n42\/lx"} 00791{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":38,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1429000052350287,"flow_dst_last_pkt_time":1429000055158240,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":261,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":261,"pkt_l4_len":225,"thread_ts_usec":1429000055158240,"pkt":"AAACEgAAAAAAAAAAAAAIAEUcAPUJYkAArAas5svNl6AKNqn6AFDWZdcfCppPknoiUBkIIrzXAABIVFRQLzEuMSAyMDAgT0sNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KQ29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsgZmlsZW5hbWU9bWljcm9tc2dyZXNwLmRhdA0KQ29udGVudC1MZW5ndGg6IDQ3DQoNCn5fAAAAAFUr0H3fAhACF0hkbD5sDN+EgwD\/BAgIAACTADJ0e1hwz8xBqPPud44t"} -01831{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1429000052217627,"flow_src_last_pkt_time":1429000090450568,"flow_dst_last_pkt_time":1429000090229285,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":444,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":8360,"flow_dst_tot_l4_payload_len":10852,"midstream":1,"thread_ts_usec":1429000090450568,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.35.40","src_port":52009,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":182557,"avg":2459503.2,"max":5871155,"stddev":1331263.2,"var":1772261736448.0,"ent":4.7,"data": [2337891,2470825,5776550,5871155,324615,2084534,1689148,182557,2170257,2013275,645600,519622,2223724,2353455,480927,4401947,3911834,3909668,3936554,2356476,2338349,2619995,2626526,2264068,2270477,2391541,2349518,2604523,2641967,2224884,2252137]},"pktlen": {"min":76,"avg":656.4,"max":1456,"stddev":347.9,"var":121006.6,"ent":4.8,"data": [500,1456,500,240,585,502,1248,585,502,854,587,76,504,1268,585,502,158,502,658,502,1124,502,1208,502,348,502,1456,502,962,502,580,502]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,13,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,1,2,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":17,"category":"Streaming"}} +02230{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1429000052217627,"flow_src_last_pkt_time":1429000090450568,"flow_dst_last_pkt_time":1429000090229285,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":444,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":531,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":8360,"flow_dst_tot_l4_payload_len":10852,"midstream":1,"thread_ts_usec":1429000090450568,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"120.28.35.40","src_port":52009,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":182557,"avg":2459503.2,"max":5871155,"stddev":1331263.2,"var":1772261736448.0,"ent":4.7,"data": [2337891,2470825,5776550,5871155,324615,2084534,1689148,182557,2170257,2013275,645600,519622,2223724,2353455,480927,4401947,3911834,3909668,3936554,2356476,2338349,2619995,2626526,2264068,2270477,2391541,2349518,2604523,2641967,2224884,2252137]},"pktlen": {"min":60,"avg":640.4,"max":1440,"stddev":347.9,"var":121006.6,"ent":4.8,"data": [484,1440,484,224,569,486,1232,569,486,838,571,60,488,1252,569,486,142,486,642,486,1108,486,1192,486,332,486,1440,486,946,486,564,486]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,13,1,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,1,0,0,1,2,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [5.927153111,7.868373871,5.963050365,7.051006317,5.916583061,5.928764343,7.836061001,5.947601795,5.927013874,7.735056400,5.960254192,4.985874176,5.956949711,7.848547459,5.950881958,5.944071770,6.557918549,5.946902752,7.695936680,5.966873169,7.840433598,5.939571857,7.838245869,5.963761330,7.329223633,5.943363190,7.857814789,5.947385788,7.759774208,5.933074474,7.621943474,5.938513279]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":17,"category":"Streaming"}} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1429000110390234,"flow_src_last_pkt_time":1429000110390234,"flow_dst_last_pkt_time":1429000110390234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":625,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":625,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":625,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1429000110390234,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.147.215","src_port":35670,"dst_port":80,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 01356{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1429000110390234,"flow_dst_last_pkt_time":1429000110390234,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":681,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":681,"pkt_l4_len":645,"thread_ts_usec":1429000110390234,"pkt":"AAQCEgAAAAAAAAAAAAAIAEUAApm620AAPwZqrgo2qfrLzZPXi1YAUBkYU+pems3wUBgAbqLPAABQT1NUIGh0dHA6Ly9oa21pbm9yc2hvcnQud2VpeGluLnFxLmNvbS9jZ2ktYmluL21pY3JvbXNnLWJpbi9ydGt2cmVwb3J0IEhUVFAvMS4xDQpBY2NlcHQ6ICovKg0KQ2FjaGUtQ29udHJvbDogbm8tY2FjaGUNCkNvbm5lY3Rpb246IGNsb3NlDQpDb250ZW50LUxlbmd0aDogMzU1DQpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL29jdGV0LXN0cmVhbQ0KSG9zdDogaGttaW5vcnNob3J0LndlaXhpbi5xcS5jb20NClVzZXItQWdlbnQ6IE1pY3JvTWVzc2VuZ2VyIENsaWVudA0KDQqNXyYBAEFVK9B93wIQAhdIZGw+bAzfhIMAzAXaBLgCxN0BAsPj4k0n0ICdjYK52ViOWnOC4Vzgxi7+iegOsMW+oW6QdEAHg+UlyxaSBb9\/s0oeR4gum6gk+uWhqjv3Tkoz3jpOxZ3uqg5IoeAevVK78mE+75Mm5QEXaL\/24wa8I4nsiJTVEr54yg9WsIjA1I\/cd65YM57jS4+t1kJ\/xpqwwPsMfqK2G34N85Xo0uWP1F2PyLEjHiJZyK4xRu\/XYVzahdDn1vQRPtqQ3i2o6ggKNGN3kBkFa6C2GO0zTqwt7XUYqb0ppGq3KKIyPCtrTg5YICuEsfTDMTLer3J067M5VD93Ij+RkxqqGFN9+gvu+C\/smM0OksnEYsvtVnkr65ZF5Pk4qVPYHRDIlRcRHe0XzckIkJitYHFr8VSN2R6GxFfZK0YtMPQdmLxH6qLecheL3Cuuz7XcYpBc6JGpDIih+q4v"} 01248{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":83,"source":"quickplay.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1429000110390234,"flow_src_last_pkt_time":1429000110390234,"flow_dst_last_pkt_time":1429000110390234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":625,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":625,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":625,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1429000110390234,"l3_proto":"ip4","src_ip":"10.54.169.250","dst_ip":"203.205.147.215","src_port":35670,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"HTTP_Proxy.QQ","proto_id":"131.48","encrypted":0,"breed":"Fun","category_id":9,"category":"Chat","hostname":"hkminorshort.weixin.qq.com","http": {"url":"http:\/\/hkminorshort.weixin.qq.com\/cgi-bin\/micromsg-bin\/rtkvreport","code":0,"content_type":"","user_agent":"MicroMessenger Client","request_content_type":"application\/octet-stream"}}} @@ -127,9 +127,9 @@ ~~ total active/idle flows...: 21/21 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6078932 bytes -~~ total memory freed........: 6078932 bytes -~~ total allocations/frees...: 121946/121946 +~~ total memory allocated....: 6081788 bytes +~~ total memory freed........: 6081788 bytes +~~ total allocations/frees...: 121967/121967 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 2426 chars diff --git a/test/results/radius_false_positive.pcapng.out b/test/results/radius_false_positive.pcapng.out index 7b231f63b..c289aed2f 100644 --- a/test/results/radius_false_positive.pcapng.out +++ b/test/results/radius_false_positive.pcapng.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035931 bytes -~~ total memory freed........: 6035931 bytes -~~ total allocations/frees...: 121497/121497 +~~ total memory allocated....: 6036067 bytes +~~ total memory freed........: 6036067 bytes +~~ total allocations/frees...: 121498/121498 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 508 chars ~~ json string max len.......: 2214 chars diff --git a/test/results/raknet.pcap.out b/test/results/raknet.pcap.out index a2ed3a9e6..df69e41ff 100644 --- a/test/results/raknet.pcap.out +++ b/test/results/raknet.pcap.out @@ -95,9 +95,9 @@ ~~ total active/idle flows...: 12/12 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6055419 bytes -~~ total memory freed........: 6055419 bytes -~~ total allocations/frees...: 121663/121663 +~~ total memory allocated....: 6057051 bytes +~~ total memory freed........: 6057051 bytes +~~ total allocations/frees...: 121675/121675 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 2456 chars diff --git a/test/results/rdp.pcap.out b/test/results/rdp.pcap.out index 893d252b0..664ed22f2 100644 --- a/test/results/rdp.pcap.out +++ b/test/results/rdp.pcap.out @@ -5,7 +5,7 @@ 00506{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1559207465138576,"flow_dst_last_pkt_time":1559207465180991,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":56,"pkt_type":2048,"pkt_l3_offset":4,"pkt_l4_offset":24,"pkt_len":56,"pkt_l4_len":32,"thread_ts_usec":1559207465180991,"pkt":"AgAAAEUAADRflEAAfwYqMMCoAo6sEAK5DT3NDkeav7z5vOJZgBL6AEVOAAACBAW0AQMDAAEBBAI="} 00490{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1559207465181061,"flow_dst_last_pkt_time":1559207465180991,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":44,"pkt_type":2048,"pkt_l3_offset":4,"pkt_l4_offset":24,"pkt_len":44,"pkt_l4_len":20,"thread_ts_usec":1559207465181061,"pkt":"AgAAAEUAACgAAEAAQAbI0KwQArnAqAKOzQ4NPfm84llHmr+9UBAgAGAaAAA="} 00987{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207465181421,"flow_dst_last_pkt_time":1559207465180991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":19,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1559207465181421,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -01839{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207465679719,"flow_dst_last_pkt_time":1559207465679652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":572,"flow_dst_max_l4_payload_len":1179,"flow_src_tot_l4_payload_len":1691,"flow_dst_tot_l4_payload_len":1900,"midstream":0,"thread_ts_usec":1559207465679719,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","flow_datalink":0,"flow_max_packets":3,"data_analysis": {"iat": {"min":149,"avg":34910.3,"max":86174,"stddev":23095.5,"var":533403456.0,"ent":4.5,"data": [42415,42485,360,46147,45785,5885,50430,44534,5170,48270,43112,41453,86174,44710,10166,53885,43706,302,43769,43467,297,43729,43444,307,149,43556,40251,83348,297,42450,42166]},"pktlen": {"min":44,"avg":157.3,"max":1223,"stddev":233.3,"var":54415.1,"ent":4.1,"data": [68,56,44,63,63,44,217,1223,44,170,95,44,130,335,44,616,132,44,149,77,44,535,199,44,85,81,44,84,44,85,88,44]},"bins": {"c_to_s": [12,3,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,4,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,0,1,0]},"ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +02238{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207465679719,"flow_dst_last_pkt_time":1559207465679652,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":572,"flow_dst_max_l4_payload_len":1179,"flow_src_tot_l4_payload_len":1691,"flow_dst_tot_l4_payload_len":1900,"midstream":0,"thread_ts_usec":1559207465679719,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","flow_datalink":0,"flow_max_packets":3,"data_analysis": {"iat": {"min":149,"avg":34910.3,"max":86174,"stddev":23095.5,"var":533403456.0,"ent":4.5,"data": [42415,42485,360,46147,45785,5885,50430,44534,5170,48270,43112,41453,86174,44710,10166,53885,43706,302,43769,43467,297,43729,43444,307,149,43556,40251,83348,297,42450,42166]},"pktlen": {"min":40,"avg":153.3,"max":1219,"stddev":233.3,"var":54415.1,"ent":4.1,"data": [64,52,40,59,59,40,213,1219,40,166,91,40,126,331,40,612,128,40,145,73,40,531,195,40,81,77,40,80,40,81,84,40]},"bins": {"c_to_s": [12,3,1,2,0,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,4,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,0,1,1,0,0,1,0],"entropies": [4.441382408,4.923395157,4.571928501,4.281987667,4.796913624,4.630641460,5.275919437,7.619496822,4.680641174,6.597459316,5.503854275,4.680641174,6.437798500,7.132068157,4.680641174,7.669749737,6.215856552,4.680641174,6.650300980,5.246529579,4.680641174,7.538676739,6.737553120,4.680641174,5.756097317,5.626734734,4.881687641,5.445608139,4.680641174,5.722887993,5.468319893,4.680641174]},"ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 01045{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2010,"source":"rdp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":936,"flow_dst_packets_processed":1074,"flow_first_seen":1559207465138576,"flow_src_last_pkt_time":1559207472612156,"flow_dst_last_pkt_time":1559207472692980,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":578,"flow_dst_max_l4_payload_len":1273,"flow_src_tot_l4_payload_len":17682,"flow_dst_tot_l4_payload_len":516561,"midstream":0,"thread_ts_usec":1559207472692980,"l3_proto":"ip4","src_ip":"172.16.2.185","dst_ip":"192.168.2.142","src_port":52494,"dst_port":3389,"l4_proto":"tcp","flow_datalink":0,"flow_max_packets":3,"ndpi": {"flow_risk": {"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"RDP","proto_id":"88","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00563{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":2010,"source":"rdp.pcap","alias":"nDPId-test","packets-captured":2010,"packets-processed":2010,"total-skipped-flows":0,"total-l4-payload-len":534243,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1559207472692980} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6093941 bytes -~~ total memory freed........: 6093941 bytes -~~ total allocations/frees...: 123498/123498 +~~ total memory allocated....: 6094077 bytes +~~ total memory freed........: 6094077 bytes +~~ total allocations/frees...: 123499/123499 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1844 chars -~~ json string avg len.......: 1104 chars +~~ json string max len.......: 2243 chars +~~ json string avg len.......: 1278 chars diff --git a/test/results/reasm_crash_anon.pcapng.out b/test/results/reasm_crash_anon.pcapng.out index e32d31f9b..0add8530a 100644 --- a/test/results/reasm_crash_anon.pcapng.out +++ b/test/results/reasm_crash_anon.pcapng.out @@ -4,7 +4,7 @@ 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":1,"flow_src_last_pkt_time":1410865705717955,"flow_dst_last_pkt_time":1410865705717955,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1410865705717955,"pkt":"AAQAAQAGplhD8kgGAAAIAEUAAEEBjUAAQAbTicCokZMK0QiUyBJV7zv7Y\/\/dkdtagBghO+7bAAABAQgKPplWKzpg4vE8ZGV0YWlscyAvPg0K"} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1410865705717964,"flow_dst_last_pkt_time":1410865705717955,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":81,"pkt_l4_len":45,"thread_ts_usec":1410865705717964,"pkt":"AAQAAQAGplhD8kgGAAAIAEUAAEEBjUAAQAbTicCokZMK0QiUyBJV7zv7Y\/\/dkdtagBghO+7bAAABAQgKPplWKzpg4vE8ZGV0YWlscyAvPg0K"} 00642{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1410865705717964,"flow_dst_last_pkt_time":1410865705719465,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":142,"pkt_l4_len":106,"thread_ts_usec":1410865705719465,"pkt":"AAAAAQAGUrCAkIlsAAAIAEUAAH6lHkAAQAYvuwrRCJTAqJGTVe\/IEt2R21o7+2QM0BgBxZZgqqoBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAaqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqg=="} -01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1410865705717955,"flow_src_last_pkt_time":1410865856222147,"flow_dst_last_pkt_time":1410865856222116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":725,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":3158,"midstream":1,"thread_ts_usec":1410865856222147,"l3_proto":"ip4","src_ip":"192.168.145.147","dst_ip":"10.209.8.148","src_port":51218,"dst_port":21999,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":9709947.0,"max":30165638,"stddev":14064983.0,"var":197823744180224.0,"ent":3.3,"data": [9,1510,1527,4,1248,1237,4,30097711,30099473,1765,3,1246,1236,30097518,8,30099327,1814,1237,30097422,1775,4,30101686,1241,30097498,30165638,1254,69395,30031106,8,30032779,1670]},"pktlen": {"min":68,"avg":171.0,"max":793,"stddev":234.8,"var":55144.5,"ent":4.2,"data": [81,81,142,68,68,793,68,68,81,122,68,68,781,68,81,81,122,68,68,81,68,68,793,68,81,122,793,68,81,81,122,68]},"bins": {"c_to_s": [23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,1,0,0,0,1,0]}} +01992{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1410865705717955,"flow_src_last_pkt_time":1410865856222147,"flow_dst_last_pkt_time":1410865856222116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":725,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":3158,"midstream":1,"thread_ts_usec":1410865856222147,"l3_proto":"ip4","src_ip":"192.168.145.147","dst_ip":"10.209.8.148","src_port":51218,"dst_port":21999,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":9709947.0,"max":30165638,"stddev":14064983.0,"var":197823744180224.0,"ent":3.3,"data": [9,1510,1527,4,1248,1237,4,30097711,30099473,1765,3,1246,1236,30097518,8,30099327,1814,1237,30097422,1775,4,30101686,1241,30097498,30165638,1254,69395,30031106,8,30032779,1670]},"pktlen": {"min":52,"avg":155.0,"max":777,"stddev":234.8,"var":55144.5,"ent":4.0,"data": [65,65,126,52,52,777,52,52,65,106,52,52,765,52,65,65,106,52,52,65,52,52,777,52,65,106,777,52,65,65,106,52]},"bins": {"c_to_s": [23,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,0,1,0,0,0,1,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,1,0,0,0,1,0],"entropies": [5.512839317,5.512839317,3.005599976,5.193430901,5.193430901,5.327538013,5.193430901,5.156889915,5.391298771,5.590394974,5.079966545,5.101990700,0.545940340,5.140451908,5.395370483,5.389761925,5.628829002,5.193430901,5.193430901,5.482069969,5.118428230,5.193430901,5.310135365,5.116507530,5.433681488,5.596330643,5.286610126,5.010550022,5.397304058,5.397304058,5.612702370,5.193430901]}} 00822{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":32,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1410865705717955,"flow_src_last_pkt_time":1410865856222147,"flow_dst_last_pkt_time":1410865856222116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":13,"flow_dst_max_l4_payload_len":725,"flow_src_tot_l4_payload_len":129,"flow_dst_tot_l4_payload_len":3158,"midstream":1,"thread_ts_usec":1410865856222147,"l3_proto":"ip4","src_ip":"192.168.145.147","dst_ip":"10.209.8.148","src_port":51218,"dst_port":21999,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00567{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":94,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","packets-captured":94,"packets-processed":93,"total-skipped-flows":0,"total-l4-payload-len":5079,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1410866307727956} 00571{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":170,"source":"reasm_crash_anon.pcapng","alias":"nDPId-test","packets-captured":170,"packets-processed":169,"total-skipped-flows":0,"total-l4-payload-len":6225,"total-not-detected-flows":1,"total-guessed-flows":0,"total-detected-flows":0,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1410866909737971} @@ -18,10 +18,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6043750 bytes -~~ total memory freed........: 6043750 bytes -~~ total allocations/frees...: 121697/121697 +~~ total memory allocated....: 6043886 bytes +~~ total memory freed........: 6043886 bytes +~~ total allocations/frees...: 121698/121698 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 503 chars -~~ json string max len.......: 1598 chars -~~ json string avg len.......: 1043 chars +~~ json string max len.......: 1997 chars +~~ json string avg len.......: 1240 chars diff --git a/test/results/reasm_segv_anon.pcapng.out b/test/results/reasm_segv_anon.pcapng.out index 0e192c36a..27f4d1b56 100644 --- a/test/results/reasm_segv_anon.pcapng.out +++ b/test/results/reasm_segv_anon.pcapng.out @@ -23,7 +23,7 @@ 00438{"packet_event_id":1,"packet_event_name":"packet","packet_id":26,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":114,"pkt_l4_len":0,"thread_ts_usec":1550422831516116,"pkt":"AAAAcxs8EFFy5LtdCABFeABkmSIAAEARXQGRTALsu2A0VQhoCGgAUAAAMv8AQAn8kEPqcwAARQAAPFk9QAB\/BgFvrBEkFT++kSvhEwBQ8LOPBjqqWZmgEAEB\/lMAAAEBBRI6qnTxOqqQSTqqZIk6qm95"} 00244{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","datalink":1,"packet_id":30,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","size":114,"expected":118,"global_ts_usec":1550422833287234} 00437{"packet_event_id":1,"packet_event_name":"packet","packet_id":30,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":114,"pkt_l4_len":0,"thread_ts_usec":1550422833134009,"pkt":"AAAAcxs8EFFy5LtdCABFeABkzGMAAEARKcCRTALsu2A0VQhoCGgAUAAAMv8AQAn8kEPrcwAARQAAPFk+QAB\/BgFurBEkFT++kSvhEwBQ8LOPBjqqXxGgEAEB+NsAAAEBBRI6qnTxOqqQSTqqZIk6qm95"} -01744{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1550422828553466,"flow_src_last_pkt_time":1550422833287234,"flow_dst_last_pkt_time":1550422833289770,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":640,"flow_dst_tot_l4_payload_len":27912,"midstream":0,"thread_ts_usec":1550422833289770,"l3_proto":"ip4","src_ip":"145.76.2.236","dst_ip":"187.96.52.85","src_port":2152,"dst_port":2152,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":305486.2,"max":1859119,"stddev":563984.9,"var":318078976000.0,"ent":3.1,"data": [396021,83822,1376171,124,2,2,1,3,2,2,113,124,1859119,964928,439709,439658,123,2,1,1,1,121,163901,20078,1615354,1799040,121,3,155764,155637,124]},"pktlen": {"min":90,"avg":934.2,"max":1490,"stddev":651.3,"var":424215.9,"ent":4.5,"data": [106,106,106,1490,1490,1490,1490,1490,1490,1490,1490,1490,1490,114,1490,114,1490,1490,1490,1490,1386,1490,1490,122,122,114,90,402,1178,114,90,402]},"bins": {"c_to_s": [0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,17,0,0]},"directions": [0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,0,0,0,1,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"GTP.GTP_U","proto_id":"152.271","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02140{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1550422828553466,"flow_src_last_pkt_time":1550422833287234,"flow_dst_last_pkt_time":1550422833289770,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":64,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":640,"flow_dst_tot_l4_payload_len":27912,"midstream":0,"thread_ts_usec":1550422833289770,"l3_proto":"ip4","src_ip":"145.76.2.236","dst_ip":"187.96.52.85","src_port":2152,"dst_port":2152,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":305486.2,"max":1859119,"stddev":563984.9,"var":318078976000.0,"ent":3.1,"data": [396021,83822,1376171,124,2,2,1,3,2,2,113,124,1859119,964928,439709,439658,123,2,1,1,1,121,163901,20078,1615354,1799040,121,3,155764,155637,124]},"pktlen": {"min":76,"avg":920.2,"max":1476,"stddev":651.3,"var":424215.9,"ent":4.5,"data": [92,92,92,1476,1476,1476,1476,1476,1476,1476,1476,1476,1476,100,1476,100,1476,1476,1476,1476,1372,1476,1476,108,108,100,76,388,1164,100,76,388]},"bins": {"c_to_s": [0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,17,0,0]},"directions": [0,0,0,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1,1,1,1,1,0,0,0,1,1,1,0,1,1],"entropies": [5.396138191,5.404344082,5.439617157,7.876337528,7.839885235,7.778254986,7.872960091,7.839048862,7.805950642,7.829119205,7.848347187,7.849987984,7.779471874,5.402985096,7.775711060,5.441986561,7.838281155,7.873279095,7.848281860,7.860656261,7.849815845,7.850412846,7.844122410,5.518630505,5.537148952,5.382984638,5.187358379,7.340617657,7.811021328,5.454438686,5.151109695,7.382753849]},"ndpi": {"confidence": {"6":"DPI"},"proto":"GTP.GTP_U","proto_id":"152.271","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00244{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","datalink":1,"packet_id":34,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","size":122,"expected":126,"global_ts_usec":1550422833447409} 00450{"packet_event_id":1,"packet_event_name":"packet","packet_id":34,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":122,"pkt_l4_len":0,"thread_ts_usec":1550422833289895,"pkt":"AAAAcxs8EFFy5LtdCABFeABsAdEAAEAR9EqRTALsu2A0VQhoCGgAWAAAMv8ASAn8kEPscwAARQAARFk\/QAB\/BgFlrBEkFT++kSvhEwBQ8LOPBjqqXxHAEAEBHQQAAAEBBRo6qqCxOqqlwTqqdPE6qpBJOqpkiTqqb3k="} 00244{"error_event_id":15,"error_event_name":"Captured packet size is smaller than expected packet size","datalink":1,"packet_id":35,"source":"reasm_segv_anon.pcapng","alias":"nDPId-test","size":122,"expected":126,"global_ts_usec":1550422834706876} @@ -72,10 +72,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038019 bytes -~~ total memory freed........: 6038019 bytes -~~ total allocations/frees...: 121569/121569 +~~ total memory allocated....: 6038155 bytes +~~ total memory freed........: 6038155 bytes +~~ total allocations/frees...: 121570/121570 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 247 chars -~~ json string max len.......: 1749 chars -~~ json string avg len.......: 997 chars +~~ json string max len.......: 2145 chars +~~ json string avg len.......: 1195 chars diff --git a/test/results/reddit.pcap.out b/test/results/reddit.pcap.out index ffdb3643f..c6e9a95a4 100644 --- a/test/results/reddit.pcap.out +++ b/test/results/reddit.pcap.out @@ -26,8 +26,8 @@ 01149{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":39,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291684481568,"flow_src_last_pkt_time":1605291684552325,"flow_dst_last_pkt_time":1605291684551717,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291684552325,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01209{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":56,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291684481568,"flow_src_last_pkt_time":1605291684552325,"flow_dst_last_pkt_time":1605291684592780,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291684592780,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01478{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"reddit.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1605291684481568,"flow_src_last_pkt_time":1605291684592921,"flow_dst_last_pkt_time":1605291684593083,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291684593083,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}} -01714{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"reddit.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291684451133,"flow_src_last_pkt_time":1605291684654464,"flow_dst_last_pkt_time":1605291684654375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":824,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":2166,"flow_dst_tot_l4_payload_len":4508,"midstream":0,"thread_ts_usec":1605291684654464,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14520.5,"max":75646,"stddev":23887.5,"var":570611008.0,"ent":3.2,"data": [24940,24984,493,75646,1,1,75219,11,11,8777,4975,582,741,37567,3490,25948,1187,485,1611,1121,59921,1,1,1,1,58810,38,10]},"pktlen": {"min":86,"avg":295.1,"max":1294,"stddev":342.1,"var":117045.1,"ent":4.3,"data": [94,94,86,603,86,1294,1294,586,86,86,86,150,178,910,724,86,666,86,86,117,86,117,86,86,398,436,299,125,153,86,86,86]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605291684452132,"flow_src_last_pkt_time":1605291685883411,"flow_dst_last_pkt_time":1605291685884221,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1120,"flow_dst_tot_l4_payload_len":9354,"midstream":0,"thread_ts_usec":1605291685884221,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":98736.8,"max":1287577,"stddev":316362.8,"var":100085415936.0,"ent":1.8,"data": [33174,33242,863,66592,1,1,1,1,65678,11,9,6,13203,712,517,42062,2,27621,483,471,1369,59921,136,1228856,1287577,855,2,1,1]},"pktlen": {"min":86,"avg":413.8,"max":1134,"stddev":437.6,"var":191482.0,"ent":4.3,"data": [94,94,86,603,86,1134,1134,1134,601,86,86,86,86,179,185,459,86,344,86,86,152,86,124,86,86,1134,86,1134,1134,1134,217,1134]},"bins": {"c_to_s": [9,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,0,1,1,1,1,1]}} +02113{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"reddit.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291684451133,"flow_src_last_pkt_time":1605291684654464,"flow_dst_last_pkt_time":1605291684654375,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":824,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":2166,"flow_dst_tot_l4_payload_len":4508,"midstream":0,"thread_ts_usec":1605291684654464,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14520.5,"max":75646,"stddev":23887.5,"var":570611008.0,"ent":3.2,"data": [24940,24984,493,75646,1,1,75219,11,11,8777,4975,582,741,37567,3490,25948,1187,485,1611,1121,59921,1,1,1,1,58810,38,10]},"pktlen": {"min":72,"avg":281.1,"max":1280,"stddev":342.1,"var":117045.1,"ent":4.2,"data": [80,80,72,589,72,1280,1280,572,72,72,72,136,164,896,710,72,652,72,72,103,72,103,72,72,384,422,285,111,139,72,72,72]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0],"entropies": [4.711516857,5.217300892,5.071401596,4.609335899,4.946592331,7.806063652,7.848966122,7.544353485,5.166606426,5.045011044,5.138829231,6.070029259,6.486535549,7.761092186,7.700193405,5.014019012,7.592603683,5.138829231,5.097352028,5.692110538,5.138829231,5.768221378,5.097352028,5.041796684,7.336868286,7.405985832,7.111319542,5.950567245,6.190017700,5.111051083,5.111051559,5.081305504]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01965{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605291684452132,"flow_src_last_pkt_time":1605291685883411,"flow_dst_last_pkt_time":1605291685884221,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1120,"flow_dst_tot_l4_payload_len":9354,"midstream":0,"thread_ts_usec":1605291685884221,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":98736.8,"max":1287577,"stddev":316362.8,"var":100085415936.0,"ent":1.8,"data": [33174,33242,863,66592,1,1,1,1,65678,11,9,6,13203,712,517,42062,2,27621,483,471,1369,59921,136,1228856,1287577,855,2,1,1]},"pktlen": {"min":72,"avg":399.8,"max":1120,"stddev":437.6,"var":191482.0,"ent":4.2,"data": [80,80,72,589,72,1120,1120,1120,587,72,72,72,72,165,171,445,72,330,72,72,138,72,110,72,72,1120,72,1120,1120,1120,203,1120]},"bins": {"c_to_s": [9,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,0,0,1,1,1,0,1,1,1,1,1],"entropies": [4.907011032,5.304951668,5.190349579,4.499736786,5.055853844,6.898099899,7.358309269,7.317547321,7.583971977,5.273682594,5.245904922,5.273682594,5.273682594,6.093073368,6.340588570,7.416254044,5.083631516,7.073973179,5.083631516,5.218127251,6.225534439,5.218127251,5.702238560,5.055853844,5.111409664,7.793631554,5.218127251,7.806817532,7.807598114,7.795763016,6.697732925,7.803894997]}} 01482{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":109,"source":"reddit.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605291684452132,"flow_src_last_pkt_time":1605291685883411,"flow_dst_last_pkt_time":1605291685884221,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1120,"flow_dst_tot_l4_payload_len":9354,"midstream":0,"thread_ts_usec":1605291685884221,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}} 00785{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686035717,"flow_src_last_pkt_time":1605291686035717,"flow_dst_last_pkt_time":1605291686035717,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686035717,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686035717,"flow_dst_last_pkt_time":1605291686035717,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686035717,"pkt":"qtsDr8lk5EKm5WPyht1gDzZzACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3PIBu+DxzH8AAAAAoAL9INmFAAACBAWgBAIICql05ecAAAAAAQMDBw=="} @@ -137,16 +137,16 @@ 01472{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":738,"source":"reddit.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686064586,"flow_src_last_pkt_time":1605291686146132,"flow_dst_last_pkt_time":1605291686146919,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686146919,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56586,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}} 01212{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":751,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1605291686064604,"flow_src_last_pkt_time":1605291686146162,"flow_dst_last_pkt_time":1605291686148836,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686148836,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56588,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01472{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":754,"source":"reddit.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686064604,"flow_src_last_pkt_time":1605291686146162,"flow_dst_last_pkt_time":1605291686148836,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686148836,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56588,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}} -01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":779,"source":"reddit.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1605291686035769,"flow_src_last_pkt_time":1605291686160496,"flow_dst_last_pkt_time":1605291686157690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1388,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":3806,"flow_dst_tot_l4_payload_len":3988,"midstream":0,"thread_ts_usec":1605291686160496,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56564,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8221.6,"max":41517,"stddev":14383.5,"var":206883872.0,"ent":3.1,"data": [29904,29917,129,38003,2302,1,40177,45,72,17,3,2699,111,630,30,181,4,41517,1269,39145,1579,42,7307,1546,7292,2107,217,138,38,226]},"pktlen": {"min":86,"avg":330.1,"max":1474,"stddev":366.7,"var":134435.4,"ent":4.3,"data": [94,94,86,603,86,1134,1134,86,86,1134,606,86,86,179,185,375,405,1474,283,86,344,86,209,241,86,152,86,231,124,196,197,308]},"bins": {"c_to_s": [8,1,1,4,2,0,2,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02118{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":779,"source":"reddit.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1605291686035769,"flow_src_last_pkt_time":1605291686160496,"flow_dst_last_pkt_time":1605291686157690,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1388,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":3806,"flow_dst_tot_l4_payload_len":3988,"midstream":0,"thread_ts_usec":1605291686160496,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56564,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8221.6,"max":41517,"stddev":14383.5,"var":206883872.0,"ent":3.1,"data": [29904,29917,129,38003,2302,1,40177,45,72,17,3,2699,111,630,30,181,4,41517,1269,39145,1579,42,7307,1546,7292,2107,217,138,38,226]},"pktlen": {"min":72,"avg":316.1,"max":1460,"stddev":366.7,"var":134435.4,"ent":4.3,"data": [80,80,72,589,72,1120,1120,72,72,1120,592,72,72,165,171,361,391,1460,269,72,330,72,195,227,72,138,72,217,110,182,183,294]},"bins": {"c_to_s": [8,1,1,4,2,0,2,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,0,0,0,0,0],"entropies": [4.882011414,5.304953098,5.179864883,4.549963951,5.111409664,6.918439388,7.329545975,5.245904922,5.188381195,7.346970558,7.538538456,5.218127251,5.245904922,5.939581871,6.414350033,7.179112434,7.152504921,7.613826752,6.820423126,5.139187336,7.056142330,5.190349579,6.550985336,6.538044453,5.083631992,6.217070103,5.162571907,6.655886650,5.512269497,6.450225830,6.518562317,6.906108856]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 01218{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":807,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686129954,"flow_dst_last_pkt_time":1605291686182404,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686182404,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01502{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":809,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686129954,"flow_dst_last_pkt_time":1605291686182405,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686182405,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}} 01218{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":811,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686084924,"flow_src_last_pkt_time":1605291686130302,"flow_dst_last_pkt_time":1605291686182406,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686182406,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01502{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":818,"source":"reddit.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686084924,"flow_src_last_pkt_time":1605291686182436,"flow_dst_last_pkt_time":1605291686183890,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686183890,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56590,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}} -01560{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686060652,"flow_src_last_pkt_time":1605291686199280,"flow_dst_last_pkt_time":1605291686201936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1550,"flow_dst_tot_l4_payload_len":9238,"midstream":0,"thread_ts_usec":1605291686201936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10367.1,"max":48292,"stddev":16265.1,"var":264551920.0,"ent":3.2,"data": [38700,38720,198,38531,1,38345,41,14,329,334,4,2216,2804,187,210,6465,48292,2910,39329,6844,2704,1,9551,251,801,2129,1]},"pktlen": {"min":86,"avg":423.6,"max":1134,"stddev":435.5,"var":189657.0,"ent":4.3,"data": [94,94,86,603,86,1134,86,1134,86,1134,616,86,86,179,185,450,482,129,86,344,86,86,86,152,86,124,86,1134,1134,1134,1134,1134]},"bins": {"c_to_s": [8,2,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1]}} +01959{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686060652,"flow_src_last_pkt_time":1605291686199280,"flow_dst_last_pkt_time":1605291686201936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1550,"flow_dst_tot_l4_payload_len":9238,"midstream":0,"thread_ts_usec":1605291686201936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10367.1,"max":48292,"stddev":16265.1,"var":264551920.0,"ent":3.2,"data": [38700,38720,198,38531,1,38345,41,14,329,334,4,2216,2804,187,210,6465,48292,2910,39329,6844,2704,1,9551,251,801,2129,1]},"pktlen": {"min":72,"avg":409.6,"max":1120,"stddev":435.5,"var":189657.0,"ent":4.2,"data": [80,80,72,589,72,1120,72,1120,72,1120,602,72,72,165,171,436,468,115,72,330,72,72,72,138,72,110,72,1120,1120,1120,1120,1120]},"bins": {"c_to_s": [8,2,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1,1,1,1,1],"entropies": [4.734510422,5.203058243,5.273682594,4.560284615,5.139187336,6.919415474,5.273682594,7.320698738,5.273682594,7.355862617,7.598192215,5.301460266,5.301460266,6.043826580,6.386544228,7.400215149,7.219000340,5.771939278,5.139187336,7.067717552,5.190349579,5.055854321,5.055854321,6.171116352,5.245904922,5.665874481,5.111409664,7.825948715,7.822474480,7.825513840,7.821124554,7.834854126]}} 01506{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686060652,"flow_src_last_pkt_time":1605291686199280,"flow_dst_last_pkt_time":1605291686201936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1550,"flow_dst_tot_l4_payload_len":9238,"midstream":0,"thread_ts_usec":1605291686201936,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56578,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"styles.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}} -01537{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686064532,"flow_src_last_pkt_time":1605291686204966,"flow_dst_last_pkt_time":1605291686203988,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1563,"flow_dst_tot_l4_payload_len":5635,"midstream":0,"thread_ts_usec":1605291686204966,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11195.6,"max":60278,"stddev":19812.6,"var":392540128.0,"ent":2.7,"data": [36077,36109,144,41300,1,41154,44,17,686,689,5,2344,1105,220,36,172,60278,1038,57438,31,1,25,34,2,940]},"pktlen": {"min":86,"avg":311.4,"max":1134,"stddev":353.7,"var":125114.1,"ent":4.3,"data": [94,94,86,603,86,1134,86,1134,86,1134,590,86,86,179,185,460,373,241,86,344,86,86,152,86,86,86,1134,701,86,86,86,124]},"bins": {"c_to_s": [10,1,1,1,1,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,1,1,0,0,0,0]}} +01936{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":910,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686064532,"flow_src_last_pkt_time":1605291686204966,"flow_dst_last_pkt_time":1605291686203988,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1563,"flow_dst_tot_l4_payload_len":5635,"midstream":0,"thread_ts_usec":1605291686204966,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11195.6,"max":60278,"stddev":19812.6,"var":392540128.0,"ent":2.7,"data": [36077,36109,144,41300,1,41154,44,17,686,689,5,2344,1105,220,36,172,60278,1038,57438,31,1,25,34,2,940]},"pktlen": {"min":72,"avg":297.4,"max":1120,"stddev":353.7,"var":125114.1,"ent":4.2,"data": [80,80,72,589,72,1120,72,1120,72,1120,576,72,72,165,171,446,359,227,72,330,72,72,138,72,72,72,1120,687,72,72,72,110]},"bins": {"c_to_s": [10,1,1,1,1,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,1,1,0,0,0,0],"entropies": [4.791447639,5.270516872,5.273682594,4.464357376,5.111409664,6.904564381,5.273682594,7.359911442,5.273682594,7.337382793,7.522022247,5.273682594,5.273682594,6.074471474,6.455021381,7.426345348,7.089967251,6.816715717,5.083631992,7.110243320,5.083631992,5.218127251,6.187361240,5.008678436,5.036456108,5.064233780,7.784244537,7.688348293,5.230819225,5.245904922,5.235420227,5.565464973]}} 01475{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":910,"source":"reddit.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686064532,"flow_src_last_pkt_time":1605291686204966,"flow_dst_last_pkt_time":1605291686203988,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1563,"flow_dst_tot_l4_payload_len":5635,"midstream":0,"thread_ts_usec":1605291686204966,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56582,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"preview.redd.it","tls": {"version":"TLSv1.2","server_names":"redd.it,*.redd.it","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redd.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3D:15:31:F3:94:55:33:92:88:5C:61:40:B0:FD:ED:27:6D:29:3A:12"}}} -01549{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1052,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10575.8,"max":52464,"stddev":19563.6,"var":382734336.0,"ent":2.8,"data": [44627,44653,347,50980,1843,1,52464,10,3,2,2413,668,102,121,49031,1,45760,75,169,1186,1,1,1443,16,7,133,49,15]},"pktlen": {"min":86,"avg":377.0,"max":1134,"stddev":422.8,"var":178733.3,"ent":4.2,"data": [94,94,86,603,86,1134,1134,1134,616,86,86,86,86,179,185,403,167,86,344,86,86,86,152,86,1134,1132,86,86,86,1134,86,1134]},"bins": {"c_to_s": [11,0,2,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,1,0,1]}} +01948{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1052,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10575.8,"max":52464,"stddev":19563.6,"var":382734336.0,"ent":2.8,"data": [44627,44653,347,50980,1843,1,52464,10,3,2,2413,668,102,121,49031,1,45760,75,169,1186,1,1,1443,16,7,133,49,15]},"pktlen": {"min":72,"avg":363.0,"max":1120,"stddev":422.8,"var":178733.3,"ent":4.1,"data": [80,80,72,589,72,1120,1120,1120,602,72,72,72,72,165,171,389,153,72,330,72,72,72,138,72,1120,1118,72,72,72,1120,72,1120]},"bins": {"c_to_s": [11,0,2,1,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,1,0,1],"entropies": [4.907011986,5.354953289,5.301460266,4.552157402,5.139187336,6.938700199,7.322981834,7.354511738,7.534717083,5.245904922,5.218127251,5.245904922,5.273682594,6.089848042,6.412801743,7.335155964,6.124976635,5.139187336,7.085140228,5.273682594,5.111409664,5.028076649,6.191080093,5.111409664,7.845114708,7.817538738,5.273682594,5.245904922,5.263197899,7.819205284,5.245904922,7.795106411]}} 01506{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1052,"source":"reddit.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686084954,"flow_src_last_pkt_time":1605291686233012,"flow_dst_last_pkt_time":1605291686233017,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1107,"flow_dst_tot_l4_payload_len":8188,"midstream":0,"thread_ts_usec":1605291686233017,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56592,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"emoji.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.redditmedia.com,redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"96:A3:77:56:81:79:10:5C:E8:7F:F0:33:D2:7E:1C:45:08:2C:25:85"}}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686301196,"flow_dst_last_pkt_time":1605291686301196,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686301196,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686301196,"flow_dst_last_pkt_time":1605291686301196,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686301196,"pkt":"qtsDr8lk5EKm5WPyht1gDu9XACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3RIBuyQ3ML0AAAAAoAL9IDDZAAACBAWgBAIICql05vEAAAAAAQMDBw=="} @@ -155,7 +155,7 @@ 01162{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1211,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686327471,"flow_dst_last_pkt_time":1605291686327034,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686327471,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1398,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686327471,"flow_dst_last_pkt_time":1605291686419456,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291686419456,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01527{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1406,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686419467,"flow_dst_last_pkt_time":1605291686420291,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291686420291,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.thumbs.redditmedia.com,thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.thumbs.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:F4:6C:CF:D6:FD:64:3E:50:17:A2:DE:B0:F2:B6:9B:76:59:C6:75"}}} -01539{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1653,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12918.2,"max":91996,"stddev":23629.4,"var":558350720.0,"ent":2.8,"data": [25838,25880,395,66367,26055,91996,835,829,7,4,1579,121,254,42141,1,1,6209,2,1,46395,10,6,2,1,4,940]},"pktlen": {"min":86,"avg":377.3,"max":1134,"stddev":424.0,"var":179781.3,"ent":4.2,"data": [94,94,86,603,86,1134,86,1134,1134,637,86,86,86,179,185,417,86,86,86,360,152,1134,1134,1134,1134,86,86,86,86,86,86,124]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0]}} +01938{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1653,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12918.2,"max":91996,"stddev":23629.4,"var":558350720.0,"ent":2.8,"data": [25838,25880,395,66367,26055,91996,835,829,7,4,1579,121,254,42141,1,1,6209,2,1,46395,10,6,2,1,4,940]},"pktlen": {"min":72,"avg":363.3,"max":1120,"stddev":424.0,"var":179781.3,"ent":4.1,"data": [80,80,72,589,72,1120,72,1120,1120,623,72,72,72,165,171,403,72,72,72,346,138,1120,1120,1120,1120,72,72,72,72,72,72,110]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0],"entropies": [4.907011986,5.304953098,5.301460266,4.568593025,5.139187336,6.968538761,5.258596897,7.334045410,7.344312668,7.577483654,5.301460266,5.329237938,5.301460266,6.086132526,6.472829342,7.337939262,5.128702641,5.166965008,5.166965008,7.241396427,6.241778851,7.834823132,7.795830250,7.800470352,7.816886902,5.273682594,5.301460266,5.273682594,5.329237938,5.301460266,5.329237938,5.684057236]}} 01530{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1653,"source":"reddit.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686301196,"flow_src_last_pkt_time":1605291686469619,"flow_dst_last_pkt_time":1605291686468646,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1078,"flow_dst_tot_l4_payload_len":8227,"midstream":0,"thread_ts_usec":1605291686469619,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56594,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"b.thumbs.redditmedia.com","tls": {"version":"TLSv1.2","server_names":"*.thumbs.redditmedia.com,thumbs.redditmedia.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.thumbs.redditmedia.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"FF:F4:6C:CF:D6:FD:64:3E:50:17:A2:DE:B0:F2:B6:9B:76:59:C6:75"}}} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1925,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291686985114,"flow_dst_last_pkt_time":1605291686985114,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291686985114,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1925,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1605291686985114,"flow_dst_last_pkt_time":1605291686985114,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291686985114,"pkt":"qtsDr8lk5EKm5WPyht1gAMi0ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxxABu7duD88AAAAAoAL9IJsfAAACBAWgBAIIClRf4AwAAAAAAQMDBw=="} @@ -175,10 +175,10 @@ 01219{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1938,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291687016854,"flow_dst_last_pkt_time":1605291687060476,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291687060476,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01200{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1949,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687024727,"flow_dst_last_pkt_time":1605291687075726,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291687075726,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"c.amazon-adsystem.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01175{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1962,"source":"reddit.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291686996891,"flow_src_last_pkt_time":1605291687024606,"flow_dst_last_pkt_time":1605291687096859,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291687096859,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3b6","src_port":38320,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"c.aaxads.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1994,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291687110047,"flow_dst_last_pkt_time":1605291687110135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10234,"midstream":0,"thread_ts_usec":1605291687110135,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":8926.9,"max":43636,"stddev":14641.6,"var":214376368.0,"ent":3.1,"data": [31477,31507,233,36835,7050,43636,16,599,576,2431,165,135,37718,689,1069,36764,111,89,22,531,8580,9121,90,75,174,158,5,98]},"pktlen": {"min":86,"avg":436.5,"max":1294,"stddev":490.0,"var":240053.7,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,547,86,150,178,347,86,86,666,86,117,86,117,86,792,86,1294,86,1294,1294,86,86,1294,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01542{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2016,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9355.9,"max":51019,"stddev":15790.2,"var":249329552.0,"ent":3.0,"data": [38538,38619,398,37312,14166,1,1,51019,20,3,2,2,2408,107,140,31274,2,1645,1,30239,111,3355,1,3233,8,2,2]},"pktlen": {"min":86,"avg":475.6,"max":1474,"stddev":586.5,"var":343946.1,"ent":4.0,"data": [94,94,86,603,86,1474,1474,1474,1474,401,86,86,86,86,86,150,178,344,86,86,86,157,86,117,1474,1474,1474,1474,86,86,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,1,1,0,0,0,0]}} +02123{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1994,"source":"reddit.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291686985114,"flow_src_last_pkt_time":1605291687110047,"flow_dst_last_pkt_time":1605291687110135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":965,"flow_dst_tot_l4_payload_len":10234,"midstream":0,"thread_ts_usec":1605291687110135,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":50960,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":8926.9,"max":43636,"stddev":14641.6,"var":214376368.0,"ent":3.1,"data": [31477,31507,233,36835,7050,43636,16,599,576,2431,165,135,37718,689,1069,36764,111,89,22,531,8580,9121,90,75,174,158,5,98]},"pktlen": {"min":72,"avg":422.5,"max":1280,"stddev":490.0,"var":240053.7,"ent":4.1,"data": [80,80,72,589,72,1280,1280,72,72,533,72,136,164,333,72,72,652,72,103,72,103,72,778,72,1280,72,1280,1280,72,72,1280,1280]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,1,1],"entropies": [4.794175148,5.301737785,5.137723446,4.609352589,5.163392067,7.822265148,7.828993320,5.193279266,5.193279266,7.574356556,5.165501595,6.187675953,6.451539040,7.193062782,5.135614395,5.135614395,7.646523952,5.182794571,5.842692375,5.165501595,5.903290272,5.163392067,7.712309837,5.193279266,7.843823910,5.165501595,7.846527100,7.838549614,5.193279266,5.165501118,7.822370052,7.826137066]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +01941{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2016,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9355.9,"max":51019,"stddev":15790.2,"var":249329552.0,"ent":3.0,"data": [38538,38619,398,37312,14166,1,1,51019,20,3,2,2,2408,107,140,31274,2,1645,1,30239,111,3355,1,3233,8,2,2]},"pktlen": {"min":72,"avg":461.6,"max":1460,"stddev":586.5,"var":343946.1,"ent":4.0,"data": [80,80,72,589,72,1460,1460,1460,1460,387,72,72,72,72,72,136,164,330,72,72,72,143,72,103,1460,1460,1460,1460,72,72,72,72]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,1,1,0,0,0,0],"entropies": [4.836891651,5.211080551,5.205674171,4.514605999,5.057240963,7.814661026,7.847680092,7.865528107,7.842185020,7.380033970,5.243936539,5.243936539,5.155763149,5.188381195,5.132825851,6.139283180,6.518441677,7.254546165,5.029463291,5.029463291,5.057240963,6.252353668,5.243936539,5.873327255,7.877524853,7.827719688,7.871821880,7.839930534,5.243936539,5.243936539,5.271714211,5.271714211]}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2016,"source":"reddit.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291686985710,"flow_src_last_pkt_time":1605291687112023,"flow_dst_last_pkt_time":1605291687112006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":11490,"midstream":0,"thread_ts_usec":1605291687112023,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::df9:21c6","src_port":43492,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"c.amazon-adsystem.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01690{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2070,"source":"reddit.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686996891,"flow_src_last_pkt_time":1605291687186026,"flow_dst_last_pkt_time":1605291687186023,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":998,"flow_dst_tot_l4_payload_len":10536,"midstream":0,"thread_ts_usec":1605291687186026,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3b6","src_port":38320,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14548.7,"max":72269,"stddev":19347.3,"var":374318368.0,"ent":3.4,"data": [27356,27416,299,37313,35299,1,72269,38,3,2523,128,130,31242,2117,15088,1,45626,28,24,154,29754,10263,39831,697,1,666]},"pktlen": {"min":86,"avg":446.9,"max":1474,"stddev":553.5,"var":306346.9,"ent":4.1,"data": [94,94,86,603,86,1474,1474,324,86,86,86,166,178,364,86,86,86,357,357,156,86,86,86,117,86,1474,86,1459,1474,1459,1474,86]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,5,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02089{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2070,"source":"reddit.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291686996891,"flow_src_last_pkt_time":1605291687186026,"flow_dst_last_pkt_time":1605291687186023,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":998,"flow_dst_tot_l4_payload_len":10536,"midstream":0,"thread_ts_usec":1605291687186026,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3b6","src_port":38320,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14548.7,"max":72269,"stddev":19347.3,"var":374318368.0,"ent":3.4,"data": [27356,27416,299,37313,35299,1,72269,38,3,2523,128,130,31242,2117,15088,1,45626,28,24,154,29754,10263,39831,697,1,666]},"pktlen": {"min":72,"avg":432.9,"max":1460,"stddev":553.5,"var":306346.9,"ent":4.0,"data": [80,80,72,589,72,1460,1460,310,72,72,72,152,164,350,72,72,72,343,343,142,72,72,72,103,72,1460,72,1445,1460,1445,1460,72]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,5,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,0,0,1,1,0,1,1,1,1,0],"entropies": [4.857011795,5.304952145,5.190349579,4.366506100,5.111409664,7.825345039,7.835193157,7.203350067,5.273682594,5.245904922,5.245904922,6.284915447,6.470990181,7.367970467,5.111409664,5.139187336,5.055853844,7.210521698,7.280154705,6.282705784,5.207642555,5.273682594,5.245904922,5.913538456,5.139187336,7.867059231,5.245904922,7.855923176,7.844721794,7.856983662,7.858796120,5.273682594]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2333,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687485783,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687485783,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2333,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687485783,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687485783,"pkt":"qtsDr8lk5EKm5WPyht1gDGJhACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACs2RLCx1IBu5\/PXZ4AAAAAoAL9IP2VAAACBAWgBAIICruOxrcAAAAAAQMDBw=="} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2341,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1605291687485783,"flow_dst_last_pkt_time":1605291687512994,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687512994,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAKzZEsIqAcsBIEmLB5kd7IUo3\/YpAbvHUvrRnoyfz12foBJXgAjWAAACBAV4AQMDAwQCCArC1z5Fu47Gtw=="} @@ -192,8 +192,8 @@ 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2356,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687513279,"flow_dst_last_pkt_time":1605291687552593,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291687552593,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"securepubads.g.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01219{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2382,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687545503,"flow_dst_last_pkt_time":1605291687606576,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291687606576,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"platform.twitter.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01545{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687606628,"flow_dst_last_pkt_time":1605291687606672,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291687606672,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"platform.twitter.com","tls": {"version":"TLSv1.2","server_names":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=platform.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"2B:30:10:3B:07:2F:F2:EB:3D:08:E3:BB:45:61:F7:A3:9F:4C:A7:92"}}} -01713{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2397,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687606682,"flow_dst_last_pkt_time":1605291687608302,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":978,"flow_dst_tot_l4_payload_len":10865,"midstream":0,"thread_ts_usec":1605291687608302,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":9362.2,"max":49462,"stddev":15182.4,"var":230505152.0,"ent":3.1,"data": [27211,27234,262,32139,7460,39332,541,528,9,1876,115,75,39448,325,11758,49462,14,229,1909,2,1682,24,5,95,52,1631]},"pktlen": {"min":86,"avg":456.6,"max":1474,"stddev":558.6,"var":312025.4,"ent":4.1,"data": [94,94,86,603,86,1474,86,1474,188,86,86,150,178,360,86,86,86,666,117,86,86,117,522,1474,1474,86,86,86,1474,86,1474,1474]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} -01553{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2457,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687641122,"flow_dst_last_pkt_time":1605291687641103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1012,"flow_dst_tot_l4_payload_len":8292,"midstream":0,"thread_ts_usec":1605291687641122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8714.2,"max":61125,"stddev":16231.6,"var":263464320.0,"ent":2.9,"data": [30377,30415,332,47450,13993,61125,95,1,49,10,2,3286,115,139,30628,2061,91,29231,1271,1309,181,374,3,2,1,161,6,3,2]},"pktlen": {"min":86,"avg":377.2,"max":1134,"stddev":425.8,"var":181298.7,"ent":4.2,"data": [94,94,86,603,86,1134,86,1134,1134,718,86,86,86,179,185,351,86,86,86,344,86,152,86,124,1134,1134,1134,1134,86,86,86,86]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1,1,1,0,0,0,0]}} +02112{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2397,"source":"reddit.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687485783,"flow_src_last_pkt_time":1605291687606682,"flow_dst_last_pkt_time":1605291687608302,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":978,"flow_dst_tot_l4_payload_len":10865,"midstream":0,"thread_ts_usec":1605291687608302,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::acd9:12c2","src_port":51026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":9362.2,"max":49462,"stddev":15182.4,"var":230505152.0,"ent":3.1,"data": [27211,27234,262,32139,7460,39332,541,528,9,1876,115,75,39448,325,11758,49462,14,229,1909,2,1682,24,5,95,52,1631]},"pktlen": {"min":72,"avg":442.6,"max":1460,"stddev":558.6,"var":312025.4,"ent":4.0,"data": [80,80,72,589,72,1460,72,1460,174,72,72,136,164,346,72,72,72,652,103,72,72,103,508,1460,1460,72,72,72,1460,72,1460,1460]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,1,0,1,1],"entropies": [4.882011414,5.229951859,5.245904922,4.668323040,5.111409664,7.823575497,5.218127251,7.840838909,6.577263832,5.273682594,5.245904922,6.141845703,6.526543617,7.249311924,5.028076172,5.028076649,5.028076172,7.620381832,5.685565948,5.134794235,5.107016563,5.797031403,7.461103439,7.863368988,7.879219532,5.218127251,5.218127251,5.218127251,7.865433216,5.218127251,7.849226475,7.844064713]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} +01952{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2457,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687641122,"flow_dst_last_pkt_time":1605291687641103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1012,"flow_dst_tot_l4_payload_len":8292,"midstream":0,"thread_ts_usec":1605291687641122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8714.2,"max":61125,"stddev":16231.6,"var":263464320.0,"ent":2.9,"data": [30377,30415,332,47450,13993,61125,95,1,49,10,2,3286,115,139,30628,2061,91,29231,1271,1309,181,374,3,2,1,161,6,3,2]},"pktlen": {"min":72,"avg":363.2,"max":1120,"stddev":425.8,"var":181298.7,"ent":4.1,"data": [80,80,72,589,72,1120,72,1120,1120,704,72,72,72,165,171,337,72,72,72,330,72,138,72,110,1120,1120,1120,1120,72,72,72,72]},"bins": {"c_to_s": [12,1,1,1,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1,1,1,0,0,0,0],"entropies": [4.882011890,5.254952908,5.245904922,4.537001133,5.045369625,6.921907902,5.119708538,7.178970814,7.321282864,7.568989754,5.190349579,5.162571907,5.096531868,5.980709553,6.354322433,7.210721493,5.083631516,5.139187336,5.111409664,7.047548294,5.218127251,6.254519463,5.162571907,5.573678017,7.803915977,7.831707001,7.839641571,7.817306042,5.245904922,5.245904922,5.245904922,5.245904922]}} 01548{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2457,"source":"reddit.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687514756,"flow_src_last_pkt_time":1605291687641122,"flow_dst_last_pkt_time":1605291687641103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1012,"flow_dst_tot_l4_payload_len":8292,"midstream":0,"thread_ts_usec":1605291687641122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"platform.twitter.com","tls": {"version":"TLSv1.2","server_names":"platform.twitter.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=Twitter Security, CN=platform.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"2B:30:10:3B:07:2F:F2:EB:3D:08:E3:BB:45:61:F7:A3:9F:4C:A7:92"}}} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2460,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687642048,"flow_dst_last_pkt_time":1605291687642048,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687642048,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2460,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1605291687642048,"flow_dst_last_pkt_time":1605291687642048,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687642048,"pkt":"qtsDr8lk5EKm5WPyht1gDI7+ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFgAAAAAAACAImmABu4PHuxgAAAAAoAL9IGTNAAACBAWgBAIICsL4XLwAAAAAAQMDBw=="} @@ -203,7 +203,7 @@ 01218{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2554,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687678071,"flow_dst_last_pkt_time":1605291687721930,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291687721930,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagmanager.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2578,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291687761761,"flow_src_last_pkt_time":1605291687761761,"flow_dst_last_pkt_time":1605291687761761,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687761761,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3d1","src_port":32970,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2578,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1605291687761761,"flow_dst_last_pkt_time":1605291687761761,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687761761,"pkt":"qtsDr8lk5EKm5WPyht1gCTrZACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABoU7PRgMoBuzRK2bcAAAAAoAL9IFSZAAACBAWgBAIIClvEqOkAAAAAAQMDBw=="} -01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2589,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687769797,"flow_dst_last_pkt_time":1605291687770512,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":967,"flow_dst_tot_l4_payload_len":10018,"midstream":0,"thread_ts_usec":1605291687770512,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8834.9,"max":43870,"stddev":14652.3,"var":214690448.0,"ent":3.2,"data": [34309,34348,1675,38053,7520,1,43870,15,3,2990,179,332,37258,1,401,1,34144,24,176,2332,6921,9068,836,1,863,34,109,28,721]},"pktlen": {"min":86,"avg":429.8,"max":1294,"stddev":486.5,"var":236643.5,"ent":4.2,"data": [94,94,86,603,86,1294,1294,564,86,86,86,150,178,349,86,86,666,117,86,86,117,86,559,86,1294,1294,86,86,1294,86,1294,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,1,0,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02122{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2589,"source":"reddit.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687642048,"flow_src_last_pkt_time":1605291687769797,"flow_dst_last_pkt_time":1605291687770512,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":967,"flow_dst_tot_l4_payload_len":10018,"midstream":0,"thread_ts_usec":1605291687770512,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:816::2008","src_port":39520,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8834.9,"max":43870,"stddev":14652.3,"var":214690448.0,"ent":3.2,"data": [34309,34348,1675,38053,7520,1,43870,15,3,2990,179,332,37258,1,401,1,34144,24,176,2332,6921,9068,836,1,863,34,109,28,721]},"pktlen": {"min":72,"avg":415.8,"max":1280,"stddev":486.5,"var":236643.5,"ent":4.1,"data": [80,80,72,589,72,1280,1280,550,72,72,72,136,164,335,72,72,652,103,72,72,103,72,545,72,1280,1280,72,72,1280,72,1280,1280]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,1,1,0,0,1,0,1,1],"entropies": [4.845952988,5.276736736,5.138828754,4.602811337,5.041796684,7.803936958,7.832890034,7.552286625,5.166606426,5.194384098,5.194384098,6.037216187,6.610102654,7.276579857,5.041796684,5.041796684,7.656215668,5.660604000,5.183899403,5.183899403,5.788832664,5.069574356,7.590582848,5.222161770,7.845970631,7.817458153,5.222161770,5.222161770,7.842357159,5.222161770,7.846263409,7.836318970]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2609,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":2,"flow_src_last_pkt_time":1605291687761761,"flow_dst_last_pkt_time":1605291687790624,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291687790624,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAGhTs9EqAcsBIEmLB5kd7IUo3\/YpAbuAylJzVUg0Stm4oBJXgFBhAAACBAV4AQMDAwQCCArC1z9gW8So6Q=="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2610,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":3,"flow_src_last_pkt_time":1605291687790646,"flow_dst_last_pkt_time":1605291687790624,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605291687790646,"pkt":"qtsDr8lk5EKm5WPyht1gCTrZACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABoU7PRgMoBuzRK2bhSc1VJgBAB+9RVAAABAQgKW8SpBsLXP2A="} 01135{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2611,"source":"reddit.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291687761761,"flow_src_last_pkt_time":1605291687790793,"flow_dst_last_pkt_time":1605291687790624,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291687790793,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6853:b3d1","src_port":32970,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.aaxdetect.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} @@ -240,9 +240,9 @@ 01595{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3147,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291687974969,"flow_dst_last_pkt_time":1605291688036418,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3364,"midstream":0,"thread_ts_usec":1605291688036418,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"secure.quantserve.com","tls": {"version":"TLSv1.2","server_names":"*.quantserve.com,*.quantcount.com,*.apextag.com,quantserve.com,quantcount.com,apextag.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Quantcast Corporation, CN=*.quantserve.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3A:30:B1:4A:CE:62:AF:55:B1:89:FF:0C:CB:69:E3:80:CB:B0:91:90"}}} 01222{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3171,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291687829706,"flow_dst_last_pkt_time":1605291688046248,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291688046248,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01668{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688046258,"flow_dst_last_pkt_time":1605291688046580,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3439,"midstream":0,"thread_ts_usec":1605291688046580,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","server_names":"syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F"}}} -01595{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3293,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":22403.4,"max":180245,"stddev":39725.6,"var":1578121344.0,"ent":3.3,"data": [41345,41375,239,45639,16078,1,61463,16,3,3880,365,125,94049,180245,10480,2,92307,53,428,5467,8019,1891,14882,15513,1,15533,36,263,1]},"pktlen": {"min":86,"avg":460.9,"max":1474,"stddev":554.6,"var":307585.9,"ent":4.1,"data": [94,94,86,603,86,1474,1474,674,86,86,86,212,185,344,344,86,360,155,86,86,124,86,86,124,86,1474,1474,86,86,1474,1474,1474]},"bins": {"c_to_s": [10,1,0,2,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,1,1,0,0,1,1,1]}} +01994{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3293,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":22403.4,"max":180245,"stddev":39725.6,"var":1578121344.0,"ent":3.3,"data": [41345,41375,239,45639,16078,1,61463,16,3,3880,365,125,94049,180245,10480,2,92307,53,428,5467,8019,1891,14882,15513,1,15533,36,263,1]},"pktlen": {"min":72,"avg":446.9,"max":1460,"stddev":554.6,"var":307585.9,"ent":4.0,"data": [80,80,72,589,72,1460,1460,660,72,72,72,198,171,330,330,72,346,141,72,72,110,72,72,110,72,1460,1460,72,72,1460,1460,1460]},"bins": {"c_to_s": [10,1,0,2,0,0,0,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,0,0,1,1,1,0,1,1,0,0,1,1,1],"entropies": [5.270193100,5.621731281,5.459350586,4.656135082,5.421088219,6.918155670,7.356199741,7.583865643,5.431572914,5.431572914,5.348239899,6.523558617,6.440567493,7.245548248,7.233427525,5.403794765,7.155272961,6.347721100,5.459350586,5.459350586,5.820535183,5.393310547,5.355048180,6.026633739,5.409216881,7.855928898,7.870290756,5.487128258,5.459350586,7.867146015,7.870689869,7.867941856]}} 01599{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3293,"source":"reddit.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687933355,"flow_src_last_pkt_time":1605291688258109,"flow_dst_last_pkt_time":1605291688258300,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1296,"flow_dst_tot_l4_payload_len":10685,"midstream":0,"thread_ts_usec":1605291688258300,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2620:116:800d:21:f916:5049:f87f:108e","src_port":48648,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"secure.quantserve.com","tls": {"version":"TLSv1.2","server_names":"*.quantserve.com,*.quantcount.com,*.apextag.com,quantserve.com,quantcount.com,apextag.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"b898351eb5e266aefd3723d466935494","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Quantcast Corporation, CN=*.quantserve.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"3A:30:B1:4A:CE:62:AF:55:B1:89:FF:0C:CB:69:E3:80:CB:B0:91:90"}}} -01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3311,"source":"reddit.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687931808,"flow_src_last_pkt_time":1605291688275672,"flow_dst_last_pkt_time":1605291688275738,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1514,"flow_dst_tot_l4_payload_len":8800,"midstream":0,"thread_ts_usec":1605291688275738,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54862,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":23717.0,"max":168765,"stddev":39116.9,"var":1530135680.0,"ent":3.3,"data": [34819,34839,225,53032,4946,57771,466,435,8,5,3584,2043,379,91732,168765,1823,72847,231,970,1993,2727,14555,61747,2,76315,38,696,685,116]},"pktlen": {"min":86,"avg":408.8,"max":1294,"stddev":466.2,"var":217386.3,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,1294,286,86,86,86,150,178,491,491,86,666,86,117,86,117,86,86,827,1294,86,86,1294,86,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,1,1,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +02128{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3311,"source":"reddit.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291687931808,"flow_src_last_pkt_time":1605291688275672,"flow_dst_last_pkt_time":1605291688275738,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1514,"flow_dst_tot_l4_payload_len":8800,"midstream":0,"thread_ts_usec":1605291688275738,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:806::200e","src_port":54862,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":23717.0,"max":168765,"stddev":39116.9,"var":1530135680.0,"ent":3.3,"data": [34819,34839,225,53032,4946,57771,466,435,8,5,3584,2043,379,91732,168765,1823,72847,231,970,1993,2727,14555,61747,2,76315,38,696,685,116]},"pktlen": {"min":72,"avg":394.8,"max":1280,"stddev":466.2,"var":217386.3,"ent":4.1,"data": [80,80,72,589,72,1280,72,1280,1280,272,72,72,72,136,164,477,477,72,652,72,103,72,103,72,72,813,1280,72,72,1280,72,1280]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,0,0,0,2,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,0,1,1,1,0,0,1,0,1],"entropies": [4.855388641,5.336174011,5.166606426,4.455770016,5.107836723,7.809723854,5.222161770,7.834493160,7.853783131,7.186578274,5.194384098,5.194384098,5.222161770,6.074600697,6.474341869,7.424253941,7.412911415,5.135614395,7.636740208,5.081305027,5.736714840,5.107836723,5.719827175,5.194384098,5.063430309,7.714984417,7.833517075,5.166606426,5.204868793,7.844364166,5.194384098,7.833867073]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3346,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688324076,"flow_dst_last_pkt_time":1605291688324076,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688324076,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3346,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688324076,"flow_dst_last_pkt_time":1605291688324076,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688324076,"pkt":"qtsDr8lk5EKm5WPyht1gDP1bACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADYOtHmx5wBu0pXpjQAAAAAoAL9INe7AAACBAWgBAIICn8mSwwAAAAAAQMDBw=="} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3358,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688336354,"flow_src_last_pkt_time":1605291688336354,"flow_dst_last_pkt_time":1605291688336354,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688336354,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -261,8 +261,8 @@ 01210{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3517,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688365341,"flow_dst_last_pkt_time":1605291688408044,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291688408044,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"ad.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01210{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3521,"source":"reddit.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688336354,"flow_src_last_pkt_time":1605291688371089,"flow_dst_last_pkt_time":1605291688408514,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1605291688408514,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51102,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"ad.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01201{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3538,"source":"reddit.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688344280,"flow_src_last_pkt_time":1605291688372055,"flow_dst_last_pkt_time":1605291688411963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688411963,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2600:9000:219c:ee00:6:44e3:f8c0:93a1","src_port":56186,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"rules.quantcount.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01735{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3794,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688488430,"flow_dst_last_pkt_time":1605291688495517,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1402,"flow_dst_tot_l4_payload_len":4278,"midstream":0,"thread_ts_usec":1605291688495517,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10832.1,"max":42730,"stddev":14959.8,"var":223794400.0,"ent":3.6,"data": [41079,41100,165,31856,11033,42730,469,1,470,25,2812,1299,93,34223,10205,1,40205,536,1458,1,938,16571,1,3,16547,20,17,4417,310,12670,24540]},"pktlen": {"min":86,"avg":264.0,"max":1474,"stddev":362.6,"var":131502.0,"ent":4.1,"data": [94,94,86,603,86,1474,86,1474,186,86,86,150,178,500,86,666,86,86,117,86,117,86,807,117,125,86,86,86,125,121,296,86]},"bins": {"c_to_s": [11,2,2,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} -01591{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":48119.6,"max":216552,"stddev":68159.2,"var":4645675520.0,"ent":3.6,"data": [29231,29299,228,29539,187299,216552,332,326,7,1815,188,30,70254,211900,6516,1,182884,58339,20162,41757,64,46,873,11694,10868,9898,6233,112514,128634,76106]},"pktlen": {"min":86,"avg":272.4,"max":1474,"stddev":353.4,"var":124913.6,"ent":4.2,"data": [94,94,86,603,86,1474,86,1474,749,86,86,212,185,376,376,86,86,86,186,86,328,86,130,86,124,124,86,86,86,545,86,352]},"bins": {"c_to_s": [9,1,0,3,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,0,1,0,1,1,1,0,1]}} +02134{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3794,"source":"reddit.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1605291688324076,"flow_src_last_pkt_time":1605291688488430,"flow_dst_last_pkt_time":1605291688495517,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1402,"flow_dst_tot_l4_payload_len":4278,"midstream":0,"thread_ts_usec":1605291688495517,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::d83a:d1e6","src_port":51100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10832.1,"max":42730,"stddev":14959.8,"var":223794400.0,"ent":3.6,"data": [41079,41100,165,31856,11033,42730,469,1,470,25,2812,1299,93,34223,10205,1,40205,536,1458,1,938,16571,1,3,16547,20,17,4417,310,12670,24540]},"pktlen": {"min":72,"avg":250.0,"max":1460,"stddev":362.6,"var":131502.0,"ent":4.0,"data": [80,80,72,589,72,1460,72,1460,172,72,72,136,164,486,72,652,72,72,103,72,103,72,793,103,111,72,72,72,111,107,282,72]},"bins": {"c_to_s": [11,2,2,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,1,1,0,1,1,1,0,0,0,0,0,0,1],"entropies": [4.857011318,5.329952717,5.273682594,4.540163040,5.139187336,7.843326092,5.273682594,7.862450600,6.539532185,5.273682594,5.273682594,6.134756088,6.541216850,7.446951866,5.166965008,7.636521339,5.100924969,5.273682594,5.932955742,5.111409664,5.777672768,5.263197899,7.737014294,5.703792095,5.962306976,5.301460266,5.329237938,5.329237938,6.057867527,5.878192425,7.107053280,5.166965008]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} +01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":48119.6,"max":216552,"stddev":68159.2,"var":4645675520.0,"ent":3.6,"data": [29231,29299,228,29539,187299,216552,332,326,7,1815,188,30,70254,211900,6516,1,182884,58339,20162,41757,64,46,873,11694,10868,9898,6233,112514,128634,76106]},"pktlen": {"min":72,"avg":258.4,"max":1460,"stddev":353.4,"var":124913.6,"ent":4.1,"data": [80,80,72,589,72,1460,72,1460,735,72,72,198,171,362,362,72,72,72,172,72,314,72,116,72,110,110,72,72,72,531,72,338]},"bins": {"c_to_s": [9,1,0,3,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,1,1,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,1,0,1,1,0,1,0,0,1,0,1,1,1,0,1],"entropies": [4.822575092,5.245516300,5.245904922,4.574756145,5.111409664,6.787540913,5.218127251,7.353115559,7.586227894,5.162571907,5.190349579,6.362659931,6.273279667,7.149994850,7.138213634,5.083631992,5.055854321,5.055854321,6.419822216,5.083631992,6.981730461,5.245904922,5.900056362,5.218127251,5.636374950,5.857635021,5.190349579,5.083631992,5.083631992,7.496485710,5.175263882,7.287763596]}} 01671{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":3882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291687800179,"flow_src_last_pkt_time":1605291688483940,"flow_dst_last_pkt_time":1605291688560007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1460,"flow_dst_tot_l4_payload_len":4488,"midstream":0,"thread_ts_usec":1605291688560007,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"syndication.twitter.com","tls": {"version":"TLSv1.2","server_names":"syndication.twitter.com,syndication.twimg.com,syndication-o.twitter.com,syndication-o.twimg.com,cdn.syndication.twitter.com,cdn.syndication.twimg.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Twitter, Inc., OU=lon3, CN=syndication.twitter.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"09:D3:FE:9A:3E:39:A7:E2:90:5B:C9:1F:3B:7D:CE:7C:7E:08:1C:6F"}}} 00803{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3906,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688611238,"flow_src_last_pkt_time":1605291688611238,"flow_dst_last_pkt_time":1605291688611238,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688611238,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3906,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688611238,"flow_dst_last_pkt_time":1605291688611238,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688611238,"pkt":"qtsDr8lk5EKm5WPyht1gDEO\/ACgGQCoBywEgSYsHmR3shSjf9ikmBigAATQaDRQpB0IHggC2mzgBu\/F3Z44AAAAAoAL9IIe6AAACBAWgBAIICvY2BR4AAAAAAQMDBw=="} @@ -280,7 +280,7 @@ 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4267,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_src_last_pkt_time":1605291688749044,"flow_dst_last_pkt_time":1605291688786435,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688786435,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgFAAAAAAAAIAQqAcsBIEmLB5kd7IUo3\/YpAbvfwoEYYXPjQDuzoBJXgOVIAAACBAV4AQMDAwQCCArC10M\/bf\/I8g=="} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4268,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1605291688786460,"flow_dst_last_pkt_time":1605291688786435,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605291688786460,"pkt":"qtsDr8lk5EKm5WPyht1gCJDMACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACAE38IBu+NAO7OBGGF0gBAB+2k0AAABAQgKbf\/JGMLXQz8="} 01155{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4269,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291688749044,"flow_src_last_pkt_time":1605291688786633,"flow_dst_last_pkt_time":1605291688786435,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688786633,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01734{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688611238,"flow_src_last_pkt_time":1605291688786771,"flow_dst_last_pkt_time":1605291688811895,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1624,"flow_dst_tot_l4_payload_len":5905,"midstream":0,"thread_ts_usec":1605291688811895,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12972.1,"max":51136,"stddev":18175.8,"var":330360896.0,"ent":3.5,"data": [43010,43065,309,41280,10189,51136,400,38397,3509,41489,471,1,468,4,62,52,2291,169,102,38533,1,35978,9,3,58,5162,2233,17560,249]},"pktlen": {"min":86,"avg":321.8,"max":1294,"stddev":396.4,"var":157103.1,"ent":4.2,"data": [94,94,86,603,86,185,86,609,86,1294,86,1294,1294,86,86,423,86,160,178,473,86,341,341,182,86,86,86,117,86,86,117,1294]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,2,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02133{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4390,"source":"reddit.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688611238,"flow_src_last_pkt_time":1605291688786771,"flow_dst_last_pkt_time":1605291688811895,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1624,"flow_dst_tot_l4_payload_len":5905,"midstream":0,"thread_ts_usec":1605291688811895,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:134:1a0d:1429:742:782:b6","src_port":39736,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12972.1,"max":51136,"stddev":18175.8,"var":330360896.0,"ent":3.5,"data": [43010,43065,309,41280,10189,51136,400,38397,3509,41489,471,1,468,4,62,52,2291,169,102,38533,1,35978,9,3,58,5162,2233,17560,249]},"pktlen": {"min":72,"avg":307.8,"max":1280,"stddev":396.4,"var":157103.1,"ent":4.1,"data": [80,80,72,589,72,171,72,595,72,1280,72,1280,1280,72,72,409,72,146,164,459,72,327,327,168,72,72,72,103,72,72,103,1280]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,2,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1],"entropies": [5.156615734,5.498501778,5.447478771,4.680018902,5.305136681,6.159050465,5.343176365,5.095525742,5.322429657,7.814732552,5.475256443,7.833696365,7.860356808,5.419701099,5.436994553,7.369849682,5.475256443,6.433616161,6.626874924,7.528322220,5.360692024,7.254635811,7.262678146,6.541914940,5.447478771,5.475256443,5.447478771,6.000376225,5.388469696,5.360692024,5.934231758,7.832221508]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitter","proto_id":"91.120","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 01220{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":4414,"source":"reddit.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688712501,"flow_src_last_pkt_time":1605291688754330,"flow_dst_last_pkt_time":1605291688813598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688813598,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2006","src_port":54726,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"static.doubleclick.net","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":4492,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291688830061,"flow_dst_last_pkt_time":1605291688830061,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688830061,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4492,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1605291688830061,"flow_dst_last_pkt_time":1605291688830061,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688830061,"pkt":"qtsDr8lk5EKm5WPyht1gBrB0ACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACAB4woBuyKqv5AAAAAAoAL9IFwjAAACBAWgBAIICu7gTZEAAAAAAQMDBw=="} @@ -302,15 +302,15 @@ 01150{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4861,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291688894065,"flow_dst_last_pkt_time":1605291688893806,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688894065,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"yt3.ggpht.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4865,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":2,"flow_src_last_pkt_time":1605291688831210,"flow_dst_last_pkt_time":1605291688894545,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291688894545,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgVAAAAAAAAIBYqAcsBIEmLB5kd7IUo3\/YpAbvMSCvRvaZMy7vtoBJXgIUlAAACBAV4AQMDAwQCCArC10OaRJp0xw=="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":4867,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":3,"flow_src_last_pkt_time":1605291688894570,"flow_dst_last_pkt_time":1605291688894545,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605291688894570,"pkt":"qtsDr8lk5EKm5WPyht1gDPOvACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFQAAAAAAACAWzEgBu0zLu+0r0b2ngBAB+wj4AAABAQgKRJp1BsLXQ5o="} -01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688749044,"flow_src_last_pkt_time":1605291688895635,"flow_dst_last_pkt_time":1605291688895679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":990,"flow_dst_tot_l4_payload_len":9898,"midstream":0,"thread_ts_usec":1605291688895679,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10111.2,"max":62320,"stddev":17971.1,"var":322959648.0,"ent":3.0,"data": [37391,37416,173,47446,15044,62320,24,361,320,2535,232,269,39947,114,2294,39328,242,2903,2650,782,796,254,1,2,253,13,20,95,1]},"pktlen": {"min":86,"avg":426.8,"max":1294,"stddev":483.3,"var":233579.9,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,303,86,150,178,372,86,86,86,666,86,117,511,86,1294,86,1294,1294,1294,86,86,86,1294,306]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02118{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":4882,"source":"reddit.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688749044,"flow_src_last_pkt_time":1605291688895635,"flow_dst_last_pkt_time":1605291688895679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":990,"flow_dst_tot_l4_payload_len":9898,"midstream":0,"thread_ts_usec":1605291688895679,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2004","src_port":57282,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":10111.2,"max":62320,"stddev":17971.1,"var":322959648.0,"ent":3.0,"data": [37391,37416,173,47446,15044,62320,24,361,320,2535,232,269,39947,114,2294,39328,242,2903,2650,782,796,254,1,2,253,13,20,95,1]},"pktlen": {"min":72,"avg":412.8,"max":1280,"stddev":483.3,"var":233579.9,"ent":4.1,"data": [80,80,72,589,72,1280,1280,72,72,289,72,136,164,358,72,72,72,652,72,103,497,72,1280,72,1280,1280,1280,72,72,72,1280,292]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,1,1,0,0,1,0,1,0,1,1,1,0,0,0,1,1],"entropies": [4.742643356,5.251736641,5.156122208,4.431118965,5.052281380,7.795456409,7.833138943,5.183899879,5.183899879,7.222666740,5.183899879,6.136840343,6.526112080,7.291018963,5.080059052,5.080059052,5.107836723,7.666177273,5.098598480,5.762085438,7.464744568,5.183899879,7.830111027,5.156122208,7.819734097,7.865944386,7.829904556,5.128344536,5.156122208,5.100566864,7.822502613,7.162058353]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 01148{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4885,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291688895701,"flow_dst_last_pkt_time":1605291688894545,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291688895701,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"i.ytimg.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01195{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5588,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291688894065,"flow_dst_last_pkt_time":1605291688963049,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963049,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"yt3.ggpht.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01193{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5606,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291688895701,"flow_dst_last_pkt_time":1605291688963101,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963101,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"i.ytimg.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5611,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688843899,"flow_src_last_pkt_time":1605291688889651,"flow_dst_last_pkt_time":1605291688963103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963103,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fonts.gstatic.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":5621,"source":"reddit.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291688843948,"flow_src_last_pkt_time":1605291688889830,"flow_dst_last_pkt_time":1605291688963145,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291688963145,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47304,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"fonts.gstatic.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01700{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5669,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291689005944,"flow_dst_last_pkt_time":1605291689006046,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":8982,"midstream":0,"thread_ts_usec":1605291689006046,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13032.1,"max":68993,"stddev":23942.8,"var":573258176.0,"ent":2.8,"data": [63745,63780,224,68524,719,1,1,1,68993,14,7,6,49,23,8336,2581,2495,40185,1017,27807,170,1594,1,1430,17,147,1]},"pktlen": {"min":86,"avg":399.7,"max":1294,"stddev":459.2,"var":210886.5,"ent":4.2,"data": [94,94,86,603,86,1294,1294,1294,1294,86,86,86,86,483,86,150,178,421,86,666,86,86,86,117,117,517,86,86,1294,1294,342,125]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} -01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5691,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688843899,"flow_src_last_pkt_time":1605291689013039,"flow_dst_last_pkt_time":1605291689013078,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":9699,"midstream":0,"thread_ts_usec":1605291689013078,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12082.8,"max":73480,"stddev":21188.9,"var":448969504.0,"ent":3.0,"data": [45331,45373,379,65680,8193,73480,42,21,5,12589,926,174,173,41157,1595,28896,105,3348,1,3744,1,1,6991,22,3,3,85,1]},"pktlen": {"min":86,"avg":423.5,"max":1294,"stddev":484.5,"var":234727.2,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,355,86,86,150,178,387,167,86,666,86,117,86,86,86,480,1294,1294,1294,86,86,86,86,1294,1294]},"bins": {"c_to_s": [11,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01715{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5714,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291689029453,"flow_dst_last_pkt_time":1605291689029440,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1007,"flow_dst_tot_l4_payload_len":10130,"midstream":0,"thread_ts_usec":1605291689029453,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14159.8,"max":67787,"stddev":23093.6,"var":533315104.0,"ent":3.2,"data": [63335,63360,1131,67787,769,1,1,67414,6,6,11732,1751,188,41623,368,28482,452,4153,1923,5466,17937,17942,106,77,226,1,229,7]},"pktlen": {"min":86,"avg":434.5,"max":1294,"stddev":488.8,"var":238946.4,"ent":4.2,"data": [94,94,86,603,86,1294,1294,765,86,86,86,150,178,389,86,666,86,117,86,86,117,86,470,86,1294,86,1294,1294,1294,1294,86,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +02099{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5669,"source":"reddit.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291688830061,"flow_src_last_pkt_time":1605291689005944,"flow_dst_last_pkt_time":1605291689006046,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1039,"flow_dst_tot_l4_payload_len":8982,"midstream":0,"thread_ts_usec":1605291689006046,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2001","src_port":58122,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13032.1,"max":68993,"stddev":23942.8,"var":573258176.0,"ent":2.8,"data": [63745,63780,224,68524,719,1,1,1,68993,14,7,6,49,23,8336,2581,2495,40185,1017,27807,170,1594,1,1430,17,147,1]},"pktlen": {"min":72,"avg":385.7,"max":1280,"stddev":459.2,"var":210886.5,"ent":4.1,"data": [80,80,72,589,72,1280,1280,1280,1280,72,72,72,72,469,72,136,164,407,72,652,72,72,72,103,103,503,72,72,1280,1280,328,111]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,1,0,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,1,1,1,1],"entropies": [4.810268402,5.216053009,5.081305027,4.495285511,5.070961475,7.775168419,7.813756466,7.830919743,7.820947170,5.175122738,5.202900410,5.175122738,5.164638042,7.419659138,5.202900410,6.144525528,6.597908497,7.465239525,5.081446171,7.628419399,5.025890350,5.081446171,5.136860371,5.834997177,5.649486065,7.575581074,5.202900410,5.202900410,7.817056179,7.851086140,7.198029995,5.871317387]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +02108{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5691,"source":"reddit.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688843899,"flow_src_last_pkt_time":1605291689013039,"flow_dst_last_pkt_time":1605291689013078,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1086,"flow_dst_tot_l4_payload_len":9699,"midstream":0,"thread_ts_usec":1605291689013078,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80c::2003","src_port":47302,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12082.8,"max":73480,"stddev":21188.9,"var":448969504.0,"ent":3.0,"data": [45331,45373,379,65680,8193,73480,42,21,5,12589,926,174,173,41157,1595,28896,105,3348,1,3744,1,1,6991,22,3,3,85,1]},"pktlen": {"min":72,"avg":409.5,"max":1280,"stddev":484.5,"var":234727.2,"ent":4.1,"data": [80,80,72,589,72,1280,72,1280,341,72,72,136,164,373,153,72,652,72,103,72,72,72,466,1280,1280,1280,72,72,72,72,1280,1280]},"bins": {"c_to_s": [11,0,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,1,0,0,0,0,1,1],"entropies": [4.855388641,5.270608902,5.232646942,4.480056286,5.091208458,7.815004349,5.193278790,7.850385666,7.281913757,5.248834610,5.137723923,6.052643776,6.521836281,7.361442566,6.438180447,5.052281380,7.594014645,5.288202286,5.794967651,5.135614395,5.191169739,5.137001514,7.486030579,7.839892864,7.804619789,7.849721909,5.260424614,5.260424614,5.288202286,5.277717590,7.826467514,7.832191467]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02114{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":5714,"source":"reddit.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291688831210,"flow_src_last_pkt_time":1605291689029453,"flow_dst_last_pkt_time":1605291689029440,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1007,"flow_dst_tot_l4_payload_len":10130,"midstream":0,"thread_ts_usec":1605291689029453,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:815::2016","src_port":52296,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":14159.8,"max":67787,"stddev":23093.6,"var":533315104.0,"ent":3.2,"data": [63335,63360,1131,67787,769,1,1,67414,6,6,11732,1751,188,41623,368,28482,452,4153,1923,5466,17937,17942,106,77,226,1,229,7]},"pktlen": {"min":72,"avg":420.5,"max":1280,"stddev":488.8,"var":238946.4,"ent":4.1,"data": [80,80,72,589,72,1280,1280,751,72,72,72,136,164,375,72,652,72,103,72,72,103,72,456,72,1280,72,1280,1280,1280,1280,72,72]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,1,1,1,0,0],"entropies": [4.855387688,5.286172390,5.166606426,4.403482437,5.097352028,7.810871601,7.864149094,7.683444977,5.164638042,5.232646465,5.288201809,6.259301662,6.552115440,7.385071278,5.107836723,7.668366432,5.149313450,5.867877483,5.069574356,5.080059052,5.803856373,5.204868793,7.481070042,5.260424137,7.860325813,5.260424137,7.834439754,7.818997860,7.817288876,7.835785389,5.232646465,5.260424137]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.YouTube","proto_id":"91.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00787{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7094,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689408040,"flow_dst_last_pkt_time":1605291689408040,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291689408040,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7094,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1605291689408040,"flow_dst_last_pkt_time":1605291689408040,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291689408040,"pkt":"qtsDr8lk5EKm5WPyht1gCYSFACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3UABuxOPoYYAAAAAoAL9IMRnAAACBAWgBAIICql08xMAAAAAAQMDBw=="} 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7110,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1605291689408040,"flow_dst_last_pkt_time":1605291689433785,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291689433785,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvdQHZ86cETj6GHoBJXgAFCAAACBAV4AQMDAwQCCArC10XLqXTzEw=="} @@ -318,7 +318,7 @@ 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7112,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689434011,"flow_dst_last_pkt_time":1605291689433785,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291689434011,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01216{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8671,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689434011,"flow_dst_last_pkt_time":1605291689577976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1048,"midstream":0,"thread_ts_usec":1605291689577976,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01485{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8678,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689578012,"flow_dst_last_pkt_time":1605291689578047,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3144,"midstream":0,"thread_ts_usec":1605291689578047,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}} -01556{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8914,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16756.9,"max":144189,"stddev":37481.1,"var":1404833920.0,"ent":2.7,"data": [25745,25768,203,144189,2,143997,4,71,1,41,7,2508,597,1253,49737,1,1,45397,18,103,1,65,704,437,888,38392,2516,1067,2238]},"pktlen": {"min":86,"avg":277.2,"max":1134,"stddev":320.8,"var":102914.8,"ent":4.3,"data": [94,94,86,603,86,1134,1134,86,86,1134,601,86,86,179,185,485,86,86,344,152,86,86,86,453,86,124,580,156,86,86,86,128]},"bins": {"c_to_s": [9,1,2,1,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,1,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1]}} +01955{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":8914,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":16756.9,"max":144189,"stddev":37481.1,"var":1404833920.0,"ent":2.7,"data": [25745,25768,203,144189,2,143997,4,71,1,41,7,2508,597,1253,49737,1,1,45397,18,103,1,65,704,437,888,38392,2516,1067,2238]},"pktlen": {"min":72,"avg":263.2,"max":1120,"stddev":320.8,"var":102914.8,"ent":4.2,"data": [80,80,72,589,72,1120,1120,72,72,1120,587,72,72,165,171,471,72,72,330,138,72,72,72,439,72,110,566,142,72,72,72,114]},"bins": {"c_to_s": [9,1,2,1,0,0,0,0,0,0,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,1,0,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1],"entropies": [4.857011795,5.259831905,5.179864883,4.529115200,5.055853844,6.908260822,7.364731312,5.245904922,5.218127251,7.327914715,7.541935444,5.162571907,5.218127251,6.139030457,6.351455688,7.439690113,5.166965008,5.139187336,7.125073433,6.245332241,5.235420227,5.273682594,5.139187336,7.450459003,5.273682594,5.556783676,7.574505329,6.164192200,5.085018635,5.139187336,5.139187336,5.963419437]}} 01488{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8914,"source":"reddit.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291689408040,"flow_src_last_pkt_time":1605291689629927,"flow_dst_last_pkt_time":1605291689672104,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":1710,"flow_dst_tot_l4_payload_len":4392,"midstream":0,"thread_ts_usec":1605291689672104,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56640,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Reddit","proto_id":"91.205","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"gateway.reddit.com","tls": {"version":"TLSv1.2","server_names":"reddit.com,*.reddit.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"16c0b3e6a7b8173c16d944cfeaeee9cf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert SHA2 Secure Server CA","subjectDN":"C=US, ST=California, L=San Francisco, O=Reddit Inc., CN=*.reddit.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"DB:E9:D5:FE:EB:EF:68:34:55:FD:62:BA:C9:BB:04:D4:E3:22:18:81"}}} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9080,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690373466,"flow_src_last_pkt_time":1605291690373466,"flow_dst_last_pkt_time":1605291690373466,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690373466,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:805::2002","src_port":51006,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9080,"source":"reddit.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":1,"flow_src_last_pkt_time":1605291690373466,"flow_dst_last_pkt_time":1605291690373466,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291690373466,"pkt":"qtsDr8lk5EKm5WPyht1gB68TACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIBQAAAAAAACACxz4Buz6Su2UAAAAAoAL9IFr7AAACBAWgBAIIClRf7UgAAAAAAQMDBw=="} @@ -345,8 +345,8 @@ 01262{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9134,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291690421002,"flow_src_last_pkt_time":1605291690449801,"flow_dst_last_pkt_time":1605291690483975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291690483975,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"8a755a3fef0b189d8ab5b0d10758f68a.safeframe.googlesyndication.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01221{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9160,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291690405354,"flow_src_last_pkt_time":1605291690440589,"flow_dst_last_pkt_time":1605291690501383,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1360,"midstream":0,"thread_ts_usec":1605291690501383,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"aax-eu.amazon-adsystem.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"49b45fc1ab090aa3a159778313fc9b9e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01525{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9166,"source":"reddit.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605291690405354,"flow_src_last_pkt_time":1605291690502241,"flow_dst_last_pkt_time":1605291690502750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1360,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5440,"midstream":0,"thread_ts_usec":1605291690502750,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::345f:7ca5","src_port":46646,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Amazon","proto_id":"91.178","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"aax-eu.amazon-adsystem.com","tls": {"version":"TLSv1.2","server_names":"aax-eu.amazon-adsystem.com,aax.amazon-adsystem.com,aax-cpm.amazon-adsystem.com,aax-dtb-web.amazon-adsystem.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"49b45fc1ab090aa3a159778313fc9b9e","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=Amazon, OU=Server CA 1B, CN=Amazon","subjectDN":"CN=aax-eu.amazon-adsystem.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"5D:18:8E:CB:B7:91:5C:79:26:B5:08:49:FF:2C:24:D8:06:54:91:8B"}}} -01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690384370,"flow_src_last_pkt_time":1605291690495032,"flow_dst_last_pkt_time":1605291690511816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":5622,"midstream":0,"thread_ts_usec":1605291690511816,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7680.9,"max":45875,"stddev":12464.9,"var":155373568.0,"ent":3.4,"data": [18528,18557,358,37185,9026,1,2,1,45875,10,14,14,8672,419,266,33620,1,89,1151,1,25433,25,482,7313,1,1,6808,24,7,3698,20526]},"pktlen": {"min":86,"avg":294.1,"max":1294,"stddev":371.7,"var":138197.8,"ent":4.2,"data": [94,94,86,603,86,1294,1294,1294,287,86,86,86,86,150,178,363,86,86,86,666,117,86,86,117,789,530,125,86,86,86,125,86]},"bins": {"c_to_s": [12,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01732{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9193,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690421002,"flow_src_last_pkt_time":1605291690527565,"flow_dst_last_pkt_time":1605291690527527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1054,"flow_dst_tot_l4_payload_len":6986,"midstream":0,"thread_ts_usec":1605291690527565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7102.9,"max":34221,"stddev":11390.5,"var":129743840.0,"ent":3.4,"data": [28106,28139,660,33241,1626,34221,71,30,636,643,4625,213,224,27018,3512,25468,241,4283,1409,5453,77,6348,1,6424,34,8,196,1,158,22]},"pktlen": {"min":86,"avg":337.8,"max":1294,"stddev":408.2,"var":166632.7,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,86,548,86,150,178,436,86,666,86,117,86,117,86,86,496,1294,1294,86,86,86,718,125,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,0,1,1,1,1,0,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} +02111{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9174,"source":"reddit.pcap","alias":"nDPId-test","flow_id":46,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690384370,"flow_src_last_pkt_time":1605291690495032,"flow_dst_last_pkt_time":1605291690511816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1020,"flow_dst_tot_l4_payload_len":5622,"midstream":0,"thread_ts_usec":1605291690511816,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2002","src_port":59336,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7680.9,"max":45875,"stddev":12464.9,"var":155373568.0,"ent":3.4,"data": [18528,18557,358,37185,9026,1,2,1,45875,10,14,14,8672,419,266,33620,1,89,1151,1,25433,25,482,7313,1,1,6808,24,7,3698,20526]},"pktlen": {"min":72,"avg":280.1,"max":1280,"stddev":371.7,"var":138197.8,"ent":4.1,"data": [80,80,72,589,72,1280,1280,1280,273,72,72,72,72,136,164,349,72,72,72,652,103,72,72,103,775,516,111,72,72,72,111,72]},"bins": {"c_to_s": [12,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,1,0,0,0,0,1],"entropies": [4.830388546,5.286173820,5.175123215,4.582562923,5.135614395,7.820514202,7.848834991,7.840905190,7.029392242,5.204868793,5.232646465,5.232646465,5.232646465,6.256432056,6.550828457,7.277585983,5.097352028,5.107836723,5.107836723,7.629249096,5.686814308,5.260424137,5.260424137,5.854413509,7.698106289,7.556940079,5.871694088,5.222162247,5.166606903,5.166606903,5.962721825,5.004921436]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02131{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9193,"source":"reddit.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605291690421002,"flow_src_last_pkt_time":1605291690527565,"flow_dst_last_pkt_time":1605291690527527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1054,"flow_dst_tot_l4_payload_len":6986,"midstream":0,"thread_ts_usec":1605291690527565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::2001","src_port":59624,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7102.9,"max":34221,"stddev":11390.5,"var":129743840.0,"ent":3.4,"data": [28106,28139,660,33241,1626,34221,71,30,636,643,4625,213,224,27018,3512,25468,241,4283,1409,5453,77,6348,1,6424,34,8,196,1,158,22]},"pktlen": {"min":72,"avg":323.8,"max":1280,"stddev":408.2,"var":166632.7,"ent":4.1,"data": [80,80,72,589,72,1280,72,1280,72,534,72,136,164,422,72,652,72,103,72,103,72,72,482,1280,1280,72,72,72,704,111,72,72]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,0,1,1,1,1,0,0,0,1,1,0,0],"entropies": [4.750831604,5.256616592,5.147345066,5.037306786,5.025890827,7.794999599,5.175122738,7.849133015,5.175122738,7.594861984,5.147345066,6.103534698,6.601645947,7.415776730,5.023922443,7.687021732,5.175123215,5.854413509,4.959850788,5.758662224,5.147345066,5.053668499,7.493776798,7.824415684,7.830970287,5.175122738,5.175122738,5.147345066,7.700448990,5.878117561,5.175122738,5.175122738]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690926655,"flow_src_last_pkt_time":1605291690926655,"flow_dst_last_pkt_time":1605291690926655,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690926655,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9279,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_packet_id":1,"flow_src_last_pkt_time":1605291690926655,"flow_dst_last_pkt_time":1605291690926655,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291690926655,"pkt":"qtsDr8lk5EKm5WPyht1gDDgdACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICAAAAAAAACABttYBu\/eX0dQAAAAAoAL9IKwyAAACBAWgBAIIChrDFp8AAAAAAQMDBw=="} 00793{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":9280,"source":"reddit.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291690926734,"flow_src_last_pkt_time":1605291690926734,"flow_dst_last_pkt_time":1605291690926734,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291690926734,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46808,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -411,9 +411,9 @@ 01223{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9446,"source":"reddit.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605291690926978,"flow_src_last_pkt_time":1605291690957682,"flow_dst_last_pkt_time":1605291691004686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605291691004686,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36968,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"tpc.googlesyndication.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9475,"source":"reddit.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":2,"flow_src_last_pkt_time":1605291690992851,"flow_dst_last_pkt_time":1605291691029572,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291691029572,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgPAAAAAAAAIAEqAcsBIEmLB5kd7IUo3\/YpAbuQbO1037mLrsxooBJXgErvAAACBAV4AQMDAwQCCArC10wIuJU7dg=="} 00540{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9476,"source":"reddit.pcap","alias":"nDPId-test","flow_id":59,"flow_packet_id":3,"flow_src_last_pkt_time":1605291691029601,"flow_dst_last_pkt_time":1605291691029572,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":74,"pkt_l4_len":20,"thread_ts_usec":1605291691029601,"pkt":"qtsDr8lk5EKm5WPyht1gBfK\/ABQGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIDwAAAAAAACABkGwBu4uuzGgAAAAAUAQAANo6AAA="} -01701{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9501,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291690926655,"flow_src_last_pkt_time":1605291691043702,"flow_dst_last_pkt_time":1605291691043566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1291,"flow_dst_tot_l4_payload_len":11382,"midstream":0,"thread_ts_usec":1605291691043702,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7798.6,"max":42183,"stddev":12366.5,"var":152931424.0,"ent":3.3,"data": [25564,25583,1059,31489,7154,1,37586,36,127,1,1,1,87,28,7124,13598,568,199,42183,2,20688,340,10112,7,263,1,3,2,10101,50]},"pktlen": {"min":86,"avg":482.5,"max":1294,"stddev":513.4,"var":263601.8,"ent":4.2,"data": [94,94,86,603,86,1294,1294,86,86,1294,1294,1294,1294,234,86,86,150,178,356,403,86,666,86,117,86,86,86,1076,1294,1294,86,86]},"bins": {"c_to_s": [10,0,2,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9585,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926912,"flow_src_last_pkt_time":1605291691067608,"flow_dst_last_pkt_time":1605291691069122,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1326,"flow_dst_tot_l4_payload_len":6622,"midstream":0,"thread_ts_usec":1605291691069122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36964,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9430.2,"max":45897,"stddev":14278.1,"var":203864128.0,"ent":3.4,"data": [29535,29546,105,39799,6197,1,1,45897,20,10,16645,7440,877,217,45409,188,20393,461,14689,1873,1,1,16098,2949,2,2950,29,8,1564,1]},"pktlen": {"min":86,"avg":334.9,"max":1294,"stddev":398.4,"var":158685.9,"ent":4.2,"data": [94,94,86,603,86,1294,1294,325,86,86,86,150,178,405,389,86,666,86,117,86,117,86,86,86,565,412,221,86,86,86,1294,1294]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,1,1,0,1,1,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} -01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9629,"source":"reddit.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926867,"flow_src_last_pkt_time":1605291691075065,"flow_dst_last_pkt_time":1605291691075150,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":5335,"midstream":0,"thread_ts_usec":1605291691075150,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:811::200a","src_port":38166,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9882.7,"max":43801,"stddev":13582.8,"var":184491312.0,"ent":3.6,"data": [28655,28663,221,37924,6057,43801,75,33,588,595,16415,9761,878,43789,3898,20653,579,14876,1700,16044,10542,2,1,1,10492,40,13,10,172,3]},"pktlen": {"min":86,"avg":284.1,"max":1294,"stddev":336.6,"var":113301.5,"ent":4.2,"data": [94,94,86,603,86,1294,86,1294,86,586,86,150,178,369,86,666,86,117,86,117,86,86,545,911,286,371,86,86,86,86,125,86]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,1,0,1,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02100{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9501,"source":"reddit.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605291690926655,"flow_src_last_pkt_time":1605291691043702,"flow_dst_last_pkt_time":1605291691043566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1291,"flow_dst_tot_l4_payload_len":11382,"midstream":0,"thread_ts_usec":1605291691043702,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:808::2001","src_port":46806,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":7798.6,"max":42183,"stddev":12366.5,"var":152931424.0,"ent":3.3,"data": [25564,25583,1059,31489,7154,1,37586,36,127,1,1,1,87,28,7124,13598,568,199,42183,2,20688,340,10112,7,263,1,3,2,10101,50]},"pktlen": {"min":72,"avg":468.5,"max":1280,"stddev":513.4,"var":263601.8,"ent":4.2,"data": [80,80,72,589,72,1280,1280,72,72,1280,1280,1280,1280,220,72,72,136,164,342,389,72,652,72,103,72,72,72,1062,1280,1280,72,72]},"bins": {"c_to_s": [10,0,2,0,0,0,0,0,1,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,1,1,1,0,0],"entropies": [4.825832367,5.281616688,5.136860847,4.553145885,5.043183804,7.811286926,7.839466095,5.164638519,5.164638519,7.864381790,7.859279633,7.843964577,7.841698170,6.810353279,5.109083176,5.136860847,6.135817528,6.436379910,7.296087742,7.276475906,5.025890350,7.637989998,5.136860847,5.737908840,5.098739147,5.043183804,5.070961475,7.799327850,7.850948334,7.827920914,5.136860847,5.136860847]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02130{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9585,"source":"reddit.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926912,"flow_src_last_pkt_time":1605291691067608,"flow_dst_last_pkt_time":1605291691069122,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1326,"flow_dst_tot_l4_payload_len":6622,"midstream":0,"thread_ts_usec":1605291691069122,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80f::2001","src_port":36964,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9430.2,"max":45897,"stddev":14278.1,"var":203864128.0,"ent":3.4,"data": [29535,29546,105,39799,6197,1,1,45897,20,10,16645,7440,877,217,45409,188,20393,461,14689,1873,1,1,16098,2949,2,2950,29,8,1564,1]},"pktlen": {"min":72,"avg":320.9,"max":1280,"stddev":398.4,"var":158685.9,"ent":4.1,"data": [80,80,72,589,72,1280,1280,311,72,72,72,136,164,391,375,72,652,72,103,72,103,72,72,72,551,398,207,72,72,72,1280,1280]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,1,0,0,1,0,0,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,1,1,1,0,1,1,1,0,0,0,1,1],"entropies": [4.860268116,5.316052437,5.175122738,4.626070023,5.053668499,7.798489094,7.858765125,7.213901043,5.175122738,5.175122738,5.136860371,6.074123383,6.494878292,7.385508060,7.250154495,4.998777390,7.691906452,5.175122738,5.820339203,5.053668022,5.765991211,5.015406132,5.015406132,5.147345066,7.610651970,7.403194427,6.718353748,5.175122738,5.175122738,5.114727020,7.829133987,7.837005138]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement"}} +02128{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":9629,"source":"reddit.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605291690926867,"flow_src_last_pkt_time":1605291691075065,"flow_dst_last_pkt_time":1605291691075150,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":987,"flow_dst_tot_l4_payload_len":5335,"midstream":0,"thread_ts_usec":1605291691075150,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:811::200a","src_port":38166,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":9882.7,"max":43801,"stddev":13582.8,"var":184491312.0,"ent":3.6,"data": [28655,28663,221,37924,6057,43801,75,33,588,595,16415,9761,878,43789,3898,20653,579,14876,1700,16044,10542,2,1,1,10492,40,13,10,172,3]},"pktlen": {"min":72,"avg":270.1,"max":1280,"stddev":336.6,"var":113301.5,"ent":4.2,"data": [80,80,72,589,72,1280,72,1280,72,572,72,136,164,355,72,652,72,103,72,103,72,72,531,897,272,357,72,72,72,72,111,72]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,1,0,1,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,1,1],"entropies": [4.786516666,5.247180939,5.070820332,4.566688538,5.043183804,7.807061672,5.053527355,7.847422123,5.025749683,7.577804089,5.043042660,6.031175137,6.392292976,7.341467381,4.977143764,7.597589493,5.081305027,5.788832188,5.004921436,5.547259808,5.015406132,5.081305027,7.471312523,7.741707325,7.060866833,7.323482037,5.109082699,5.109082699,5.064012051,5.053527355,5.763209343,5.043183804]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00788{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11226,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605291696948991,"flow_src_last_pkt_time":1605291696948991,"flow_dst_last_pkt_time":1605291696948991,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605291696948991,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::34d3:acec","src_port":47006,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11226,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1605291696948991,"flow_dst_last_pkt_time":1605291696948991,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291696948991,"pkt":"qtsDr8lk5EKm5WPyht1gDNdJACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAAA006zst54Bu3jHKBQAAAAAoAL9IL45AAACBAWgBAIIClIhuaMAAAAAAQMDBw=="} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":11227,"source":"reddit.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_src_last_pkt_time":1605291696948991,"flow_dst_last_pkt_time":1605291696965238,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605291696965238,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPQBk\/5sAAAAAAAAAADTTrOwqAcsBIEmLB5kd7IUo3\/YpAbu3nh9OKxV4xygVoBJXgPOCAAACBAV4AQMDAwQCCArC12M3UiG5ow=="} @@ -491,10 +491,10 @@ ~~ total active/idle flows...: 60/60 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 7187544 bytes -~~ total memory freed........: 7187544 bytes -~~ total allocations/frees...: 134232/134232 +~~ total memory allocated....: 7195704 bytes +~~ total memory freed........: 7195704 bytes +~~ total allocations/frees...: 134292/134292 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1740 chars -~~ json string avg len.......: 1115 chars +~~ json string max len.......: 2139 chars +~~ json string avg len.......: 1315 chars diff --git a/test/results/riotgames.pcap.out b/test/results/riotgames.pcap.out index c2a14840f..51eb11c4c 100644 --- a/test/results/riotgames.pcap.out +++ b/test/results/riotgames.pcap.out @@ -64,9 +64,9 @@ ~~ total active/idle flows...: 9/9 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6049909 bytes -~~ total memory freed........: 6049909 bytes -~~ total allocations/frees...: 121611/121611 +~~ total memory allocated....: 6051133 bytes +~~ total memory freed........: 6051133 bytes +~~ total allocations/frees...: 121620/121620 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 916 chars diff --git a/test/results/rsh-syslog-false-positive.pcap.out b/test/results/rsh-syslog-false-positive.pcap.out index 53c25fd19..4f18446c8 100644 --- a/test/results/rsh-syslog-false-positive.pcap.out +++ b/test/results/rsh-syslog-false-positive.pcap.out @@ -19,9 +19,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035873 bytes -~~ total memory freed........: 6035873 bytes -~~ total allocations/frees...: 121495/121495 +~~ total memory allocated....: 6036009 bytes +~~ total memory freed........: 6036009 bytes +~~ total allocations/frees...: 121496/121496 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 259 chars ~~ json string max len.......: 1645 chars diff --git a/test/results/rsh.pcap.out b/test/results/rsh.pcap.out index 242f4483f..1a65fc035 100644 --- a/test/results/rsh.pcap.out +++ b/test/results/rsh.pcap.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042143 bytes -~~ total memory freed........: 6042143 bytes -~~ total allocations/frees...: 121525/121525 +~~ total memory allocated....: 6042415 bytes +~~ total memory freed........: 6042415 bytes +~~ total allocations/frees...: 121527/121527 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars ~~ json string max len.......: 1014 chars diff --git a/test/results/rsync.pcap.out b/test/results/rsync.pcap.out index 0582d9a64..8ab06a17b 100644 --- a/test/results/rsync.pcap.out +++ b/test/results/rsync.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038559 bytes -~~ total memory freed........: 6038559 bytes -~~ total allocations/frees...: 121518/121518 +~~ total memory allocated....: 6038695 bytes +~~ total memory freed........: 6038695 bytes +~~ total allocations/frees...: 121519/121519 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 907 chars diff --git a/test/results/rtmp.pcap.out b/test/results/rtmp.pcap.out index fb4c72863..4ba49b82e 100644 --- a/test/results/rtmp.pcap.out +++ b/test/results/rtmp.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038443 bytes -~~ total memory freed........: 6038443 bytes -~~ total allocations/frees...: 121514/121514 +~~ total memory allocated....: 6038579 bytes +~~ total memory freed........: 6038579 bytes +~~ total allocations/frees...: 121515/121515 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 913 chars diff --git a/test/results/rtsp.pcap.out b/test/results/rtsp.pcap.out index 8d6468d97..4efe291f9 100644 --- a/test/results/rtsp.pcap.out +++ b/test/results/rtsp.pcap.out @@ -10,39 +10,39 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1627567279015798,"flow_dst_last_pkt_time":1627567279015763,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567279015798,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRW5UAAgAaM0AoBAQoKAgICzPghaqHfszoAAAAAgAL68BmUAAACBAW0AQMDCAEBBAI="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":15,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1627567279015800,"flow_dst_last_pkt_time":1627567279015763,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567279015800,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRW5UAAfwaN0AoBAQoKAgICzPghaqHfszoAAAAAgAL68BmUAAACBAW0AQMDCAEBBAI="} 00975{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":25,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567279029411,"flow_dst_last_pkt_time":1627567279016046,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567279029411,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567279050715,"flow_dst_last_pkt_time":1627567279050859,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567279050859,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":2259.6,"max":21135,"stddev":5876.1,"var":34528696.0,"ent":2.2,"data": [35,2,147,185,74,3,21,233,32,2,57,13140,10,5,57,13537,3,20,31,20633,10,29,32,21135,10,3,84,464,2,22,30]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +02145{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":44,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567279050715,"flow_dst_last_pkt_time":1627567279050859,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567279050859,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":2259.6,"max":21135,"stddev":5876.1,"var":34528696.0,"ent":2.2,"data": [35,2,147,185,74,3,21,233,32,2,57,13140,10,5,57,13537,3,20,31,20633,10,29,32,21135,10,3,84,464,2,22,30]},"pktlen": {"min":40,"avg":92.6,"max":182,"stddev":58.6,"var":3438.9,"ent":4.7,"data": [52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,156,46,40,46,46,165,165,165,165,182,182,182,182,46,40,46,46]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1],"entropies": [4.423448086,4.423448086,4.461909771,4.461909771,4.669178486,4.669178486,4.707640171,4.707640171,4.375547886,4.375547886,4.662815571,4.375547886,5.749258041,5.749258041,5.749258041,5.749258041,4.342726707,4.625071049,4.342726707,4.342726707,5.713921547,5.730617523,5.730617523,5.713921547,5.797795296,5.797795296,5.797795296,5.797795296,4.342726707,4.675071239,4.386205196,4.342726707]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":109,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338841836,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567338841836,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1627567338841836,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567338841836,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXFEAAgAaMoQoBAQoKAgICzPohap\/Ji+cAAAAAgAL68EL7AAACBAW0AQMDCAEBBAI="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":110,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1627567338841847,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567338841847,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXFEAAgAaMoQoBAQoKAgICzPohap\/Ji+cAAAAAgAL68EL7AAACBAW0AQMDCAEBBAI="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":111,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1627567338841853,"flow_dst_last_pkt_time":1627567338841836,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567338841853,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXFEAAfwaNoQoBAQoKAgICzPohap\/Ji+cAAAAAgAL68EL7AAACBAW0AQMDCAEBBAI="} 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":121,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338851945,"flow_dst_last_pkt_time":1627567338842169,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567338851945,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01747{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338873699,"flow_dst_last_pkt_time":1627567338873793,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567338873793,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":2058.7,"max":21234,"stddev":5470.2,"var":29923468.0,"ent":2.2,"data": [11,6,72,280,3,19,31,588,10,4,95,9323,12,6,70,10052,3,20,30,20464,12,35,38,21234,11,6,415,877,63,5,25]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,62,56,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +02145{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":140,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567338873699,"flow_dst_last_pkt_time":1627567338873793,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567338873793,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":2058.7,"max":21234,"stddev":5470.2,"var":29923468.0,"ent":2.2,"data": [11,6,72,280,3,19,31,588,10,4,95,9323,12,6,70,10052,3,20,30,20464,12,35,38,21234,11,6,415,877,63,5,25]},"pktlen": {"min":40,"avg":92.6,"max":182,"stddev":58.6,"var":3438.9,"ent":4.7,"data": [52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,156,46,40,46,46,165,165,165,165,182,182,182,182,46,46,40,46]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1],"entropies": [4.384986401,4.384986401,4.423448086,4.423448086,4.630716801,4.669178486,4.669178486,4.630716801,4.402615547,4.402615547,4.693943024,4.402615547,5.758685112,5.758685112,5.758685112,5.758685112,4.342726707,4.675070763,4.386205196,4.342726707,5.747313976,5.747313976,5.747313976,5.747313976,5.794003963,5.794003963,5.804993153,5.804993153,4.299248219,4.299248219,4.625071049,4.342726707]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":193,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398644402,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567398644402,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":193,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":1,"flow_src_last_pkt_time":1627567398644402,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567398644402,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXQ0AAgAaMcgoBAQoKAgICzPwhaprxAXoAAAAAgAL68NI+AAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":194,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1627567398644413,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567398644413,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXQ0AAgAaMcgoBAQoKAgICzPwhaprxAXoAAAAAgAL68NI+AAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":195,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1627567398644419,"flow_dst_last_pkt_time":1627567398644402,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567398644419,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXQ0AAfwaNcgoBAQoKAgICzPwhaprxAXoAAAAAgAL68NI+AAACBAW0AQMDCAEBBAI="} 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":205,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398650712,"flow_dst_last_pkt_time":1627567398644910,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567398650712,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01750{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":224,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398672191,"flow_dst_last_pkt_time":1627567398672567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567398672567,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":1805.0,"max":21000,"stddev":5109.4,"var":26105754.0,"ent":2.2,"data": [11,6,298,316,75,4,113,848,111,3,200,4833,13,7,374,6198,62,5,77,20136,13,74,34,21000,11,7,67,946,6,27,79]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +02148{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":224,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567398672191,"flow_dst_last_pkt_time":1627567398672567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567398672567,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":1805.0,"max":21000,"stddev":5109.4,"var":26105754.0,"ent":2.2,"data": [11,6,298,316,75,4,113,848,111,3,200,4833,13,7,374,6198,62,5,77,20136,13,74,34,21000,11,7,67,946,6,27,79]},"pktlen": {"min":40,"avg":92.6,"max":182,"stddev":58.6,"var":3438.9,"ent":4.7,"data": [52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,156,46,46,40,46,165,165,165,165,182,182,182,182,46,40,46,46]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1],"entropies": [4.348445415,4.348445415,4.386907101,4.386907101,4.594175816,4.594175816,4.632637501,4.632637501,4.315659046,4.315659046,4.593943119,4.315659046,5.696279526,5.696279526,5.696279526,5.696279526,4.272180557,4.272180557,4.593943596,4.315659046,5.713315964,5.725437164,5.725437164,5.713315964,5.750239849,5.750239849,5.750239849,5.750239849,4.228702545,4.543943405,4.228702545,4.272180557]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":289,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406342871,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567406342871,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":289,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1627567406342871,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567406342871,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXW0AAgAaMWgoBAQoKAgICzP4hahoxf3IAAAAAgAL68NUEAAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":290,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1627567406342884,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567406342884,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXW0AAgAaMWgoBAQoKAgICzP4hahoxf3IAAAAAgAL68NUEAAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":291,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1627567406342896,"flow_dst_last_pkt_time":1627567406342871,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567406342896,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXW0AAfwaNWgoBAQoKAgICzP4hahoxf3IAAAAAgAL68NUEAAACBAW0AQMDCAEBBAI="} 00977{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":309,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":8,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406849577,"flow_dst_last_pkt_time":1627567406849152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567406849577,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01756{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406849646,"flow_dst_last_pkt_time":1627567406870301,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567406870301,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":33361.5,"max":505214,"stddev":123872.6,"var":15344430080.0,"ent":1.2,"data": [13,12,110,1319,2,16,338,505214,14,12,119,504501,5,45,55,1025,12,6,56,113,30,3,36,579,55,2,21,20351,8,26,107]},"pktlen": {"min":56,"avg":92.3,"max":181,"stddev":48.8,"var":2380.7,"ent":4.8,"data": [68,68,68,68,62,56,62,62,68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,62,56,62,181,181,181,181]},"bins": {"c_to_s": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +02155{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567406849646,"flow_dst_last_pkt_time":1627567406870301,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":464,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567406870301,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":33361.5,"max":505214,"stddev":123872.6,"var":15344430080.0,"ent":1.2,"data": [13,12,110,1319,2,16,338,505214,14,12,119,504501,5,45,55,1025,12,6,56,113,30,3,36,579,55,2,21,20351,8,26,107]},"pktlen": {"min":40,"avg":76.3,"max":165,"stddev":48.8,"var":2380.7,"ent":4.7,"data": [52,52,52,52,46,40,46,46,52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,156,46,46,40,46,165,165,165,165]},"bins": {"c_to_s": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1],"entropies": [4.370469093,4.370469093,4.370469093,4.370469093,3.475291967,3.831542015,3.475291967,3.518770218,4.370469093,4.370469093,4.370469093,4.370469093,4.630716801,4.669178486,4.630716801,4.669178486,4.332069397,4.332069397,4.562815189,4.288591385,5.709887981,5.709887981,5.697067261,5.697067261,4.255770683,4.255770683,4.575070858,4.299248695,5.728408337,5.740529537,5.728408337,5.740529537]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 01018{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":381,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":8,"flow_first_seen":1627567277506127,"flow_src_last_pkt_time":1627567277506259,"flow_dst_last_pkt_time":1627567277506605,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":149,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":596,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1627567407043157,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52470,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":393,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466882987,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567466882987,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":393,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1627567466882987,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567466882987,"pkt":"AAMAAQAGAAwp8x5yAAAIAEUAADRXikAAgAaMKwoBAQoKAgICzQAhaqp6lfQAAAAAgAL68C43AAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":394,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":2,"flow_src_last_pkt_time":1627567466883000,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567466883000,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXikAAgAaMKwoBAQoKAgICzQAhaqp6lfQAAAAAgAL68C43AAACBAW0AQMDCAEBBAI="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":395,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1627567466883010,"flow_dst_last_pkt_time":1627567466882987,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567466883010,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXikAAfwaNKwoBAQoKAgICzQAhaqp6lfQAAAAAgAL68C43AAACBAW0AQMDCAEBBAI="} 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":405,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466894186,"flow_dst_last_pkt_time":1627567466883471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567466894186,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01754{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":424,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466918846,"flow_dst_last_pkt_time":1627567466919056,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567466919056,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2320.3,"max":23771,"stddev":5847.6,"var":34194776.0,"ent":2.4,"data": [13,10,107,377,5,25,77,583,10,4,135,10337,14,11,11449,2,754,44,76,20263,13,28,87,23771,10,4,96,3496,1,20,106]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,62,56,172,62,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +02152{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":424,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567466882987,"flow_src_last_pkt_time":1627567466918846,"flow_dst_last_pkt_time":1627567466919056,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567466919056,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52480,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":2320.3,"max":23771,"stddev":5847.6,"var":34194776.0,"ent":2.4,"data": [13,10,107,377,5,25,77,583,10,4,135,10337,14,11,11449,2,754,44,76,20263,13,28,87,23771,10,4,96,3496,1,20,106]},"pktlen": {"min":40,"avg":92.6,"max":182,"stddev":58.6,"var":3438.9,"ent":4.7,"data": [52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,46,40,156,46,46,165,165,165,165,182,182,182,182,46,40,46,46]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1,1,1,1],"entropies": [4.333256245,4.333256245,4.371717930,4.371717930,4.585553169,4.624014854,4.585553169,4.624014854,4.338141441,4.338141441,4.646440029,4.338141441,5.716025352,5.716025352,5.703204632,4.234774113,4.577568054,5.703204632,4.234774113,4.278252602,5.685709476,5.709951878,5.685709476,5.709951878,5.773123264,5.773123264,5.773123264,5.773123264,4.234774113,4.577568054,4.234774113,4.278252602]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":477,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":40,"flow_dst_packets_processed":56,"flow_first_seen":1627567279015763,"flow_src_last_pkt_time":1627567337246837,"flow_dst_last_pkt_time":1627567337247147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3772,"flow_dst_tot_l4_payload_len":7568,"midstream":0,"thread_ts_usec":1627567467094146,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52472,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":485,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528106056,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567528106056,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":485,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1627567528106056,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567528106056,"pkt":"AAMAAQAGAAwp8x5yLpgIAEUAADRXuEAAgAaL\/QoBAQoKAgICzQIhahNS1wEAAAAAgAL68IRQAAACBAW0AQMDCAEBBAI="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":486,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1627567528106069,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567528106069,"pkt":"AAAAAQAGAAwp8x5yAAAIAEUAADRXuEAAgAaL\/QoBAQoKAgICzQIhahNS1wEAAAAAgAL68IRQAAACBAW0AQMDCAEBBAI="} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":487,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1627567528106081,"flow_dst_last_pkt_time":1627567528106056,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":68,"pkt_type":2048,"pkt_l3_offset":16,"pkt_l4_offset":36,"pkt_len":68,"pkt_l4_len":32,"thread_ts_usec":1627567528106081,"pkt":"AAQAAQAGAAwpOL1kAAAIAEUAADRXuEAAfwaM\/QoBAQoKAgICzQIhahNS1wEAAAAAgAL68IRQAAACBAW0AQMDCAEBBAI="} 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":497,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":9,"flow_dst_packets_processed":4,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528113539,"flow_dst_last_pkt_time":1627567528106633,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":116,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":116,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1627567528113539,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} -01746{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":516,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528134816,"flow_dst_last_pkt_time":1627567528135319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567528135319,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":1871.7,"max":21029,"stddev":5194.1,"var":26978296.0,"ent":2.2,"data": [13,12,126,440,5,40,92,581,9,4,94,6644,14,9,113,7455,6,53,93,20043,15,52,57,21029,9,6,97,810,5,21,76]},"pktlen": {"min":56,"avg":108.6,"max":198,"stddev":58.6,"var":3438.9,"ent":4.8,"data": [68,68,68,68,68,68,68,68,62,62,56,62,172,172,172,172,62,56,62,62,181,181,181,181,198,198,198,198,62,56,62,62]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} +02144{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":516,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1627567528106056,"flow_src_last_pkt_time":1627567528134816,"flow_dst_last_pkt_time":1627567528135319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":142,"flow_dst_max_l4_payload_len":125,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":500,"midstream":0,"thread_ts_usec":1627567528135319,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52482,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":1871.7,"max":21029,"stddev":5194.1,"var":26978296.0,"ent":2.2,"data": [13,12,126,440,5,40,92,581,9,4,94,6644,14,9,113,7455,6,53,93,20043,15,52,57,21029,9,6,97,810,5,21,76]},"pktlen": {"min":40,"avg":92.6,"max":182,"stddev":58.6,"var":3438.9,"ent":4.7,"data": [52,52,52,52,52,52,52,52,46,46,40,46,156,156,156,156,46,40,46,46,165,165,165,165,182,182,182,182,46,40,46,46]},"bins": {"c_to_s": [8,0,0,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,0,0,0,0,1,1,1,1],"entropies": [4.268796921,4.268796921,4.307258606,4.307258606,4.437603951,4.476065636,4.437603951,4.476065636,4.253599167,4.253599167,4.522574425,4.253599167,5.663463116,5.663463116,5.663463116,5.663463116,4.228702545,4.543943405,4.228702545,4.272181034,5.650695801,5.662817001,5.650695801,5.662817001,5.715077877,5.715077877,5.715077877,5.715077877,4.272181034,4.593943119,4.272181034,4.315659046]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":568,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":40,"flow_dst_packets_processed":44,"flow_first_seen":1627567338841836,"flow_src_last_pkt_time":1627567397145857,"flow_dst_last_pkt_time":1627567397146153,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3772,"flow_dst_tot_l4_payload_len":7568,"midstream":0,"thread_ts_usec":1627567528308580,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52474,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":568,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":52,"flow_first_seen":1627567398644402,"flow_src_last_pkt_time":1627567406306458,"flow_dst_last_pkt_time":1627567406309520,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3176,"flow_dst_tot_l4_payload_len":7568,"midstream":0,"thread_ts_usec":1627567528308580,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52476,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} 01024{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":568,"source":"rtsp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":44,"flow_dst_packets_processed":60,"flow_first_seen":1627567406342871,"flow_src_last_pkt_time":1627567465366594,"flow_dst_last_pkt_time":1627567465366846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":201,"flow_dst_max_l4_payload_len":695,"flow_src_tot_l4_payload_len":3760,"flow_dst_tot_l4_payload_len":7540,"midstream":0,"thread_ts_usec":1627567528308580,"l3_proto":"ip4","src_ip":"10.1.1.10","dst_ip":"10.2.2.2","src_port":52478,"dst_port":8554,"l4_proto":"tcp","flow_datalink":113,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"RTSP","proto_id":"50","encrypted":0,"breed":"Fun","category_id":1,"category":"Media"}} @@ -57,10 +57,10 @@ ~~ total active/idle flows...: 7/7 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6076861 bytes -~~ total memory freed........: 6076861 bytes -~~ total allocations/frees...: 122145/122145 +~~ total memory allocated....: 6077813 bytes +~~ total memory freed........: 6077813 bytes +~~ total allocations/frees...: 122152/122152 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1761 chars -~~ json string avg len.......: 1124 chars +~~ json string max len.......: 2160 chars +~~ json string avg len.......: 1323 chars diff --git a/test/results/rtsp_setup_http.pcapng.out b/test/results/rtsp_setup_http.pcapng.out index 79c57580d..9d7661599 100644 --- a/test/results/rtsp_setup_http.pcapng.out +++ b/test/results/rtsp_setup_http.pcapng.out @@ -13,9 +13,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037770 bytes -~~ total memory freed........: 6037770 bytes -~~ total allocations/frees...: 121490/121490 +~~ total memory allocated....: 6037906 bytes +~~ total memory freed........: 6037906 bytes +~~ total allocations/frees...: 121491/121491 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 502 chars ~~ json string max len.......: 1039 chars diff --git a/test/results/rx.pcap.out b/test/results/rx.pcap.out index ce7f4115a..e00fa6a34 100644 --- a/test/results/rx.pcap.out +++ b/test/results/rx.pcap.out @@ -25,7 +25,7 @@ 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":28,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1460647299986990,"flow_dst_last_pkt_time":1460647300017623,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":108,"pkt_l4_len":74,"thread_ts_usec":1460647300017623,"pkt":"AAjK968mPIqwbTfwCABFAABeUWIAADoRQO7Ap858g3LbqBtYG1kASjJ01w+zMFwiT7QAAAABAAAAAAAAAAECIgAAXV0AAQAAAAAAAAABAAAAAQAAAAAGAQEAAAAAAAWkAAAFpAAAABAAAAAB"} 00858{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":28,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1460647299986990,"flow_src_last_pkt_time":1460647299986990,"flow_dst_last_pkt_time":1460647300017623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":66,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":66,"midstream":0,"thread_ts_usec":1460647300017623,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.124","src_port":7001,"dst_port":7000,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":29,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1460647300017672,"flow_dst_last_pkt_time":1460647300017623,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":107,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":107,"pkt_l4_len":73,"thread_ts_usec":1460647300017672,"pkt":"PIqwbTfwAAjK968mCABFAABd9xIAAEARlT6DctuowKfOfBtZG1gASacR1w+zMFwiT7QAAAABAAAAAAAAAAICIQAAAAAAAQAAAAAAAAABAAAAAAAAAAEHAAAAAAAAFjwAAAWkAAAAEAAAAAQ="} -01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":61,"source":"rx.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1460647299704750,"flow_src_last_pkt_time":1460647300147650,"flow_dst_last_pkt_time":1460647300150407,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":740,"flow_src_tot_l4_payload_len":2528,"flow_dst_tot_l4_payload_len":1781,"midstream":0,"thread_ts_usec":1460647300150407,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.241","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":52,"avg":28663.1,"max":105287,"stddev":33586.2,"var":1128029952.0,"ent":4.0,"data": [77545,77601,57048,57152,38155,1292,39484,65722,277,65926,103176,105287,2087,8975,9068,2966,1842,4798,61436,65225,3784,52,6802,6683,61,3692,3703,4895,8042,2994,2787]},"pktlen": {"min":70,"avg":176.7,"max":782,"stddev":165.9,"var":27529.2,"ent":4.5,"data": [74,108,107,74,510,107,118,70,107,78,107,94,86,435,74,510,107,198,107,174,782,107,94,198,107,110,214,107,94,86,435,74]},"bins": {"c_to_s": [1,4,7,0,1,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,6,5,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} +02095{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":61,"source":"rx.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1460647299704750,"flow_src_last_pkt_time":1460647300147650,"flow_dst_last_pkt_time":1460647300150407,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":740,"flow_src_tot_l4_payload_len":2528,"flow_dst_tot_l4_payload_len":1781,"midstream":0,"thread_ts_usec":1460647300150407,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.241","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":52,"avg":28663.1,"max":105287,"stddev":33586.2,"var":1128029952.0,"ent":4.0,"data": [77545,77601,57048,57152,38155,1292,39484,65722,277,65926,103176,105287,2087,8975,9068,2966,1842,4798,61436,65225,3784,52,6802,6683,61,3692,3703,4895,8042,2994,2787]},"pktlen": {"min":56,"avg":162.7,"max":768,"stddev":165.9,"var":27529.2,"ent":4.5,"data": [60,94,93,60,496,93,104,56,93,64,93,80,72,421,60,496,93,184,93,160,768,93,80,184,93,96,200,93,80,72,421,60]},"bins": {"c_to_s": [1,4,7,0,1,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,6,5,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,0,1,0,1],"entropies": [4.077751637,3.436867237,3.527563810,4.011084557,4.341524601,3.511269569,3.900409222,4.138328075,3.532774925,3.942092896,3.562457323,5.267373562,3.808812857,7.113327503,4.069581032,4.336879253,3.522217751,6.534686565,3.586733341,6.423340321,7.662765026,3.559956789,5.237494469,6.512056828,3.573345423,5.590069771,6.656118393,3.594850540,5.217373848,3.930941820,7.131436825,4.136247635]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00901{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":132,"source":"rx.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1460647264018403,"flow_src_last_pkt_time":1460647264026325,"flow_dst_last_pkt_time":1460647264026287,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":292,"flow_dst_max_l4_payload_len":36,"flow_src_tot_l4_payload_len":357,"flow_dst_tot_l4_payload_len":36,"midstream":0,"thread_ts_usec":1460647320158051,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.124","src_port":41559,"dst_port":7002,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":132,"source":"rx.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":10,"flow_first_seen":1460647299986990,"flow_src_last_pkt_time":1460647320158051,"flow_dst_last_pkt_time":1460647300312692,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":1665,"flow_dst_tot_l4_payload_len":637,"midstream":0,"thread_ts_usec":1460647320158051,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.124","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} 00906{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":132,"source":"rx.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":48,"flow_dst_packets_processed":31,"flow_first_seen":1460647299704750,"flow_src_last_pkt_time":1460647320158014,"flow_dst_last_pkt_time":1460647300329629,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":468,"flow_dst_max_l4_payload_len":740,"flow_src_tot_l4_payload_len":4792,"flow_dst_tot_l4_payload_len":4266,"midstream":0,"thread_ts_usec":1460647320158051,"l3_proto":"ip4","src_ip":"131.114.219.168","dst_ip":"192.167.206.241","src_port":7001,"dst_port":7000,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"RX","proto_id":"223","encrypted":0,"breed":"Acceptable","category_id":16,"category":"RPC"}} @@ -40,10 +40,10 @@ ~~ total active/idle flows...: 5/5 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6045965 bytes -~~ total memory freed........: 6045965 bytes -~~ total allocations/frees...: 121659/121659 +~~ total memory allocated....: 6046645 bytes +~~ total memory freed........: 6046645 bytes +~~ total allocations/frees...: 121664/121664 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 487 chars -~~ json string max len.......: 1958 chars -~~ json string avg len.......: 1221 chars +~~ json string max len.......: 2100 chars +~~ json string avg len.......: 1292 chars diff --git a/test/results/s7comm.pcap.out b/test/results/s7comm.pcap.out index c70c2388a..cca0ec4ce 100644 --- a/test/results/s7comm.pcap.out +++ b/test/results/s7comm.pcap.out @@ -5,7 +5,7 @@ 00861{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528803880679,"flow_dst_last_pkt_time":1408528803880679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1408528803880679,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1408528803880679,"flow_dst_last_pkt_time":1408528803884414,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"thread_ts_usec":1408528803884414,"pkt":"kOa6hF5BABsbI+s7CABFAAA+AM4AAB4GGGrAqAEowKgBCgBmEFkAAvsQkETduFAYEAAGowAAAwAAFhHQAAcAAwDAAQrBAgEAwgIBAg=="} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1408528803884562,"flow_dst_last_pkt_time":1408528803884414,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":79,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":79,"pkt_l4_len":45,"thread_ts_usec":1408528803884562,"pkt":"ABsbI+s7kOa6hF5BCABFAABBLUxAAIAGAADAqAEKwKgBKBBZAGaQRN24AAL7JlAY+tqDtgAAAwAAGQLwgDIBAAACAAAIAADwAAABAAEB4A=="} -01670{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528803957564,"flow_dst_last_pkt_time":1408528803957480,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":7,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":221,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":794,"midstream":1,"thread_ts_usec":1408528803957564,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":66,"avg":4957.6,"max":9013,"stddev":3321.6,"var":11033309.0,"ent":4.5,"data": [3735,3883,3114,3055,66,6981,6927,4642,8989,4385,568,7037,6437,271,5970,5746,295,9009,8666,204,8975,8763,201,9013,8819,232,8990,8762,250,4988,4713]},"pktlen": {"min":61,"avg":91.2,"max":275,"stddev":40.3,"var":1625.5,"ent":4.9,"data": [76,76,79,81,61,87,135,61,87,135,61,87,275,61,87,135,61,83,115,61,83,115,61,83,115,61,83,115,61,85,91,61]},"bins": {"c_to_s": [17,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02069{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528803957564,"flow_dst_last_pkt_time":1408528803957480,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":7,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":221,"flow_src_tot_l4_payload_len":396,"flow_dst_tot_l4_payload_len":794,"midstream":1,"thread_ts_usec":1408528803957564,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":66,"avg":4957.6,"max":9013,"stddev":3321.6,"var":11033309.0,"ent":4.5,"data": [3735,3883,3114,3055,66,6981,6927,4642,8989,4385,568,7037,6437,271,5970,5746,295,9009,8666,204,8975,8763,201,9013,8819,232,8990,8762,250,4988,4713]},"pktlen": {"min":47,"avg":77.2,"max":261,"stddev":40.3,"var":1625.5,"ent":4.9,"data": [62,62,65,67,47,73,121,47,73,121,47,73,261,47,73,121,47,69,101,47,69,101,47,69,101,47,69,101,47,71,77,47]},"bins": {"c_to_s": [17,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,3,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0,0,1,0],"entropies": [4.432188988,4.290980816,4.257703304,3.892863989,4.469065666,4.562385082,3.916244507,4.469065666,4.445193291,3.499234200,4.469065666,4.517119408,2.438902855,4.367897987,4.497249603,3.901077271,4.469065666,4.394919872,4.398461342,4.469065666,4.423905373,4.398461342,4.426512718,4.412964821,4.410789013,4.469065666,4.412964821,4.372174263,4.410450935,4.692483425,4.443362713,4.469065666]},"ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00910{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":55,"source":"s7comm.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":36,"flow_dst_packets_processed":19,"flow_first_seen":1408528803880679,"flow_src_last_pkt_time":1408528804003972,"flow_dst_last_pkt_time":1408528804016478,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":7,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":247,"flow_dst_max_l4_payload_len":221,"flow_src_tot_l4_payload_len":1202,"flow_dst_tot_l4_payload_len":1088,"midstream":1,"thread_ts_usec":1408528804016478,"l3_proto":"ip4","src_ip":"192.168.1.10","dst_ip":"192.168.1.40","src_port":4185,"dst_port":102,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"s7comm","proto_id":"249","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00558{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":55,"source":"s7comm.pcap","alias":"nDPId-test","packets-captured":55,"packets-processed":55,"total-skipped-flows":0,"total-l4-payload-len":2290,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1408528804016478} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037236 bytes -~~ total memory freed........: 6037236 bytes -~~ total allocations/frees...: 121542/121542 +~~ total memory allocated....: 6037372 bytes +~~ total memory freed........: 6037372 bytes +~~ total allocations/frees...: 121543/121543 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1675 chars -~~ json string avg len.......: 1030 chars +~~ json string max len.......: 2074 chars +~~ json string avg len.......: 1204 chars diff --git a/test/results/safari.pcap.out b/test/results/safari.pcap.out index eb9e6208c..5125e7d52 100644 --- a/test/results/safari.pcap.out +++ b/test/results/safari.pcap.out @@ -17,7 +17,7 @@ 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1620898025217296,"flow_dst_last_pkt_time":1620898025217296,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620898025217296,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EtfkAbuNFQaeAAAAALAC\/\/8+CAAAAgQFtAEDAwUBAQgKMzDJ1AAAAAAEAgAA"} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":33,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025217638,"flow_dst_last_pkt_time":1620898025217638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620898025217638,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00541{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":33,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1620898025217638,"flow_dst_last_pkt_time":1620898025217638,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620898025217638,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6EtflAbtmxM47AAAAALAC\/\/+cugAAAgQFtAEDAwUBAQgKMzDJ1AAAAAAEAgAA"} -01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":37,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898024056646,"flow_src_last_pkt_time":1620898025244024,"flow_dst_last_pkt_time":1620898025243976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":379,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":15026,"midstream":0,"thread_ts_usec":1620898025244024,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":76603.5,"max":579033,"stddev":166832.5,"var":27833075712.0,"ent":2.8,"data": [28338,28438,576,28670,6985,69,14,35105,3,52717,81952,29,29304,948,28144,550635,1230,579033,248,252,138,105,115,138,126,100,428094,455026,4375,1236,32565]},"pktlen": {"min":66,"avg":569.5,"max":1506,"stddev":644.5,"var":415419.9,"ent":4.1,"data": [78,74,66,301,66,1506,1506,641,66,66,159,66,117,66,425,66,1506,1506,66,1506,66,1506,66,1506,66,1506,66,445,66,1506,1506,66]},"bins": {"c_to_s": [11,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,1,1,1,0]}} +01967{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":37,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898024056646,"flow_src_last_pkt_time":1620898025244024,"flow_dst_last_pkt_time":1620898025243976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":379,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":15026,"midstream":0,"thread_ts_usec":1620898025244024,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":76603.5,"max":579033,"stddev":166832.5,"var":27833075712.0,"ent":2.8,"data": [28338,28438,576,28670,6985,69,14,35105,3,52717,81952,29,29304,948,28144,550635,1230,579033,248,252,138,105,115,138,126,100,428094,455026,4375,1236,32565]},"pktlen": {"min":52,"avg":555.5,"max":1492,"stddev":644.5,"var":415419.9,"ent":4.0,"data": [64,60,52,287,52,1492,1492,627,52,52,145,52,103,52,411,52,1492,1492,52,1492,52,1492,52,1492,52,1492,52,431,52,1492,1492,52]},"bins": {"c_to_s": [11,0,1,0,0,0,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,1,1,0,0,1,1,1,0,1,0,1,0,1,0,1,0,0,1,1,1,0],"entropies": [4.396777153,5.300120831,5.014835358,5.627039909,5.023147106,7.096756935,7.334726810,7.588644505,4.961856365,4.853978634,6.075397491,4.986606121,5.885092735,4.983880520,7.377478600,4.983880997,7.862138748,7.865662575,4.937912464,7.882334709,4.815825462,7.869226933,4.976374149,7.871172428,4.854287148,7.892846584,5.014835358,7.391702652,5.061608791,7.860088825,7.873157978,5.053297043]}} 01422{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":37,"source":"safari.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898024056646,"flow_src_last_pkt_time":1620898025244024,"flow_dst_last_pkt_time":1620898025243976,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":379,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1066,"flow_dst_tot_l4_payload_len":15026,"midstream":0,"thread_ts_usec":1620898025244024,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55262,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","server_names":"www.iit.cnr.it","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"263c859c5391203d774bc0599793d915","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=NL, ST=Noord-Holland, L=Amsterdam, O=TERENA, CN=TERENA SSL CA 3","subjectDN":"C=IT, ST=Lazio, L=Roma, O=Consiglio Nazionale delle Ricerche, OU=IIT, CN=www.iit.cnr.it","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"C4:F6:98:75:7E:20:5C:B6:33:14:59:3F:CF:26:96:38:D0:4B:73:69"}}} 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1620898025216866,"flow_dst_last_pkt_time":1620898025246476,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620898025246476,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG71+Mw2y0GI1TJC6AS\/oiwoAAAAgQFrAQCCAo6Vq73MzDJ0wEDAwc="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":46,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1620898025246531,"flow_dst_last_pkt_time":1620898025246476,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1620898025246531,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGrCfAqAGykjA6EtfjAbsjVMkLMNstB4AQECzNqAAAAQEICjMwyew6Vq73"} @@ -39,11 +39,11 @@ 01205{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":71,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620898025217296,"flow_src_last_pkt_time":1620898025249194,"flow_dst_last_pkt_time":1620898025279148,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":141,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":141,"midstream":0,"thread_ts_usec":1620898025279148,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55268,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}} 01205{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":74,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620898025216511,"flow_src_last_pkt_time":1620898025249268,"flow_dst_last_pkt_time":1620898025281225,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":141,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":141,"midstream":0,"thread_ts_usec":1620898025281225,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}} 01205{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":77,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025252477,"flow_dst_last_pkt_time":1620898025284814,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":141,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":141,"midstream":0,"thread_ts_usec":1620898025284814,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.iit.cnr.it","tls": {"version":"TLSv1.2","ja3":"ee4ced3f2d15de4b5cb6fb0a894fec9f","ja3s":"fd4bc6cea4877646ccd62f0792ec0b62","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"}}} -01834{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216866,"flow_src_last_pkt_time":1620898025482937,"flow_dst_last_pkt_time":1620898025510399,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1135,"flow_dst_tot_l4_payload_len":16958,"midstream":0,"thread_ts_usec":1620898025510399,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55267,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":18051.7,"max":118862,"stddev":28694.5,"var":823374080.0,"ent":3.5,"data": [29610,29665,2362,30524,2,28159,51917,8877,77853,8496,625,1248,27408,129,120,247,131,125,259,123,123,248,503,122,637,24023,24010,84464,7818,118862,914]},"pktlen": {"min":66,"avg":632.0,"max":1506,"stddev":660.5,"var":436248.1,"ent":4.2,"data": [78,74,66,277,66,207,66,117,508,66,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66,1043,66,66,497,66,1506]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01834{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"safari.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216193,"flow_src_last_pkt_time":1620898025515519,"flow_dst_last_pkt_time":1620898025515861,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1102,"flow_dst_tot_l4_payload_len":16480,"midstream":0,"thread_ts_usec":1620898025515861,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55265,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":19322.4,"max":140358,"stddev":32968.3,"var":1086907520.0,"ent":3.4,"data": [30407,30442,2425,30749,1690,30065,50340,8582,78328,9234,5001,125,33713,130,749,881,125,129,16,259,3,103964,6593,140358,1494,509,31816,122,126,243,376]},"pktlen": {"min":66,"avg":616.1,"max":1506,"stddev":656.6,"var":431150.1,"ent":4.1,"data": [78,74,66,277,66,207,66,117,472,66,66,1506,1506,66,1506,1506,66,1506,1506,565,66,66,66,500,66,1506,1506,66,1506,1506,66,1506]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01834{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":260,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216511,"flow_src_last_pkt_time":1620898025519635,"flow_dst_last_pkt_time":1620898025519733,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16706,"midstream":0,"thread_ts_usec":1620898025519733,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":19559.5,"max":144002,"stddev":33697.1,"var":1135492736.0,"ent":3.4,"data": [31343,31380,1377,32375,996,31994,49530,8158,77501,8373,630,1247,30061,122,9,127,127,136,106790,7135,144002,5758,108,35937,131,121,250,128,122,249,129]},"pktlen": {"min":66,"avg":624.0,"max":1506,"stddev":657.1,"var":431734.9,"ent":4.2,"data": [78,74,66,277,66,207,66,117,503,66,66,1506,1506,66,1506,1506,66,791,66,66,497,66,1506,1506,66,1506,1506,66,1506,1506,66,1506]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01831{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025521891,"flow_dst_last_pkt_time":1620898025521857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1125,"flow_dst_tot_l4_payload_len":16096,"midstream":0,"thread_ts_usec":1620898025521891,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":19628.1,"max":147007,"stddev":34082.4,"var":1161612032.0,"ent":3.3,"data": [33594,33644,1195,33573,9,32379,46938,8284,78165,6257,993,261,30448,865,3,877,105414,6486,147007,2135,111,37341,124,122,246,129,624,757,125,122,244]},"pktlen": {"min":66,"avg":604.8,"max":1506,"stddev":660.8,"var":436665.8,"ent":4.1,"data": [78,74,66,277,66,207,66,117,495,66,66,1506,1506,66,1506,181,66,66,500,66,1506,1506,66,1506,1506,66,1506,1506,66,1506,1506,66]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} -01832{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898025217296,"flow_src_last_pkt_time":1620898025552151,"flow_dst_last_pkt_time":1620898025552116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1558,"flow_dst_tot_l4_payload_len":13367,"midstream":0,"thread_ts_usec":1620898025552151,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55268,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":21602.4,"max":146010,"stddev":34561.6,"var":1194505728.0,"ent":3.5,"data": [30429,30474,1424,31291,132,29986,50740,8293,78244,9210,246,28671,116212,146010,494,137,30426,114,380,498,130,113,14,250,2,896,5501,36248,1496,132,31482]},"pktlen": {"min":66,"avg":533.0,"max":1506,"stddev":616.9,"var":380607.3,"ent":4.1,"data": [78,74,66,277,66,207,66,117,494,66,66,1413,66,497,66,1506,1506,66,1506,1506,66,1506,1506,425,66,66,66,503,66,1506,1506,66]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02233{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":180,"source":"safari.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216866,"flow_src_last_pkt_time":1620898025482937,"flow_dst_last_pkt_time":1620898025510399,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":442,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1135,"flow_dst_tot_l4_payload_len":16958,"midstream":0,"thread_ts_usec":1620898025510399,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55267,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":18051.7,"max":118862,"stddev":28694.5,"var":823374080.0,"ent":3.5,"data": [29610,29665,2362,30524,2,28159,51917,8877,77853,8496,625,1248,27408,129,120,247,131,125,259,123,123,248,503,122,637,24023,24010,84464,7818,118862,914]},"pktlen": {"min":52,"avg":618.0,"max":1492,"stddev":660.5,"var":436248.1,"ent":4.1,"data": [64,60,52,263,52,193,52,103,494,52,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52,1029,52,52,483,52,1492]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,0,0,0,1,1],"entropies": [4.365527153,5.154205322,4.884933472,5.833237171,5.047091484,6.387271881,4.923395157,5.485030651,7.478204250,4.994112968,4.772770882,7.875178814,7.866140842,4.961856842,7.872851372,7.874671459,4.961856842,7.876760006,7.864192009,4.884933472,7.871975422,7.883419514,4.961856842,7.874213696,7.878833771,4.923395157,7.820206165,4.961856842,4.839769840,7.462142944,5.085553646,7.865268230]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02233{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":223,"source":"safari.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216193,"flow_src_last_pkt_time":1620898025515519,"flow_dst_last_pkt_time":1620898025515861,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1102,"flow_dst_tot_l4_payload_len":16480,"midstream":0,"thread_ts_usec":1620898025515861,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55265,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":19322.4,"max":140358,"stddev":32968.3,"var":1086907520.0,"ent":3.4,"data": [30407,30442,2425,30749,1690,30065,50340,8582,78328,9234,5001,125,33713,130,749,881,125,129,16,259,3,103964,6593,140358,1494,509,31816,122,126,243,376]},"pktlen": {"min":52,"avg":602.1,"max":1492,"stddev":656.6,"var":431150.1,"ent":4.1,"data": [64,60,52,263,52,193,52,103,458,52,52,1492,1492,52,1492,1492,52,1492,1492,551,52,52,52,486,52,1492,1492,52,1492,1492,52,1492]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0,1,1,0,1],"entropies": [4.396777153,5.200120449,4.854287148,5.825632572,5.100070000,6.466464043,4.937912464,5.504448891,7.429816246,5.008629799,5.047091484,7.873772621,7.867330074,4.976373672,7.875112534,7.878286839,5.014835358,7.858428001,7.863643646,7.549911976,4.945418835,4.976373672,4.892748356,7.471665859,5.100070477,7.873035431,7.880444050,4.892748356,7.872234821,7.868445873,4.854287148,7.863982677]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02233{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":260,"source":"safari.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025216511,"flow_src_last_pkt_time":1620898025519635,"flow_dst_last_pkt_time":1620898025519733,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1130,"flow_dst_tot_l4_payload_len":16706,"midstream":0,"thread_ts_usec":1620898025519733,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55266,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":19559.5,"max":144002,"stddev":33697.1,"var":1135492736.0,"ent":3.4,"data": [31343,31380,1377,32375,996,31994,49530,8158,77501,8373,630,1247,30061,122,9,127,127,136,106790,7135,144002,5758,108,35937,131,121,250,128,122,249,129]},"pktlen": {"min":52,"avg":610.0,"max":1492,"stddev":657.1,"var":431734.9,"ent":4.1,"data": [64,60,52,263,52,193,52,103,489,52,52,1492,1492,52,1492,1492,52,777,52,52,483,52,1492,1492,52,1492,1492,52,1492,1492,52,1492]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1],"entropies": [4.314822197,5.233453751,4.923395157,5.828969955,5.023147106,6.406717777,4.808010101,5.437491417,7.501916409,5.023147106,4.970168114,7.863673210,7.870786667,4.923395157,7.876905441,7.877601147,4.961856842,7.763181210,4.923395157,4.762846470,7.385672092,5.061608791,7.861380100,7.878694057,4.839769363,7.892414093,7.876000881,4.916692734,7.865588188,7.858906269,4.930902004,7.889223099]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02230{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":280,"source":"safari.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1620898025217638,"flow_src_last_pkt_time":1620898025521891,"flow_dst_last_pkt_time":1620898025521857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":434,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1125,"flow_dst_tot_l4_payload_len":16096,"midstream":0,"thread_ts_usec":1620898025521891,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55269,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":19628.1,"max":147007,"stddev":34082.4,"var":1161612032.0,"ent":3.3,"data": [33594,33644,1195,33573,9,32379,46938,8284,78165,6257,993,261,30448,865,3,877,105414,6486,147007,2135,111,37341,124,122,246,129,624,757,125,122,244]},"pktlen": {"min":52,"avg":590.8,"max":1492,"stddev":660.8,"var":436665.8,"ent":4.1,"data": [64,60,52,263,52,193,52,103,481,52,52,1492,1492,52,1492,167,52,52,486,52,1492,1492,52,1492,1492,52,1492,1492,52,1492,1492,52]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,1,0,1,1,0,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0],"entropies": [4.428027153,5.266787052,5.014835835,5.842227459,5.023147106,6.438008308,4.937912464,5.659790039,7.505598068,5.008629799,5.138532162,7.874384403,7.853630066,5.053297043,7.871713161,6.760118008,4.937911987,4.854287148,7.518191338,5.025067806,7.867798328,7.843288898,5.053297043,7.860529423,7.873259544,5.014835358,7.870237827,7.866991520,4.976373672,7.854802608,7.868881702,5.053297043]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02231{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"safari.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1620898025217296,"flow_src_last_pkt_time":1620898025552151,"flow_dst_last_pkt_time":1620898025552116,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":437,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1558,"flow_dst_tot_l4_payload_len":13367,"midstream":0,"thread_ts_usec":1620898025552151,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55268,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":21602.4,"max":146010,"stddev":34561.6,"var":1194505728.0,"ent":3.5,"data": [30429,30474,1424,31291,132,29986,50740,8293,78244,9210,246,28671,116212,146010,494,137,30426,114,380,498,130,113,14,250,2,896,5501,36248,1496,132,31482]},"pktlen": {"min":52,"avg":519.0,"max":1492,"stddev":616.9,"var":380607.3,"ent":4.0,"data": [64,60,52,263,52,193,52,103,480,52,52,1399,52,483,52,1492,1492,52,1492,1492,52,1492,1492,411,52,52,52,489,52,1492,1492,52]},"bins": {"c_to_s": [10,1,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,8,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,0,1,1,1,0,1,1,0,1,1,1,0,0,0,0,1,1,1,0],"entropies": [4.365527153,5.212701797,4.906957626,5.866992474,4.948143959,6.471822739,4.777055740,5.588072777,7.508736134,5.010550499,4.972089291,7.876531601,4.976373672,7.413162708,4.945419312,7.858516216,7.873053551,4.770353794,7.876352787,7.853984356,4.861793518,7.863806248,7.873053074,7.450196266,4.900255680,4.900255203,4.774691582,7.458786488,5.100070000,7.869789600,7.864884853,5.053297043]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":5392,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1620898027036438,"flow_src_last_pkt_time":1620898027036438,"flow_dst_last_pkt_time":1620898027036438,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1620898027036438,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"146.48.58.18","src_port":55285,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5392,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1620898027036438,"flow_dst_last_pkt_time":1620898027036438,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1620898027036438,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGrBvAqAGykjA6Etf1AbvGGXtuAAAAALAC\/\/+JoQAAAgQFtAEDAwUBAQgKMzDQVQAAAAAEAgAA"} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5393,"source":"safari.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1620898027036438,"flow_dst_last_pkt_time":1620898027065042,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1620898027065042,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8AABAADQGuB+SMDoSwKgBsgG71\/XZbafoxhl7b6AS\/ogqVAAAAgQFrAQCCAo6VrYRMzDQVQEDAwc="} @@ -67,10 +67,10 @@ ~~ total active/idle flows...: 7/7 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6285244 bytes -~~ total memory freed........: 6285244 bytes -~~ total allocations/frees...: 127601/127601 +~~ total memory allocated....: 6286196 bytes +~~ total memory freed........: 6286196 bytes +~~ total allocations/frees...: 127608/127608 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1839 chars -~~ json string avg len.......: 1164 chars +~~ json string max len.......: 2238 chars +~~ json string avg len.......: 1363 chars diff --git a/test/results/salesforce.pcap.out b/test/results/salesforce.pcap.out index 45f702a83..23f53cf9f 100644 --- a/test/results/salesforce.pcap.out +++ b/test/results/salesforce.pcap.out @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046555 bytes -~~ total memory freed........: 6046555 bytes -~~ total allocations/frees...: 121511/121511 +~~ total memory allocated....: 6046691 bytes +~~ total memory freed........: 6046691 bytes +~~ total allocations/frees...: 121512/121512 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 1469 chars diff --git a/test/results/sccp_hw_conf_register.pcapng.out b/test/results/sccp_hw_conf_register.pcapng.out index e68d3407e..33d3f4988 100644 --- a/test/results/sccp_hw_conf_register.pcapng.out +++ b/test/results/sccp_hw_conf_register.pcapng.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036134 bytes -~~ total memory freed........: 6036134 bytes -~~ total allocations/frees...: 121504/121504 +~~ total memory allocated....: 6036270 bytes +~~ total memory freed........: 6036270 bytes +~~ total allocations/frees...: 121505/121505 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 508 chars ~~ json string max len.......: 933 chars diff --git a/test/results/sctp.cap.out b/test/results/sctp.cap.out index 5a8b8ba46..ad6d529bf 100644 --- a/test/results/sctp.cap.out +++ b/test/results/sctp.cap.out @@ -19,9 +19,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037381 bytes -~~ total memory freed........: 6037381 bytes -~~ total allocations/frees...: 121501/121501 +~~ total memory allocated....: 6037653 bytes +~~ total memory freed........: 6037653 bytes +~~ total allocations/frees...: 121503/121503 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars ~~ json string max len.......: 866 chars diff --git a/test/results/selfsigned.pcap.out b/test/results/selfsigned.pcap.out index d9296bb90..c471a50c5 100644 --- a/test/results/selfsigned.pcap.out +++ b/test/results/selfsigned.pcap.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6048701 bytes -~~ total memory freed........: 6048701 bytes -~~ total allocations/frees...: 121516/121516 +~~ total memory allocated....: 6048837 bytes +~~ total memory freed........: 6048837 bytes +~~ total allocations/frees...: 121517/121517 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 1610 chars diff --git a/test/results/sflow.pcap.out b/test/results/sflow.pcap.out index 6146a144a..da7586df5 100644 --- a/test/results/sflow.pcap.out +++ b/test/results/sflow.pcap.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035902 bytes -~~ total memory freed........: 6035902 bytes -~~ total allocations/frees...: 121496/121496 +~~ total memory allocated....: 6036038 bytes +~~ total memory freed........: 6036038 bytes +~~ total allocations/frees...: 121497/121497 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 909 chars diff --git a/test/results/signal.pcap.out b/test/results/signal.pcap.out index 4cab3e0cf..d2cae7604 100644 --- a/test/results/signal.pcap.out +++ b/test/results/signal.pcap.out @@ -34,7 +34,7 @@ 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"signal.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051247603797,"flow_src_last_pkt_time":1569051247716407,"flow_dst_last_pkt_time":1569051247714648,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051247716407,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57021,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1569051247716684,"flow_dst_last_pkt_time":1569051247714775,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1569051247716684,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGZHzAqAIRIuHwrd68AbvGwW2ECR79gIAQBAtLWAAAAQEICihVUl9kFVbr"} 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":31,"source":"signal.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051247601573,"flow_src_last_pkt_time":1569051247716836,"flow_dst_last_pkt_time":1569051247714775,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051247716836,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57020,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"signal.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569051247599529,"flow_src_last_pkt_time":1569051247791544,"flow_dst_last_pkt_time":1569051247792234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":10648,"midstream":0,"thread_ts_usec":1569051247792234,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":12410.3,"max":52274,"stddev":19984.8,"var":399390400.0,"ent":3.2,"data": [44158,46025,121,45605,778,217,319,168,47796,18,50,46011,44670,7772,1684,58,381,118,52274,18,1127,18,42555,122,704,525,120,879,64,358,7]},"pktlen": {"min":66,"avg":427.3,"max":1506,"stddev":522.5,"var":272968.6,"ent":4.1,"data": [78,74,66,583,66,1506,1506,1282,1506,66,66,66,673,66,146,112,109,101,207,337,337,66,136,66,66,66,66,97,1112,1112,1506,427]},"bins": {"c_to_s": [10,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} +02091{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"signal.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1569051247599529,"flow_src_last_pkt_time":1569051247791544,"flow_dst_last_pkt_time":1569051247792234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":10648,"midstream":0,"thread_ts_usec":1569051247792234,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":12410.3,"max":52274,"stddev":19984.8,"var":399390400.0,"ent":3.2,"data": [44158,46025,121,45605,778,217,319,168,47796,18,50,46011,44670,7772,1684,58,381,118,52274,18,1127,18,42555,122,704,525,120,879,64,358,7]},"pktlen": {"min":52,"avg":413.3,"max":1492,"stddev":522.5,"var":272968.6,"ent":4.0,"data": [64,60,52,569,52,1492,1492,1268,1492,52,52,52,659,52,132,98,95,87,193,323,323,52,122,52,52,52,52,83,1098,1098,1492,413]},"bins": {"c_to_s": [10,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,1,1,1,1],"entropies": [4.496222496,5.260978699,5.115703106,4.449790955,5.154164791,7.842132568,7.877580166,7.812294483,7.873640060,5.077241421,5.115703106,5.032077789,7.623220921,5.154164791,6.284255981,5.843806267,5.875387192,5.767893314,6.860127449,7.271677971,7.350573063,5.115703106,6.393777370,5.115703106,5.062724113,5.024262428,5.038779736,5.628359795,7.828307152,7.836736202,7.865890980,7.503857136]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} 01241{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"signal.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051247594090,"flow_src_last_pkt_time":1569051247706645,"flow_dst_last_pkt_time":1569051247818667,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051247818667,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":49226,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01630{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":60,"source":"signal.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051247594090,"flow_src_last_pkt_time":1569051247706645,"flow_dst_last_pkt_time":1569051247818679,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":2469,"midstream":0,"thread_ts_usec":1569051247818679,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":49226,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}} 01170{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":63,"source":"signal.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051247600467,"flow_src_last_pkt_time":1569051247711181,"flow_dst_last_pkt_time":1569051247822394,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051247822394,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"34.225.240.173","src_port":57019,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} @@ -89,7 +89,7 @@ 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":201,"source":"signal.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051264091926,"flow_src_last_pkt_time":1569051264259470,"flow_dst_last_pkt_time":1569051264203333,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051264259470,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57024,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":202,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1569051264259507,"flow_dst_last_pkt_time":1569051264203483,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1569051264259507,"pkt":"xiwDYGpkxGGLNYKpCABFAAA0AABAAEAGUTrAqAIRI6kDKN7BAbuYIIuNFdnORoAQBAtBKQAAAQEICihVkvxkFUBN"} 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":203,"source":"signal.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051264093006,"flow_src_last_pkt_time":1569051264259677,"flow_dst_last_pkt_time":1569051264203483,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051264259677,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57025,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"signal.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569051264078385,"flow_src_last_pkt_time":1569051264310199,"flow_dst_last_pkt_time":1569051264310869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":862,"flow_dst_tot_l4_payload_len":11255,"midstream":0,"thread_ts_usec":1569051264310869,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57022,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":14977.4,"max":100663,"stddev":25001.2,"var":625062336.0,"ent":3.3,"data": [34916,37696,123,37363,772,231,309,173,37044,153,34846,100663,83343,17640,1078,2531,59,427,91,36023,34,31611,467,2412,13,489,2231,1076,233,244,7]},"pktlen": {"min":66,"avg":445.7,"max":1506,"stddev":520.4,"var":270842.4,"ent":4.1,"data": [78,74,66,583,66,1506,1506,1282,1506,66,66,673,66,673,78,146,112,109,101,207,337,337,66,66,66,136,66,66,1112,1112,1506,427]},"bins": {"c_to_s": [9,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} +02103{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":222,"source":"signal.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569051264078385,"flow_src_last_pkt_time":1569051264310199,"flow_dst_last_pkt_time":1569051264310869,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":862,"flow_dst_tot_l4_payload_len":11255,"midstream":0,"thread_ts_usec":1569051264310869,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"23.57.24.16","src_port":57022,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":14977.4,"max":100663,"stddev":25001.2,"var":625062336.0,"ent":3.3,"data": [34916,37696,123,37363,772,231,309,173,37044,153,34846,100663,83343,17640,1078,2531,59,427,91,36023,34,31611,467,2412,13,489,2231,1076,233,244,7]},"pktlen": {"min":52,"avg":431.7,"max":1492,"stddev":520.4,"var":270842.4,"ent":4.1,"data": [64,60,52,569,52,1492,1492,1268,1492,52,52,659,52,659,64,132,98,95,87,193,323,323,52,52,52,122,52,52,1098,1098,1492,413]},"bins": {"c_to_s": [9,3,1,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,1,0,0,0,0,0,2,0,0,1,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,1,0,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,1,1],"entropies": [4.496222496,5.227644920,5.115703106,4.414837837,5.154164791,7.853477478,7.870889187,7.817573071,7.876551151,5.115703106,5.062724590,7.664700031,5.077241421,7.657122135,4.978374004,6.355051041,5.966256618,5.935075283,5.821801186,6.831858158,7.289732933,7.287264824,5.154164791,5.115703106,5.154164791,6.311809540,5.115703106,5.115703106,7.817995071,7.817259789,7.852911472,7.453959465]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AppleiTunes","proto_id":"91.145","encrypted":1,"breed":"Fun","category_id":17,"category":"Streaming"}} 01240{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":228,"source":"signal.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051264073974,"flow_src_last_pkt_time":1569051264229464,"flow_dst_last_pkt_time":1569051264342899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051264342899,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":49227,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01629{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":229,"source":"signal.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051264073974,"flow_src_last_pkt_time":1569051264229464,"flow_dst_last_pkt_time":1569051264343005,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":2469,"midstream":0,"thread_ts_usec":1569051264343005,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":49227,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"303951d4c50efb2e991652225a6f02b1","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}} 01169{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":233,"source":"signal.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051264090815,"flow_src_last_pkt_time":1569051264259325,"flow_dst_last_pkt_time":1569051264369936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051264369936,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57023,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} @@ -105,7 +105,7 @@ 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":321,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051264776825,"flow_dst_last_pkt_time":1569051264775024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051264776825,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01169{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":323,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051264776825,"flow_dst_last_pkt_time":1569051264887563,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051264887563,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01558{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":324,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051264776825,"flow_dst_last_pkt_time":1569051264887591,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2478,"midstream":0,"thread_ts_usec":1569051264887591,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"textsecure-service.whispersystems.org","tls": {"version":"TLSv1.2","server_names":"textsecure-service.whispersystems.org,service.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"1089ea6f0461a29006cc96dfe7a11d80","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=textsecure-service.whispersystems.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"5E:9E:63:F5:69:45:C7:DC:E6:4D:26:68:36:7E:C2:68:DB:02:60:8B"}}} -01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":350,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051265118031,"flow_dst_last_pkt_time":1569051265227415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":12293,"flow_dst_tot_l4_payload_len":2636,"midstream":0,"thread_ts_usec":1569051265227415,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":32686.5,"max":114919,"stddev":49905.0,"var":2490513152.0,"ent":3.3,"data": [108942,110621,122,110401,2138,28,112445,4951,114919,23,109553,1892,17,11,122,779,118,231,116,111402,211,108448,1776,614,1715,181,200,291,136,109394,1485]},"pktlen": {"min":66,"avg":533.2,"max":1506,"stddev":606.2,"var":367455.8,"ent":4.1,"data": [78,74,66,583,66,1506,1104,66,192,117,135,66,119,116,108,312,1506,1506,1506,378,66,104,848,66,66,1506,1506,1506,1506,151,66,66]},"bins": {"c_to_s": [4,3,1,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,0,1,1,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02109{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":350,"source":"signal.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051264666082,"flow_src_last_pkt_time":1569051265118031,"flow_dst_last_pkt_time":1569051265227415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":12293,"flow_dst_tot_l4_payload_len":2636,"midstream":0,"thread_ts_usec":1569051265227415,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"35.169.3.40","src_port":57026,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":32686.5,"max":114919,"stddev":49905.0,"var":2490513152.0,"ent":3.3,"data": [108942,110621,122,110401,2138,28,112445,4951,114919,23,109553,1892,17,11,122,779,118,231,116,111402,211,108448,1776,614,1715,181,200,291,136,109394,1485]},"pktlen": {"min":52,"avg":519.2,"max":1492,"stddev":606.2,"var":367455.8,"ent":4.1,"data": [64,60,52,569,52,1492,1090,52,178,103,121,52,105,102,94,298,1492,1492,1492,364,52,90,834,52,52,1492,1492,1492,1492,137,52,52]},"bins": {"c_to_s": [4,3,1,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,1,0,1,1,0,0,0,0,0,1,1],"entropies": [4.390677452,5.215063572,5.101185799,4.568855762,5.154164791,7.123593330,7.686298847,5.024262428,6.455136299,5.824676991,6.354698181,5.077241421,5.747490406,5.596203804,5.551773548,7.089583874,7.859809875,7.887398720,7.860632420,7.352869511,5.192626476,5.919520855,7.736015797,5.115703106,5.115703106,7.850556374,7.899875164,7.874493599,7.879738331,6.114603519,5.154164791,4.993616104]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569051266396342,"flow_src_last_pkt_time":1569051266396342,"flow_dst_last_pkt_time":1569051266396342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569051266396342,"l3_proto":"ip4","src_ip":"23.57.24.16","dst_ip":"192.168.2.17","src_port":443,"dst_port":57016,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_src_last_pkt_time":1569051266396342,"flow_dst_last_pkt_time":1569051266396342,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1569051266396342,"pkt":"xGGLNYKpxiwDYGpkCABFAABMyV0AADQGy0wXORgQwKgCEQG73rjhiC89LB07wYAYAQKY+AAAAQEICpZOcwIoVP9fFwMDABNN53WS+HQ+OdIkNGbGHI++PaTs"} 00849{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":357,"source":"signal.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569051266396342,"flow_src_last_pkt_time":1569051266396342,"flow_dst_last_pkt_time":1569051266396342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569051266396342,"l3_proto":"ip4","src_ip":"23.57.24.16","dst_ip":"192.168.2.17","src_port":443,"dst_port":57016,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -118,7 +118,7 @@ 01087{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":376,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267154562,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051267161538,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01147{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":378,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267197332,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569051267197332,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01471{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":379,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267161538,"flow_dst_last_pkt_time":1569051267197345,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":2383,"midstream":0,"thread_ts_usec":1569051267197345,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}} -01557{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":404,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":11950.2,"max":43365,"stddev":16041.8,"var":257340416.0,"ent":3.7,"data": [32885,39763,98,40023,2747,13,39382,7752,43365,416,22,34673,57,7463,493,19,81,373,5900,119,379,42152,16,471,26781,7559,10672,123,259,280,26119]},"pktlen": {"min":66,"avg":512.2,"max":1506,"stddev":608.0,"var":369644.2,"ent":4.1,"data": [78,74,66,583,66,1506,1009,66,192,66,117,135,66,66,119,116,108,257,104,1506,1506,1506,66,104,66,685,66,1506,1506,1506,1506,66]},"bins": {"c_to_s": [5,4,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,0,0,1]}} +01952{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":404,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":13,"avg":11950.2,"max":43365,"stddev":16041.8,"var":257340416.0,"ent":3.7,"data": [32885,39763,98,40023,2747,13,39382,7752,43365,416,22,34673,57,7463,493,19,81,373,5900,119,379,42152,16,471,26781,7559,10672,123,259,280,26119]},"pktlen": {"min":52,"avg":498.2,"max":1492,"stddev":608.0,"var":369644.2,"ent":4.0,"data": [64,60,52,569,52,1492,995,52,178,52,103,121,52,52,105,102,94,243,90,1492,1492,1492,52,90,52,671,52,1492,1492,1492,1492,52]},"bins": {"c_to_s": [5,4,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0],"s_to_c": [7,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,1,1,1,0,1,0,0,0,0,1],"entropies": [4.433722496,5.194311619,5.024262428,4.269306660,5.062724590,7.102223873,7.698739052,5.077241421,6.281415939,5.115703106,5.989915848,6.360937119,5.077241421,5.077241421,5.716584206,5.596204281,5.530496597,6.966745853,5.422244072,7.874898434,7.862365246,7.863490105,4.937912464,5.888910294,5.077241421,7.631612301,5.077241421,7.861750603,7.881488323,7.873866558,7.857449532,5.115703106]}} 01476{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":404,"source":"signal.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1569051267121677,"flow_src_last_pkt_time":1569051267296344,"flow_dst_last_pkt_time":1569051267317465,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":11716,"flow_dst_tot_l4_payload_len":2541,"midstream":0,"thread_ts_usec":1569051267317465,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"13.35.253.42","src_port":57027,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Signal","proto_id":"91.39","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"cdn.signal.org","tls": {"version":"TLSv1.2","server_names":"cdn.signal.org","ja3":"6725ca90906e1036febcbfd464e2e326","ja3s":"c4b2785a87896e19d37eee932070cb22","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=California, L=San Francisco, O=Open Whisper Systems, OU=Open Whisper Systems, CN=TextSecure","subjectDN":"C=US, ST=California, O=Open Whisper Systems, OU=Open Whisper Systems, CN=cdn.signal.org","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2","fingerprint":"81:3D:8A:2E:EE:B2:E1:F4:1C:2B:6D:20:16:54:B2:C1:87:D0:1E:12"}}} 00897{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":637,"source":"signal.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1569051245838268,"flow_src_last_pkt_time":1569051261595218,"flow_dst_last_pkt_time":1569051245838268,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":300,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":300,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1200,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DHCP","proto_id":"18","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00898{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":637,"source":"signal.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1569051255515841,"flow_src_last_pkt_time":1569051255541412,"flow_dst_last_pkt_time":1569051255539776,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":77,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1569051267601717,"l3_proto":"ip4","src_ip":"192.168.2.17","dst_ip":"17.248.146.144","src_port":56996,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -148,10 +148,10 @@ ~~ total active/idle flows...: 19/19 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6314336 bytes -~~ total memory freed........: 6314336 bytes -~~ total allocations/frees...: 122426/122426 +~~ total memory allocated....: 6316920 bytes +~~ total memory freed........: 6316920 bytes +~~ total allocations/frees...: 122445/122445 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1717 chars -~~ json string avg len.......: 1103 chars +~~ json string max len.......: 2114 chars +~~ json string avg len.......: 1301 chars diff --git a/test/results/simple-dnscrypt.pcap.out b/test/results/simple-dnscrypt.pcap.out index 234835cd5..18910fe9e 100644 --- a/test/results/simple-dnscrypt.pcap.out +++ b/test/results/simple-dnscrypt.pcap.out @@ -7,7 +7,7 @@ 01047{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284694670,"flow_dst_last_pkt_time":1491813284666208,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491813284694670,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01107{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284694670,"flow_dst_last_pkt_time":1491813284804255,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":1310,"midstream":0,"thread_ts_usec":1491813284804255,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01465{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":7,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813284809547,"flow_dst_last_pkt_time":1491813284819906,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813284819906,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} -01576{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":43169.3,"max":221977,"stddev":52652.2,"var":2772254720.0,"ent":3.9,"data": [110617,111151,27928,119560,18487,5167,114877,3012,7467,5,1,10608,4894,14894,118,54,378,91813,2,71462,3132,28841,26832,76361,36004,32630,95192,61613,221977,1]},"pktlen": {"min":54,"avg":397.4,"max":1364,"stddev":516.9,"var":267229.7,"ent":4.0,"data": [66,66,54,260,54,1364,1364,54,1364,1364,1364,360,54,180,107,110,96,272,312,123,54,92,54,92,54,54,54,415,54,119,1364,1324]},"bins": {"c_to_s": [7,4,1,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,6,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1]}} +01973{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":43169.3,"max":221977,"stddev":52652.2,"var":2772254720.0,"ent":3.9,"data": [110617,111151,27928,119560,18487,5167,114877,3012,7467,5,1,10608,4894,14894,118,54,378,91813,2,71462,3132,28841,26832,76361,36004,32630,95192,61613,221977,1]},"pktlen": {"min":40,"avg":383.4,"max":1350,"stddev":516.9,"var":267229.7,"ent":3.9,"data": [52,52,40,246,40,1350,1350,40,1350,1350,1350,346,40,166,93,96,82,258,298,109,40,78,40,78,40,40,40,401,40,105,1350,1310]},"bins": {"c_to_s": [7,4,1,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,6,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,1,1,0,0,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1],"entropies": [4.700937748,5.053297043,4.884183884,5.597340584,4.884183884,7.257542610,7.247560978,4.734184265,7.594522476,7.479546547,7.614046097,7.344598770,4.780641079,6.391661167,5.721328735,5.834361076,5.503191471,7.138485432,7.091854095,6.122251511,4.934183598,5.396905422,4.884183884,5.818656921,4.884183884,4.884183884,4.884183884,7.331987381,4.934183598,5.989890099,7.848228931,7.847333908]}} 01468{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285148253,"flow_dst_last_pkt_time":1491813285258007,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":10162,"midstream":0,"thread_ts_usec":1491813285258007,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"b8f81673c0e1d29908346f3bab892b9b","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":40,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286275625,"flow_dst_last_pkt_time":1491813286275625,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1491813286275625,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":40,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1491813286275625,"flow_dst_last_pkt_time":1491813286275625,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1491813286275625,"pkt":"uFpz9d6dpDTZFrEGCABFAAA0PSdAAIAGML7AqCunhncaGMRNAbtYb9jbAAAAAIACIADK3QAAAgQFtAEDAwgBAQQC"} @@ -30,7 +30,7 @@ 01473{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":76,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286592939,"flow_dst_last_pkt_time":1491813286594033,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813286594033,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} 01134{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":81,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1491813286392272,"flow_src_last_pkt_time":1491813286491438,"flow_dst_last_pkt_time":1491813286609961,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":1310,"midstream":0,"thread_ts_usec":1491813286609961,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01473{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":87,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1491813286392272,"flow_src_last_pkt_time":1491813286612199,"flow_dst_last_pkt_time":1491813286612925,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":6550,"midstream":0,"thread_ts_usec":1491813286612925,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50258,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} -01560{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":107,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":26187.7,"max":105611,"stddev":36205.4,"var":1310829056.0,"ent":3.6,"data": [76904,76992,229,75549,27738,2534,105611,594,1,590,1297,3,1553,3254,3682,128,52,3057,79,49,84732,1,74133,4254,9610,25085,23405,82024,4138,98354]},"pktlen": {"min":54,"avg":333.1,"max":1364,"stddev":456.8,"var":208637.0,"ent":4.0,"data": [66,66,54,264,54,1364,1364,54,1364,1364,54,1364,360,54,180,107,110,96,334,133,132,312,123,54,54,92,54,92,54,416,415,54]},"bins": {"c_to_s": [7,4,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,0,1,1,1,0]}} +01957{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":107,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":26187.7,"max":105611,"stddev":36205.4,"var":1310829056.0,"ent":3.6,"data": [76904,76992,229,75549,27738,2534,105611,594,1,590,1297,3,1553,3254,3682,128,52,3057,79,49,84732,1,74133,4254,9610,25085,23405,82024,4138,98354]},"pktlen": {"min":40,"avg":319.1,"max":1350,"stddev":456.8,"var":208637.0,"ent":3.9,"data": [52,52,40,250,40,1350,1350,40,1350,1350,40,1350,346,40,166,93,96,82,320,119,118,298,109,40,40,78,40,78,40,402,401,40]},"bins": {"c_to_s": [7,4,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,0,0,0,0,0,0,0,1,1,0,1,1,1,0,1,1,1,0],"entropies": [4.662476063,5.014835358,4.784183979,5.463803768,4.784183979,7.264608860,7.254951954,4.784183979,7.596163750,7.476695061,4.665311813,7.616894245,7.412656784,4.784183979,6.267624378,5.635307789,5.800558090,5.503190994,7.286572456,6.049404621,6.063973427,7.156964302,6.273537159,4.934183598,4.884183884,5.802693844,4.834183693,5.438509464,4.884183884,7.476879120,7.394095898,4.934183598]}} 01476{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":107,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1491813286393273,"flow_src_last_pkt_time":1491813286786121,"flow_dst_last_pkt_time":1491813286786057,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":280,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":7944,"midstream":0,"thread_ts_usec":1491813286786121,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50259,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"5":"DPI (cache)"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"simplednscrypt.org","tls": {"version":"TLSv1.2","server_names":"simplednscrypt.org,www.simplednscrypt.org","ja3":"83e04bc58d402f9633983cbf22724b02","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Domain Validation Secure Server CA","subjectDN":"OU=Domain Control Validated, OU=PositiveSSL, CN=simplednscrypt.org","alpn":"h2,http\/1.1","fingerprint":"3E:20:0F:BF:AD:D8:5C:A1:A1:1B:E5:B2:A7:D4:68:E2:6A:DB:01:41"}}} 00928{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":21,"flow_first_seen":1491813284555591,"flow_src_last_pkt_time":1491813285262104,"flow_dst_last_pkt_time":1491813285262021,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":218,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":804,"flow_dst_tot_l4_payload_len":13434,"midstream":0,"thread_ts_usec":1491813286913648,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50233,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.DNScrypt","proto_id":"91.208","encrypted":1,"breed":"Safe","category_id":14,"category":"Network"}} 00776{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":111,"source":"simple-dnscrypt.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":8,"flow_dst_packets_processed":10,"flow_first_seen":1491813286275625,"flow_src_last_pkt_time":1491813286718876,"flow_dst_last_pkt_time":1491813286718848,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1310,"flow_src_tot_l4_payload_len":336,"flow_dst_tot_l4_payload_len":7183,"midstream":0,"thread_ts_usec":1491813286913648,"l3_proto":"ip4","src_ip":"192.168.43.167","dst_ip":"134.119.26.24","src_port":50253,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -45,10 +45,10 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6141396 bytes -~~ total memory freed........: 6141396 bytes -~~ total allocations/frees...: 121674/121674 +~~ total memory allocated....: 6141940 bytes +~~ total memory freed........: 6141940 bytes +~~ total allocations/frees...: 121678/121678 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars -~~ json string max len.......: 1581 chars -~~ json string avg len.......: 1039 chars +~~ json string max len.......: 1978 chars +~~ json string avg len.......: 1238 chars diff --git a/test/results/sip.pcap.out b/test/results/sip.pcap.out index f58edd53a..33315d439 100644 --- a/test/results/sip.pcap.out +++ b/test/results/sip.pcap.out @@ -22,7 +22,7 @@ 00554{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":44,"source":"sip.pcap","alias":"nDPId-test","packets-captured":44,"packets-processed":43,"total-skipped-flows":0,"total-l4-payload-len":17733,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":9,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":22,"global_ts_usec":1120470187658020} 00903{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":46,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":10,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470216689496,"flow_dst_last_pkt_time":1120469956406918,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":680,"flow_dst_max_l4_payload_len":491,"flow_src_tot_l4_payload_len":4633,"flow_dst_tot_l4_payload_len":4354,"midstream":0,"thread_ts_usec":1120470216689496,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00904{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":46,"source":"sip.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":3,"flow_first_seen":1120470049188993,"flow_src_last_pkt_time":1120470114910372,"flow_dst_last_pkt_time":1120470116279089,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":347,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":822,"flow_dst_max_l4_payload_len":614,"flow_src_tot_l4_payload_len":6938,"flow_dst_tot_l4_payload_len":1818,"midstream":0,"thread_ts_usec":1120470216689496,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"200.68.120.81","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01828{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":50,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470235521078,"flow_dst_last_pkt_time":1120470235448732,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":825,"flow_dst_max_l4_payload_len":593,"flow_src_tot_l4_payload_len":7448,"flow_dst_tot_l4_payload_len":4947,"midstream":0,"thread_ts_usec":1120470235521078,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25935,"avg":42751008.0,"max":279041814,"stddev":57873684.0,"var":3349363405357056.0,"ent":4.0,"data": [136757,17415627,17424961,49834,89928591,89874891,17280679,17290428,150200040,150188219,17325180,17335822,73916043,73902652,17325038,17333170,25935,17724998,29031776,29092737,34118166,34119076,29272359,29031830,29031631,29031476,17104967,497671,1001842,279041814,227102]},"pktlen": {"min":47,"avg":429.3,"max":867,"stddev":273.0,"var":74531.7,"ent":4.6,"data": [509,528,722,348,388,509,528,722,533,509,528,722,533,509,528,722,348,512,47,47,47,47,47,47,47,47,47,867,867,867,635,382]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,0,0,0,0,4,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,2,1,0,0,0,1,6,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02227{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":50,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470235521078,"flow_dst_last_pkt_time":1120470235448732,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":825,"flow_dst_max_l4_payload_len":593,"flow_src_tot_l4_payload_len":7448,"flow_dst_tot_l4_payload_len":4947,"midstream":0,"thread_ts_usec":1120470235521078,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25935,"avg":42751008.0,"max":279041814,"stddev":57873684.0,"var":3349363405357056.0,"ent":4.0,"data": [136757,17415627,17424961,49834,89928591,89874891,17280679,17290428,150200040,150188219,17325180,17335822,73916043,73902652,17325038,17333170,25935,17724998,29031776,29092737,34118166,34119076,29272359,29031830,29031631,29031476,17104967,497671,1001842,279041814,227102]},"pktlen": {"min":33,"avg":415.3,"max":853,"stddev":273.0,"var":74531.7,"ent":4.6,"data": [495,514,708,334,374,495,514,708,519,495,514,708,519,495,514,708,334,498,33,33,33,33,33,33,33,33,33,853,853,853,621,368]},"bins": {"c_to_s": [9,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,0,0,0,0,4,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,2,1,0,0,0,1,6,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0],"entropies": [5.741633415,5.745016098,5.709460258,5.733335018,5.724183083,5.734008312,5.752299309,5.705936909,5.742718697,5.746319294,5.735527039,5.694232941,5.749829292,5.746265888,5.718012810,5.700710297,5.702609062,5.648171425,4.098355293,4.098355293,4.098355293,4.098355293,4.098355293,4.098355293,4.037749290,4.098355293,4.098355293,5.722674847,5.721789837,5.722674847,5.763523579,5.703196526]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00904{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":55,"source":"sip.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":12,"flow_first_seen":1120469572844249,"flow_src_last_pkt_time":1120470268180956,"flow_dst_last_pkt_time":1120470268128176,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":5,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1076,"flow_dst_max_l4_payload_len":593,"flow_src_tot_l4_payload_len":8864,"flow_dst_tot_l4_payload_len":5392,"midstream":0,"thread_ts_usec":1120470268180956,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"212.242.33.35","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00904{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":55,"source":"sip.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":3,"flow_first_seen":1120470049188993,"flow_src_last_pkt_time":1120470114910372,"flow_dst_last_pkt_time":1120470116279089,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":347,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":822,"flow_dst_max_l4_payload_len":614,"flow_src_tot_l4_payload_len":6938,"flow_dst_tot_l4_payload_len":1818,"midstream":0,"thread_ts_usec":1120470268180956,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"200.68.120.81","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00902{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":57,"source":"sip.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":3,"flow_first_seen":1120470049188993,"flow_src_last_pkt_time":1120470114910372,"flow_dst_last_pkt_time":1120470116279089,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":347,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":822,"flow_dst_max_l4_payload_len":614,"flow_src_tot_l4_payload_len":6938,"flow_dst_tot_l4_payload_len":1818,"midstream":0,"thread_ts_usec":1120470315341351,"l3_proto":"ip4","src_ip":"192.168.1.2","dst_ip":"200.68.120.81","src_port":5060,"dst_port":5060,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SIP","proto_id":"100","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} @@ -59,10 +59,10 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6043761 bytes -~~ total memory freed........: 6043761 bytes -~~ total allocations/frees...: 121629/121629 +~~ total memory allocated....: 6044305 bytes +~~ total memory freed........: 6044305 bytes +~~ total allocations/frees...: 121633/121633 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1833 chars -~~ json string avg len.......: 1159 chars +~~ json string max len.......: 2232 chars +~~ json string avg len.......: 1359 chars diff --git a/test/results/sip_hello.pcapng.out b/test/results/sip_hello.pcapng.out index f3eeffc69..3495db3ac 100644 --- a/test/results/sip_hello.pcapng.out +++ b/test/results/sip_hello.pcapng.out @@ -24,9 +24,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036511 bytes -~~ total memory freed........: 6036511 bytes -~~ total allocations/frees...: 121517/121517 +~~ total memory allocated....: 6036647 bytes +~~ total memory freed........: 6036647 bytes +~~ total allocations/frees...: 121518/121518 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 496 chars ~~ json string max len.......: 918 chars diff --git a/test/results/sites.pcapng.out b/test/results/sites.pcapng.out index 3b2470acb..b2a4db9b0 100644 --- a/test/results/sites.pcapng.out +++ b/test/results/sites.pcapng.out @@ -30,7 +30,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":69,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1623223596002274,"flow_dst_last_pkt_time":1623223595999034,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1623223596002274,"pkt":"pJGxgjQ5PKn0qB\/sCABFAAA0ZBlAAEAGCezAqAGAW8au0MW8AbvaIBcIazbbIYAQAfbJTQAAAQEICrzqTwcXn7ww"} 01099{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":70,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596004515,"flow_dst_last_pkt_time":1623223595999034,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623223596004515,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.2","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 01144{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":72,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596004515,"flow_dst_last_pkt_time":1623223596052201,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1623223596052201,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.3","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} -01500{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":199,"avg":19621.6,"max":52937,"stddev":23899.2,"var":571172992.0,"ent":2.8,"data": [46836,50076,2241,52937,230,52220,1478,638,2420,52443,779,3077,237,199,47900,235]},"pktlen": {"min":66,"avg":613.8,"max":1514,"stddev":646.4,"var":417856.7,"ent":4.2,"data": [74,74,66,583,66,1514,1514,1266,166,66,66,66,66,146,236,304,369,109,97,1514,1514,1514,1514,1514,1514,1514,1514,388,66,66,66,97]},"bins": {"c_to_s": [10,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0]}} +01898{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":98,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":199,"avg":19621.6,"max":52937,"stddev":23899.2,"var":571172992.0,"ent":2.8,"data": [46836,50076,2241,52937,230,52220,1478,638,2420,52443,779,3077,237,199,47900,235]},"pktlen": {"min":52,"avg":599.8,"max":1500,"stddev":646.4,"var":417856.7,"ent":4.1,"data": [60,60,52,569,52,1500,1500,1252,152,52,52,52,52,132,222,290,355,95,83,1500,1500,1500,1500,1500,1500,1500,1500,374,52,52,52,83]},"bins": {"c_to_s": [10,0,1,0,0,1,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,1,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0],"entropies": [4.713301182,5.220872402,5.008629799,5.408417225,5.079967022,7.845353127,7.893048763,7.841969490,6.480354786,5.047091007,5.047091484,5.085552692,5.085553169,6.254513264,6.947219372,7.136369228,7.362440109,5.997154236,5.666953564,7.893563271,7.867501259,7.878776073,7.865104198,7.874600887,7.869311810,7.861063480,7.860395432,7.425109863,5.085552692,5.047091007,5.085552692,5.564384460]}} 01148{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":98,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223596109406,"flow_dst_last_pkt_time":1623223596108936,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1036,"flow_dst_tot_l4_payload_len":16479,"midstream":0,"thread_ts_usec":1623223596109406,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"upload.wikimedia.org","tls": {"version":"TLSv1.3","ja3":"6b5e0cfe988c723ee71faf54f8460684","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2"}}} 00767{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":107,"source":"sites.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":17,"flow_first_seen":1623222051753416,"flow_src_last_pkt_time":1623222112086485,"flow_dst_last_pkt_time":1623222112185361,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":965,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2226,"flow_dst_tot_l4_payload_len":6554,"midstream":0,"thread_ts_usec":1623223596203292,"l3_proto":"ip4","src_ip":"192.168.1.227","dst_ip":"52.73.71.226","src_port":50071,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":119,"source":"sites.pcapng","alias":"nDPId-test","packets-captured":119,"packets-processed":118,"total-skipped-flows":0,"total-l4-payload-len":35609,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":6,"total-updates":0,"current-active-flows":1,"total-active-flows":4,"total-idle-flows":3,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":36,"global_ts_usec":1623226283573712} @@ -39,7 +39,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":120,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1623226283573712,"flow_dst_last_pkt_time":1623226283601626,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1623226283601626,"pkt":"AoEfHBPlpJGxgjQ5CABFAAA0AABAADMGZpwtUvEzwKgB+gBQm9LNImc9F4Arv4ASchAIQAAAAgQFeAEBBAIBAwMK"} 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":121,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1623226283602794,"flow_dst_last_pkt_time":1623226283601626,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1623226283602794,"pkt":"pJGxgjQ5AoEfHBPlCABFAAAoM5VAAEAGJhPAqAH6LVLxM5vSAFAXgCu\/zSJnPlAQAKy6PQAAAAAAAAAA"} 01048{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":122,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226283612303,"flow_dst_last_pkt_time":1623226283601626,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":190,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1623226283612303,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"videosnap.like.video","http": {"url":"videosnap.like.video\/eu_live\/5uz\/1YOmxT.webp?type=8&resize=1&dw=360","code":0,"content_type":"","user_agent":"Like-Android"}}} -01657{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226284678348,"flow_dst_last_pkt_time":1623226284677149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":380,"flow_dst_tot_l4_payload_len":18862,"midstream":0,"thread_ts_usec":1623226284678348,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":249,"avg":138004.6,"max":1031142,"stddev":327437.1,"var":107215077376.0,"ent":1.6,"data": [27914,29082,9509,39180,2950,249,59912,307,304,974261,1031142,29550,491,2002,490,730]},"pktlen": {"min":60,"avg":659.1,"max":1514,"stddev":701.2,"var":491744.0,"ent":4.1,"data": [74,66,60,244,60,1514,1514,1514,1514,1514,1514,1396,60,60,60,60,60,60,60,244,1514,1514,1514,1514,60,60,1514,1514,60,60,60,60]},"bins": {"c_to_s": [15,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02056{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"sites.pcapng","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1623226283573712,"flow_src_last_pkt_time":1623226284678348,"flow_dst_last_pkt_time":1623226284677149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":190,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":380,"flow_dst_tot_l4_payload_len":18862,"midstream":0,"thread_ts_usec":1623226284678348,"l3_proto":"ip4","src_ip":"192.168.1.250","dst_ip":"45.82.241.51","src_port":39890,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":249,"avg":138004.6,"max":1031142,"stddev":327437.1,"var":107215077376.0,"ent":1.6,"data": [27914,29082,9509,39180,2950,249,59912,307,304,974261,1031142,29550,491,2002,490,730]},"pktlen": {"min":46,"avg":645.1,"max":1500,"stddev":701.2,"var":491744.0,"ent":4.0,"data": [60,52,46,230,46,1500,1500,1500,1500,1500,1500,1382,46,46,46,46,46,46,46,230,1500,1500,1500,1500,46,46,1500,1500,46,46,46,46]},"bins": {"c_to_s": [15,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,12,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0],"entropies": [4.650921822,4.854286671,4.347350597,5.690956593,4.347350597,7.663578510,7.860166073,7.846680641,7.877070427,7.858085155,7.884421825,7.865271091,4.347350597,4.303872585,4.260394573,4.303872585,4.303872585,4.347350597,4.347350597,5.731587410,7.670816898,7.866776943,7.851586819,7.865674973,4.303872585,4.303872108,7.855195045,7.870656013,4.303872585,4.260394096,4.303872108,4.303872585]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Likee","proto_id":"7.261","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00916{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":229,"source":"sites.pcapng","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":24,"flow_first_seen":1623223595952198,"flow_src_last_pkt_time":1623223766553269,"flow_dst_last_pkt_time":1623223766548680,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1177,"flow_dst_tot_l4_payload_len":16557,"midstream":0,"thread_ts_usec":1623226286427901,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"91.198.174.208","src_port":50620,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Wikipedia","proto_id":"91.176","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":231,"source":"sites.pcapng","alias":"nDPId-test","packets-captured":231,"packets-processed":230,"total-skipped-flows":0,"total-l4-payload-len":108050,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":5,"total-detection-updates":6,"total-updates":0,"current-active-flows":1,"total-active-flows":5,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":44,"global_ts_usec":1631088115362469} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":231,"source":"sites.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1631088115362469,"flow_src_last_pkt_time":1631088115362469,"flow_dst_last_pkt_time":1631088115362469,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1631088115362469,"l3_proto":"ip4","src_ip":"192.168.1.128","dst_ip":"199.232.82.109","src_port":46724,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -348,9 +348,9 @@ ~~ total active/idle flows...: 47/47 ~~ total timeout flows.......: 4 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6622574 bytes -~~ total memory freed........: 6622574 bytes -~~ total allocations/frees...: 122993/122993 +~~ total memory allocated....: 6628966 bytes +~~ total memory freed........: 6628966 bytes +~~ total allocations/frees...: 123040/123040 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2515 chars diff --git a/test/results/skinny.pcap.out b/test/results/skinny.pcap.out index 10a2efde1..e700e03de 100644 --- a/test/results/skinny.pcap.out +++ b/test/results/skinny.pcap.out @@ -10,7 +10,7 @@ 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801130506133,"flow_src_last_pkt_time":1317801130506133,"flow_dst_last_pkt_time":1317801130506133,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1317801130506133,"l3_proto":"ip4","src_ip":"192.168.193.12","dst_ip":"192.168.195.50","src_port":2000,"dst_port":51532,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1317801130506148,"flow_dst_last_pkt_time":1317801130506133,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1317801130506148,"pkt":"AB1FDGVjABTy5fxCCABFYABE5ZNAAD8GUDDAqMEMwKjDMgfQyUyJcg5JId4l61AYLGoX3AAAFAAAABQAAAAQAQAAAQAAAEs2LgEDAAAA\/\/\/\/\/w=="} 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1317801130506205,"flow_dst_last_pkt_time":1317801130506133,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1317801130506205,"pkt":"AB1FDGVjABTy5fxCCABFYABI5ZVAAD8GUCrAqMEMwKjDMgfQyUyJcg5lId4l61AYLGr9cQAAGAAAABQAAABFAQAAAAAAAAEAAABLNi4BgBczMjEAAAA="} -01711{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":60,"source":"skinny.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1317801130501299,"flow_src_last_pkt_time":1317801134312976,"flow_dst_last_pkt_time":1317801134286303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":52,"flow_dst_max_l4_payload_len":324,"flow_src_tot_l4_payload_len":248,"flow_dst_tot_l4_payload_len":1620,"midstream":1,"thread_ts_usec":1317801134312976,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.12","src_port":49399,"dst_port":2000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":245054.2,"max":3609828,"stddev":877176.1,"var":769437794304.0,"ent":1.5,"data": [2211,18,14,5962,3780,258,15,49,20014,19685,10391,48806,3559643,16,82,3609828,11683,20052,16478,36490,7020,23440,32822,19981,11660,17,20000,11522,27273,50735,26736]},"pktlen": {"min":60,"avg":114.2,"max":378,"stddev":74.3,"var":5521.7,"ent":4.8,"data": [78,82,70,78,60,378,82,90,82,60,214,74,60,78,194,90,60,266,60,102,60,198,60,198,60,198,186,60,106,106,60,106]},"bins": {"c_to_s": [9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,5,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,0,1,1,1,1,0,1,0,1,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02106{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":60,"source":"skinny.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1317801130501299,"flow_src_last_pkt_time":1317801134312976,"flow_dst_last_pkt_time":1317801134286303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":52,"flow_dst_max_l4_payload_len":324,"flow_src_tot_l4_payload_len":248,"flow_dst_tot_l4_payload_len":1620,"midstream":1,"thread_ts_usec":1317801134312976,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.12","src_port":49399,"dst_port":2000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":245054.2,"max":3609828,"stddev":877176.1,"var":769437794304.0,"ent":1.5,"data": [2211,18,14,5962,3780,258,15,49,20014,19685,10391,48806,3559643,16,82,3609828,11683,20052,16478,36490,7020,23440,32822,19981,11660,17,20000,11522,27273,50735,26736]},"pktlen": {"min":46,"avg":100.2,"max":364,"stddev":74.3,"var":5521.7,"ent":4.7,"data": [64,68,56,64,46,364,68,76,68,46,200,60,46,64,180,76,46,252,46,88,46,184,46,184,46,184,172,46,92,92,46,92]},"bins": {"c_to_s": [9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,0,0,5,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,0,1,1,1,1,0,1,0,1,1,1,1,0,1,0,0,1,1,0,1,0,1,1,0,0,0,1,0],"entropies": [3.922401428,4.000817776,4.543873787,4.299025536,4.398030758,3.738415241,4.369860649,4.173765659,4.555430412,4.446094513,4.498068333,4.266249657,4.654558659,4.450102329,2.632452726,4.180215836,4.398030758,4.264904022,4.549461365,3.957430601,4.654558659,2.670037031,4.549461365,2.689654589,4.478915215,2.567897081,4.683412552,4.398031235,4.043387413,3.999909163,4.567602158,4.021648407]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":61,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134322539,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134322539,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":61,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1317801134322539,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134322539,"pkt":"ABTy5fxCAB56JnR1CABFuADIE4MAAEARYEbAqMM6wKjBGH2WJLMAtK8pgIAFmwAC4MD2v1fi\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/39+\/v18ffz+\/f9+\/n17eXh6e357fv1+\/v59\/fx9fX16e379+vv7+359fnv\/\/X3+\/35\/e3v+\/H7\/fnv+fXz9\/v7+fX18fHx7fHt+f3\/\/fv3+f\/7+\/v79\/\/5\/eXt8fX9+f\/\/\/\/39+f3x5e3x6eX1+fv5+f\/78\/P78\/nz+fn5+fA=="} 00863{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134322539,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":172,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134322539,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} @@ -36,16 +36,16 @@ 00745{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":89,"source":"skinny.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1317801134389369,"flow_dst_last_pkt_time":1317801134349579,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134389369,"pkt":"ABTy5fxCAB56JnR1CABFuADIE40AAEARYDzAqMM6wKjBGH2YJLQAtJABgAAFlgAFiLgeBjsifHt9f319fPv+\/v54f\/7\/e3l9e\/79f3p7fn18e316ff5+\/X58fv1\/\/v9+f3p+f31\/fv3+f31+\/np6fnx8fnz9\/P\/8fv37ff3\/fH7+\/3v\/f318f\/t8fP19fH19\/fl\/ev39+fx9d3Fw+NlhW8pMTLpRPsLeSefcWnbk8lz61FL72VV96Wtf6+1j6G777m\/scn\/3eX7+cXDubGz2fnF77nN2\/A=="} 00749{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1317801134403859,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134403859,"pkt":"ABTy5fxCAB1FDGVjCABFuADIE+4AAEARX+PAqMMywKjBGEVEJLgAtCDKgAAGQAAC40B8EHHz+vv9\/f7+\/nx6eXh7ff\/9\/fb4+vj5+f5+fHh8eHd5en5++\/39\/Xt\/enl7eH54efr+\/Pp9f3p5fHV4enp\/\/Pj59vn+9vb8fHl6d3t5ev5\/\/P768\/n5+f7+fHV1dnR6fXd8\/31\/eHr+eX39d3n4\/f73+Pz8\/3t7e3p2dn59fPv5+\/v4\/X\/8fH18e39+fv78\/fv59\/b7\/nx7fXh3d3p\/fHt9fg=="} 00752{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":102,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1317801134423839,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":214,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":214,"pkt_l4_len":180,"thread_ts_usec":1317801134423839,"pkt":"ABTy5fxCAB1FDGVjCABFuADIE\/EAAEARX+DAqMMywKjBGEVEJLgAtBwlgAAGQQAC4+B8EHHzfn78fXn\/eXV9d3b9\/338+\/f7fH59e3p2eX3++\/309fz6e3l6c3h3dnt3fff49\/Pz9vf2+Pv9fX19fX1+\/f1\/e3l5d3d1dHh6fHp6fv7++\/r3+H59fHx9e3l9+\/99\/P37+X57e3l8e3p\/f379\/fv7+\/r8\/v\/8\/n7\/\/\/39fXx6dnd5ev9+eXx6eH16fPx\/\/Pj5+fv7\/H15d3l7fH7\/\/f39\/A=="} -01686{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":125,"source":"skinny.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801134322976,"flow_src_last_pkt_time":1317801134482957,"flow_dst_last_pkt_time":1317801134468575,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3096,"flow_dst_tot_l4_payload_len":2408,"midstream":0,"thread_ts_usec":1317801134482957,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.195.50","src_port":32144,"dst_port":17718,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":9857.4,"max":25564,"stddev":10215.5,"var":104355640.0,"ent":3.9,"data": [25,19949,10,25564,11,20009,15,19949,15,19947,7,19983,8,20009,7,20042,7,20010,7,19977,4,19971,13,19997,11,20024,12,20020,11,19956,10]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":307,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134942562,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134942562,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19901,"avg":20000.7,"max":20073,"stddev":35.0,"var":1222.2,"ent":5.0,"data": [20010,20035,19901,20015,19977,20040,20015,20006,19996,20018,19974,20009,19997,20001,20001,19982,20073,20009,20000,19999,20061,19944,19990,19953,20026,19940,20010,20055,20010,19978,19998]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01728{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":319,"source":"skinny.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134348136,"flow_src_last_pkt_time":1317801134968092,"flow_dst_last_pkt_time":1317801134348136,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134968092,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17726,"dst_port":9399,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19962,"avg":19998.6,"max":20095,"stddev":27.6,"var":759.7,"ent":5.0,"data": [19962,19969,20095,19966,20007,20019,20010,19970,19996,20019,19982,19965,20001,20006,19994,20032,19986,19999,19985,19996,20021,19995,20005,19995,19975,19984,19971,20037,20033,19973,20008]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"skinny.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134349579,"flow_src_last_pkt_time":1317801134969420,"flow_dst_last_pkt_time":1317801134349579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134969420,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32152,"dst_port":9396,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19475,"avg":19994.9,"max":20520,"stddev":142.6,"var":20347.9,"ent":5.0,"data": [19831,19959,20146,19907,20018,20014,20011,20005,20001,20003,20045,19895,20035,19968,20008,20010,19972,20003,20520,19475,20014,19970,20034,19981,19987,19986,19966,20048,20036,19972,20021]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} -01729{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":334,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134383882,"flow_src_last_pkt_time":1317801135003916,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801135003916,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17732,"dst_port":9400,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19941,"avg":20001.1,"max":20100,"stddev":38.1,"var":1453.4,"ent":5.0,"data": [19977,19980,20100,19974,19997,19973,19984,19994,20002,20000,19996,19991,19980,20100,20004,19971,19986,20073,19948,19997,19947,20007,19941,20015,20065,19981,19993,20024,20019,20002,20013]},"pktlen": {"min":214,"avg":214.0,"max":214,"stddev":0.0,"var":0.0,"ent":5.0,"data": [214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214,214]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +02085{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":125,"source":"skinny.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801134322976,"flow_src_last_pkt_time":1317801134482957,"flow_dst_last_pkt_time":1317801134468575,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":172,"flow_src_tot_l4_payload_len":3096,"flow_dst_tot_l4_payload_len":2408,"midstream":0,"thread_ts_usec":1317801134482957,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.195.50","src_port":32144,"dst_port":17718,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":9857.4,"max":25564,"stddev":10215.5,"var":104355640.0,"ent":3.9,"data": [25,19949,10,25564,11,20009,15,19949,15,19947,7,19983,8,20009,7,20042,7,20010,7,19977,4,19971,13,19997,11,20024,12,20020,11,19956,10]},"pktlen": {"min":200,"avg":200.0,"max":200,"stddev":0.0,"var":0.0,"ent":5.0,"data": [200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200]},"bins": {"c_to_s": [0,0,0,0,0,18,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0],"entropies": [4.233760357,4.233760357,4.755019665,4.755019665,4.365148544,4.365148544,5.067544460,5.067544460,4.363914013,4.363914013,4.870802402,4.870802402,5.547243595,5.547243595,5.061565876,5.061565876,5.180966377,5.180966377,5.064822674,5.064822674,5.333183289,5.333183289,5.182554245,5.182554245,5.614361763,5.614361763,5.808181763,5.808181763,5.246697903,5.246697903,5.232192516,5.232192516]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +02128{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":307,"source":"skinny.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134322539,"flow_src_last_pkt_time":1317801134942562,"flow_dst_last_pkt_time":1317801134322539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134942562,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32150,"dst_port":9395,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19901,"avg":20000.7,"max":20073,"stddev":35.0,"var":1222.2,"ent":5.0,"data": [20010,20035,19901,20015,19977,20040,20015,20006,19996,20018,19974,20009,19997,20001,20001,19982,20073,20009,20000,19999,20061,19944,19990,19953,20026,19940,20010,20055,20010,19978,19998]},"pktlen": {"min":200,"avg":200.0,"max":200,"stddev":0.0,"var":0.0,"ent":5.0,"data": [200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.253760338,4.786761761,5.077544212,4.880802631,5.060857296,5.094822407,5.175570965,5.860004425,5.252192497,4.811758041,5.051555157,5.202684879,4.826058388,4.792474747,4.938888073,4.741405487,4.472463608,4.580914974,4.584398270,4.538744450,4.508350849,4.288617134,4.379649162,4.592761517,4.371983528,4.385575771,4.512448788,4.759740829,4.715042114,4.770418644,3.938650370,4.306789398]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +02127{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":319,"source":"skinny.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134348136,"flow_src_last_pkt_time":1317801134968092,"flow_dst_last_pkt_time":1317801134348136,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134968092,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17726,"dst_port":9399,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19962,"avg":19998.6,"max":20095,"stddev":27.6,"var":759.7,"ent":5.0,"data": [19962,19969,20095,19966,20007,20019,20010,19970,19996,20019,19982,19965,20001,20006,19994,20032,19986,19999,19985,19996,20021,19995,20005,19995,19975,19984,19971,20037,20033,19973,20008]},"pktlen": {"min":200,"avg":200.0,"max":200,"stddev":0.0,"var":0.0,"ent":5.0,"data": [200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.382149220,4.433072090,5.554677963,5.245295525,5.359684944,5.638034821,5.272410393,5.136450291,4.824490070,4.458597660,4.762297153,4.430035591,4.140134811,3.858884573,3.769583702,3.278017282,3.433972836,3.403135061,3.567106962,4.292976856,4.648509502,4.789345264,4.830762386,4.555335999,4.442068100,6.184312344,4.938612938,6.346918106,6.461272717,6.171940327,6.510017872,6.460319996]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +02130{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":322,"source":"skinny.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134349579,"flow_src_last_pkt_time":1317801134969420,"flow_dst_last_pkt_time":1317801134349579,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801134969420,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"192.168.193.24","src_port":32152,"dst_port":9396,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19475,"avg":19994.9,"max":20520,"stddev":142.6,"var":20347.9,"ent":5.0,"data": [19831,19959,20146,19907,20018,20014,20011,20005,20001,20003,20045,19895,20035,19968,20008,20010,19972,20003,20520,19475,20014,19970,20034,19981,19987,19986,19966,20048,20036,19972,20021]},"pktlen": {"min":200,"avg":200.0,"max":200,"stddev":0.0,"var":0.0,"ent":5.0,"data": [200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.393408298,4.432039738,5.622674942,5.222123623,5.373581886,5.658831120,5.279973507,5.143450737,4.839715958,4.427013874,4.767832279,4.403833866,4.120435238,3.834218979,3.762180805,3.235242844,3.409477234,3.386922836,3.548633337,4.268260479,4.605560303,4.771471977,4.801124096,4.541038036,4.446225643,6.169005394,4.927167892,6.350693703,6.448822498,6.188875198,6.544920921,6.452270985]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} +02128{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":334,"source":"skinny.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1317801134383882,"flow_src_last_pkt_time":1317801135003916,"flow_dst_last_pkt_time":1317801134383882,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":172,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":172,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5504,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801135003916,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.193.24","src_port":17732,"dst_port":9400,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19941,"avg":20001.1,"max":20100,"stddev":38.1,"var":1453.4,"ent":5.0,"data": [19977,19980,20100,19974,19997,19973,19984,19994,20002,20000,19996,19991,19980,20100,20004,19971,19986,20073,19948,19997,19947,20007,19941,20015,20065,19981,19993,20024,20019,20002,20013]},"pktlen": {"min":200,"avg":200.0,"max":200,"stddev":0.0,"var":0.0,"ent":5.0,"data": [200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200,200]},"bins": {"c_to_s": [0,0,0,0,0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.886732578,5.045310974,5.069633007,5.162554741,5.808761120,5.197607994,4.773752689,5.019257545,5.175136566,4.783205986,4.789572239,4.908454418,4.722610474,4.455634594,4.590435505,4.554622650,4.530591965,4.497926712,4.290644169,4.361923218,4.586849689,4.387413979,4.413131237,4.509451866,4.762583256,4.689284325,4.748415470,3.920776129,4.292247295,5.242364883,5.593360424,5.532413960]},"ndpi": {"confidence": {"6":"DPI"},"proto":"RTP","proto_id":"87","encrypted":0,"breed":"Acceptable","category_id":1,"category":"Media"}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2643,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801140764515,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140764515,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1317801140764515,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"10.16.2.25","src_port":50917,"dst_port":2000,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2643,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140764515,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1317801140764515,"pkt":"ABTy5fxCAB56JnR1CABFYAA0F0wAAEAG0wzAqMM6ChACGcblB9CCZg4uo3beQVAYIAAasgAABAAAAAAAAAAAAAAA"} 00868{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2643,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801140764515,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140764515,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1317801140764515,"l3_proto":"ip4","src_ip":"192.168.195.58","dst_ip":"10.16.2.25","src_port":50917,"dst_port":2000,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00517{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2664,"source":"skinny.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":2,"flow_src_last_pkt_time":1317801140764515,"flow_dst_last_pkt_time":1317801140821803,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1317801140821803,"pkt":"AB56JnR1ABTy5fxCCABFYAAod8dAADwGNp0KEAIZwKjDOgfQxuWjdt5BgmYOOlAQFtAn6gAAAAAAAAAA"} -01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2918,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801130506133,"flow_src_last_pkt_time":1317801141425306,"flow_dst_last_pkt_time":1317801141427620,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":492,"flow_dst_max_l4_payload_len":52,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":244,"midstream":1,"thread_ts_usec":1317801141427620,"l3_proto":"ip4","src_ip":"192.168.193.12","dst_ip":"192.168.195.50","src_port":2000,"dst_port":51532,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":704537.4,"max":7045910,"stddev":1877203.8,"var":3523893788672.0,"ent":2.2,"data": [15,57,704,686,19914,3582983,19282,3622236,2065,19,22,17967,15924,20052,36329,2146,19966,30884,40036,6899,19067,13061,64116,28324,103909,42273,80357,6999604,16,5837,7045910]},"pktlen": {"min":60,"avg":110.9,"max":546,"stddev":93.8,"var":8793.0,"ent":4.7,"data": [90,82,86,60,266,60,74,74,60,82,70,78,60,546,60,198,198,60,198,60,102,186,60,106,106,60,106,60,82,82,78,60]},"bins": {"c_to_s": [10,2,0,0,4,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,1,0,0,0,0,1,0,1,0,0,1,0,1,1,0,1,1,1,0,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02118{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2918,"source":"skinny.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1317801130506133,"flow_src_last_pkt_time":1317801141425306,"flow_dst_last_pkt_time":1317801141427620,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":492,"flow_dst_max_l4_payload_len":52,"flow_src_tot_l4_payload_len":1512,"flow_dst_tot_l4_payload_len":244,"midstream":1,"thread_ts_usec":1317801141427620,"l3_proto":"ip4","src_ip":"192.168.193.12","dst_ip":"192.168.195.50","src_port":2000,"dst_port":51532,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":704537.4,"max":7045910,"stddev":1877203.8,"var":3523893788672.0,"ent":2.2,"data": [15,57,704,686,19914,3582983,19282,3622236,2065,19,22,17967,15924,20052,36329,2146,19966,30884,40036,6899,19067,13061,64116,28324,103909,42273,80357,6999604,16,5837,7045910]},"pktlen": {"min":46,"avg":96.9,"max":532,"stddev":93.8,"var":8793.0,"ent":4.6,"data": [76,68,72,46,252,46,60,60,46,68,56,64,46,532,46,184,184,46,184,46,88,172,46,92,92,46,92,46,68,68,64,46]},"bins": {"c_to_s": [10,2,0,0,4,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,1,0,0,0,0,1,0,1,0,0,1,0,1,1,0,1,1,1,0,1,0,0,0,0,1],"entropies": [4.173766136,4.678438187,4.574613094,4.565872192,4.279353142,4.501398087,4.236247540,4.455914497,4.565872669,4.052432537,4.485925674,4.342070580,4.370963097,3.259213448,4.414441586,2.680906296,2.637759447,4.414441109,2.672017574,4.419027328,3.803910494,4.757339001,4.522394180,3.983498335,3.940019846,4.627491474,4.013442516,4.584012985,4.549689770,4.584219933,4.418852329,4.565872192]},"ndpi": {"confidence": {"6":"DPI"},"proto":"CiscoSkinny","proto_id":"164","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00728{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2941,"source":"skinny.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801141463821,"flow_src_last_pkt_time":1317801141463821,"flow_dst_last_pkt_time":1317801141463821,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801141463821,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.195.58","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3} 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2941,"source":"skinny.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1317801141463821,"flow_dst_last_pkt_time":1317801141463821,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1317801141463821,"pkt":"AB56JnR1AB1FDGVjCABFAAA4GBEAAEABWvbAqMMywKjDOgMDmwIAAAAARbgAyBe5AABAEVn2wKjDOsCowzJ9kEU2ALSefw=="} 00853{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2941,"source":"skinny.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1317801141463821,"flow_src_last_pkt_time":1317801141463821,"flow_dst_last_pkt_time":1317801141463821,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1317801141463821,"l3_proto":"ip4","src_ip":"192.168.195.50","dst_ip":"192.168.195.58","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.235927}} @@ -68,10 +68,10 @@ ~~ total active/idle flows...: 9/9 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6134676 bytes -~~ total memory freed........: 6134676 bytes -~~ total allocations/frees...: 124534/124534 +~~ total memory allocated....: 6135900 bytes +~~ total memory freed........: 6135900 bytes +~~ total allocations/frees...: 124543/124543 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1736 chars -~~ json string avg len.......: 1112 chars +~~ json string max len.......: 2135 chars +~~ json string avg len.......: 1312 chars diff --git a/test/results/skype-conference-call.pcap.out b/test/results/skype-conference-call.pcap.out index 8fa8cbf0e..3fbad9409 100644 --- a/test/results/skype-conference-call.pcap.out +++ b/test/results/skype-conference-call.pcap.out @@ -5,7 +5,7 @@ 01111{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061916646303,"flow_dst_last_pkt_time":1501061916646303,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":104,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":104,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1501061916646303,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":1,"num_binding_requests":1,"num_processed_pkts":0}}} 00649{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1501061916646303,"flow_dst_last_pkt_time":1501061916653642,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":146,"pkt_l4_len":112,"thread_ts_usec":1501061916653642,"pkt":"xCwDBkn+XEl5dU5qCABFAACERTYAAG4RtBdoLigxwKgCFOziwIIAcHm6AAEAVCESpEI8yF2moGJ4zvU2wuEABgAJeld5azpncHBlAAAAACQABG7\/\/v+AKQAIAAAAAAACl5OAVAABMQAAAIBwAAQAAAADAAgAFHnv8xovieyQrsQ6j2MMyqg8GNj1gCgABORvfhY="} 00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1501061916690803,"flow_dst_last_pkt_time":1501061916653642,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":114,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":114,"pkt_l4_len":80,"thread_ts_usec":1501061916690803,"pkt":"XEl5dU5qxCwDBkn+CABFAABkjWYAAEARmgfAqAIUaC4oMcCC7OIAUFnEAQEANCESpEI8yF2moGJ4zvU2wuEAIAAIAAHN8Ek8jHOAcAAEAAAAAwAIABSgsacIkgIOfzKEQbuerkeFTLj204AoAASK\/70B"} -01861{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061916821040,"flow_dst_last_pkt_time":1501061916812989,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":915,"flow_dst_max_l4_payload_len":167,"flow_src_tot_l4_payload_len":6417,"flow_dst_tot_l4_payload_len":1824,"midstream":0,"thread_ts_usec":1501061916821040,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":59,"avg":11013.6,"max":100094,"stddev":22446.4,"var":503839616.0,"ent":3.0,"data": [7339,44500,54477,177,54879,336,10342,20091,24441,100094,319,61,211,59,179,235,59,177,199,208,82,2810,14708,381,241,219,267,215,202,197,3718]},"pktlen": {"min":77,"avg":299.5,"max":957,"stddev":317.0,"var":100457.8,"ent":4.4,"data": [146,146,114,114,146,114,150,152,145,137,209,77,169,169,169,169,169,169,169,169,169,169,114,85,957,957,957,957,957,957,169,135]},"bins": {"c_to_s": [0,1,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,2,12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02260{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061916821040,"flow_dst_last_pkt_time":1501061916812989,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":915,"flow_dst_max_l4_payload_len":167,"flow_src_tot_l4_payload_len":6417,"flow_dst_tot_l4_payload_len":1824,"midstream":0,"thread_ts_usec":1501061916821040,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":59,"avg":11013.6,"max":100094,"stddev":22446.4,"var":503839616.0,"ent":3.0,"data": [7339,44500,54477,177,54879,336,10342,20091,24441,100094,319,61,211,59,179,235,59,177,199,208,82,2810,14708,381,241,219,267,215,202,197,3718]},"pktlen": {"min":63,"avg":285.5,"max":943,"stddev":317.0,"var":100457.8,"ent":4.3,"data": [132,132,100,100,132,100,136,138,131,123,195,63,155,155,155,155,155,155,155,155,155,155,100,71,943,943,943,943,943,943,155,121]},"bins": {"c_to_s": [0,1,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,2,12,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0,0],"entropies": [5.475533962,5.430079460,5.716311932,5.616310120,5.445230961,5.668762684,5.554492950,6.549376011,6.536014080,6.412748814,6.806855679,5.203801155,6.467489243,6.520809174,6.645484924,6.590196609,6.458263397,6.501328468,6.432456017,6.550292969,6.547129631,6.477230072,5.552665234,5.568275928,7.755900860,7.787482262,7.793358326,7.793142319,7.798308849,7.784828663,6.622673988,6.318281174]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01077{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":200,"source":"skype-conference-call.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":133,"flow_dst_packets_processed":67,"flow_first_seen":1501061916646303,"flow_src_last_pkt_time":1501061918126158,"flow_dst_last_pkt_time":1501061918151791,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":915,"flow_dst_max_l4_payload_len":915,"flow_src_tot_l4_payload_len":19259,"flow_dst_tot_l4_payload_len":12028,"midstream":0,"thread_ts_usec":1501061918151791,"l3_proto":"ip4","src_ip":"192.168.2.20","dst_ip":"104.46.40.49","src_port":49282,"dst_port":60642,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00577{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":200,"source":"skype-conference-call.pcap","alias":"nDPId-test","packets-captured":200,"packets-processed":200,"total-skipped-flows":0,"total-l4-payload-len":31287,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1501061918151791} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6049673 bytes -~~ total memory freed........: 6049673 bytes -~~ total allocations/frees...: 121689/121689 +~~ total memory allocated....: 6049809 bytes +~~ total memory freed........: 6049809 bytes +~~ total allocations/frees...: 121690/121690 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 506 chars -~~ json string max len.......: 1866 chars -~~ json string avg len.......: 1135 chars +~~ json string max len.......: 2265 chars +~~ json string avg len.......: 1309 chars diff --git a/test/results/skype.pcap.out b/test/results/skype.pcap.out index db1ab3a18..45195eb71 100644 --- a/test/results/skype.pcap.out +++ b/test/results/skype.pcap.out @@ -78,7 +78,7 @@ 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":71,"source":"skype.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1431969643343414,"flow_dst_last_pkt_time":1431969642337316,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":76,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":76,"pkt_l4_len":42,"thread_ts_usec":1431969643343414,"pkt":"0NQSxnP1PBXCt3IOCABFAAA+7pYAAEARCKXAqAEiwKgBAf4VADUAKsDYd8YBAAABAAAAAAAABGRzbjQBZAVza3lwZQNuZXQAABwAAQ=="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"skype.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1431969643486691,"flow_dst_last_pkt_time":1431969642398483,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969643486691,"pkt":"0NQSxnP1PBXCt3IOCABFAABK1twAAEARIFPAqAEiwKgBAd\/IADUANro4UU4BAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDYBcgVza3lwZQNuZXQAABwAAQ=="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":75,"source":"skype.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1431969643486838,"flow_dst_last_pkt_time":1431969642398350,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969643486838,"pkt":"0NQSxnP1PBXCt3IOCABFAABKJUgAAEAR0efAqAEiwKgBAcNGADUANrH\/diQBAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDYBcgVza3lwZQNuZXQAAAEAAQ=="} -01866{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969642444382,"flow_src_last_pkt_time":1431969643732696,"flow_dst_last_pkt_time":1431969643732623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431969643732696,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":50028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83114.7,"max":300868,"stddev":84343.9,"var":7113900544.0,"ent":4.2,"data": [75158,75224,28759,111209,161,82580,77181,227,77415,12662,300868,288212,83419,83480,324,86654,86327,3080,96533,93421,270,253866,5,253632,1,362,87184,86820,115773,3,115745]},"pktlen": {"min":66,"avg":371.8,"max":1506,"stddev":468.9,"var":219872.6,"ent":4.1,"data": [78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,279,66,66,631,167,1383,1506,71,66]},"bins": {"c_to_s": [10,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [4,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,1,0,0,0,1,0,1,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02265{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":86,"source":"skype.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969642444382,"flow_src_last_pkt_time":1431969643732696,"flow_dst_last_pkt_time":1431969643732623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431969643732696,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":50028,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83114.7,"max":300868,"stddev":84343.9,"var":7113900544.0,"ent":4.2,"data": [75158,75224,28759,111209,161,82580,77181,227,77415,12662,300868,288212,83419,83480,324,86654,86327,3080,96533,93421,270,253866,5,253632,1,362,87184,86820,115773,3,115745]},"pktlen": {"min":52,"avg":357.8,"max":1492,"stddev":468.9,"var":219872.6,"ent":4.0,"data": [64,56,52,146,1492,72,52,1492,850,52,159,52,111,111,52,281,233,52,681,233,52,249,745,265,52,52,617,153,1369,1492,57,52]},"bins": {"c_to_s": [10,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [4,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,1,0,0,0,1,0,1,1,0],"entropies": [4.566831589,5.351820469,5.169486523,5.800713062,7.041554928,5.648954391,5.207947731,7.520295143,7.684464455,5.207947731,6.679992676,5.207947731,5.987671375,6.112873554,5.131024837,7.175582409,7.117172718,5.169486523,7.686713219,7.039489746,5.169486523,7.041594028,7.715633392,7.181105614,5.169486523,5.092563629,7.678602695,6.704249382,7.873626232,7.885951519,5.348513603,5.131024361]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":109,"source":"skype.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969643944313,"flow_src_last_pkt_time":1431969643944313,"flow_dst_last_pkt_time":1431969643944313,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969643944313,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.33","src_port":50030,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":109,"source":"skype.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_src_last_pkt_time":1431969643944313,"flow_dst_last_pkt_time":1431969643944313,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969643944313,"pkt":"0NQSxnP1PBXCt3IOCABFAABAYXlAAEAG9xvAqAEiQTffIcNuAbtcUOQ7AAAAALAC\/\/9\/kQAAAgQFtAEDAwUBAQgKPiKRcAAAAAAEAgAA"} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":112,"source":"skype.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969643971809,"flow_src_last_pkt_time":1431969643971809,"flow_dst_last_pkt_time":1431969643971809,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969643971809,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":60288,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -824,7 +824,7 @@ 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1528,"source":"skype.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":1,"flow_src_last_pkt_time":1431969707326642,"flow_dst_last_pkt_time":1431969707326642,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969707326642,"pkt":"0NQSxnP1PBXCt3IOCABFAABA1ORAAEAGTF\/AqAEiQAQXpsO3Abu4qWeDAAAAALAC\/\/9x6QAAAgQFtAEDAwUBAQgKPiOH3AAAAAAEAgAA"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1531,"source":"skype.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":2,"flow_src_last_pkt_time":1431969707326642,"flow_dst_last_pkt_time":1431969707546419,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1431969707546419,"pkt":"PBXCt3IO0NQSxnP1CABFAAA8AABAADYGK0hABBemwKgBIgG7w7ccEsw5uKlnhKASOJDGigAAAgQFrAQCCApMP087PiOH3AEDAwk="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1532,"source":"skype.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":3,"flow_src_last_pkt_time":1431969707546527,"flow_dst_last_pkt_time":1431969707546419,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431969707546527,"pkt":"0NQSxnP1PBXCt3IOCABFAAA0EpBAAEAGDsDAqAEiQAQXpsO3Abu4qWeEHBLMOoAQECwc2gAAAQEICj4jiLdMP087"} -01766{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1547,"source":"skype.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431969648258514,"flow_src_last_pkt_time":1431969708341272,"flow_dst_last_pkt_time":1431969648258514,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10560,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969708341272,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14698,"avg":1938153.5,"max":19850743,"stddev":5863265.0,"var":34377878732800.0,"ent":1.7,"data": [15861,16704,16998,17146,15818,17029,16643,16363,16834,19850743,15743,18751,14698,83170,16831,19850724,16057,16593,16866,16918,16233,17002,16501,16455,16854,19850599,16277,16449,16736,16676,16486]},"pktlen": {"min":327,"avg":372.0,"max":405,"stddev":29.2,"var":851.5,"ent":5.0,"data": [333,351,405,397,327,369,401,347,399,393,333,351,405,397,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,3,10,6,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +02165{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1547,"source":"skype.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431969648258514,"flow_src_last_pkt_time":1431969708341272,"flow_dst_last_pkt_time":1431969648258514,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10560,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969708341272,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14698,"avg":1938153.5,"max":19850743,"stddev":5863265.0,"var":34377878732800.0,"ent":1.7,"data": [15861,16704,16998,17146,15818,17029,16643,16363,16834,19850743,15743,18751,14698,83170,16831,19850724,16057,16593,16866,16918,16233,17002,16501,16455,16854,19850599,16277,16449,16736,16676,16486]},"pktlen": {"min":313,"avg":358.0,"max":391,"stddev":29.2,"var":851.5,"ent":5.0,"data": [319,337,391,383,313,355,387,333,385,379,319,337,391,383,385,379,319,337,391,383,313,355,387,333,385,379,319,337,391,383,313,355]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,3,10,6,13,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [5.771956921,5.745192528,5.705901623,5.747788906,5.703627110,5.702535152,5.702753544,5.689080238,5.666057110,5.690359116,5.771956921,5.737018108,5.707276821,5.747788906,5.667453766,5.678885460,5.757758617,5.745192528,5.721078873,5.742736340,5.694825172,5.702535152,5.718088150,5.701518059,5.681470871,5.690359116,5.765686989,5.734481335,5.721078873,5.754981518,5.697237015,5.696901798]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1578,"source":"skype.pcap","alias":"nDPId-test","flow_id":69,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969659392325,"flow_src_last_pkt_time":1431969659392325,"flow_dst_last_pkt_time":1431969659392325,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969710229250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.24","src_port":13021,"dst_port":40001,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1578,"source":"skype.pcap","alias":"nDPId-test","flow_id":76,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969660403962,"flow_src_last_pkt_time":1431969660403962,"flow_dst_last_pkt_time":1431969660403962,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969710229250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.21","src_port":13021,"dst_port":40004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1578,"source":"skype.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969656410539,"flow_src_last_pkt_time":1431969656410539,"flow_dst_last_pkt_time":1431969656410539,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969710229250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.33","src_port":13021,"dst_port":40011,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} @@ -903,7 +903,7 @@ 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1625,"source":"skype.pcap","alias":"nDPId-test","flow_id":232,"flow_packet_id":3,"flow_src_last_pkt_time":1431969712981073,"flow_dst_last_pkt_time":1431969712980992,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969712981073,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoyL5AAEAGfAvAqAEiW77YfcO9MD57jsMtWI4CD1AQIAAMeQAA"} 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1632,"source":"skype.pcap","alias":"nDPId-test","flow_id":230,"flow_packet_id":2,"flow_src_last_pkt_time":1431969713175058,"flow_dst_last_pkt_time":1431969712913984,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969713175058,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoTzkAAEARqBjAqAEiwKgBAdMzFOcAFCBsAAEAADLdMt0AAA4Q"} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1633,"source":"skype.pcap","alias":"nDPId-test","flow_id":231,"flow_packet_id":2,"flow_src_last_pkt_time":1431969713177253,"flow_dst_last_pkt_time":1431969712918145,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1431969713177253,"pkt":"PBXCt3IO0NQSxnP1CABFwABEBYIAAEAB8QPAqAEBwKgBIgMDgJYAAAAARQAAKE85AABAEagYwKgBIsCoAQHTMxTnABQgbAABAAAy3TLdAAAOEA=="} -01593{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1658,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431969710853799,"flow_src_last_pkt_time":1431969713563704,"flow_dst_last_pkt_time":1431969713605215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1305,"flow_dst_tot_l4_payload_len":2277,"midstream":0,"thread_ts_usec":1431969713605215,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":176171.6,"max":964718,"stddev":204459.3,"var":41803603968.0,"ent":4.2,"data": [243983,244064,543,204260,761004,964718,546,202004,201464,40219,40223,162241,162248,40183,40179,200900,6,200973,204113,204068,127,240781,240640,207489,6,207586,2955,4516,199645,198010,41627]},"pktlen": {"min":66,"avg":178.6,"max":1506,"stddev":286.0,"var":81813.5,"ent":4.0,"data": [78,74,66,138,66,123,66,74,74,66,66,102,134,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,619,549,66]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,1]}} +01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1658,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431969710853799,"flow_src_last_pkt_time":1431969713563704,"flow_dst_last_pkt_time":1431969713605215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1305,"flow_dst_tot_l4_payload_len":2277,"midstream":0,"thread_ts_usec":1431969713605215,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":176171.6,"max":964718,"stddev":204459.3,"var":41803603968.0,"ent":4.2,"data": [243983,244064,543,204260,761004,964718,546,202004,201464,40219,40223,162241,162248,40183,40179,200900,6,200973,204113,204068,127,240781,240640,207489,6,207586,2955,4516,199645,198010,41627]},"pktlen": {"min":52,"avg":164.6,"max":1492,"stddev":286.0,"var":81813.5,"ent":3.9,"data": [64,60,52,124,52,109,52,60,60,52,52,88,120,52,52,91,52,55,52,196,52,56,52,661,52,56,52,1492,106,605,535,52]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,1],"entropies": [4.654482365,5.212701321,5.101990700,6.432995319,5.118428230,6.083127022,5.116507530,5.534151554,5.402482510,5.231892586,5.118428230,6.070055008,6.375442505,5.116507530,5.156889915,5.975852489,5.062724113,5.142062187,5.193430901,6.836936951,5.140452385,5.287363052,5.118428230,7.709677696,5.065449715,5.231198311,5.125935555,7.866834641,6.284335136,7.671433449,7.556340218,5.014835358]}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1658,"source":"skype.pcap","alias":"nDPId-test","flow_id":227,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431969710853799,"flow_src_last_pkt_time":1431969713563704,"flow_dst_last_pkt_time":1431969713605215,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1305,"flow_dst_tot_l4_payload_len":2277,"midstream":0,"thread_ts_usec":1431969713605215,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.28","src_port":50108,"dst_port":40009,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1659,"source":"skype.pcap","alias":"nDPId-test","flow_id":230,"flow_packet_id":3,"flow_src_last_pkt_time":1431969713715848,"flow_dst_last_pkt_time":1431969712913984,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969713715848,"pkt":"0NQSxnP1PBXCt3IOCABFAAAorjMAAEARSR7AqAEiwKgBAdMzFOcAFCBsAAEAADLdMt0AAA4Q"} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1660,"source":"skype.pcap","alias":"nDPId-test","flow_id":231,"flow_packet_id":3,"flow_src_last_pkt_time":1431969713717677,"flow_dst_last_pkt_time":1431969712918145,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1431969713717677,"pkt":"PBXCt3IO0NQSxnP1CABFwABEBYMAAEAB8QLAqAEBwKgBIgMDgJYAAAAARQAAKK4zAABAEUkewKgBIsCoAQHTMxTnABQgbAABAAAy3TLdAAAOEA=="} @@ -981,7 +981,7 @@ 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1857,"source":"skype.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":1,"flow_src_last_pkt_time":1431969716182666,"flow_dst_last_pkt_time":1431969716182666,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969716182666,"pkt":"0NQSxnP1PBXCt3IOCABFAABAI3FAAEAG8D7AqAEiUYUTucPKrY8W93X3AAAAALAC\/\/8pggAAAgQFtAEDAwUBAQgKPiOqBgAAAAAEAgAA"} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1877,"source":"skype.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":2,"flow_src_last_pkt_time":1431969716182666,"flow_dst_last_pkt_time":1431969716265530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969716265530,"pkt":"PBXCt3IO0NQSxnP1CABFAABAivNAADAGmLxRhRO5wKgBIq2Pw8rX0EaLFvd1+LAS\/\/\/WdwAAAgQFrAEDAwUBAQgKArAx9T4jqgYEAgAA"} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1878,"source":"skype.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":3,"flow_src_last_pkt_time":1431969716265616,"flow_dst_last_pkt_time":1431969716265530,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431969716265616,"pkt":"0NQSxnP1PBXCt3IOCABFAAA0OVVAAEAG2mbAqAEiUYUTucPKrY8W93X419BGjIAQECwFxAAAAQEICj4jqlUCsDH1"} -01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1914,"source":"skype.pcap","alias":"nDPId-test","flow_id":250,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1431969715511238,"flow_src_last_pkt_time":1431969716485221,"flow_dst_last_pkt_time":1431969716484897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1183,"flow_src_tot_l4_payload_len":1698,"flow_dst_tot_l4_payload_len":1733,"midstream":0,"thread_ts_usec":1431969716485221,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"86.31.35.30","src_port":50119,"dst_port":59621,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":62827.2,"max":199756,"stddev":60860.2,"var":3703968000.0,"ent":4.2,"data": [83391,83495,120,64053,63956,403,68492,68085,2947,71202,68249,199756,199749,154162,154128,2646,133845,131248,179,107,71,64327,8428,55511,127901,188,164,70489,3,70121,226]},"pktlen": {"min":66,"avg":173.8,"max":1249,"stddev":252.0,"var":63524.5,"ent":4.2,"data": [78,74,66,126,113,66,83,80,66,820,80,66,66,70,1249,66,623,166,144,94,133,123,66,66,146,66,94,87,361,66,66,93]},"bins": {"c_to_s": [14,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,1,1,1,0,0,0,1,1,0,0]}} +01966{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1914,"source":"skype.pcap","alias":"nDPId-test","flow_id":250,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1431969715511238,"flow_src_last_pkt_time":1431969716485221,"flow_dst_last_pkt_time":1431969716484897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1183,"flow_src_tot_l4_payload_len":1698,"flow_dst_tot_l4_payload_len":1733,"midstream":0,"thread_ts_usec":1431969716485221,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"86.31.35.30","src_port":50119,"dst_port":59621,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":62827.2,"max":199756,"stddev":60860.2,"var":3703968000.0,"ent":4.2,"data": [83391,83495,120,64053,63956,403,68492,68085,2947,71202,68249,199756,199749,154162,154128,2646,133845,131248,179,107,71,64327,8428,55511,127901,188,164,70489,3,70121,226]},"pktlen": {"min":52,"avg":159.8,"max":1235,"stddev":252.0,"var":63524.5,"ent":4.0,"data": [64,60,52,112,99,52,69,66,52,806,66,52,52,56,1235,52,609,152,130,80,119,109,52,52,132,52,80,73,347,52,52,79]},"bins": {"c_to_s": [14,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,1,1,1,0,0,0,1,1,0,0],"entropies": [4.654482365,5.333454132,5.195351601,6.316112518,6.194816113,5.156889915,5.495990753,5.445763588,5.118428230,7.748650074,5.476066589,5.118428230,5.115703106,5.253432751,7.862428188,5.079966545,7.627686024,6.621866226,6.402141094,5.698502541,6.358891010,6.256488323,5.154164791,5.171407223,6.388115883,5.233812809,5.866852760,5.718504906,7.269364357,5.171407223,5.094483376,5.681488514]}} 00813{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1914,"source":"skype.pcap","alias":"nDPId-test","flow_id":250,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1431969715511238,"flow_src_last_pkt_time":1431969716485221,"flow_dst_last_pkt_time":1431969716484897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":754,"flow_dst_max_l4_payload_len":1183,"flow_src_tot_l4_payload_len":1698,"flow_dst_tot_l4_payload_len":1733,"midstream":0,"thread_ts_usec":1431969716485221,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"86.31.35.30","src_port":50119,"dst_port":59621,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 01183{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1947,"source":"skype.pcap","alias":"nDPId-test","flow_id":45,"flow_packet_id":3,"flow_src_last_pkt_time":1431969716797621,"flow_dst_last_pkt_time":1431969656652360,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1431969716797621,"pkt":"\/\/\/\/\/\/\/\/PBXCt3IOCABFAAISY\/IAAEARUx\/AqAEi\/\/\/\/\/0RcRFwB\/vqceyJob3N0X2ludCI6IDE1NzMxOTU0NDUsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="} 01178{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1948,"source":"skype.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1431969716797900,"flow_dst_last_pkt_time":1431969656652710,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1431969716797900,"pkt":"\/\/\/\/\/\/\/\/PBXCt3IOCABFAAISf8oAAEARdJ\/AqAEiwKgB\/0RcRFwB\/jf1eyJob3N0X2ludCI6IDE1NzMxOTU0NDUsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="} @@ -1031,7 +1031,7 @@ 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2164,"source":"skype.pcap","alias":"nDPId-test","flow_id":261,"flow_packet_id":1,"flow_src_last_pkt_time":1431969719561453,"flow_dst_last_pkt_time":1431969719561453,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431969719561453,"pkt":"0NQSxnP1PBXCt3IOCABFAABAR+5AAEAG+sPAqAEiW77afcPRMD4OYtZAAAAAALAC\/\/9xPAAAAgQFtAEDAwUBAQgKPiO25AAAAAAEAgAA"} 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2177,"source":"skype.pcap","alias":"nDPId-test","flow_id":261,"flow_packet_id":2,"flow_src_last_pkt_time":1431969719561453,"flow_dst_last_pkt_time":1431969719623289,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431969719623289,"pkt":"PBXCt3IO0NQSxnP1CABFAAA0Hj5AAPQGcH9bvtp9wKgBIjA+w9E3PWT9DmLWQYASH\/7iJQAAAgQFoAEDAwQBAQQC"} 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2180,"source":"skype.pcap","alias":"nDPId-test","flow_id":261,"flow_packet_id":3,"flow_src_last_pkt_time":1431969719623434,"flow_dst_last_pkt_time":1431969719623289,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431969719623434,"pkt":"0NQSxnP1PBXCt3IOCABFAAAo4VtAAEAGYW7AqAEiW77afcPRMD4OYtZBNz1k\/lAQIAAi3wAA"} -01835{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2213,"source":"skype.pcap","alias":"nDPId-test","flow_id":260,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1431969719110749,"flow_src_last_pkt_time":1431969720072924,"flow_dst_last_pkt_time":1431969720249898,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2665,"flow_dst_tot_l4_payload_len":3500,"midstream":0,"thread_ts_usec":1431969720249898,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":50128,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":67784.6,"max":604696,"stddev":135914.5,"var":18472736768.0,"ent":3.0,"data": [148679,148806,840,151642,7,49,150807,1,231,1,31483,95,153251,682,32561,5239,16750,14,176748,67,2129,1532,4,3534,1,449491,70,604696,5454,16453,7]},"pktlen": {"min":54,"avg":248.9,"max":1494,"stddev":350.9,"var":123149.1,"ent":4.0,"data": [78,60,54,287,60,146,91,54,54,60,91,680,620,60,60,60,60,387,90,54,54,1494,1221,80,54,54,673,632,60,60,387,90]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,3,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02234{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2213,"source":"skype.pcap","alias":"nDPId-test","flow_id":260,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1431969719110749,"flow_src_last_pkt_time":1431969720072924,"flow_dst_last_pkt_time":1431969720249898,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2665,"flow_dst_tot_l4_payload_len":3500,"midstream":0,"thread_ts_usec":1431969720249898,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":50128,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":67784.6,"max":604696,"stddev":135914.5,"var":18472736768.0,"ent":3.0,"data": [148679,148806,840,151642,7,49,150807,1,231,1,31483,95,153251,682,32561,5239,16750,14,176748,67,2129,1532,4,3534,1,449491,70,604696,5454,16453,7]},"pktlen": {"min":40,"avg":234.9,"max":1480,"stddev":350.9,"var":123149.1,"ent":3.9,"data": [64,46,40,273,46,132,77,40,40,46,77,666,606,46,46,46,46,373,76,40,40,1480,1207,66,40,40,659,618,46,46,373,76]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,3,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,1,0,0,1,1,1,0,0,0,0,1,1,1,1],"entropies": [4.566831589,5.009399891,4.831687450,6.027278900,4.565872192,6.096841335,5.810150623,4.781687260,4.831687450,4.838567257,5.654305935,7.685338974,7.680083275,4.565872192,4.609350681,4.652828693,4.522393227,7.430202484,5.691814423,4.731687546,4.781687260,7.874620914,7.827808857,5.536673069,4.831687450,4.781687260,7.725860596,7.639239788,4.609350204,4.565871716,7.405247211,5.760828972]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleiCloud","proto_id":"91.143","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00929{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2226,"source":"skype.pcap","alias":"nDPId-test","flow_id":108,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969666429312,"flow_src_last_pkt_time":1431969666429312,"flow_dst_last_pkt_time":1431969666429312,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720514647,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.26","src_port":13021,"dst_port":40026,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00929{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2226,"source":"skype.pcap","alias":"nDPId-test","flow_id":111,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969666429312,"flow_src_last_pkt_time":1431969666429312,"flow_dst_last_pkt_time":1431969666429312,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720514647,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.52.47","src_port":13021,"dst_port":40029,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2226,"source":"skype.pcap","alias":"nDPId-test","flow_id":104,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969665416767,"flow_src_last_pkt_time":1431969665416767,"flow_dst_last_pkt_time":1431969665416767,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720514647,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"64.4.23.146","src_port":13021,"dst_port":33033,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} @@ -1074,7 +1074,7 @@ 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2227,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969720556330,"flow_src_last_pkt_time":1431969720556330,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":46,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":46,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720556330,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":56387,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2227,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_packet_id":1,"flow_src_last_pkt_time":1431969720556330,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969720556330,"pkt":"0NQSxnP1PBXCt3IOCABFAABK65gAAEARC5fAqAEiwKgBAdxDADUANtEePu0BAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDUBcgVza3lwZQNuZXQAABwAAQ=="} 01019{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2227,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969720556330,"flow_src_last_pkt_time":1431969720556330,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":46,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":46,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":46,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969720556330,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":56387,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Skype_Teams","proto_id":"5.125","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"335.0.7.7.3.rst5.r.skype.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":28,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01603{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2241,"source":"skype.pcap","alias":"nDPId-test","flow_id":251,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969716015431,"flow_src_last_pkt_time":1431969721054543,"flow_dst_last_pkt_time":1431969721054434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":753,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":1406,"midstream":0,"thread_ts_usec":1431969721054543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":50121,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":104,"avg":325100.5,"max":1782015,"stddev":509745.4,"var":259840393216.0,"ent":3.6,"data": [60786,60878,104,60135,60019,392,72414,72021,2895,63202,60274,262292,262312,157419,157474,3644,187775,184138,1852,62855,110047,171036,158,63674,63522,1468105,1782015,746099,1060012,1410290,1410276]},"pktlen": {"min":66,"avg":157.3,"max":1190,"stddev":243.1,"var":59118.2,"ent":4.1,"data": [78,74,66,111,127,66,82,80,66,819,80,66,66,70,1190,66,623,111,102,86,66,109,66,95,94,66,103,66,104,66,105,66]},"bins": {"c_to_s": [14,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,1,0]}} +01995{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2241,"source":"skype.pcap","alias":"nDPId-test","flow_id":251,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969716015431,"flow_src_last_pkt_time":1431969721054543,"flow_dst_last_pkt_time":1431969721054434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":753,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":1406,"midstream":0,"thread_ts_usec":1431969721054543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":50121,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":104,"avg":325100.5,"max":1782015,"stddev":509745.4,"var":259840393216.0,"ent":3.6,"data": [60786,60878,104,60135,60019,392,72414,72021,2895,63202,60274,262292,262312,157419,157474,3644,187775,184138,1852,62855,110047,171036,158,63674,63522,1468105,1782015,746099,1060012,1410290,1410276]},"pktlen": {"min":52,"avg":143.3,"max":1176,"stddev":243.1,"var":59118.2,"ent":3.9,"data": [64,60,52,97,113,52,68,66,52,805,66,52,52,56,1176,52,609,97,88,72,52,95,52,81,80,52,89,52,90,52,91,52]},"bins": {"c_to_s": [14,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,0,1,1,0,1,0],"entropies": [4.685732365,5.340227127,5.233813286,6.019866467,6.368683815,5.195351601,5.624080658,5.536673069,5.195351601,7.760460854,5.585841656,5.156889915,5.154164791,5.266912937,7.819509983,5.195351601,7.645509243,6.085315704,5.933692455,5.598238945,5.231087685,5.933996201,5.195351601,5.713249207,5.826287746,5.233813286,5.866018772,5.171407223,5.955576897,5.094483852,6.043343544,5.154164791]}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":2241,"source":"skype.pcap","alias":"nDPId-test","flow_id":251,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969716015431,"flow_src_last_pkt_time":1431969721054543,"flow_dst_last_pkt_time":1431969721054434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":753,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1497,"flow_dst_tot_l4_payload_len":1406,"midstream":0,"thread_ts_usec":1431969721054543,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":50121,"dst_port":17639,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2273,"source":"skype.pcap","alias":"nDPId-test","flow_id":262,"flow_packet_id":2,"flow_src_last_pkt_time":1431969721596689,"flow_dst_last_pkt_time":1431969720556111,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969721596689,"pkt":"0NQSxnP1PBXCt3IOCABFAABKt0gAAEARP+fAqAEiwKgBAc4GADUANhjrBXkBAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDUBcgVza3lwZQNuZXQAAAEAAQ=="} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2274,"source":"skype.pcap","alias":"nDPId-test","flow_id":263,"flow_packet_id":2,"flow_src_last_pkt_time":1431969721596772,"flow_dst_last_pkt_time":1431969720556330,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":88,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":88,"pkt_l4_len":54,"thread_ts_usec":1431969721596772,"pkt":"0NQSxnP1PBXCt3IOCABFAABKslEAAEARRN7AqAEiwKgBAdxDADUANtEePu0BAAABAAAAAAAAAzMzNQEwATcBNwEzBHJzdDUBcgVza3lwZQNuZXQAABwAAQ=="} @@ -1193,7 +1193,7 @@ 00932{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2553,"source":"skype.pcap","alias":"nDPId-test","flow_id":199,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969689470981,"flow_src_last_pkt_time":1431969689470981,"flow_dst_last_pkt_time":1431969689470981,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":22,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":22,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969740588701,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"213.199.179.152","src_port":13021,"dst_port":40023,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2553,"source":"skype.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":0,"flow_first_seen":1431969642337316,"flow_src_last_pkt_time":1431969668794605,"flow_dst_last_pkt_time":1431969642337316,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":34,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":34,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969740588701,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":65045,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Skype_Teams","proto_id":"5.125","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00932{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":2553,"source":"skype.pcap","alias":"nDPId-test","flow_id":206,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969691496472,"flow_src_last_pkt_time":1431969691496472,"flow_dst_last_pkt_time":1431969691496472,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969740588701,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"213.199.179.145","src_port":13021,"dst_port":40027,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01609{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2580,"source":"skype.pcap","alias":"nDPId-test","flow_id":248,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969715510906,"flow_src_last_pkt_time":1431969745372080,"flow_dst_last_pkt_time":1431969745371963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":777,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1536,"flow_dst_tot_l4_payload_len":1336,"midstream":0,"thread_ts_usec":1431969745372080,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50117,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":1926523.6,"max":25523822,"stddev":6196933.5,"var":38401982070784.0,"ent":2.0,"data": [228112,228245,119,219602,219451,352,214503,214173,209707,209682,96,381818,2061048,2011661,148181,480497,212142,212191,3594,275159,271497,162,220246,3,220142,134,216099,215969,136225,25387599,25523822]},"pktlen": {"min":66,"avg":156.5,"max":1090,"stddev":232.3,"var":53983.1,"ent":4.1,"data": [78,78,66,123,101,66,83,80,66,80,66,70,66,843,66,1090,66,156,66,623,108,134,93,66,112,66,95,122,66,66,81,66]},"bins": {"c_to_s": [14,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,1,0]}} +02005{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2580,"source":"skype.pcap","alias":"nDPId-test","flow_id":248,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969715510906,"flow_src_last_pkt_time":1431969745372080,"flow_dst_last_pkt_time":1431969745371963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":777,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1536,"flow_dst_tot_l4_payload_len":1336,"midstream":0,"thread_ts_usec":1431969745372080,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50117,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":1926523.6,"max":25523822,"stddev":6196933.5,"var":38401982070784.0,"ent":2.0,"data": [228112,228245,119,219602,219451,352,214503,214173,209707,209682,96,381818,2061048,2011661,148181,480497,212142,212191,3594,275159,271497,162,220246,3,220142,134,216099,215969,136225,25387599,25523822]},"pktlen": {"min":52,"avg":142.5,"max":1076,"stddev":232.3,"var":53983.1,"ent":4.0,"data": [64,64,52,109,87,52,69,66,52,66,52,56,52,829,52,1076,52,142,52,609,94,120,79,52,98,52,81,108,52,52,67,52]},"bins": {"c_to_s": [14,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,1,0],"entropies": [4.611437321,4.654482365,4.944975376,6.187591553,5.911162853,5.308815479,5.697440624,5.646447659,5.308815479,5.676750660,5.308815479,5.323077679,5.233812809,7.755376339,5.101185799,7.836594582,5.231892586,6.520278931,5.078045845,7.657844543,5.946936607,6.397566319,5.868788719,5.233813286,6.106810570,5.231892586,5.915599823,6.143779278,5.270353794,5.272274494,5.762140274,5.270353794]}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":2580,"source":"skype.pcap","alias":"nDPId-test","flow_id":248,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431969715510906,"flow_src_last_pkt_time":1431969745372080,"flow_dst_last_pkt_time":1431969745371963,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":777,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1536,"flow_dst_tot_l4_payload_len":1336,"midstream":0,"thread_ts_usec":1431969745372080,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50117,"dst_port":18767,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2593,"source":"skype.pcap","alias":"nDPId-test","flow_id":274,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969745776534,"flow_src_last_pkt_time":1431969745776534,"flow_dst_last_pkt_time":1431969745776534,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":133,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":133,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":133,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969745776534,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"239.255.255.250","src_port":56886,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00681{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2593,"source":"skype.pcap","alias":"nDPId-test","flow_id":274,"flow_packet_id":1,"flow_src_last_pkt_time":1431969745776534,"flow_dst_last_pkt_time":1431969745776534,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":175,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":175,"pkt_l4_len":141,"thread_ts_usec":1431969745776534,"pkt":"AQBef\/\/6PBXCt3IOCABFAACh3hQAAAERKXPAqAEi7\/\/\/+t42B2wAjVUWTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KTVg6IDINCkhPU1Q6IDIzOS4yNTUuMjU1LjI1MDoxOTAwDQpNQU46ICJzc2RwOmRpc2NvdmVyIg0KU1Q6IHVybjpzY2hlbWFzLXVwbnAtb3JnOnNlcnZpY2U6V0FOUFBQQ29ubmVjdGlvbjoxDQoNCg=="} @@ -1494,7 +1494,7 @@ 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3251,"source":"skype.pcap","alias":"nDPId-test","flow_id":29,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969653376578,"flow_src_last_pkt_time":1431969653376578,"flow_dst_last_pkt_time":1431969653376578,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":24,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":24,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":24,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969802019013,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.15","src_port":13021,"dst_port":40026,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00930{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3251,"source":"skype.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969653376411,"flow_src_last_pkt_time":1431969653376411,"flow_dst_last_pkt_time":1431969653376411,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969802019013,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.55.130.155","src_port":13021,"dst_port":40020,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00930{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":3251,"source":"skype.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431969654389222,"flow_src_last_pkt_time":1431969654389222,"flow_dst_last_pkt_time":1431969654389222,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431969802019013,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.55.235.176","src_port":13021,"dst_port":40022,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01612{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3269,"source":"skype.pcap","alias":"nDPId-test","flow_id":283,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969771806353,"flow_src_last_pkt_time":1431969808100305,"flow_dst_last_pkt_time":1431969777317750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1531,"flow_dst_tot_l4_payload_len":1305,"midstream":0,"thread_ts_usec":1431969808100305,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50138,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":1348559.6,"max":30125563,"stddev":5301136.0,"var":28102044418048.0,"ent":1.9,"data": [214728,214808,140,223488,223372,360,217535,217176,213636,213655,98,315319,2988490,3022192,145311,494208,215912,215930,3576,275623,272053,209,291401,291140,160,74979,137019,211866,164254,30125563,821148]},"pktlen": {"min":66,"avg":155.4,"max":1090,"stddev":232.5,"var":54056.9,"ent":4.1,"data": [78,78,66,106,101,66,83,80,66,80,66,70,66,842,66,1090,66,156,66,622,101,146,95,111,66,95,66,114,66,66,66,66]},"bins": {"c_to_s": [15,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,0,1,1,0,1,0,0]}} +02007{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3269,"source":"skype.pcap","alias":"nDPId-test","flow_id":283,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969771806353,"flow_src_last_pkt_time":1431969808100305,"flow_dst_last_pkt_time":1431969777317750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1531,"flow_dst_tot_l4_payload_len":1305,"midstream":0,"thread_ts_usec":1431969808100305,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50138,"dst_port":18767,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":1348559.6,"max":30125563,"stddev":5301136.0,"var":28102044418048.0,"ent":1.9,"data": [214728,214808,140,223488,223372,360,217535,217176,213636,213655,98,315319,2988490,3022192,145311,494208,215912,215930,3576,275623,272053,209,291401,291140,160,74979,137019,211866,164254,30125563,821148]},"pktlen": {"min":52,"avg":141.4,"max":1076,"stddev":232.5,"var":54056.9,"ent":4.0,"data": [64,64,52,92,87,52,69,66,52,66,52,56,52,828,52,1076,52,142,52,608,87,132,81,97,52,81,52,100,52,52,52,52]},"bins": {"c_to_s": [15,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,1,0,0,1,1,0,1,0,0],"entropies": [4.654482365,4.685732365,4.944975376,5.966120720,5.970302582,5.308815479,5.715485096,5.705540657,5.270353794,5.705540657,5.270353794,5.300843716,5.347277164,7.737775803,5.385738850,7.811435223,5.116507530,6.632953644,5.231892586,7.624665260,6.070933819,6.535917759,5.915600300,6.177032948,5.154969215,5.788875103,5.231892586,6.220213890,5.193430901,5.347277164,5.193430901,5.270353794]}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":3269,"source":"skype.pcap","alias":"nDPId-test","flow_id":283,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1431969771806353,"flow_src_last_pkt_time":1431969808100305,"flow_dst_last_pkt_time":1431969777317750,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":776,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":1531,"flow_dst_tot_l4_payload_len":1305,"midstream":0,"thread_ts_usec":1431969808100305,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"71.238.7.203","src_port":50138,"dst_port":18767,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00808{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":3284,"source":"skype.pcap","alias":"nDPId-test","flow_id":221,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":4,"flow_first_seen":1431969704664322,"flow_src_last_pkt_time":1431969723753428,"flow_dst_last_pkt_time":1431969723753303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":114,"midstream":0,"thread_ts_usec":1431969808951480,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.15","src_port":50098,"dst_port":40026,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00763{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":3284,"source":"skype.pcap","alias":"nDPId-test","flow_id":221,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":4,"flow_first_seen":1431969704664322,"flow_src_last_pkt_time":1431969723753428,"flow_dst_last_pkt_time":1431969723753303,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":81,"flow_dst_max_l4_payload_len":87,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":114,"midstream":0,"thread_ts_usec":1431969808951480,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"65.55.223.15","src_port":50098,"dst_port":40026,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -1866,10 +1866,10 @@ ~~ total active/idle flows...: 293/293 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6825056 bytes -~~ total memory freed........: 6825056 bytes -~~ total allocations/frees...: 127591/127591 +~~ total memory allocated....: 6864904 bytes +~~ total memory freed........: 6864904 bytes +~~ total allocations/frees...: 127884/127884 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars -~~ json string max len.......: 1871 chars -~~ json string avg len.......: 1180 chars +~~ json string max len.......: 2270 chars +~~ json string avg len.......: 1380 chars diff --git a/test/results/skype_no_unknown.pcap.out b/test/results/skype_no_unknown.pcap.out index cec1e8b7c..ba6094e20 100644 --- a/test/results/skype_no_unknown.pcap.out +++ b/test/results/skype_no_unknown.pcap.out @@ -79,7 +79,7 @@ 01007{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":72,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970636044810,"flow_src_last_pkt_time":1431970636044810,"flow_dst_last_pkt_time":1431970636044810,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":197,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":197,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1431970636044810,"l3_proto":"ip4","src_ip":"17.143.160.149","dst_ip":"192.168.1.34","src_port":5223,"dst_port":50407,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_src_last_pkt_time":1431970636044810,"flow_dst_last_pkt_time":1431970636044874,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1431970636044874,"pkt":"0NQSxnP1PBXCt3IOCABFAAA0K69AAEAGmybAqAEiEY+glcTnFGcgAvEUyi6rq4AQD\/mVBgAAAQEICj4xjDlVV93M"} 00658{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":74,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":3,"flow_src_last_pkt_time":1431970636044810,"flow_dst_last_pkt_time":1431970636045750,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":156,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":156,"pkt_l4_len":122,"thread_ts_usec":1431970636045750,"pkt":"0NQSxnP1PBXCt3IOCABFAACO6xNAAEAG22fAqAEiEY+glcTnFGcgAvEUyi6rq4AYEAB7VwAAAQEICj4xjDlVV93MFwMBACDcBm8C5CuEds5WH7uOVSaoSAeWe3pVfjpiQwGsBHUCdhcDAQAwqX6WBIxQfVe36rHY2TMg9Ev1HCHJmLbDku3Ki37TObTq6YVIEEF1VGVKw\/q+D6y6"} -01879{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970634729598,"flow_src_last_pkt_time":1431970635881910,"flow_dst_last_pkt_time":1431970636210299,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431970636210299,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":51230,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":84935.9,"max":302172,"stddev":91274.9,"var":8331100672.0,"ent":4.1,"data": [75602,75664,27532,108847,162,81462,75632,793,76430,15396,302172,286823,74727,74702,490,91055,90550,1676,83562,81907,257,247113,246931,287,176,301,92281,92015,289787,38677,4]},"pktlen": {"min":66,"avg":371.8,"max":1506,"stddev":468.9,"var":219872.6,"ent":4.1,"data": [78,70,66,160,1506,86,66,1506,864,66,173,66,125,125,66,295,247,66,695,247,66,263,759,66,279,66,631,167,1383,66,1506,71]},"bins": {"c_to_s": [9,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [5,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02278{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":77,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970634729598,"flow_src_last_pkt_time":1431970635881910,"flow_dst_last_pkt_time":1431970636210299,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1317,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3197,"flow_dst_tot_l4_payload_len":6571,"midstream":0,"thread_ts_usec":1431970636210299,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"157.56.126.211","src_port":51230,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":84935.9,"max":302172,"stddev":91274.9,"var":8331100672.0,"ent":4.1,"data": [75602,75664,27532,108847,162,81462,75632,793,76430,15396,302172,286823,74727,74702,490,91055,90550,1676,83562,81907,257,247113,246931,287,176,301,92281,92015,289787,38677,4]},"pktlen": {"min":52,"avg":357.8,"max":1492,"stddev":468.9,"var":219872.6,"ent":4.0,"data": [64,56,52,146,1492,72,52,1492,850,52,159,52,111,111,52,281,233,52,681,233,52,249,745,52,265,52,617,153,1369,52,1492,57]},"bins": {"c_to_s": [9,1,1,1,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [5,1,0,1,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,1,0,1,1,1],"entropies": [4.566831589,5.231197834,5.207947731,5.674067974,7.049631596,5.565620899,5.131024837,7.511627674,7.685983658,5.092563152,6.689486980,5.207948208,6.034001350,6.063236237,5.131024361,7.255164623,6.962138176,5.078045845,7.665988445,7.021088123,5.092563152,7.174606800,7.695394039,5.169486046,7.219842434,5.169486046,7.676120758,6.637963295,7.867539883,5.207947731,7.870429039,5.313425064]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Skype_Teams","proto_id":"91.125","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":87,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970636300980,"flow_src_last_pkt_time":1431970636300980,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970636300980,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":50055,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_src_last_pkt_time":1431970636300980,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1431970636300980,"pkt":"0NQSxnP1PBXCt3IOCABFAABLV\/cAAEARnzfAqAEiwKgBAcOHADUANwqgVG4BAAABAAAAAAAABHBpcGUDcHJkCXNreXBlZGF0YQZha2FkbnMDbmV0AAABAAE="} 01027{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970636300980,"flow_src_last_pkt_time":1431970636300980,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970636300980,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.1","src_port":50055,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Skype_Teams","proto_id":"5.125","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"pipe.prd.skypedata.akadns.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -111,7 +111,7 @@ 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":273,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1431970637443973,"flow_dst_last_pkt_time":1431970635325136,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":72,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":72,"pkt_l4_len":38,"thread_ts_usec":1431970637443973,"pkt":"0NQSxnP1PBXCt3IOCABFAAA6+FgAAEAR\/ubAqAEiwKgBAfgaADUAJptGWcsBAAABAAAAAAAAAnVpBXNreXBlA2NvbQAAAQAB"} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":439,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1431970638471236,"flow_dst_last_pkt_time":1431970636300980,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1431970638471236,"pkt":"0NQSxnP1PBXCt3IOCABFAABLoPEAAEARVj3AqAEiwKgBAcOHADUANwqgVG4BAAABAAAAAAAABHBpcGUDcHJkCXNreXBlZGF0YQZha2FkbnMDbmV0AAABAAE="} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":440,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1431970638471318,"flow_dst_last_pkt_time":1431970636301275,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1431970638471318,"pkt":"0NQSxnP1PBXCt3IOCABFAABL\/NIAAEAR+lvAqAEiwKgBAcopADUAN1kA5GsBAAABAAAAAAAABHBpcGUDcHJkCXNreXBlZGF0YQZha2FkbnMDbmV0AAAcAAE="} -01689{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":448,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431970637197675,"flow_src_last_pkt_time":1431970639484015,"flow_dst_last_pkt_time":1431970639483962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":607,"flow_src_tot_l4_payload_len":3514,"flow_dst_tot_l4_payload_len":2368,"midstream":1,"thread_ts_usec":1431970639484015,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":51227,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":169356.6,"max":1077385,"stddev":340339.8,"var":115831160832.0,"ent":2.7,"data": [72,141755,4583,11838,4,158204,1417,4,1400,933119,61,1077385,3887,16084,4,164206,1860,3,1840,866377,142,1010555,4963,11788,160778,157,141]},"pktlen": {"min":54,"avg":238.9,"max":680,"stddev":252.7,"var":63877.7,"ent":4.3,"data": [680,622,60,60,387,90,54,54,656,80,54,54,673,630,60,60,387,90,54,54,661,80,54,54,677,556,60,60,387,54,90,54]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,3,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02088{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":448,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1431970637197675,"flow_src_last_pkt_time":1431970639484015,"flow_dst_last_pkt_time":1431970639483962,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":626,"flow_dst_max_l4_payload_len":607,"flow_src_tot_l4_payload_len":3514,"flow_dst_tot_l4_payload_len":2368,"midstream":1,"thread_ts_usec":1431970639484015,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"17.172.100.36","src_port":51227,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":169356.6,"max":1077385,"stddev":340339.8,"var":115831160832.0,"ent":2.7,"data": [72,141755,4583,11838,4,158204,1417,4,1400,933119,61,1077385,3887,16084,4,164206,1860,3,1840,866377,142,1010555,4963,11788,160778,157,141]},"pktlen": {"min":40,"avg":224.9,"max":666,"stddev":252.7,"var":63877.7,"ent":4.2,"data": [666,608,46,46,373,76,40,40,642,66,40,40,659,616,46,46,373,76,40,40,647,66,40,40,663,542,46,46,373,40,76,40]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,3,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,1,0,0,1,1,0,0,0,0,1,1,1,0,1,0],"entropies": [7.674015522,7.668118000,4.652828693,4.505982399,7.427917480,5.699883461,4.831687450,4.881687164,7.645244122,5.566976070,4.831687450,4.831687450,7.688735008,7.679184437,4.609350681,4.565872192,7.476705551,5.708197594,4.781687260,4.831687450,7.687032700,5.555538654,4.831687450,4.881687164,7.666993618,7.641694546,4.565872192,4.522393227,7.411273003,4.831687450,5.770762444,4.831687450]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":477,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970642408833,"flow_src_last_pkt_time":1431970642408833,"flow_dst_last_pkt_time":1431970642408833,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970642408833,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00579{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":477,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_src_last_pkt_time":1431970642408833,"flow_dst_last_pkt_time":1431970642408833,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1431970642408833,"pkt":"\/\/\/\/\/\/\/\/PBXCt3IOCABFAABOkRoAAEARZRPAqAEiwKgB\/wCJAIkAOosFRXIBEAABAAAAAAAAIEFCQUNGUEZQRU5GREVDRkNFUEZIRkRFRkZQRlBBQ0FCAAAgAAE="} 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":477,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970642408833,"flow_src_last_pkt_time":1431970642408833,"flow_dst_last_pkt_time":1431970642408833,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970642408833,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"192.168.1.255","src_port":137,"dst_port":137,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS","proto_id":"10","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"__msbrowse__"}} @@ -817,7 +817,7 @@ 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1353,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":228,"flow_packet_id":3,"flow_src_last_pkt_time":1431970686381625,"flow_dst_last_pkt_time":1431970686381504,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431970686381625,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoqoZAAEAGmEPAqAEiW77afchVMD6WWeS3Rpk1L1AQIACoYAAA"} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1361,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":225,"flow_packet_id":3,"flow_src_last_pkt_time":1431970686624286,"flow_dst_last_pkt_time":1431970685835490,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431970686624286,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoWF8AAEARnvLAqAEiwKgBAeasFOcAFAzzAAEAADLdMt0AAA4Q"} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1362,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":226,"flow_packet_id":3,"flow_src_last_pkt_time":1431970686627227,"flow_dst_last_pkt_time":1431970685839326,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1431970686627227,"pkt":"PBXCt3IO0NQSxnP1CABFwABElr8AAEABX8bAqAEBwKgBIgMDgJYAAAAARQAAKFhfAABAEZ7ywKgBIsCoAQHmrBTnABQM8wABAAAy3TLdAAAOEA=="} -01606{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1368,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":210,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970682971895,"flow_src_last_pkt_time":1431970686763311,"flow_dst_last_pkt_time":1431970686763184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1353,"flow_dst_tot_l4_payload_len":2282,"midstream":0,"thread_ts_usec":1431970686763311,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"111.221.74.48","src_port":51279,"dst_port":40008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":244603.4,"max":1296903,"stddev":277928.5,"var":77244252160.0,"ent":4.1,"data": [1006187,1296903,290818,554,292771,2163,294344,530,293322,292842,39566,39558,253265,253274,40127,40121,350396,3,350380,293934,293924,133,334278,334179,299989,7,300043,2124,4226,292441,290303]},"pktlen": {"min":66,"avg":180.6,"max":1506,"stddev":288.6,"var":83264.9,"ent":4.0,"data": [78,78,74,66,116,66,169,66,74,74,66,66,112,95,66,66,105,66,69,66,210,66,70,66,675,66,70,66,1506,120,617,609]},"bins": {"c_to_s": [11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0]}} +02003{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1368,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":210,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970682971895,"flow_src_last_pkt_time":1431970686763311,"flow_dst_last_pkt_time":1431970686763184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1353,"flow_dst_tot_l4_payload_len":2282,"midstream":0,"thread_ts_usec":1431970686763311,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"111.221.74.48","src_port":51279,"dst_port":40008,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":244603.4,"max":1296903,"stddev":277928.5,"var":77244252160.0,"ent":4.1,"data": [1006187,1296903,290818,554,292771,2163,294344,530,293322,292842,39566,39558,253265,253274,40127,40121,350396,3,350380,293934,293924,133,334278,334179,299989,7,300043,2124,4226,292441,290303]},"pktlen": {"min":52,"avg":166.6,"max":1492,"stddev":288.6,"var":83264.9,"ent":3.9,"data": [64,64,60,52,102,52,155,52,60,60,52,52,98,81,52,52,91,52,55,52,196,52,56,52,661,52,56,52,1492,106,603,595]},"bins": {"c_to_s": [11,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0],"entropies": [4.591982365,4.685732365,5.379368782,5.156889439,6.098606110,5.310736179,6.719574928,5.231892586,5.434151649,5.435815811,5.217375278,5.192625999,6.264057159,5.966215611,5.193430901,5.118428230,6.152135849,5.272274494,5.217365742,5.270353794,6.867547989,5.193430901,5.336557388,5.233812809,7.669265747,5.195351124,5.302626133,5.231892586,7.881810188,6.162669659,7.661843300,7.626007080]}} 00826{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1368,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":210,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1431970682971895,"flow_src_last_pkt_time":1431970686763311,"flow_dst_last_pkt_time":1431970686763184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":609,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":1353,"flow_dst_tot_l4_payload_len":2282,"midstream":0,"thread_ts_usec":1431970686763311,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"111.221.74.48","src_port":51279,"dst_port":40008,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1372,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":229,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970686843964,"flow_src_last_pkt_time":1431970686843964,"flow_dst_last_pkt_time":1431970686843964,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970686843964,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"91.190.218.125","src_port":51286,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1372,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":229,"flow_packet_id":1,"flow_src_last_pkt_time":1431970686843964,"flow_dst_last_pkt_time":1431970686843964,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970686843964,"pkt":"0NQSxnP1PBXCt3IOCABFAABAXdpAAEAG5NfAqAEiW77afchWAbv9gi8BAAAAALAC\/\/+4gAAAAgQFtAEDAwUBAQgKPjJRrgAAAAAEAgAA"} @@ -931,7 +931,7 @@ 00521{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1755,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":251,"flow_packet_id":3,"flow_src_last_pkt_time":1431970693239613,"flow_dst_last_pkt_time":1431970693239490,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1431970693239613,"pkt":"0NQSxnP1PBXCt3IOCABFAAAoI6NAAEAGISfAqAEiW77YfchmAbumoVhkgmR6JFAQIADUHQAA"} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1790,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":252,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970694308651,"flow_src_last_pkt_time":1431970694308651,"flow_dst_last_pkt_time":1431970694308651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970694308651,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"80.121.84.93","src_port":51303,"dst_port":62381,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1790,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":1,"flow_src_last_pkt_time":1431970694308651,"flow_dst_last_pkt_time":1431970694308651,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970694308651,"pkt":"0NQSxnP1PBXCt3IOCABFAABA0wpAAEAGAQ3AqAEiUHlUXchn861MQWgbAAAAALAC\/\/+zaQAAAgQFtAEDAwUBAQgKPjJuTgAAAAAEAgAA"} -01609{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1791,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":242,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431970689672643,"flow_src_last_pkt_time":1431970693736762,"flow_dst_last_pkt_time":1431970694329250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":752,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1528,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":1431970694329250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":51294,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":281313.8,"max":2004084,"stddev":501089.8,"var":251090993152.0,"ent":3.5,"data": [69753,69875,128,64112,63941,396,65391,64977,1952,66745,64884,268026,267948,126507,126511,3724,173414,169731,172,68870,95737,164424,174,67018,66860,198434,1936170,2004084,795927,1062252,592589]},"pktlen": {"min":66,"avg":157.2,"max":1190,"stddev":243.0,"var":59065.6,"ent":4.1,"data": [78,74,66,131,94,66,82,80,66,818,80,66,66,70,1190,66,622,109,110,92,66,109,66,93,87,66,66,104,66,105,66,111]},"bins": {"c_to_s": [13,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1]}} +02002{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1791,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":242,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431970689672643,"flow_src_last_pkt_time":1431970693736762,"flow_dst_last_pkt_time":1431970694329250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":752,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1528,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":1431970694329250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":51294,"dst_port":17639,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":281313.8,"max":2004084,"stddev":501089.8,"var":251090993152.0,"ent":3.5,"data": [69753,69875,128,64112,63941,396,65391,64977,1952,66745,64884,268026,267948,126507,126511,3724,173414,169731,172,68870,95737,164424,174,67018,66860,198434,1936170,2004084,795927,1062252,592589]},"pktlen": {"min":52,"avg":143.2,"max":1176,"stddev":243.0,"var":59065.6,"ent":3.9,"data": [64,60,52,117,80,52,68,66,52,804,66,52,52,56,1176,52,608,95,96,78,52,95,52,79,73,52,52,90,52,91,52,97]},"bins": {"c_to_s": [13,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1],"entropies": [4.623232365,5.300120831,5.195351124,6.325283527,5.743623257,5.195351601,5.572466850,5.597279072,5.156889915,7.729978561,5.597279072,5.156889915,5.192626476,5.302627087,7.848286152,5.195351601,7.719808578,6.123468399,6.165541172,5.733872414,5.115703106,6.010258675,5.118427753,5.870053768,5.680767059,5.156889915,5.192626476,6.012281418,5.209868431,6.007682800,5.156889915,6.122959137]}} 00825{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":1791,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":242,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1431970689672643,"flow_src_last_pkt_time":1431970693736762,"flow_dst_last_pkt_time":1431970694329250,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":752,"flow_dst_max_l4_payload_len":1124,"flow_src_tot_l4_payload_len":1528,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":1431970694329250,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"81.83.77.141","src_port":51294,"dst_port":17639,"l4_proto":"tcp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1812,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":252,"flow_packet_id":2,"flow_src_last_pkt_time":1431970695316316,"flow_dst_last_pkt_time":1431970694308651,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970695316316,"pkt":"0NQSxnP1PBXCt3IOCABFAABAwedAAEAGEjDAqAEiUHlUXchn861MQWgbAAAAALAC\/\/+vgAAAAgQFtAEDAwUBAQgKPjJyNwAAAAAEAgAA"} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1817,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":253,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970695865959,"flow_src_last_pkt_time":1431970695865959,"flow_dst_last_pkt_time":1431970695865959,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970695865959,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"149.13.32.15","src_port":51305,"dst_port":13392,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -1051,7 +1051,7 @@ 00770{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2131,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":266,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970707911507,"flow_src_last_pkt_time":1431970707911507,"flow_dst_last_pkt_time":1431970707911507,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970707911507,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"133.236.67.25","src_port":13021,"dst_port":49195,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2131,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":266,"flow_packet_id":1,"flow_src_last_pkt_time":1431970707911507,"flow_dst_last_pkt_time":1431970707911507,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":26,"thread_ts_usec":1431970707911507,"pkt":"0NQSxnP1PBXCt3IOCABFAAAu+nsAAEAR9XPAqAEihexDGTLdwCsAGiMOfdMCo1rvIegrMqRysYXm5vlz"} 00900{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2131,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":266,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970707911507,"flow_src_last_pkt_time":1431970707911507,"flow_dst_last_pkt_time":1431970707911507,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970707911507,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"133.236.67.25","src_port":13021,"dst_port":49195,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} -01758{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2139,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431970648367692,"flow_src_last_pkt_time":1431970708344887,"flow_dst_last_pkt_time":1431970648367692,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10518,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708344887,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":491,"avg":1934748.2,"max":19856559,"stddev":5865016.5,"var":34398418239488.0,"ent":1.7,"data": [557,584,518,491,526,99678,590,558,630,19856559,16227,16968,16620,16461,16743,19850608,16179,16542,16730,16663,16557,16953,16553,16675,16584,19850616,15995,16653,16828,16721,16628]},"pktlen": {"min":327,"avg":370.7,"max":405,"stddev":29.1,"var":844.3,"ent":5.0,"data": [333,351,405,397,327,369,401,347,399,393,327,369,401,347,399,393,333,351,405,397,327,369,401,347,399,393,333,351,405,397,327,369]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,4,9,7,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +02157{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2139,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1431970648367692,"flow_src_last_pkt_time":1431970708344887,"flow_dst_last_pkt_time":1431970648367692,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":285,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":363,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":10518,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708344887,"l3_proto":"ip4","src_ip":"192.168.0.254","dst_ip":"239.255.255.250","src_port":1025,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":491,"avg":1934748.2,"max":19856559,"stddev":5865016.5,"var":34398418239488.0,"ent":1.7,"data": [557,584,518,491,526,99678,590,558,630,19856559,16227,16968,16620,16461,16743,19850608,16179,16542,16730,16663,16557,16953,16553,16675,16584,19850616,15995,16653,16828,16721,16628]},"pktlen": {"min":313,"avg":356.7,"max":391,"stddev":29.1,"var":844.3,"ent":5.0,"data": [319,337,391,383,313,355,387,333,385,379,313,355,387,333,385,379,319,337,391,383,313,355,387,333,385,379,319,337,391,383,313,355]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,4,9,7,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [5.764857769,5.738472939,5.706055641,5.738885880,5.696391106,5.696156025,5.702908993,5.694716930,5.666212559,5.684383869,5.696391106,5.696156025,5.712235928,5.682279587,5.675588608,5.684383869,5.764857769,5.732538223,5.701994896,5.740596294,5.696391106,5.685169697,5.698806763,5.694716930,5.662089348,5.677114964,5.764857769,5.738472939,5.715287209,5.736823559,5.684858322,5.687015057]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00767{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2145,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":267,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970708715662,"flow_src_last_pkt_time":1431970708715662,"flow_dst_last_pkt_time":1431970708715662,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708715662,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"212.161.8.36","src_port":51319,"dst_port":13392,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2145,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":267,"flow_packet_id":1,"flow_src_last_pkt_time":1431970708715662,"flow_dst_last_pkt_time":1431970708715662,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1431970708715662,"pkt":"0NQSxnP1PBXCt3IOCABFAABAWHtAAEAGQ63AqAEi1KEIJMh3NFBvQ5mUAAAAALAC\/\/+uawAAAgQFtAEDAwUBAQgKPjKmLwAAAAAEAgAA"} 00941{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2146,"source":"skype_no_unknown.pcap","alias":"nDPId-test","flow_id":233,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1431970687262098,"flow_src_last_pkt_time":1431970687262098,"flow_dst_last_pkt_time":1431970687262098,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":18,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":18,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":18,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1431970708726988,"l3_proto":"ip4","src_ip":"192.168.1.34","dst_ip":"189.188.134.174","src_port":13021,"dst_port":22436,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Skype_Teams.Skype_TeamsCall","proto_id":"125.38","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} @@ -1394,10 +1394,10 @@ ~~ total active/idle flows...: 267/267 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6707058 bytes -~~ total memory freed........: 6707058 bytes -~~ total allocations/frees...: 126318/126318 +~~ total memory allocated....: 6743370 bytes +~~ total memory freed........: 6743370 bytes +~~ total allocations/frees...: 126585/126585 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 200 chars -~~ json string max len.......: 1884 chars -~~ json string avg len.......: 1042 chars +~~ json string max len.......: 2283 chars +~~ json string avg len.......: 1241 chars diff --git a/test/results/skype_udp.pcap.out b/test/results/skype_udp.pcap.out index 2c7c52967..76dca639e 100644 --- a/test/results/skype_udp.pcap.out +++ b/test/results/skype_udp.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035786 bytes -~~ total memory freed........: 6035786 bytes -~~ total allocations/frees...: 121492/121492 +~~ total memory allocated....: 6035922 bytes +~~ total memory freed........: 6035922 bytes +~~ total allocations/frees...: 121493/121493 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 916 chars diff --git a/test/results/smb_deletefile.pcap.out b/test/results/smb_deletefile.pcap.out index 240d955ad..c41cac9d0 100644 --- a/test/results/smb_deletefile.pcap.out +++ b/test/results/smb_deletefile.pcap.out @@ -5,7 +5,7 @@ 00898{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368315417275,"flow_dst_last_pkt_time":1584368315417275,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":380,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":380,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":380,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1584368315417275,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":""}} 01193{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1584368315417275,"flow_dst_last_pkt_time":1584368315418447,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":554,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":554,"pkt_l4_len":520,"thread_ts_usec":1584368315418447,"pkt":"KDc3AG3I2MuK4S0uCABFAAIcOK5AAIAGO6zAqAG7wKgBdgG93hDyQzIj6KAG5lAYEAjw+QAAAAAB8P5TTUJAAAEAAAAAAAUAAAABAAAAmAAAAJwPAAAAAAAA\/\/4AABEAAAAdAAAAACgAAAAAAAAAAAAAAAAAAAAAAABZAAAAAQAAAPJad+s0itQBeC8Pcpz71QGM0O1xnPvVAYzQ7XGc+9UBACAAAAAAAAAAIAAAAAAAABEAAAAAAAAAEgQAAAoAAABlAAAACgAAAAAAAAAAAAAA\/lNNQkAAAQAAAAAADgAAAAUAAADYAAAAnQ8AAAAAAAD\/\/gAAEQAAAB0AAAAAKAAAAAAAAAAAAAAAAAAAAAAAAAkASACOAAAAAAAAAAAAAAAzwlM5LZjUATN2tkyb+9UBqrZQPC2Y1AHHrtHNIlnVAYD0HQAAAAAAAAAeAAAAAAAgAAAAJgAAAAAAAAAYAEkATgBOAE8AUwBFAH4AMQAuAEUAWABFAAAAq04CAAAAAQBpAG4AbgBvAHMAZQB0AHUAcAAtADUALgA2AC4AMQAuAGUAeABlAAAA\/lNNQkAAAQAAAAAABgADAAUAAAAAAAAAng8AAAAAAAD\/\/gAAEQAAAB0AAAAAKAAAAAAAAAAAAAAAAAAAAAAAADwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1584368315418500,"flow_dst_last_pkt_time":1584368315418447,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1584368315418500,"pkt":"2MuK4S0uKDc3AG3ICABFAAAoAABAAEAGtk7AqAF2wKgBu94QAb3ooAbm8kM0F1AQqfyLpgAA"} -01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368317627960,"flow_dst_last_pkt_time":1584368317628867,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":412,"flow_dst_max_l4_payload_len":500,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":3826,"midstream":1,"thread_ts_usec":1584368317628867,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":20,"avg":142654.1,"max":2158424,"stddev":529256.2,"var":280112168960.0,"ent":1.2,"data": [1172,1225,2157281,2158424,1159,87,1253,1160,7461,9355,1883,124,103,75,20,492,151,550,5618,5637,4741,5866,1131,107,1245,1127,130,997,857,25951,26895]},"pktlen": {"min":54,"avg":266.6,"max":554,"stddev":190.9,"var":36432.9,"ent":4.6,"data": [434,554,54,378,522,54,394,538,54,466,180,54,554,54,158,154,60,158,54,130,54,394,538,54,434,410,54,298,370,54,402,466]},"bins": {"c_to_s": [10,0,0,2,0,0,0,1,0,0,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,1,2,0,0,0,0,0,1,0,1,1,0,1,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} +02121{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368317627960,"flow_dst_last_pkt_time":1584368317628867,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":412,"flow_dst_max_l4_payload_len":500,"flow_src_tot_l4_payload_len":2972,"flow_dst_tot_l4_payload_len":3826,"midstream":1,"thread_ts_usec":1584368317628867,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":20,"avg":142654.1,"max":2158424,"stddev":529256.2,"var":280112168960.0,"ent":1.2,"data": [1172,1225,2157281,2158424,1159,87,1253,1160,7461,9355,1883,124,103,75,20,492,151,550,5618,5637,4741,5866,1131,107,1245,1127,130,997,857,25951,26895]},"pktlen": {"min":40,"avg":252.6,"max":540,"stddev":190.9,"var":36432.9,"ent":4.5,"data": [420,540,40,364,508,40,380,524,40,452,166,40,540,40,144,140,46,144,40,116,40,380,524,40,420,396,40,284,356,40,388,452]},"bins": {"c_to_s": [10,0,0,2,0,0,0,1,0,0,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,1,2,0,0,0,0,0,1,0,1,1,0,1,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,1,1,0,1,0,0,1,0,0,1,0,0,1,0,0,1],"entropies": [3.069277287,3.365245581,4.461769104,2.731584549,2.957580328,4.511769295,2.886561632,3.152696133,4.511769295,2.994292021,3.490118504,4.511769295,2.920198441,4.511769295,3.495491743,3.175110340,4.402616024,3.673908472,4.461769104,3.397419930,4.511769295,2.886561632,3.164842129,4.511769295,3.078800917,2.788191795,4.461769104,2.814971924,2.968542337,4.511769295,2.599048853,2.976962328]},"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00934{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":101,"source":"smb_deletefile.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":62,"flow_dst_packets_processed":39,"flow_first_seen":1584368315417275,"flow_src_last_pkt_time":1584368317802053,"flow_dst_last_pkt_time":1584368317801987,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":476,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":11034,"flow_dst_tot_l4_payload_len":14218,"midstream":1,"thread_ts_usec":1584368317802053,"l3_proto":"ip4","src_ip":"192.168.1.118","dst_ip":"192.168.1.187","src_port":56848,"dst_port":445,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv23","proto_id":"10.41","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System"}} 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":101,"source":"smb_deletefile.pcap","alias":"nDPId-test","packets-captured":101,"packets-processed":101,"total-skipped-flows":0,"total-l4-payload-len":25252,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":1584368317802053} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038570 bytes -~~ total memory freed........: 6038570 bytes -~~ total allocations/frees...: 121588/121588 +~~ total memory allocated....: 6038706 bytes +~~ total memory freed........: 6038706 bytes +~~ total allocations/frees...: 121589/121589 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars -~~ json string max len.......: 1727 chars -~~ json string avg len.......: 1075 chars +~~ json string max len.......: 2126 chars +~~ json string avg len.......: 1249 chars diff --git a/test/results/smb_frags.pcap.out b/test/results/smb_frags.pcap.out index 6dd606770..36651c5fe 100644 --- a/test/results/smb_frags.pcap.out +++ b/test/results/smb_frags.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037954 bytes -~~ total memory freed........: 6037954 bytes -~~ total allocations/frees...: 121498/121498 +~~ total memory allocated....: 6038090 bytes +~~ total memory freed........: 6038090 bytes +~~ total allocations/frees...: 121499/121499 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 1265 chars diff --git a/test/results/smbv1.pcap.out b/test/results/smbv1.pcap.out index b606e5ebd..535a01aad 100644 --- a/test/results/smbv1.pcap.out +++ b/test/results/smbv1.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037925 bytes -~~ total memory freed........: 6037925 bytes -~~ total allocations/frees...: 121497/121497 +~~ total memory allocated....: 6038061 bytes +~~ total memory freed........: 6038061 bytes +~~ total allocations/frees...: 121498/121498 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 1263 chars diff --git a/test/results/smpp_in_general.pcap.out b/test/results/smpp_in_general.pcap.out index bdf4ce745..bba1ee1ae 100644 --- a/test/results/smpp_in_general.pcap.out +++ b/test/results/smpp_in_general.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038182 bytes -~~ total memory freed........: 6038182 bytes -~~ total allocations/frees...: 121505/121505 +~~ total memory allocated....: 6038318 bytes +~~ total memory freed........: 6038318 bytes +~~ total allocations/frees...: 121506/121506 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars ~~ json string max len.......: 919 chars diff --git a/test/results/smtp-starttls.pcap.out b/test/results/smtp-starttls.pcap.out index b6b406dba..ab654ddff 100644 --- a/test/results/smtp-starttls.pcap.out +++ b/test/results/smtp-starttls.pcap.out @@ -9,7 +9,7 @@ 01016{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":5,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017124864532,"flow_dst_last_pkt_time":1388017124864365,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":154,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":235,"midstream":0,"thread_ts_usec":1388017124864532,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 01018{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":12,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017124864532,"flow_dst_last_pkt_time":1388017124876575,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":1653,"midstream":0,"thread_ts_usec":1388017124876575,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 01018{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":15,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":7,"flow_dst_packets_processed":8,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017124876854,"flow_dst_last_pkt_time":1388017124876863,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":3924,"midstream":0,"thread_ts_usec":1388017124876863,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} -01870{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017125217215,"flow_dst_last_pkt_time":1388017125228642,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":686,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1384,"flow_dst_tot_l4_payload_len":4627,"midstream":0,"thread_ts_usec":1388017125228642,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":29682.5,"max":156957,"stddev":34710.8,"var":1204840832.0,"ent":4.2,"data": [11168,11193,11857,11849,79,11152,39169,67072,28169,11489,12210,262,12322,26,24821,37890,13457,11887,11608,11639,11817,51431,103694,156957,13622,11529,11126,16410,67319,42853,94080]},"pktlen": {"min":66,"avg":254.3,"max":1484,"stddev":368.1,"var":135468.5,"ent":4.1,"data": [74,74,66,117,66,94,66,220,76,96,178,1484,1484,66,919,380,276,119,231,127,131,127,66,172,752,66,94,66,142,66,97,147]},"bins": {"c_to_s": [9,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,3,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} +02269{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017125217215,"flow_dst_last_pkt_time":1388017125228642,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":686,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1384,"flow_dst_tot_l4_payload_len":4627,"midstream":0,"thread_ts_usec":1388017125228642,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":29682.5,"max":156957,"stddev":34710.8,"var":1204840832.0,"ent":4.2,"data": [11168,11193,11857,11849,79,11152,39169,67072,28169,11489,12210,262,12322,26,24821,37890,13457,11887,11608,11639,11817,51431,103694,156957,13622,11529,11126,16410,67319,42853,94080]},"pktlen": {"min":52,"avg":240.3,"max":1470,"stddev":368.1,"var":135468.5,"ent":4.0,"data": [60,60,52,103,52,80,52,206,62,82,164,1470,1470,52,905,366,262,105,217,113,117,113,52,158,738,52,80,52,128,52,83,133]},"bins": {"c_to_s": [9,3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,3,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,0,1],"entropies": [4.527644634,5.164738178,4.944975376,5.655648708,4.868052483,4.887005329,4.983437061,5.795777798,5.058248043,5.413370609,5.231037617,6.553743362,7.414661884,4.893245220,7.240818024,7.277081490,6.869879723,5.969118595,6.897389412,6.050327778,6.234992027,6.200943947,4.944975376,6.499523640,7.703155994,4.906513691,5.556689262,4.868052006,6.265826702,4.776611805,5.571072102,6.285814285]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 00563{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":37,"source":"smtp-starttls.pcap","alias":"nDPId-test","packets-captured":37,"packets-processed":36,"total-skipped-flows":0,"total-l4-payload-len":6011,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1524746968365832} 00792{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":37,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968365832,"flow_dst_last_pkt_time":1524746968365832,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1524746968365832,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00563{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1524746968365832,"flow_dst_last_pkt_time":1524746968365832,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":34525,"pkt_l3_offset":18,"pkt_l4_offset":58,"pkt_len":90,"pkt_l4_len":32,"thread_ts_usec":1524746968365832,"pkt":"tAwlBY4TAAwpwTTcgQAAfYbdYAAAAAAgBkAgAwDeIBYBJfw2gxdOhstyIAMA3iAWASAAAAAACggAUx2KABlaBfS8AAAAAIACIAC67wAAAgQFoAEDAwIBAQQC"} @@ -18,7 +18,7 @@ 00993{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":43,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":4,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968396333,"flow_dst_last_pkt_time":1524746968396833,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":152,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":210,"midstream":0,"thread_ts_usec":1524746968396833,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"jw-vm08-int-dns.webernetz.net","smtp": {"user":"","password":"","auth_failed":0}}} 01042{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":46,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968398581,"flow_dst_last_pkt_time":1524746968397832,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":152,"flow_src_tot_l4_payload_len":242,"flow_dst_tot_l4_payload_len":240,"midstream":0,"thread_ts_usec":1524746968398581,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01148{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968398581,"flow_dst_last_pkt_time":1524746968403958,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":242,"flow_dst_tot_l4_payload_len":1380,"midstream":0,"thread_ts_usec":1524746968403958,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} -01977{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":68,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968662121,"flow_dst_last_pkt_time":1524746968661622,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1034,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":1734,"flow_dst_tot_l4_payload_len":2097,"midstream":0,"thread_ts_usec":1524746968662121,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":19099.3,"max":202908,"stddev":48707.1,"var":2372380928.0,"ent":2.8,"data": [744,995,19017,29506,11113,127,1248,999,1000,6126,12754,624,8625,202034,202908,998,7251,6751,7252,7260,1247,2128,2995,378,21009,21750,990,6762,2,6750,736]},"pktlen": {"min":78,"avg":198.5,"max":1218,"stddev":257.1,"var":66086.8,"ent":4.3,"data": [90,90,78,136,128,78,230,88,108,260,1218,204,157,336,245,78,167,121,141,121,113,144,78,1112,78,143,113,122,109,78,109,78]},"bins": {"c_to_s": [7,4,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,4,2,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0]},"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} +02371{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":68,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968662121,"flow_dst_last_pkt_time":1524746968661622,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1034,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":1734,"flow_dst_tot_l4_payload_len":2097,"midstream":0,"thread_ts_usec":1524746968662121,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":19099.3,"max":202908,"stddev":48707.1,"var":2372380928.0,"ent":2.8,"data": [744,995,19017,29506,11113,127,1248,999,1000,6126,12754,624,8625,202034,202908,998,7251,6751,7252,7260,1247,2128,2995,378,21009,21750,990,6762,2,6750,736]},"pktlen": {"min":60,"avg":180.5,"max":1200,"stddev":257.1,"var":66086.8,"ent":4.2,"data": [72,72,60,118,110,60,212,70,90,242,1200,186,139,318,227,60,149,103,123,103,95,126,60,1094,60,125,95,104,91,60,91,60]},"bins": {"c_to_s": [7,4,2,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,4,2,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0],"entropies": [4.281427383,4.959185600,4.579100609,5.619654655,5.411477089,4.829739571,5.596319675,4.894675732,5.166758537,5.366472721,7.601028442,6.201757908,5.921764851,7.156020164,6.896310806,4.658349514,6.097513199,5.672229767,5.596776009,5.715824604,5.162304878,6.073466778,4.799921513,7.803120613,4.833254814,6.058705330,5.062202930,5.764057636,4.995513916,4.579101086,5.463903904,4.446732044]},"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01182{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":69,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":17,"flow_first_seen":1524746968365832,"flow_src_last_pkt_time":1524746968662121,"flow_dst_last_pkt_time":1524746968663137,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1034,"flow_dst_max_l4_payload_len":1140,"flow_src_tot_l4_payload_len":1734,"flow_dst_tot_l4_payload_len":2097,"midstream":0,"thread_ts_usec":1524746968663137,"l3_proto":"ip6","src_ip":"2003:de:2016:125:fc36:8317:4e86:cb72","dst_ip":"2003:de:2016:120::a08:53","src_port":7562,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"6": {"risk":"Self-signed Cert","severity":"High","risk_score": {"total":500,"client":450,"server":50}},"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"SMTPS","proto_id":"29","encrypted":1,"breed":"Safe","category_id":3,"category":"Email"}} 01051{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":69,"source":"smtp-starttls.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":19,"flow_first_seen":1388017124762850,"flow_src_last_pkt_time":1388017125228821,"flow_dst_last_pkt_time":1388017125239930,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":686,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1384,"flow_dst_tot_l4_payload_len":4627,"midstream":0,"thread_ts_usec":1524746968663137,"l3_proto":"ip4","src_ip":"10.0.0.1","dst_ip":"173.194.68.26","src_port":57406,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"SMTPS.Google","proto_id":"29.126","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 00565{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":69,"source":"smtp-starttls.pcap","alias":"nDPId-test","packets-captured":69,"packets-processed":69,"total-skipped-flows":0,"total-l4-payload-len":9842,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":6,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":24,"global_ts_usec":1524746968663137} @@ -30,10 +30,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6061628 bytes -~~ total memory freed........: 6061628 bytes -~~ total allocations/frees...: 121601/121601 +~~ total memory allocated....: 6061900 bytes +~~ total memory freed........: 6061900 bytes +~~ total allocations/frees...: 121603/121603 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars -~~ json string max len.......: 1982 chars -~~ json string avg len.......: 1236 chars +~~ json string max len.......: 2376 chars +~~ json string avg len.......: 1433 chars diff --git a/test/results/smtp.pcap.out b/test/results/smtp.pcap.out index 778dd86dd..b5003977f 100644 --- a/test/results/smtp.pcap.out +++ b/test/results/smtp.pcap.out @@ -5,7 +5,7 @@ 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":934028408568957,"flow_dst_last_pkt_time":934028408569273,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":934028408569273,"pkt":"ABB7OEYzAMBPo1fbCABFAAAsFcQAAEAGi4esEHLPwgf4mQAZCE+jURBm5ahCFGASf+Ba2AAAAgQFtAW0"} 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":934028408570091,"flow_dst_last_pkt_time":934028408569273,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":934028408570091,"pkt":"AMBPo1fbABB7OEYzCABFAAAoEDRAAD8GUhvCB\/iZrBByzwhPABnlqEIUo1EQZ1AQfXh0\/QAAAAAAAAAA"} 00936{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":10,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408647164,"flow_dst_last_pkt_time":934028408647434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":22,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":154,"midstream":0,"thread_ts_usec":934028408647434,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email","hostname":"pigeon.eyrie.af.mil","smtp": {"user":"","password":"","auth_failed":0}}} -01668{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408659170,"flow_dst_last_pkt_time":934028408659389,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":469,"flow_dst_tot_l4_payload_len":576,"midstream":0,"thread_ts_usec":934028408659389,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":316,"avg":5827.3,"max":55118,"stddev":11962.2,"var":143094448.0,"ent":3.2,"data": [316,1134,19693,31096,24595,55118,2208,21382,1142,1166,1125,1230,1225,1086,1083,1063,1064,1068,1066,1077,1106,1085,1057,1068,1067,1048,1046,1060,1062,1055,1054]},"pktlen": {"min":60,"avg":87.6,"max":138,"stddev":15.2,"var":230.1,"ent":5.0,"data": [60,60,60,138,60,76,60,80,76,98,90,97,93,92,93,92,94,93,93,92,93,92,94,93,92,91,91,90,94,93,92,91]},"bins": {"c_to_s": [5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,12,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} +02067{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408659170,"flow_dst_last_pkt_time":934028408659389,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":469,"flow_dst_tot_l4_payload_len":576,"midstream":0,"thread_ts_usec":934028408659389,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":316,"avg":5827.3,"max":55118,"stddev":11962.2,"var":143094448.0,"ent":3.2,"data": [316,1134,19693,31096,24595,55118,2208,21382,1142,1166,1125,1230,1225,1086,1083,1063,1064,1068,1066,1077,1106,1085,1057,1068,1067,1048,1046,1060,1062,1055,1054]},"pktlen": {"min":46,"avg":73.6,"max":124,"stddev":15.2,"var":230.1,"ent":5.0,"data": [46,46,46,124,46,62,46,66,62,84,76,83,79,78,79,78,80,79,79,78,79,78,80,79,78,77,77,76,80,79,78,77]},"bins": {"c_to_s": [5,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,12,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.217956066,4.965921402,4.414441109,5.606353760,4.414441109,5.401541233,4.398030758,5.373719692,5.366997719,5.482748032,5.540370464,5.525596142,5.518477440,5.566954136,5.471196175,5.560668945,5.565314293,5.578667164,5.537589550,5.586310863,5.547144890,5.611951351,5.485757828,5.482342720,5.493423939,5.506668091,5.516471386,5.546820641,5.505877972,5.562905312,5.524069786,5.501934052]},"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} 00899{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":95,"source":"smtp.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":51,"flow_dst_packets_processed":44,"flow_first_seen":934028408568957,"flow_src_last_pkt_time":934028408801393,"flow_dst_last_pkt_time":934028408801610,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":84,"flow_src_tot_l4_payload_len":16527,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":934028408801610,"l3_proto":"ip4","src_ip":"194.7.248.153","dst_ip":"172.16.114.207","src_port":2127,"dst_port":25,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"SMTP","proto_id":"3","encrypted":0,"breed":"Acceptable","category_id":3,"category":"Email"}} 00556{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":95,"source":"smtp.pcap","alias":"nDPId-test","packets-captured":95,"packets-processed":95,"total-skipped-flows":0,"total-l4-payload-len":17955,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":10,"global_ts_usec":934028408801610} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -16,10 +16,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6040444 bytes -~~ total memory freed........: 6040444 bytes -~~ total allocations/frees...: 121583/121583 +~~ total memory allocated....: 6040580 bytes +~~ total memory freed........: 6040580 bytes +~~ total allocations/frees...: 121584/121584 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1673 chars -~~ json string avg len.......: 1028 chars +~~ json string max len.......: 2072 chars +~~ json string avg len.......: 1202 chars diff --git a/test/results/smtps.pcapng.out b/test/results/smtps.pcapng.out index 1afd81042..a75307688 100644 --- a/test/results/smtps.pcapng.out +++ b/test/results/smtps.pcapng.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6039861 bytes -~~ total memory freed........: 6039861 bytes -~~ total allocations/frees...: 121494/121494 +~~ total memory allocated....: 6039997 bytes +~~ total memory freed........: 6039997 bytes +~~ total allocations/frees...: 121495/121495 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 1210 chars diff --git a/test/results/snapchat.pcap.out b/test/results/snapchat.pcap.out index 734891b9c..3692fe384 100644 --- a/test/results/snapchat.pcap.out +++ b/test/results/snapchat.pcap.out @@ -30,9 +30,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6052827 bytes -~~ total memory freed........: 6052827 bytes -~~ total allocations/frees...: 121572/121572 +~~ total memory allocated....: 6053235 bytes +~~ total memory freed........: 6053235 bytes +~~ total allocations/frees...: 121575/121575 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 1323 chars diff --git a/test/results/snapchat_call.pcapng.out b/test/results/snapchat_call.pcapng.out index 627e57870..9fc18cdc4 100644 --- a/test/results/snapchat_call.pcapng.out +++ b/test/results/snapchat_call.pcapng.out @@ -6,7 +6,7 @@ 02340{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1595865799020160,"flow_dst_last_pkt_time":1595865799037006,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1595865799037006,"pkt":"mt9Y+uvcCL6sCxduCABFAAVi60BAACUR+rISuIqOwKgMqQG7pGMFThqhw1EwNDYFw4BG53qjBuoAAAABHHnqt4ztMz51vP6XgAFSRUoABwAAAFNUSwA5AAAAU05PAG0AAABQUk9GtAAAAFNDRkc7AQAAUlJFSj8BAABTVFRMRwEAAENSVP9OBwAAbUU2ixV5Jj1qHEQQZYOHtdotUTPKCy0omzKN6SE7STZ4\/rKMxZ9\/rrj8l9tx+PhU9mRQzeJZ+1Dabp0JaMw4Ax2lLo8wBUBdtg1GpS3urBIhqVx\/8nRPLB1cTLrUpB570Ce5EPUwnKR9lOYP4jBFAiB3SpfbIfQpyAe+ZsA1KXWbSYFVXmlAhM9hKVIcNwAFzwIhAKINNKjm9Y0DRmywB4GeockL0Y3PJJ2PTHmxvqAl6rucU0NGRwYAAABBRUFECAAAAFNDSUQYAAAAUFVCUzsAAABLRVhTPwAAAE9CSVRHAAAARVhQWU8AAABBRVNHQ0MyMAO\/Pud+GiRqUM930xoSwNMgAAAzgoMwBXTcjfX\/uLgWESbe\/GDn3+Z5Wy5eude5hIrxK0MyNTUy3iwBeDJ0hdzKD01zAQAADAAAAHLO80MAAAAAAQEA6ggAAHi7IlF+sTNiZQCWXKx6Bk0smxcAyyAmJgFO2z2LJtgwHuFZfF6JuflcqgEXGwewWDpny8LMbOCDWiSJGghD0i2PS2Z6Jqg4ACVbQzWg\/8FJRBYu7OrsjFmUAwsFIwNgXkJkLSMjUNYyNAJzDVJQbYOmUQ5hLmdg+knLL8rLTIQ5gV2YJzgxryRRwTc\/Dxh4hkIGAhCXcQbnJRZAMhNUKTMPj5YeMFhzMstS9TLzDSKBwuxgHzIxQr3KzMjO7MTA0igTPiXBhk\/onni666rTEwW2GV7P0HIt5RAIXKgqHG0lyz+LaQ37Sb9X68wmMzzfpJMbI+6\/war2EINr2z3pHSav6hc3MccaNDFHokTO4rnP5H\/esvQ\/kPdi4umpS28ZPuKaj1RHBL7\/ujNAPVOn37WS752O83bRN1k7DJRB0oIsMgZSTShub+JC8gdKYcjeQKjszISUlUkGCQZ6C3QWaLVpIMpKY72UTKR8UVycnKibmpysm24IrtEw1JvgV+8DKQhdDZyBxSOkYfA3h5ERX\/GLYp5zQLABBxtbeiMPMIEaVCPltXyDXNx5DdkMA1ekvGYJc3kiSLoY1TJYkgWmWEiCRSp3StBqrCbGWjYucEl5rZKJhYmliTEXiDMZ0xnKGNyWhr4u\/TVRwWDros7ML59rBXUcS\/b99dzRuvrTn4J\/ue4MDIyF97xNnBgYWJgZ3A1cmRQZZl+WnuB1dsnif3fPXLu66NVPttQQNgnXFyeSpjbviVMPvsSkkKnJ8SbX7sSrj30mcX6\/VAWXm72+rLYpIjtI\/4Pe2rlv1IH2Krm6skeGqoRNs1+o\/\/F7btsDZbXktQe862OPNcfkPeJngtqrDrdXwUB1507jl12PbQL\/ybLt+9VWcsd2\/4OdQYxPekSfzHnGdBnksoD\/k8V3L9Lbv0bDO\/WlV93k58q8IeJ7Shd\/k5gaMNlDhaGUIXDxhq9\/GSvnhOXuMK\/o51lSdUZa\/fT3eR1Os3j\/XelmfQq11x5sr5uBC5NC2tpbFwyfLJZe8nnhYvF5pYurJx\/i93xZwbWvt+mx29md\/5kUgrJ0vgl\/6lq870XJzFvZL9lvZZeX8D\/9s4v3bXp609M\/CshlE3Mmg0EakyHDDbOtMsq6skVXu5mVPu76eNXwNe+pKj\/OfovXBece+Cifdpz8TnOjJcPFhjtTSzUqxSSAWrZv6p0iOl+y6nXK3m9XXNa84pm1qPWQefDM"} 02314{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1595865799020160,"flow_dst_last_pkt_time":1595865799037074,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1595865799037074,"pkt":"mt9Y+uvcCL6sCxduCABFAAVi60FAACUR+rESuIqOwKgMqQG7pGMFTlWjw1EwNDYFw4BG53qjBuoAAAACYTy54mZ50XnS5MjxpAEFJgJoF8maXr+sg1zn\/py4s01uT+X8o3fm32Z\/27aBGVRqMq8xaGKaAi01uU5r7HKLe2rJUVZS8PnsMSHkxhwPsDGXSFTBCa1buYUF0POAoYKBHKRMFYfrgNSNCkH5+SWw9rKxgbGBBbT4BJamyFwql91lwAIWXmqyajeyMCgxJzGwPOJwelV+Q+XeAp2UJcLnHOYoF61k4uIzt1c029EbLPLt6sSp3p+nMfUWyh25cXr5\/Lj3C57VR00SnBac\/\/rAaft1f6Pt3VWez2LXm7Zvhf7ucIn1hUv2VljJvYi2yU4R1D5jot2zuIlREZjtZA2E4BmRw4ANSDEBW4soJSBjm4EJUkmhYaBGZEnhBCkYrUGNuQWmC4zbDHEWjLAggsQEKCIgzRMDW0iJZwas2ozYWIBMBpIKO0R1gLW2QK5OmO8FmIZd9Nmd9mHxI2npw9M32V4MRUt84P7L8a4Fzt5vSk4eXX1V3sDULG9GWLXHGtbkddWzwlXCz+T\/urc6d87xbbvenHt+qjjl9n0Wcy4Gz83289XWTuxReCHfwaf1O838hMGLS4dUlrt66L5iDPAynCJ8vzf+ltZuT5vEz5Un5qRNkpqm9aXaLGKxjqNAidTltx7bLu3uYnMtNBYwqKqaoXhXZeebOVsnsa9tPnYk60f5M9N9wvzqKZuc9ze\/LA+7zdE+xV3ka7zG+sUZPs39Cd+nNVS2ZpWpzZ3Ko8Dca\/euSiM1JW3JzeZXM0vO5vnWyrzu3XR0vZi034nPoa86LARNZAXX27Ov8M+6VCKor\/WneHv8IVFn1pxrtbeY9irN9r\/8sxwAcED2UAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01044{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":20,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":11,"flow_dst_packets_processed":9,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865799615597,"flow_dst_last_pkt_time":1595865799120864,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3730,"flow_dst_tot_l4_payload_len":4552,"midstream":0,"thread_ts_usec":1595865799615597,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","quic": {}}} -01872{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865802042641,"flow_dst_last_pkt_time":1595865802853531,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3902,"flow_dst_tot_l4_payload_len":5824,"midstream":0,"thread_ts_usec":1595865802853531,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":221156.5,"max":1447282,"stddev":397282.2,"var":157833134080.0,"ent":3.2,"data": [16846,68,30414,96,24231,5110,25,16,20308,29142,5531,102,7,211,2051,54351,38,19,507575,1447282,48721,53521,57932,1172660,3328,7500,379723,803486,440070,1155688,589800]},"pktlen": {"min":62,"avg":345.9,"max":1392,"stddev":468.5,"var":219532.9,"ent":4.0,"data": [1392,1392,1392,1392,625,78,1392,62,428,70,86,80,80,80,201,100,62,62,62,86,351,303,351,303,86,70,70,86,70,86,86,86]},"bins": {"c_to_s": [4,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [4,4,0,0,0,0,0,0,2,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,0,0,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02270{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865802042641,"flow_dst_last_pkt_time":1595865802853531,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3902,"flow_dst_tot_l4_payload_len":5824,"midstream":0,"thread_ts_usec":1595865802853531,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":221156.5,"max":1447282,"stddev":397282.2,"var":157833134080.0,"ent":3.2,"data": [16846,68,30414,96,24231,5110,25,16,20308,29142,5531,102,7,211,2051,54351,38,19,507575,1447282,48721,53521,57932,1172660,3328,7500,379723,803486,440070,1155688,589800]},"pktlen": {"min":48,"avg":331.9,"max":1378,"stddev":468.5,"var":219532.9,"ent":3.9,"data": [1378,1378,1378,1378,611,64,1378,48,414,56,72,66,66,66,187,86,48,48,48,72,337,289,337,289,72,56,56,72,56,72,72,72]},"bins": {"c_to_s": [4,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [4,4,0,0,0,0,0,0,2,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,1,0,1,1,1,1,0,0,0,1,0,0,1,1],"entropies": [2.189238071,7.706800461,4.743436813,3.984874964,7.719462395,5.249389172,7.849965572,5.376628876,7.440353394,5.374054909,5.683540821,5.644934177,5.675237656,5.595766544,6.808179855,6.041157246,5.293295383,5.251628876,5.209962368,5.540976048,7.375632763,7.234831333,7.426898956,7.225734234,5.603883266,5.407986164,5.336557388,5.692057133,5.063577652,5.570461750,5.619208336,5.674763680]},"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01065{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":50,"source":"snapchat_call.pcapng","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":25,"flow_first_seen":1595865799020160,"flow_src_last_pkt_time":1595865807298358,"flow_dst_last_pkt_time":1595865807311868,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":4245,"flow_dst_tot_l4_payload_len":6427,"midstream":0,"thread_ts_usec":1595865807311868,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.184.138.142","src_port":42083,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"QUIC.SnapchatCall","proto_id":"188.255","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00568{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":50,"source":"snapchat_call.pcapng","alias":"nDPId-test","packets-captured":50,"packets-processed":50,"total-skipped-flows":0,"total-l4-payload-len":10672,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1595865807311868} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037091 bytes -~~ total memory freed........: 6037091 bytes -~~ total allocations/frees...: 121537/121537 +~~ total memory allocated....: 6037227 bytes +~~ total memory freed........: 6037227 bytes +~~ total allocations/frees...: 121538/121538 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars ~~ json string max len.......: 2345 chars diff --git a/test/results/snmp.pcap.out b/test/results/snmp.pcap.out index 61c702367..3fc040b9b 100644 --- a/test/results/snmp.pcap.out +++ b/test/results/snmp.pcap.out @@ -124,9 +124,9 @@ ~~ total active/idle flows...: 17/17 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6063628 bytes -~~ total memory freed........: 6063628 bytes -~~ total allocations/frees...: 121717/121717 +~~ total memory allocated....: 6065940 bytes +~~ total memory freed........: 6065940 bytes +~~ total allocations/frees...: 121734/121734 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 1970 chars diff --git a/test/results/soap.pcap.out b/test/results/soap.pcap.out index 45f7df878..b33f0446d 100644 --- a/test/results/soap.pcap.out +++ b/test/results/soap.pcap.out @@ -26,9 +26,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6043707 bytes -~~ total memory freed........: 6043707 bytes -~~ total allocations/frees...: 121535/121535 +~~ total memory allocated....: 6044115 bytes +~~ total memory freed........: 6044115 bytes +~~ total allocations/frees...: 121538/121538 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 2452 chars diff --git a/test/results/socks-http-example.pcap.out b/test/results/socks-http-example.pcap.out index 413d5bc08..1669b880c 100644 --- a/test/results/socks-http-example.pcap.out +++ b/test/results/socks-http-example.pcap.out @@ -27,9 +27,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046367 bytes -~~ total memory freed........: 6046367 bytes -~~ total allocations/frees...: 121556/121556 +~~ total memory allocated....: 6046775 bytes +~~ total memory freed........: 6046775 bytes +~~ total allocations/frees...: 121559/121559 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 503 chars ~~ json string max len.......: 924 chars diff --git a/test/results/softether.pcap.out b/test/results/softether.pcap.out index 08bc0eced..f259bfd7a 100644 --- a/test/results/softether.pcap.out +++ b/test/results/softether.pcap.out @@ -79,7 +79,7 @@ 00915{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":128,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":13,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657906405961000,"flow_dst_last_pkt_time":1657906406215000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":972,"flow_dst_tot_l4_payload_len":964,"midstream":0,"thread_ts_usec":1657906406215000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00915{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":131,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":14,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657906456047000,"flow_dst_last_pkt_time":1657906431208000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":974,"flow_dst_tot_l4_payload_len":992,"midstream":0,"thread_ts_usec":1657906456047000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00564{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":131,"source":"softether.pcap","alias":"nDPId-test","packets-captured":131,"packets-processed":130,"total-skipped-flows":0,"total-l4-payload-len":10412,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":6,"total-detection-updates":6,"total-updates":29,"current-active-flows":1,"total-active-flows":6,"total-idle-flows":5,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":81,"global_ts_usec":1657907318692000} -01841{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907318692000,"flow_dst_last_pkt_time":1657907318946000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":1657907318946000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":257000,"avg":36711136.0,"max":1566080232,"stddev":451865472.0,"var":204182401654456320.0,"ent":2.7,"data": [257000,27676000,27674000,26195000,26194000,26159000,26161000,10299000,10301000,14858000,14853000,27814000,27815000,25788000,1540291232,1566080232,18689000,18689000,5427000,5426000,27856000,27856000,26072000,26072000,26524000,26524000,24993000,24993000,25093000,862645000,887738000]},"pktlen": {"min":43,"avg":104.3,"max":522,"stddev":132.5,"var":17556.2,"ent":4.3,"data": [43,70,43,70,43,70,43,70,522,370,43,70,43,70,43,43,70,522,370,43,70,43,70,43,70,43,70,43,70,43,43,70]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02239{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":132,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907318692000,"flow_dst_last_pkt_time":1657907318946000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":1657907318946000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":257000,"avg":36711136.0,"max":1566080232,"stddev":451865472.0,"var":204182401654456320.0,"ent":2.7,"data": [257000,27676000,27674000,26195000,26194000,26159000,26161000,10299000,10301000,14858000,14853000,27814000,27815000,25788000,1540291232,1566080232,18689000,18689000,5427000,5426000,27856000,27856000,26072000,26072000,26524000,26524000,24993000,24993000,25093000,862645000,887738000]},"pktlen": {"min":29,"avg":90.3,"max":508,"stddev":132.5,"var":17556.2,"ent":4.1,"data": [29,56,29,56,29,56,29,56,508,356,29,56,29,56,29,29,56,508,356,29,56,29,56,29,56,29,56,29,56,29,29,56]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,0,1],"entropies": [4.513154984,5.059597492,4.582120895,5.059597492,4.582120895,4.988168716,4.582120895,5.059597492,5.016859055,4.526149750,4.582120895,5.059597492,4.513154984,5.010403156,4.582120895,4.582120895,5.001649380,5.023393631,4.521674156,4.582120895,5.001649380,4.582120895,5.059597492,4.513154984,5.059597492,4.582120895,5.059597492,4.582120895,5.059597492,4.582120895,4.582120895,4.988168716]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00916{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":133,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907318692000,"flow_dst_last_pkt_time":1657907318946000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":1020,"midstream":0,"thread_ts_usec":1657907318946000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00916{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":137,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":17,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907371998000,"flow_dst_last_pkt_time":1657907372252000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":977,"flow_dst_tot_l4_payload_len":1076,"midstream":0,"thread_ts_usec":1657907372252000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00916{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":141,"source":"softether.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":19,"flow_first_seen":1657762868392000,"flow_src_last_pkt_time":1657907422129000,"flow_dst_last_pkt_time":1657907422383000,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":480,"flow_dst_max_l4_payload_len":328,"flow_src_tot_l4_payload_len":979,"flow_dst_tot_l4_payload_len":1132,"midstream":0,"thread_ts_usec":1657907422383000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"130.158.6.113","src_port":51381,"dst_port":5004,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"Softether","proto_id":"290","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} @@ -103,10 +103,10 @@ ~~ total active/idle flows...: 6/6 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6049142 bytes -~~ total memory freed........: 6049142 bytes -~~ total allocations/frees...: 121720/121720 +~~ total memory allocated....: 6049958 bytes +~~ total memory freed........: 6049958 bytes +~~ total allocations/frees...: 121726/121726 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars -~~ json string max len.......: 1846 chars -~~ json string avg len.......: 1169 chars +~~ json string max len.......: 2244 chars +~~ json string avg len.......: 1368 chars diff --git a/test/results/someip-tp.pcap.out b/test/results/someip-tp.pcap.out index 4604882da..a7fef2786 100644 --- a/test/results/someip-tp.pcap.out +++ b/test/results/someip-tp.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035902 bytes -~~ total memory freed........: 6035902 bytes -~~ total allocations/frees...: 121496/121496 +~~ total memory allocated....: 6036038 bytes +~~ total memory freed........: 6036038 bytes +~~ total allocations/frees...: 121497/121497 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 2417 chars diff --git a/test/results/someip-udp-method-call.pcapng.out b/test/results/someip-udp-method-call.pcapng.out index 4459d1199..b310b22e7 100644 --- a/test/results/someip-udp-method-call.pcapng.out +++ b/test/results/someip-udp-method-call.pcapng.out @@ -18,9 +18,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037324 bytes -~~ total memory freed........: 6037324 bytes -~~ total allocations/frees...: 121499/121499 +~~ total memory allocated....: 6037596 bytes +~~ total memory freed........: 6037596 bytes +~~ total allocations/frees...: 121501/121501 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 509 chars ~~ json string max len.......: 1055 chars diff --git a/test/results/sql_injection.pcap.out b/test/results/sql_injection.pcap.out index 1cc3996a5..6c0610a27 100644 --- a/test/results/sql_injection.pcap.out +++ b/test/results/sql_injection.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036249 bytes -~~ total memory freed........: 6036249 bytes -~~ total allocations/frees...: 121499/121499 +~~ total memory allocated....: 6036385 bytes +~~ total memory freed........: 6036385 bytes +~~ total allocations/frees...: 121500/121500 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 2491 chars diff --git a/test/results/ssdp-m-search-ua.pcap.out b/test/results/ssdp-m-search-ua.pcap.out index 1fb085ec8..8f149554d 100644 --- a/test/results/ssdp-m-search-ua.pcap.out +++ b/test/results/ssdp-m-search-ua.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035765 bytes -~~ total memory freed........: 6035765 bytes -~~ total allocations/frees...: 121491/121491 +~~ total memory allocated....: 6035901 bytes +~~ total memory freed........: 6035901 bytes +~~ total allocations/frees...: 121492/121492 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 501 chars ~~ json string max len.......: 920 chars diff --git a/test/results/ssdp-m-search.pcap.out b/test/results/ssdp-m-search.pcap.out index 064e5e8fa..16a54e5f0 100644 --- a/test/results/ssdp-m-search.pcap.out +++ b/test/results/ssdp-m-search.pcap.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036164 bytes -~~ total memory freed........: 6036164 bytes -~~ total allocations/frees...: 121505/121505 +~~ total memory allocated....: 6036300 bytes +~~ total memory freed........: 6036300 bytes +~~ total allocations/frees...: 121506/121506 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 919 chars diff --git a/test/results/ssh.pcap.out b/test/results/ssh.pcap.out index c7a0e9767..da6507bbe 100644 --- a/test/results/ssh.pcap.out +++ b/test/results/ssh.pcap.out @@ -9,7 +9,7 @@ 01252{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435464768726,"flow_dst_last_pkt_time":1320435464768382,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":21,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":21,"flow_dst_tot_l4_payload_len":21,"midstream":0,"thread_ts_usec":1320435464768726,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","ssh": {"client_signature":"SSH-2.0-OpenSSH_5.3","server_signature":"SSH-2.0-OpenSSH_5.6","hassh_client":"","hassh_server":""}}} 01286{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":3,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435464769196,"flow_dst_last_pkt_time":1320435464769170,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":21,"flow_src_tot_l4_payload_len":925,"flow_dst_tot_l4_payload_len":21,"midstream":0,"thread_ts_usec":1320435464769196,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","ssh": {"client_signature":"SSH-2.0-OpenSSH_5.3","server_signature":"SSH-2.0-OpenSSH_5.6","hassh_client":"21B457A327CE7A2D4FCE5EF2C42400BD","hassh_server":""}}} 01321{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":10,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435464769196,"flow_dst_last_pkt_time":1320435464770779,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":784,"flow_src_tot_l4_payload_len":925,"flow_dst_tot_l4_payload_len":805,"midstream":0,"thread_ts_usec":1320435464770779,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess","ssh": {"client_signature":"SSH-2.0-OpenSSH_5.3","server_signature":"SSH-2.0-OpenSSH_5.6","hassh_client":"21B457A327CE7A2D4FCE5EF2C42400BD","hassh_server":"B1C6C0D56317555B85C7005A3DE29325"}}} -01964{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435472330349,"flow_dst_last_pkt_time":1320435469423179,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":784,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":1885,"midstream":0,"thread_ts_usec":1320435472330349,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":394614.2,"max":2907110,"stddev":888738.9,"var":789856780288.0,"ent":2.5,"data": [26,41,8112,8146,295,788,470,140,1469,1611,306,1791,1560,1614,14729,13069,1842,42337,40496,170,257,393,251,40593,51194,91555,2632288,2632557,1868772,1869058,2907110]},"pktlen": {"min":66,"avg":172.7,"max":970,"stddev":230.1,"var":52961.8,"ent":4.2,"data": [78,74,66,87,66,87,66,970,66,850,66,90,218,66,210,786,66,82,66,114,66,114,66,130,66,146,66,210,66,146,66,210]},"bins": {"c_to_s": [12,1,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +02363{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435472330349,"flow_dst_last_pkt_time":1320435469423179,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":784,"flow_src_tot_l4_payload_len":1509,"flow_dst_tot_l4_payload_len":1885,"midstream":0,"thread_ts_usec":1320435472330349,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":26,"avg":394614.2,"max":2907110,"stddev":888738.9,"var":789856780288.0,"ent":2.5,"data": [26,41,8112,8146,295,788,470,140,1469,1611,306,1791,1560,1614,14729,13069,1842,42337,40496,170,257,393,251,40593,51194,91555,2632288,2632557,1868772,1869058,2907110]},"pktlen": {"min":52,"avg":158.7,"max":956,"stddev":230.1,"var":52961.8,"ent":4.1,"data": [64,60,52,73,52,73,52,956,52,836,52,76,204,52,196,772,52,68,52,100,52,100,52,116,52,132,52,196,52,132,52,196]},"bins": {"c_to_s": [12,1,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0],"entropies": [4.495864868,5.031404495,4.947339535,5.395304680,4.870416641,5.379396915,4.940637589,5.147055149,4.940637589,5.183596134,4.923395157,4.404554367,6.511710644,4.985801220,6.696379662,7.508841991,4.884933472,4.511087418,4.815073490,5.981212139,4.902175903,6.028761387,4.894361019,6.251031399,4.940637589,6.350845814,4.932822704,6.810175419,4.853535175,6.303876877,4.902175426,6.814750671]},"ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 01168{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":258,"source":"ssh.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":159,"flow_dst_packets_processed":99,"flow_first_seen":1320435464760244,"flow_src_last_pkt_time":1320435713237065,"flow_dst_last_pkt_time":1320435713237024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":904,"flow_dst_max_l4_payload_len":1280,"flow_src_tot_l4_payload_len":5109,"flow_dst_tot_l4_payload_len":13389,"midstream":0,"thread_ts_usec":1320435713237065,"l3_proto":"ip4","src_ip":"172.16.238.1","dst_ip":"172.16.238.168","src_port":58395,"dst_port":22,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"18": {"risk":"SSH Obsolete Cli Vers\/Cipher","severity":"High","risk_score": {"total":500,"client":350,"server":150}},"19": {"risk":"SSH Obsolete Ser Vers\/Cipher","severity":"Medium","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"SSH","proto_id":"92","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00559{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":258,"source":"ssh.pcap","alias":"nDPId-test","packets-captured":258,"packets-processed":258,"total-skipped-flows":0,"total-l4-payload-len":18498,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":4,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":14,"global_ts_usec":1320435713237065} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -20,10 +20,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6045127 bytes -~~ total memory freed........: 6045127 bytes -~~ total allocations/frees...: 121749/121749 +~~ total memory allocated....: 6045263 bytes +~~ total memory freed........: 6045263 bytes +~~ total allocations/frees...: 121750/121750 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1969 chars -~~ json string avg len.......: 1184 chars +~~ json string max len.......: 2368 chars +~~ json string avg len.......: 1359 chars diff --git a/test/results/ssl-cert-name-mismatch.pcap.out b/test/results/ssl-cert-name-mismatch.pcap.out index 73073825c..ef1938076 100644 --- a/test/results/ssl-cert-name-mismatch.pcap.out +++ b/test/results/ssl-cert-name-mismatch.pcap.out @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046506 bytes -~~ total memory freed........: 6046506 bytes -~~ total allocations/frees...: 121517/121517 +~~ total memory allocated....: 6046642 bytes +~~ total memory freed........: 6046642 bytes +~~ total allocations/frees...: 121518/121518 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 507 chars ~~ json string max len.......: 1421 chars diff --git a/test/results/starcraft_battle.pcap.out b/test/results/starcraft_battle.pcap.out index a46c8e215..1719680be 100644 --- a/test/results/starcraft_battle.pcap.out +++ b/test/results/starcraft_battle.pcap.out @@ -73,7 +73,7 @@ 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":59,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":3,"flow_src_last_pkt_time":1437389964848564,"flow_dst_last_pkt_time":1437389964848509,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1437389964848564,"pkt":"hCYVPnXEIImEa8W6CABFAAAoFwpAAIAG68LAqAFkV\/jd\/g20AFApaAexwNDY71AQBADa8wAA"} 01219{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964848660,"flow_dst_last_pkt_time":1437389964848509,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389964848660,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"llnw.blizzard.com","http": {"url":"llnw.blizzard.com\/sc2-pod-retail\/AF11CD00\/EU\/24621.direct\/s2-36281-BA356DD57557728843CAF63A12C79AA3.mfil","code":0,"content_type":"","user_agent":"Blizzard Web Client"}}} 01374{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":62,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964848660,"flow_dst_last_pkt_time":1437389964921004,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1437389964921004,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"llnw.blizzard.com","http": {"url":"llnw.blizzard.com\/sc2-pod-retail\/AF11CD00\/EU\/24621.direct\/s2-36281-BA356DD57557728843CAF63A12C79AA3.mfil","code":200,"content_type":"application\/octet-stream","user_agent":"Blizzard Web Client"}}} -01942{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964979632,"flow_dst_last_pkt_time":1437389964979854,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":20440,"midstream":0,"thread_ts_usec":1437389964979854,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":74,"avg":12212.4,"max":72387,"stddev":23706.7,"var":562007808.0,"ent":2.8,"data": [58058,58113,96,58244,14251,72387,112,82,193,195,145,152,166,165,184,184,148,146,165,165,56805,56877,234,178,216,245,157,122,91,74,234]},"pktlen": {"min":54,"avg":699.5,"max":1514,"stddev":719.0,"var":516967.3,"ent":4.1,"data": [66,66,54,241,60,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514,54,1514]},"bins": {"c_to_s": [15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +02341{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":88,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1437389964790451,"flow_src_last_pkt_time":1437389964979632,"flow_dst_last_pkt_time":1437389964979854,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":20440,"midstream":0,"thread_ts_usec":1437389964979854,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"87.248.221.254","src_port":3508,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":74,"avg":12212.4,"max":72387,"stddev":23706.7,"var":562007808.0,"ent":2.8,"data": [58058,58113,96,58244,14251,72387,112,82,193,195,145,152,166,165,184,184,148,146,165,165,56805,56877,234,178,216,245,157,122,91,74,234]},"pktlen": {"min":40,"avg":685.5,"max":1500,"stddev":719.0,"var":516967.3,"ent":4.1,"data": [52,52,40,227,46,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500,40,1500]},"bins": {"c_to_s": [15,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.624014378,4.863714218,4.730640888,5.822455883,4.457919598,5.306115150,4.661768913,5.107864380,4.580640793,5.186793804,4.730640888,5.093457222,4.680640697,5.097416878,4.630640984,5.152558804,4.621928215,5.157567024,4.621928215,5.123836517,4.680641174,5.187242508,4.730640888,5.148094177,4.730640888,5.081175804,4.680641174,5.152382851,4.680641174,5.186464310,4.680641174,5.134456635]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":234,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1437389967432431,"flow_src_last_pkt_time":1437389967432431,"flow_dst_last_pkt_time":1437389967432431,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389967432431,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"12.129.222.54","src_port":3512,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":234,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":1,"flow_src_last_pkt_time":1437389967432431,"flow_dst_last_pkt_time":1437389967432431,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1437389967432431,"pkt":"hCYVPnXEIImEa8W6CABFAAA0U2dAAIAG+pjAqAFkDIHeNg24AFDXJA2NAAAAAIACIACvkgAAAgQFtAEDAwgBAQQC"} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":235,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1437389967432431,"flow_dst_last_pkt_time":1437389967630455,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1437389967630455,"pkt":"IImEa8W6hCYVPnXECABFAAA0AABAAC0GoQAMgd42wKgBZABQDbj6JMXG1yQNjoASFtD4xgAAAgQFtAEBBAIBAwMH"} @@ -163,7 +163,7 @@ 00528{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":335,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":2,"flow_src_last_pkt_time":1437389982269189,"flow_dst_last_pkt_time":1437389982326953,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":24,"thread_ts_usec":1437389982326953,"pkt":"IImEa8W6hCYVPnXECABFAAAsAABAADMGertQ77oVwKgBZABQDb8Q\/FwJfHOL6GASOQgOjQAAAgQFtAAA"} 00520{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":336,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1437389982327018,"flow_dst_last_pkt_time":1437389982326953,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1437389982327018,"pkt":"hCYVPnXEIImEa8W6CABFAAAoREtAAIAG6XPAqAFkUO+6FQ2\/AFB8c4voEPxcClAQ+vBkYQAA"} 01035{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":337,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1437389982269189,"flow_src_last_pkt_time":1437389982327086,"flow_dst_last_pkt_time":1437389982326953,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":200,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":200,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389982327086,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"80.239.186.21","src_port":3519,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"eu.launcher.battle.net","http": {"url":"eu.launcher.battle.net\/service\/s2\/alert\/en-gb","code":0,"content_type":"","user_agent":"Battle.net Web Client"}}} -01680{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1437389982130449,"flow_src_last_pkt_time":1437389982733601,"flow_dst_last_pkt_time":1437389982710820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":743,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":1074,"midstream":0,"thread_ts_usec":1437389982733601,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"213.248.127.130","src_port":3517,"dst_port":1119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":38178.2,"max":166321,"stddev":53269.1,"var":2837592064.0,"ent":3.6,"data": [52549,52614,94628,145687,24327,95105,95914,166321,70940,49609,160290,31197,128649,15235,41,28,25,24,29,35,25,23,24,30,27,23,28,23,22,29,22]},"pktlen": {"min":54,"avg":116.4,"max":797,"stddev":136.0,"var":18494.5,"ent":4.5,"data": [66,60,54,156,60,797,54,234,317,54,249,60,122,56,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77,77]},"bins": {"c_to_s": [23,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Starcraft","proto_id":"213","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} +02079{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":373,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1437389982130449,"flow_src_last_pkt_time":1437389982733601,"flow_dst_last_pkt_time":1437389982710820,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":743,"flow_src_tot_l4_payload_len":893,"flow_dst_tot_l4_payload_len":1074,"midstream":0,"thread_ts_usec":1437389982733601,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"213.248.127.130","src_port":3517,"dst_port":1119,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":22,"avg":38178.2,"max":166321,"stddev":53269.1,"var":2837592064.0,"ent":3.6,"data": [52549,52614,94628,145687,24327,95105,95914,166321,70940,49609,160290,31197,128649,15235,41,28,25,24,29,35,25,23,24,30,27,23,28,23,22,29,22]},"pktlen": {"min":40,"avg":102.4,"max":783,"stddev":136.0,"var":18494.5,"ent":4.3,"data": [52,46,40,142,46,783,40,220,303,40,235,46,108,42,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63,63]},"bins": {"c_to_s": [23,0,0,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.463548183,4.642490387,4.665311337,5.407479763,4.522393227,7.766187668,4.981687546,7.105029583,7.198122978,4.931687355,6.211636543,4.652828693,5.019042969,4.830181599,5.558794022,5.515064716,5.602522373,5.570774555,5.634266376,5.666012287,5.451573372,5.475538254,5.539031029,5.666014194,5.729505062,5.697759151,5.515064716,5.602520943,5.590539455,5.666013718,5.602520943,5.570777416]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Starcraft","proto_id":"213","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":377,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1437389982769377,"flow_src_last_pkt_time":1437389982769377,"flow_dst_last_pkt_time":1437389982769377,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389982769377,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"5.42.180.154","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00506{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":377,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":34,"flow_packet_id":1,"flow_src_last_pkt_time":1437389982769377,"flow_dst_last_pkt_time":1437389982769377,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":44,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":44,"pkt_l4_len":10,"thread_ts_usec":1437389982769377,"pkt":"hCYVPnXEIImEa8W6CABFAAAeGS0AAIARpdHAqAFkBSq0ms+aBF8ACqcOCQE="} 00765{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":378,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1437389982769429,"flow_src_last_pkt_time":1437389982769429,"flow_dst_last_pkt_time":1437389982769429,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389982769429,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -249,7 +249,7 @@ 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":686,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":2,"flow_src_last_pkt_time":1437389985925643,"flow_dst_last_pkt_time":1437389985962002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1437389985962002,"pkt":"IImEa8W6hCYVPnXECABFAAA0AABAADkGTmQC5C5wwKgBZABQDc1+R6dFIysb3oASOQjP5wAAAgQFtAEBBAIBAwMF"} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":687,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":51,"flow_packet_id":3,"flow_src_last_pkt_time":1437389985962022,"flow_dst_last_pkt_time":1437389985962002,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1437389985962022,"pkt":"hCYVPnXEIImEa8W6CABFAAAoLPpAAIAG2nXAqAFkAuQucA3NAFAjKxvefkenRlAQAQBIwAAA"} 01064{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":688,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1437389985925643,"flow_src_last_pkt_time":1437389985962058,"flow_dst_last_pkt_time":1437389985962002,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":146,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":146,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1437389985962058,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3533,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"bnetcmsus-a.akamaihd.net","http": {"url":"bnetcmsus-a.akamaihd.net\/cms\/bnet_header\/mf\/MFTH8TS42HKX1430183778319.jpg","code":0,"content_type":"","user_agent":"Battle.net Web Client"}}} -01706{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":791,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1437389985891466,"flow_src_last_pkt_time":1437389985995179,"flow_dst_last_pkt_time":1437389985995168,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":26280,"midstream":0,"thread_ts_usec":1437389985995179,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3527,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":65,"avg":6690.8,"max":34324,"stddev":13000.1,"var":169003376.0,"ent":2.9,"data": [32476,32510,1623,34324,1138,65,33880,153,130,283,141,278,419,213,122,339,108,139,244,139,597,734,100,131,232,130,134,265,32899,285,33184]},"pktlen": {"min":54,"avg":880.8,"max":1514,"stddev":718.4,"var":516058.3,"ent":4.4,"data": [66,66,54,203,60,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54,1514,1514,54]},"bins": {"c_to_s": [11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02105{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":791,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1437389985891466,"flow_src_last_pkt_time":1437389985995179,"flow_dst_last_pkt_time":1437389985995168,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":149,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":149,"flow_dst_tot_l4_payload_len":26280,"midstream":0,"thread_ts_usec":1437389985995179,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"2.228.46.112","src_port":3527,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":65,"avg":6690.8,"max":34324,"stddev":13000.1,"var":169003376.0,"ent":2.9,"data": [32476,32510,1623,34324,1138,65,33880,153,130,283,141,278,419,213,122,339,108,139,244,139,597,734,100,131,232,130,134,265,32899,285,33184]},"pktlen": {"min":40,"avg":866.8,"max":1500,"stddev":718.4,"var":516058.3,"ent":4.3,"data": [52,52,40,189,46,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40,1500,1500,40]},"bins": {"c_to_s": [11,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,18,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0],"entropies": [4.545560837,4.801308632,4.730640888,5.763886929,4.501398087,5.907708645,7.721281052,4.730640888,7.812506199,7.777710438,4.730640888,7.794231415,7.742146015,4.680641174,7.749040604,7.800151825,4.680641174,7.781608105,7.754264832,4.730640888,7.783253193,7.795304775,4.730640888,7.746140480,7.751955986,4.680641174,7.805341244,7.749295712,4.730640888,7.808876514,7.796334743,4.680641174]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00875{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1437389982769429,"flow_src_last_pkt_time":1437389982769429,"flow_dst_last_pkt_time":1437389982825686,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1437389985996137,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","ndpi": {"confidence": {"1":"Match by port"},"proto":"Starcraft","proto_id":"213","encrypted":0,"breed":"Fun","category_id":8,"category":"Game"}} 00766{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1437389982769429,"flow_src_last_pkt_time":1437389982769429,"flow_dst_last_pkt_time":1437389982825686,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":2,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2,"flow_dst_max_l4_payload_len":2,"flow_src_tot_l4_payload_len":2,"flow_dst_tot_l4_payload_len":2,"midstream":0,"thread_ts_usec":1437389985996137,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"62.115.246.51","src_port":53146,"dst_port":1119,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00877{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":800,"source":"starcraft_battle.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1437389961548711,"flow_src_last_pkt_time":1437389961548711,"flow_dst_last_pkt_time":1437389961598805,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1437389985996137,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"64.233.184.188","src_port":2759,"dst_port":5228,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Google","proto_id":"126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} @@ -324,10 +324,10 @@ ~~ total active/idle flows...: 52/52 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6170425 bytes -~~ total memory freed........: 6170425 bytes -~~ total allocations/frees...: 122884/122884 +~~ total memory allocated....: 6177497 bytes +~~ total memory freed........: 6177497 bytes +~~ total allocations/frees...: 122936/122936 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 202 chars -~~ json string max len.......: 1947 chars -~~ json string avg len.......: 1074 chars +~~ json string max len.......: 2346 chars +~~ json string avg len.......: 1274 chars diff --git a/test/results/steam.pcap.out b/test/results/steam.pcap.out index 3613aa449..b4a98a637 100644 --- a/test/results/steam.pcap.out +++ b/test/results/steam.pcap.out @@ -270,9 +270,9 @@ ~~ total active/idle flows...: 55/55 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6126353 bytes -~~ total memory freed........: 6126353 bytes -~~ total allocations/frees...: 122131/122131 +~~ total memory allocated....: 6133833 bytes +~~ total memory freed........: 6133833 bytes +~~ total allocations/frees...: 122186/122186 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 906 chars diff --git a/test/results/steam_datagram_relay_ping.pcapng.out b/test/results/steam_datagram_relay_ping.pcapng.out index 242a6ca8e..68eebb79c 100644 --- a/test/results/steam_datagram_relay_ping.pcapng.out +++ b/test/results/steam_datagram_relay_ping.pcapng.out @@ -14,9 +14,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035699 bytes -~~ total memory freed........: 6035699 bytes -~~ total allocations/frees...: 121489/121489 +~~ total memory allocated....: 6035835 bytes +~~ total memory freed........: 6035835 bytes +~~ total allocations/frees...: 121490/121490 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 512 chars ~~ json string max len.......: 2258 chars diff --git a/test/results/stun.pcap.out b/test/results/stun.pcap.out index bf0a40b97..da885f4c7 100644 --- a/test/results/stun.pcap.out +++ b/test/results/stun.pcap.out @@ -7,7 +7,7 @@ 00995{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938042789437,"flow_dst_last_pkt_time":1614938042793385,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":132,"midstream":0,"thread_ts_usec":1614938042793385,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"","stun": {"num_pkts":3,"num_binding_requests":4,"num_processed_pkts":3}}} 00953{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":15,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":7,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938072959021,"flow_dst_last_pkt_time":1614938072965856,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":140,"flow_dst_tot_l4_payload_len":308,"midstream":0,"thread_ts_usec":1614938072965856,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00955{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":25,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":12,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938123200754,"flow_dst_last_pkt_time":1614938123207596,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":240,"flow_dst_tot_l4_payload_len":528,"midstream":0,"thread_ts_usec":1614938123207596,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01862{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938163424247,"flow_dst_last_pkt_time":1614938163431063,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":320,"flow_dst_tot_l4_payload_len":704,"midstream":0,"thread_ts_usec":1614938163431063,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2867,"avg":9105286.0,"max":10358549,"stddev":2980037.5,"var":8880623976448.0,"ent":4.8,"data": [6861,10132226,10132257,10358549,2935,10358540,2867,10055433,10055494,10056921,10056927,10057230,10057183,10053930,10053957,10069481,10069496,10027109,10027105,10027261,10027286,10063952,10063896,10098322,10098363,10035461,10035403,10061356,10061442,10028354,10028259]},"pktlen": {"min":82,"avg":94.0,"max":106,"stddev":12.0,"var":144.0,"ent":5.0,"data": [82,106,82,106,82,82,106,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106,82,106]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02244{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938163424247,"flow_dst_last_pkt_time":1614938163431063,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":320,"flow_dst_tot_l4_payload_len":704,"midstream":0,"thread_ts_usec":1614938163431063,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2867,"avg":9105286.0,"max":10358549,"stddev":2980037.5,"var":8880623976448.0,"ent":4.8,"data": [6861,10132226,10132257,10358549,2935,10358540,2867,10055433,10055494,10056921,10056927,10057230,10057183,10053930,10053957,10069481,10069496,10027109,10027105,10027261,10027286,10063952,10063896,10098322,10098363,10035461,10035403,10061356,10061442,10028354,10028259]},"pktlen": {"min":68,"avg":80.0,"max":92,"stddev":12.0,"var":144.0,"ent":5.0,"data": [68,92,68,92,68,68,92,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92,68,92]},"bins": {"c_to_s": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.422471046,5.541838169,5.422470093,5.514770508,5.451882362,5.451882362,5.536509514,5.536509514,5.481293678,5.593521595,5.451882362,5.558248997,5.393059731,5.558248997,5.510704994,5.571783066,5.352545738,5.460210800,5.451882362,5.514770508,5.422471046,5.550043106,5.422470093,5.541838169,5.451882362,5.550043583,5.451882362,5.593522072,5.451882362,5.541838169,5.393058777,5.528304577]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00955{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":35,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":17,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938173452831,"flow_dst_last_pkt_time":1614938173459694,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":340,"flow_dst_tot_l4_payload_len":748,"midstream":0,"thread_ts_usec":1614938173459694,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00554{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":43,"source":"stun.pcap","alias":"nDPId-test","packets-captured":43,"packets-processed":42,"total-skipped-flows":0,"total-l4-payload-len":1344,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":3,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1629291451242856} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":43,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291451242856,"flow_dst_last_pkt_time":1629291451242856,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1629291451242856,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -15,7 +15,7 @@ 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1629291451242856,"flow_dst_last_pkt_time":1629291451254377,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":146,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":146,"pkt_l4_len":112,"thread_ts_usec":1629291451254377,"pkt":"mt9Y+uvcCL6sCxduCABFAACER+pAAFURmuofDVY2wKgMqZxDlOsAcMgPARMAVCESpEJBSzdRUHlQSzlldVYACQAQAAAEAXVuYXV0aG9yaXplZAAVAChiYjAzMWQ2MWNjYzFiZTgyZTI0MDE0NDM1ZWQ1MmYyNmZiYTYyNDgzABQAD3R1cm5lci5mYWNlYm9vawA="} 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":44,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291451242856,"flow_dst_last_pkt_time":1629291451254377,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":28,"flow_dst_tot_l4_payload_len":104,"midstream":0,"thread_ts_usec":1629291451254377,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.FacebookVoip","proto_id":"78.268","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"turner.facebook","stun": {"num_pkts":2,"num_binding_requests":0,"num_processed_pkts":1}}} 00675{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":45,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1629291451258494,"flow_dst_last_pkt_time":1629291451254377,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":178,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":178,"pkt_l4_len":144,"thread_ts_usec":1629291451258494,"pkt":"CL6sCxdumt9Y+uvcCABFAACkVYNAAEARojHAqAypHw1WNpTrnEMAkHyWAAMAdCESpEI1elVqTVhIdmV3K3MAGQAEEQAAAAAGABBNZjJoOUhpNWFQTVJwbEYxABQAD3R1cm5lci5mYWNlYm9vawAAFQAoYmIwMzFkNjFjY2MxYmU4MmUyNDAxNDQzNWVkNTJmMjZmYmE2MjQ4MwAIABSHhqaIN2rgJVJbblyGsNjNga5wAA=="} -01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":74,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291458067482,"flow_dst_last_pkt_time":1629291458262623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":140,"flow_dst_max_l4_payload_len":132,"flow_src_tot_l4_payload_len":2076,"flow_dst_tot_l4_payload_len":1496,"midstream":0,"thread_ts_usec":1629291458262623,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":446593.3,"max":6004359,"stddev":1462539.6,"var":2139022032896.0,"ent":1.9,"data": [11521,15638,15947,6004359,4743,5997443,4483,7520,7140,108439,344493,499169,68464,195,19689,29038,92171,23636,96419,1566,50324,48303,277,50092,3265,34,52919,437,9663,44853,232153]},"pktlen": {"min":70,"avg":153.6,"max":182,"stddev":32.1,"var":1033.4,"ent":5.0,"data": [70,146,178,118,182,182,154,182,154,86,178,178,174,182,142,86,178,142,174,142,178,174,142,178,142,174,142,182,142,86,174,174]},"bins": {"c_to_s": [1,0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,3,1,6,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.FacebookVoip","proto_id":"78.268","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02283{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":74,"source":"stun.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1629291451242856,"flow_src_last_pkt_time":1629291458067482,"flow_dst_last_pkt_time":1629291458262623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":140,"flow_dst_max_l4_payload_len":132,"flow_src_tot_l4_payload_len":2076,"flow_dst_tot_l4_payload_len":1496,"midstream":0,"thread_ts_usec":1629291458262623,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"31.13.86.54","src_port":38123,"dst_port":40003,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":34,"avg":446593.3,"max":6004359,"stddev":1462539.6,"var":2139022032896.0,"ent":1.9,"data": [11521,15638,15947,6004359,4743,5997443,4483,7520,7140,108439,344493,499169,68464,195,19689,29038,92171,23636,96419,1566,50324,48303,277,50092,3265,34,52919,437,9663,44853,232153]},"pktlen": {"min":56,"avg":139.6,"max":168,"stddev":32.1,"var":1033.4,"ent":5.0,"data": [56,132,164,104,168,168,140,168,140,72,164,164,160,168,128,72,164,128,160,128,164,160,128,164,128,160,128,168,128,72,160,160]},"bins": {"c_to_s": [1,0,0,4,12,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,3,1,6,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,1,0,0,1,0,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,1,0,1],"entropies": [4.949250221,5.629978180,5.902420998,5.787013531,5.926646233,5.987994671,5.561037540,5.822503567,5.524854183,5.646986008,5.864535809,5.979504585,5.991234303,5.944041729,5.750370979,5.532198906,5.952124596,5.921264172,5.968927860,5.858764172,5.939929485,5.964835167,5.834393978,6.016089916,5.896893978,6.048427582,5.933710575,5.919234276,5.831344128,5.608724117,6.145952225,6.009518147]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.FacebookVoip","proto_id":"78.268","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00954{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":114,"source":"stun.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":21,"flow_first_seen":1614938022295727,"flow_src_last_pkt_time":1614938213778839,"flow_dst_last_pkt_time":1614938213785682,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":924,"midstream":0,"thread_ts_usec":1629291461216501,"l3_proto":"ip6","src_ip":"3516:bf0b:fc53:75e7:70af:f67f:8e49:f603","dst_ip":"2a38:e156:8167:a333:face:b00c::24d9","src_port":56880,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":118,"source":"stun.pcap","alias":"nDPId-test","packets-captured":118,"packets-processed":117,"total-skipped-flows":0,"total-l4-payload-len":8748,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":3,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":20,"global_ts_usec":1643626018009166} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":118,"source":"stun.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1643626018009166,"flow_src_last_pkt_time":1643626018009166,"flow_dst_last_pkt_time":1643626018009166,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1643626018009166,"l3_proto":"ip4","src_ip":"87.47.100.17","dst_ip":"54.1.57.155","src_port":3478,"dst_port":37257,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -30,7 +30,7 @@ 00616{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":139,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1647958145472010,"flow_dst_last_pkt_time":1647958145494943,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":134,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":134,"pkt_l4_len":100,"thread_ts_usec":1647958145494943,"pkt":"mt9Y+uvcCL6sCxduCABFgAB4CTMAAGgRmhOO+lJjwKgMqQ2WwAEAZP2fAQEASCESpEJ3bGtZRHRGSndEMi8ABgAVVlVBazZBeTdodnVMbkxHTzp0eUd1AAAAACAACAABDpd8PUUEAAgAFMkvMxJ2ZVgNos4I+G8Cki6KP0KSgCgABEOVy9w="} 00698{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":140,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1647958145497647,"flow_dst_last_pkt_time":1647958145494943,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":195,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":195,"pkt_l4_len":161,"thread_ts_usec":1647958145497647,"pkt":"CL6sCxdumt9Y+uvcCABFAAC1XMZAAEARLsPAqAypjvpSY8ABDZYAoaIVFv7\/AAAAAAAAAAAAjAEAAIAAAAAAAAAAgP791X1ylaTuNVSstdiIoIYfSIMff5WF4WIe0fPoTt2GU88AAAAWwCvAL8ypzKjACcATwArAFACcAC8ANQEAAEAAFwAA\/wEAAQAACgAIAAYAHQAXABgACwACAQAAIwAAAA0AFAASBAMIBAQBBQMIBQUBCAYGAQIBAA4ABQACAAEA"} 00970{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":141,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958145516401,"flow_dst_last_pkt_time":1647958145494943,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":108,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":153,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":373,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1647958145516401,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":3,"num_binding_requests":2,"num_processed_pkts":3}}} -01761{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":169,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958147569135,"flow_dst_last_pkt_time":1647958147445904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1198,"flow_src_tot_l4_payload_len":2034,"flow_dst_tot_l4_payload_len":2806,"midstream":0,"thread_ts_usec":1647958147569135,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10,"avg":131323.2,"max":835905,"stddev":227053.5,"var":51553292288.0,"ent":3.4,"data": [22933,25637,18754,26966,8994,16545,8218,21,95990,9415,96088,13935,9667,14034,28,10,28365,12045,233249,17389,835905,625348,352669,699812,203670,550729,72132,9045,20632,28113,14681]},"pktlen": {"min":76,"avg":193.2,"max":1240,"stddev":221.3,"var":48965.1,"ent":4.5,"data": [150,134,195,154,1240,588,134,123,612,123,154,159,175,134,155,107,111,107,127,76,107,154,134,76,124,154,134,108,108,109,109,109]},"bins": {"c_to_s": [0,0,9,5,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02151{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":169,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958147569135,"flow_dst_last_pkt_time":1647958147445904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1198,"flow_src_tot_l4_payload_len":2034,"flow_dst_tot_l4_payload_len":2806,"midstream":0,"thread_ts_usec":1647958147569135,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10,"avg":131323.2,"max":835905,"stddev":227053.5,"var":51553292288.0,"ent":3.4,"data": [22933,25637,18754,26966,8994,16545,8218,21,95990,9415,96088,13935,9667,14034,28,10,28365,12045,233249,17389,835905,625348,352669,699812,203670,550729,72132,9045,20632,28113,14681]},"pktlen": {"min":62,"avg":179.2,"max":1226,"stddev":221.3,"var":48965.1,"ent":4.4,"data": [136,120,181,140,1226,574,120,109,598,109,140,145,161,120,141,93,97,93,113,62,93,140,120,62,110,140,120,94,94,95,95,95]},"bins": {"c_to_s": [0,0,9,5,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,9,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,1,1,1,0,0,1,0,1,1,1,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,0],"entropies": [5.892770290,5.917269707,5.007872105,5.887039185,7.338845253,6.721559048,5.830899239,5.701940536,7.409162045,5.674040794,6.041372776,6.178256989,6.436406612,5.927646160,6.099106312,5.359262466,5.425189495,5.590319157,5.866630077,5.268241882,5.246464729,5.907410622,5.825631142,5.235982895,6.120714188,5.927108288,5.950603008,6.068934917,6.005105495,5.939156055,6.060311317,5.943433762]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":170,"source":"stun.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":15,"flow_first_seen":1647958145472010,"flow_src_last_pkt_time":1647958147591534,"flow_dst_last_pkt_time":1647958147445904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":65,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":546,"flow_dst_max_l4_payload_len":1198,"flow_src_tot_l4_payload_len":2100,"flow_dst_tot_l4_payload_len":2806,"midstream":0,"thread_ts_usec":1647958147591534,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"142.250.82.99","src_port":49153,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00905{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":170,"source":"stun.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":11,"flow_first_seen":1643626018009166,"flow_src_last_pkt_time":1643626018957379,"flow_dst_last_pkt_time":1643626018908035,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":168,"flow_dst_max_l4_payload_len":288,"flow_src_tot_l4_payload_len":892,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1647958147591534,"l3_proto":"ip4","src_ip":"87.47.100.17","dst_ip":"54.1.57.155","src_port":3478,"dst_port":37257,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN","proto_id":"78","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00560{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":170,"source":"stun.pcap","alias":"nDPId-test","packets-captured":170,"packets-processed":170,"total-skipped-flows":0,"total-l4-payload-len":15998,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":3,"current-active-flows":0,"total-active-flows":4,"total-idle-flows":4,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":36,"global_ts_usec":1647958147591534} @@ -42,10 +42,10 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6055723 bytes -~~ total memory freed........: 6055723 bytes -~~ total allocations/frees...: 121690/121690 +~~ total memory allocated....: 6056267 bytes +~~ total memory freed........: 6056267 bytes +~~ total allocations/frees...: 121694/121694 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1889 chars -~~ json string avg len.......: 1188 chars +~~ json string max len.......: 2288 chars +~~ json string avg len.......: 1387 chars diff --git a/test/results/stun_signal.pcapng.out b/test/results/stun_signal.pcapng.out index 3618d7b74..abf313641 100644 --- a/test/results/stun_signal.pcapng.out +++ b/test/results/stun_signal.pcapng.out @@ -67,11 +67,11 @@ 00590{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":100,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1636901958294242,"flow_dst_last_pkt_time":1636901958378136,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":1636901958378136,"pkt":"mt9Y+uvcCL6sCxduCABFSABcrnFAAAMRZTQSw4OPwKgMqe7kqDwASOO3AQEALCESpEJyRHdyaGtEci8vOWUAIAAIAAEPmHw9RVEACAAUZTe+q2TI1x26\/6LLBdUUDVZaZoOAKAAEsQfEQQ=="} 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":101,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1636901958294242,"flow_dst_last_pkt_time":1636901958378173,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1636901958378173,"pkt":"mt9Y+uvcCL6sCxduCABFSAB8rnJAAAMRZRMSw4OPwKgMqe7kqDwAaODiAAEATCESpEJ2dFg5dWZIQUdCakMABgAJbU53cTpXSnN1AAAAwFcABAADA4SAKQAIQYCdgvFBqWUAJAAEbn8g\/wAIABSzQMYtF7YKfV2BCR2ZgRKFjKrZ7YAoAASRLc2k"} 01106{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":101,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":2,"flow_first_seen":1636901958294242,"flow_src_last_pkt_time":1636901958294242,"flow_dst_last_pkt_time":1636901958378173,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":160,"midstream":0,"thread_ts_usec":1636901958378173,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","stun": {"num_pkts":3,"num_binding_requests":2,"num_processed_pkts":3}}} -01880{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636901958294242,"flow_src_last_pkt_time":1636901960601813,"flow_dst_last_pkt_time":1636901960620966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":1012,"midstream":0,"thread_ts_usec":1636901960620966,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":149493.4,"max":679364,"stddev":200828.1,"var":40331911168.0,"ent":3.9,"data": [83894,37,92476,7793,46066,91419,25,37867,39955,9097,41868,367689,125,441001,43,600796,610250,117949,49918,49758,64212,212886,679364,8747,45,503798,102888,200994,101814,9344,62177]},"pktlen": {"min":70,"avg":105.9,"max":146,"stddev":24.9,"var":621.5,"ent":5.0,"data": [138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,98,98,138,106,70,98,70,70,70,138,106,98,70,98]},"bins": {"c_to_s": [4,3,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,4,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,1,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02269{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":150,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636901958294242,"flow_src_last_pkt_time":1636901960601813,"flow_dst_last_pkt_time":1636901960620966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":1012,"midstream":0,"thread_ts_usec":1636901960620966,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":43068,"dst_port":61156,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":149493.4,"max":679364,"stddev":200828.1,"var":40331911168.0,"ent":3.9,"data": [83894,37,92476,7793,46066,91419,25,37867,39955,9097,41868,367689,125,441001,43,600796,610250,117949,49918,49758,64212,212886,679364,8747,45,503798,102888,200994,101814,9344,62177]},"pktlen": {"min":56,"avg":91.9,"max":132,"stddev":24.9,"var":621.5,"ent":4.9,"data": [124,92,124,92,132,132,92,124,92,92,124,92,84,56,84,56,124,92,84,84,124,92,56,84,56,56,56,124,92,84,56,84]},"bins": {"c_to_s": [4,3,4,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,4,5,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,0,1,1,0,0,1,1,1,0,0,1,0,0,1],"entropies": [5.768973827,5.811776161,5.931350708,5.819116592,5.739065170,5.636717796,5.871664047,5.907987118,5.819117546,5.781831741,5.903046608,5.775639534,5.668575764,5.083614826,5.811898232,5.271638393,5.861793995,5.810910702,5.781786919,5.698687553,5.893005371,5.819117069,5.083614826,5.770115376,5.235924244,5.200210571,5.083615780,5.835623741,5.811777115,5.606133938,5.119328976,5.779102325]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00888{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":201,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":2,"flow_first_seen":1636901936083692,"flow_src_last_pkt_time":1636901964741654,"flow_dst_last_pkt_time":1636901940925734,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":56,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1636901966826937,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01106{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":208,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1636901956900169,"flow_src_last_pkt_time":1636901967279945,"flow_dst_last_pkt_time":1636901957525218,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":60,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":1636901967279945,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":43068,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","stun": {"num_pkts":2,"num_binding_requests":2,"num_processed_pkts":2}}} 01112{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":215,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1636901956921410,"flow_src_last_pkt_time":1636901967553880,"flow_dst_last_pkt_time":1636901967684533,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":96,"midstream":0,"thread_ts_usec":1636901967684533,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":39950,"dst_port":19302,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.GoogleHangoutDuo","proto_id":"78.201","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":3,"num_binding_requests":4,"num_processed_pkts":3}}} -01705{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":30,"flow_dst_packets_processed":2,"flow_first_seen":1636901936083692,"flow_src_last_pkt_time":1636901980739508,"flow_dst_last_pkt_time":1636901940925734,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":56,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":1760,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1636901980739508,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":1596705.0,"max":17079364,"stddev":3547473.5,"var":12584568750080.0,"ent":2.8,"data": [4084,63003,42,180775,3510,1499231,2002773,15,4841966,76,17079364,30045,28084,9989,178591,30710,1472432,2000483,30998,3968781,29896,37348,7808,7927339,28492,35381,6539,7931223,29238,34577,5065]},"pktlen": {"min":90,"avg":95.5,"max":138,"stddev":11.6,"var":133.8,"ent":5.0,"data": [90,90,98,98,90,90,90,90,90,138,138,90,90,98,98,90,90,90,90,90,90,90,98,98,90,90,98,98,90,90,98,98]},"bins": {"c_to_s": [0,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02104{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":278,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":30,"flow_dst_packets_processed":2,"flow_first_seen":1636901936083692,"flow_src_last_pkt_time":1636901980739508,"flow_dst_last_pkt_time":1636901940925734,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":56,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":64,"flow_dst_max_l4_payload_len":104,"flow_src_tot_l4_payload_len":1760,"flow_dst_tot_l4_payload_len":208,"midstream":0,"thread_ts_usec":1636901980739508,"l3_proto":"ip4","src_ip":"35.158.183.167","dst_ip":"192.168.12.169","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":1596705.0,"max":17079364,"stddev":3547473.5,"var":12584568750080.0,"ent":2.8,"data": [4084,63003,42,180775,3510,1499231,2002773,15,4841966,76,17079364,30045,28084,9989,178591,30710,1472432,2000483,30998,3968781,29896,37348,7808,7927339,28492,35381,6539,7931223,29238,34577,5065]},"pktlen": {"min":76,"avg":81.5,"max":124,"stddev":11.6,"var":133.8,"ent":5.0,"data": [76,76,84,84,76,76,76,76,76,124,124,76,76,84,84,76,76,76,76,76,76,76,84,84,76,76,84,84,76,76,84,84]},"bins": {"c_to_s": [0,20,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [5.045846939,5.151109695,5.089153290,5.017724991,5.072162628,5.124794006,5.045846939,5.035913944,5.088545322,5.533661366,5.689179420,4.953483582,4.999665260,4.975942135,4.999751568,4.937100887,4.999665260,5.025980949,5.025980949,4.999665260,4.989732265,4.983282089,4.999751568,4.975942135,5.025980949,5.062229633,5.056357384,5.008738518,4.999665260,5.035913944,5.008738041,5.056357384]},"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01058{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":0,"flow_first_seen":1636901936065479,"flow_src_last_pkt_time":1636901939886818,"flow_dst_last_pkt_time":1636901936065479,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":240,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1636901987911616,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":47204,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00773{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1636901936040699,"flow_src_last_pkt_time":1636901936292790,"flow_dst_last_pkt_time":1636901936667023,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":1636901987911616,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":47204,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 01058{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":289,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":0,"flow_first_seen":1636901936070410,"flow_src_last_pkt_time":1636901939887803,"flow_dst_last_pkt_time":1636901936070410,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":240,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1636901987911616,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39518,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} @@ -123,7 +123,7 @@ 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":346,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1636902000024715,"flow_dst_last_pkt_time":1636902000107063,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1636902000107063,"pkt":"mt9Y+uvcCL6sCxduCABFSAB8w7NAAAYRTNISw4OPwKgMqdMmupcAaK01AAEATCESpEJBbDNpSTF1eStSR1UABgAJN2tzczoxRVpzAAAAwFcABAAAA+eAKQAIiflXHs5q0dMAJAAEbgAg\/wAIABQSmjpLVWLcQ98KImy+h9G3RC6S1IAoAATBitk4"} 00591{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_src_last_pkt_time":1636902000073738,"flow_dst_last_pkt_time":1636902000142220,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":106,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":106,"pkt_l4_len":72,"thread_ts_usec":1636902000142220,"pkt":"mt9Y+uvcCL6sCxduCABFAABcw7ZAAAYRTTcSw4OPwKgMqfA6upcASKsWAQEALCESpEI3OHB2NXh3VHhSY2IAIAAIAAEPjnw9RVEACAAUJEyhW79\/NO7EtgfmN47ncd2\/SCyAKAAE6dNIHg=="} 00631{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1636902000073738,"flow_dst_last_pkt_time":1636902000142270,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1636902000142270,"pkt":"mt9Y+uvcCL6sCxduCABFAAB8w7dAAAYRTRYSw4OPwKgMqfA6upcAaP5PAAEATCESpEIwbFM2UjdmdjFzOTMABgAJN2tzczoxRVpzAAAAwFcABAADA4SAKQAIiflXHs5q0dMAJAAEbn8g\/wAIABT+u0FmMYg2qxKb1bY78Qe06uM1KoAoAAQrkPMA"} -01886{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":393,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636902000073738,"flow_src_last_pkt_time":1636902002442030,"flow_dst_last_pkt_time":1636902002440493,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1068,"flow_dst_tot_l4_payload_len":1052,"midstream":0,"thread_ts_usec":1636902002442030,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":61498,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":152743.5,"max":665020,"stddev":189167.3,"var":35784253440.0,"ent":4.0,"data": [68482,50,70303,29273,44732,113365,45,43187,26522,8477,31033,313588,306,410657,43,665020,630540,122450,190474,61616,378076,7868,325508,42160,76005,424878,96788,5410,434339,47676,66176]},"pktlen": {"min":70,"avg":108.2,"max":146,"stddev":24.6,"var":605.9,"ent":5.0,"data": [138,106,138,106,146,146,106,138,106,106,138,106,98,70,98,70,138,106,138,106,98,98,70,70,70,98,138,98,70,106,138,106]},"bins": {"c_to_s": [3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,1,0,0,1,1,0,1,1,0,0,0,1,1,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02274{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":393,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1636902000073738,"flow_src_last_pkt_time":1636902002442030,"flow_dst_last_pkt_time":1636902002440493,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":28,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":104,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":1068,"flow_dst_tot_l4_payload_len":1052,"midstream":0,"thread_ts_usec":1636902002442030,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"18.195.131.143","src_port":47767,"dst_port":61498,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":43,"avg":152743.5,"max":665020,"stddev":189167.3,"var":35784253440.0,"ent":4.0,"data": [68482,50,70303,29273,44732,113365,45,43187,26522,8477,31033,313588,306,410657,43,665020,630540,122450,190474,61616,378076,7868,325508,42160,76005,424878,96788,5410,434339,47676,66176]},"pktlen": {"min":56,"avg":94.2,"max":132,"stddev":24.6,"var":605.9,"ent":4.9,"data": [124,92,124,92,132,132,92,124,92,92,124,92,84,56,84,56,124,92,124,92,84,84,56,56,56,84,124,84,56,92,124,92]},"bins": {"c_to_s": [3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,5,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,1,1,0,0,0,1,1,0,1,1,0,0,1,1,0,1,1,0,0,0,1,1,0],"entropies": [5.861794472,5.759229183,5.867881298,5.702216148,5.875429153,5.754216671,5.819118500,5.958508492,5.832649708,5.805582047,5.875729084,5.797377586,5.796609879,5.155043602,5.748991013,5.105850220,5.758409977,5.819116116,5.891858101,5.702215672,5.716967583,5.862202168,5.155044079,5.141563416,5.119328976,5.772800446,5.887964725,5.772800446,5.119329453,5.783843040,5.817300797,5.830357552]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00933{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":423,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":11,"flow_dst_packets_processed":11,"flow_first_seen":1636901956930390,"flow_src_last_pkt_time":1636901987891969,"flow_dst_last_pkt_time":1636901987908068,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":820,"flow_dst_tot_l4_payload_len":828,"midstream":0,"thread_ts_usec":1636902006440608,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":39950,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.SignalVoip","proto_id":"78.269","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01058{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":423,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":0,"flow_first_seen":1636901956899977,"flow_src_last_pkt_time":1636901980718780,"flow_dst_last_pkt_time":1636901956899977,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":28,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":384,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1636902006440608,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"35.158.183.167","src_port":43068,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 01064{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":423,"source":"stun_signal.pcapng","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1636901956900169,"flow_src_last_pkt_time":1636901977907336,"flow_dst_last_pkt_time":1636901978278487,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":20,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":192,"midstream":0,"thread_ts_usec":1636902006440608,"l3_proto":"ip4","src_ip":"192.168.12.169","dst_ip":"172.253.121.127","src_port":43068,"dst_port":19302,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.AmazonAWS","proto_id":"78.265","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -165,10 +165,10 @@ ~~ total active/idle flows...: 23/23 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6093073 bytes -~~ total memory freed........: 6093073 bytes -~~ total allocations/frees...: 122175/122175 +~~ total memory allocated....: 6096201 bytes +~~ total memory freed........: 6096201 bytes +~~ total allocations/frees...: 122198/122198 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars -~~ json string max len.......: 1891 chars -~~ json string avg len.......: 1193 chars +~~ json string max len.......: 2279 chars +~~ json string avg len.......: 1387 chars diff --git a/test/results/syncthing.pcap.out b/test/results/syncthing.pcap.out index 22f282fd6..2be5e4200 100644 --- a/test/results/syncthing.pcap.out +++ b/test/results/syncthing.pcap.out @@ -42,9 +42,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6041387 bytes -~~ total memory freed........: 6041387 bytes -~~ total allocations/frees...: 121547/121547 +~~ total memory allocated....: 6041931 bytes +~~ total memory freed........: 6041931 bytes +~~ total allocations/frees...: 121551/121551 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 1160 chars diff --git a/test/results/synscan.pcap.out b/test/results/synscan.pcap.out index 9f0f256c4..06ba24ae9 100644 --- a/test/results/synscan.pcap.out +++ b/test/results/synscan.pcap.out @@ -7996,9 +7996,9 @@ ~~ total active/idle flows...: 1994/1994 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 9330612 bytes -~~ total memory freed........: 9330612 bytes -~~ total allocations/frees...: 143430/143430 +~~ total memory allocated....: 9601796 bytes +~~ total memory freed........: 9601796 bytes +~~ total allocations/frees...: 145424/145424 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 1042 chars diff --git a/test/results/syslog.pcap.out b/test/results/syslog.pcap.out index 3dd1a45ee..ead301672 100644 --- a/test/results/syslog.pcap.out +++ b/test/results/syslog.pcap.out @@ -142,9 +142,9 @@ ~~ total active/idle flows...: 19/19 ~~ total timeout flows.......: 2 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6069669 bytes -~~ total memory freed........: 6069669 bytes -~~ total allocations/frees...: 121763/121763 +~~ total memory allocated....: 6072253 bytes +~~ total memory freed........: 6072253 bytes +~~ total allocations/frees...: 121782/121782 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 184 chars ~~ json string max len.......: 2202 chars diff --git a/test/results/targusdataspeed_false_positives.pcap.out b/test/results/targusdataspeed_false_positives.pcap.out index 1b805f742..af8232eb7 100644 --- a/test/results/targusdataspeed_false_positives.pcap.out +++ b/test/results/targusdataspeed_false_positives.pcap.out @@ -18,9 +18,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6299621 bytes -~~ total memory freed........: 6299621 bytes -~~ total allocations/frees...: 121505/121505 +~~ total memory allocated....: 6299893 bytes +~~ total memory freed........: 6299893 bytes +~~ total allocations/frees...: 121507/121507 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 516 chars ~~ json string max len.......: 1019 chars diff --git a/test/results/teams.pcap.out b/test/results/teams.pcap.out index dbe0d9acc..081218874 100644 --- a/test/results/teams.pcap.out +++ b/test/results/teams.pcap.out @@ -34,7 +34,7 @@ 01058{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":18,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676449862,"flow_dst_last_pkt_time":1587041676448366,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676449862,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01380{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":26,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676464401,"flow_dst_last_pkt_time":1587041676464459,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":6025,"midstream":0,"thread_ts_usec":1587041676464459,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}} 01177{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":37,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676499766,"flow_dst_last_pkt_time":1587041676405623,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676499766,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} -01545{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6449.2,"max":29755,"stddev":8827.8,"var":77930416.0,"ent":3.7,"data": [12466,12563,1399,13862,1628,233,14289,254,250,114,2,99,4851,16541,1120,12847,339,301,11408,365,232,23032,26,11077,443,29285,29755,471,122,15,537]},"pktlen": {"min":54,"avg":407.9,"max":1506,"stddev":548.1,"var":300365.6,"ent":3.9,"data": [78,66,54,264,60,1506,1506,54,1506,54,1506,271,54,212,60,380,54,123,54,147,92,312,92,60,54,60,570,54,1506,1506,685,54]},"bins": {"c_to_s": [10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0]}} +01944{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":47,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":6449.2,"max":29755,"stddev":8827.8,"var":77930416.0,"ent":3.7,"data": [12466,12563,1399,13862,1628,233,14289,254,250,114,2,99,4851,16541,1120,12847,339,301,11408,365,232,23032,26,11077,443,29285,29755,471,122,15,537]},"pktlen": {"min":40,"avg":393.9,"max":1492,"stddev":548.1,"var":300365.6,"ent":3.9,"data": [64,52,40,250,46,1492,1492,40,1492,40,1492,257,40,198,46,366,40,109,40,133,78,298,78,46,40,46,556,40,1492,1492,671,40]},"bins": {"c_to_s": [10,1,1,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,0,0,0,0,1,1,0,1,1,0,1,1,1,0],"entropies": [4.365527153,4.946223736,4.521928787,5.447622776,4.609350681,7.356091499,7.445232391,4.680641174,7.544306755,4.571928501,7.621133804,7.081102371,4.630641460,6.624766827,4.609350681,7.169972897,4.680641174,6.030838013,4.630641460,6.150182247,5.105917454,7.025798798,5.428217888,4.565872192,4.680641174,4.565872192,7.556540489,4.680641174,7.827769756,7.840335846,7.703694820,4.680641174]}} 01383{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":47,"source":"teams.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041676435900,"flow_src_last_pkt_time":1587041676535873,"flow_dst_last_pkt_time":1587041676535853,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":258,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":757,"flow_dst_tot_l4_payload_len":10509,"midstream":0,"thread_ts_usec":1587041676535873,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60533,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}} 01709{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":59,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676545644,"flow_dst_last_pkt_time":1587041676545713,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041676545713,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":64,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041676611249} @@ -45,7 +45,7 @@ 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":67,"source":"teams.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1587041676642755,"flow_dst_last_pkt_time":1587041676642642,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041676642755,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGR5PAqAEGKH4JBex2AbukS07qokMa3IAQEAn5EwAAAQEICjCEmIFVAL3h"} 01109{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":68,"source":"teams.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041676612882,"flow_src_last_pkt_time":1587041676643404,"flow_dst_last_pkt_time":1587041676642642,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":246,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041676643404,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.5","src_port":60534,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"login.microsoftonline.com","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01123{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"teams.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041676612882,"flow_src_last_pkt_time":1587041676643404,"flow_dst_last_pkt_time":1587041676675374,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":246,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":246,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041676675374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"40.126.9.5","src_port":60534,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"login.microsoftonline.com","tls": {"version":"TLSv1.2","ja3":"a69708a64f853c3bcc214c2c5faf84f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} -01561{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":32055.5,"max":221245,"stddev":54144.2,"var":2931591680.0,"ent":3.4,"data": [43237,43341,94039,139750,215,45878,125,102,1406,46781,45438,177198,6,1,221245,44042,6,2,2,21255,21237,4,23005,23005,5,2,3,1223,1159,4,3]},"pktlen": {"min":66,"avg":921.9,"max":1506,"stddev":687.5,"var":472618.5,"ent":4.5,"data": [78,74,66,240,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494]},"bins": {"c_to_s": [5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0]}} +01960{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":109,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":32055.5,"max":221245,"stddev":54144.2,"var":2931591680.0,"ent":3.4,"data": [43237,43341,94039,139750,215,45878,125,102,1406,46781,45438,177198,6,1,221245,44042,6,2,2,21255,21237,4,23005,23005,5,2,3,1223,1159,4,3]},"pktlen": {"min":52,"avg":907.9,"max":1492,"stddev":687.5,"var":472618.5,"ent":4.4,"data": [64,60,52,226,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480]},"bins": {"c_to_s": [5,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0],"s_to_c": [5,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0,0,0],"entropies": [4.428027153,5.210652828,4.884933472,5.556665897,7.283374786,7.268235207,4.923395157,7.674625397,4.884933472,5.901349068,5.537203789,4.923394680,7.865010738,7.865353107,7.863998413,5.116508007,7.872262955,7.872727394,7.850155830,7.872891426,5.101991177,7.883207798,7.861774921,5.078046322,7.883695126,7.860937595,7.861885548,7.869150639,5.092563629,7.862890244,7.881820202,7.880939960]}} 01714{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":109,"source":"teams.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1587041676362386,"flow_src_last_pkt_time":1587041676859269,"flow_dst_last_pkt_time":1587041676859222,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":23115,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041676859269,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60532,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":153,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677042751,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041677042751,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00542{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":153,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1587041677042751,"flow_dst_last_pkt_time":1587041677042751,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041677042751,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG93bAqAEGNHJNIex3AbvbPWM6AAAAALAC\/\/\/8iwAAAgQFtAEDAwUBAQgKMISaAAAAAAAEAgAA"} @@ -58,8 +58,8 @@ 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":177,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1587041677255227,"flow_dst_last_pkt_time":1587041677255126,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1587041677255227,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGgizAqAEGNHHChOx4Abt\/TkvWpItVFFAQIAAkOAAA"} 01059{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":178,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677255452,"flow_dst_last_pkt_time":1587041677255126,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":214,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":214,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041677255452,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01381{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":186,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":7,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677269406,"flow_dst_last_pkt_time":1587041677269476,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":214,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":214,"flow_dst_tot_l4_payload_len":6025,"midstream":0,"thread_ts_usec":1587041677269476,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}} -01839{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":216,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677328754,"flow_dst_last_pkt_time":1587041677327352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":15383,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041677328754,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":18406.6,"max":49836,"stddev":21194.3,"var":449200096.0,"ent":3.9,"data": [45263,45409,339,49216,21,48838,224,177,1271,46526,45316,1920,4,2,47729,45783,4,2,3,37748,37711,4,8018,8058,5,734,37027,7756,4339,49836,1321]},"pktlen": {"min":66,"avg":694.6,"max":1506,"stddev":673.1,"var":453031.8,"ent":4.2,"data": [78,74,66,272,1506,1389,78,1506,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,839,66,66,66,511,66,97]},"bins": {"c_to_s": [7,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} -01538{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":219,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677297348,"flow_dst_last_pkt_time":1587041677349666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3034,"flow_dst_tot_l4_payload_len":8925,"midstream":0,"thread_ts_usec":1587041677349666,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":5148.5,"max":50397,"stddev":9740.5,"var":94877928.0,"ent":3.3,"data": [11421,11522,225,11256,2751,92,13830,124,124,124,3,141,4803,15532,11803,1342,15,233,10,306,235,4,56,10886,31,10351,1699,244,14,50397,30]},"pktlen": {"min":54,"avg":430.0,"max":1506,"stddev":569.7,"var":324516.5,"ent":3.9,"data": [78,66,54,268,60,1506,1506,54,1506,54,1506,271,54,212,60,147,380,123,54,54,92,1494,1061,138,60,92,54,60,60,60,1506,1069]},"bins": {"c_to_s": [8,1,2,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [7,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,0,0,0,0,1,1,0,1,1,1,1,1]}} +02238{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":216,"source":"teams.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041677042751,"flow_src_last_pkt_time":1587041677328754,"flow_dst_last_pkt_time":1587041677327352,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":15383,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041677328754,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60535,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":18406.6,"max":49836,"stddev":21194.3,"var":449200096.0,"ent":3.9,"data": [45263,45409,339,49216,21,48838,224,177,1271,46526,45316,1920,4,2,47729,45783,4,2,3,37748,37711,4,8018,8058,5,734,37027,7756,4339,49836,1321]},"pktlen": {"min":52,"avg":680.6,"max":1492,"stddev":673.1,"var":453031.8,"ent":4.2,"data": [64,60,52,258,1492,1375,64,1492,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,825,52,52,52,497,52,83]},"bins": {"c_to_s": [7,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,1,1,1,1,0,0],"entropies": [4.340968132,5.220872402,4.976373672,5.983667850,7.275708199,7.688739777,5.052015305,7.275113583,4.976373672,6.006431580,5.733948708,5.053297043,7.842315674,7.876612663,7.858495712,5.246409416,7.872724533,7.868679523,7.873967648,7.874578953,5.207947731,7.865746021,7.852710724,5.169486046,7.855942726,7.767035484,5.116507530,5.169486046,5.207947731,7.497245789,4.961856842,5.338891983]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} +01937{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":219,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677297348,"flow_dst_last_pkt_time":1587041677349666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3034,"flow_dst_tot_l4_payload_len":8925,"midstream":0,"thread_ts_usec":1587041677349666,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":5148.5,"max":50397,"stddev":9740.5,"var":94877928.0,"ent":3.3,"data": [11421,11522,225,11256,2751,92,13830,124,124,124,3,141,4803,15532,11803,1342,15,233,10,306,235,4,56,10886,31,10351,1699,244,14,50397,30]},"pktlen": {"min":40,"avg":416.0,"max":1492,"stddev":569.7,"var":324516.5,"ent":3.8,"data": [64,52,40,254,46,1492,1492,40,1492,40,1492,257,40,198,46,133,366,109,40,40,78,1480,1047,124,46,78,40,46,46,46,1492,1055]},"bins": {"c_to_s": [8,1,2,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [7,1,1,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,0,0,0,0,1,1,0,1,1,1,1,1],"entropies": [4.396777153,4.893245220,4.571928501,5.470339298,4.549461365,7.348021507,7.445699215,4.680641174,7.531925678,4.571928501,7.607865810,7.056878567,4.680641174,6.474961758,4.505983353,6.083388805,7.209881783,5.879484177,4.680641174,4.630641460,5.102818012,7.881052494,7.824805737,6.119441986,4.457919598,5.412868977,4.630641460,4.565872192,4.565871716,4.522393703,7.843515396,7.832207680]}} 01385{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":219,"source":"teams.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041677243705,"flow_src_last_pkt_time":1587041677297348,"flow_dst_last_pkt_time":1587041677349666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3034,"flow_dst_tot_l4_payload_len":8925,"midstream":0,"thread_ts_usec":1587041677349666,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60536,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"teams.microsoft.com","ja3":"74d5fa154a7fc0a7c655d8eaa34b89bf","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"68:1E:E8:3C:83:70:6F:E3:86:F4:E8:8C:C4:E6:A0:9A:3E:E0:9C:0E"}}} 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":403,"source":"teams.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1587041677380886,"flow_dst_last_pkt_time":1587041673094451,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1587041677380886,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGPCzAqAEGlZqnW+SlAbsZTPC8DAoX91AUECaMmwAA"} 00187{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":607,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041677408485} @@ -191,7 +191,7 @@ 01068{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1212,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041682744658,"flow_dst_last_pkt_time":1587041682744342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":219,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":219,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682744658,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"presence.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01348{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1213,"source":"teams.pcap","alias":"nDPId-test","flow_id":29,"flow_packet_id":3,"flow_src_last_pkt_time":1587041682740607,"flow_dst_last_pkt_time":1587041682745381,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":665,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":665,"pkt_l4_len":631,"thread_ts_usec":1587041682745381,"pkt":"EBMx8Tl2KDc3AG3ICABFAAKLAABAAEAGwL7AqAEGon0Tg+u4AbuLprsOEqsiiIAYEAA0LgAAAQEICjCEr+ORzaKrFwMDAlK2BaXSajSAVWEKj3frXxijYpT3GD2Cuos6bxaeeEb0O6UJhzmzPZI\/SWy+fgBnTfneCwusduYkx4s3F4xCn2MY3DEvpr\/P48ATzKlJ++OHqI7OI3KpokJ1bF8YwJjJpFyWkPT0\/gdDA2C0thwexYlLgVCHe4dECfAKO3ai6a9AkpIGftSCmWnSsB7\/GodcDd1wDIWHn+mS6A9bTO\/2sRCfLQjmwaqnM\/0Kd1DorrQMm9TT6\/w11NzOyGJGqVRWfthWKCJ2r5CEFaogXR64MxPpr2FM6spcuDUY4C3Hc53Q7uc97BndljPBEgsGGu2WIs1hpBKyBrbp4cakeWFrgRHILDge\/JLjoB\/we0ie6rPfHdzAzbH+CVHboc7ECVvIV6N2Rd\/z5fI6cJ5y1i\/CGpe9JS\/DjF+npNlL3gVvBs3y7VpT4ziTRBRlbzG6hzfaYWVE\/I1GNwloup0kRP0\/\/fFg59buQBmTxdHJsfm4laPDQEGg2\/E9TD5wbcmagME1tYB8Z6HaDDAe1MbrBXtLSM8VMS0ZeI23LZfgw6dIscXGQh+EZCVohYQ2K\/dCOtZqYIGlXsZd11O+bX\/KPVaVnsGCQqimWVbYkJXTdkE5fdL4ibwUdj8vI7+8IXUv8oArxAdVEWB2+pth6d9Zti7C4SxMlmajA50jkJHElO8G4w6Wzb86qkyK4WbkuYLazUSRxEvrQrVtZjtDDcEAhbB3i\/CCiXoyK9403MAI7UV+NXn0+Iqmacnoi+GSVKkccDjbrlFQ3qxHSBpnh\/Zt22FSB4TV4eA="} 01082{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1228,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041682744658,"flow_dst_last_pkt_time":1587041682792228,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":219,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":219,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1587041682792228,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"presence.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} -01561{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1244,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":27969.4,"max":152917,"stddev":40324.3,"var":1626047232.0,"ent":3.6,"data": [50532,50647,291,64604,72036,210,136507,124,96,1421,68048,86231,152917,2268,6,3,46387,44112,4,2,3,23630,23615,4,20861,20866,7,7,3,845,765]},"pktlen": {"min":66,"avg":833.7,"max":1506,"stddev":699.2,"var":488828.9,"ent":4.4,"data": [78,74,66,272,66,1506,1506,66,1389,66,159,66,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,1494,1494,1494,1494,66,1494]},"bins": {"c_to_s": [5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0]}} +01960{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1244,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":27969.4,"max":152917,"stddev":40324.3,"var":1626047232.0,"ent":3.6,"data": [50532,50647,291,64604,72036,210,136507,124,96,1421,68048,86231,152917,2268,6,3,46387,44112,4,2,3,23630,23615,4,20861,20866,7,7,3,845,765]},"pktlen": {"min":52,"avg":819.7,"max":1492,"stddev":699.2,"var":488828.9,"ent":4.3,"data": [64,60,52,258,52,1492,1492,52,1375,52,145,52,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,1480,1480,1480,1480,52,1480]},"bins": {"c_to_s": [5,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,14,0,0,0],"s_to_c": [7,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,0,0,0,1,0],"entropies": [4.384982109,5.323234558,4.961856842,5.939832211,5.116507530,7.288343430,7.267649651,5.000318527,7.662917614,4.961856842,5.882802486,5.193430901,5.624773026,4.961856842,7.851280689,7.841383457,7.873037815,5.154969692,7.851320267,7.856824398,7.856104374,7.863511562,5.154969215,7.862011433,7.862949848,5.154969215,7.888728619,7.861488342,7.847744942,7.865393639,5.193430901,7.879679203]}} 01717{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1244,"source":"teams.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041682369801,"flow_src_last_pkt_time":1587041682803345,"flow_dst_last_pkt_time":1587041682803309,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":20291,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041682803345,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60543,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1249,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682809173,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682809173,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1249,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1587041682809173,"flow_dst_last_pkt_time":1587041682809173,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041682809173,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAG+gHAqAEGp2PXpOyCEVImrEWfAAAAALAC\/\/+rgAAAAgQFtAEDAwUBAQgKMISwIQAAAAAEAgAA"} @@ -199,7 +199,7 @@ 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1299,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1587041682862738,"flow_dst_last_pkt_time":1587041682862686,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041682862738,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG+g3AqAEGp2PXpOyCEVImrEWgy3y3uIAQECwqYQAAAQEICjCEsFATeRnV"} 01237{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1300,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682863165,"flow_dst_last_pkt_time":1587041682862686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041682863165,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"dati.ntop.org","tls": {"version":"TLSv1.2","ja3":"7120d65624bcd2e02ed4b01388d84cdb","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01295{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1345,"source":"teams.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1587041682809173,"flow_src_last_pkt_time":1587041682863165,"flow_dst_last_pkt_time":1587041682917561,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":152,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":152,"midstream":0,"thread_ts_usec":1587041682917561,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"167.99.215.164","src_port":60546,"dst_port":4434,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TLS.ntop","proto_id":"91.26","encrypted":1,"breed":"Safe","category_id":14,"category":"Network","hostname":"dati.ntop.org","tls": {"version":"TLSv1.2","ja3":"7120d65624bcd2e02ed4b01388d84cdb","ja3s":"410b9bedaf65dd26c6fe547154d60db4","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01706{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1439,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041683063920,"flow_dst_last_pkt_time":1587041683109441,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2687,"flow_dst_tot_l4_payload_len":6860,"midstream":0,"thread_ts_usec":1587041683109441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":25031.7,"max":201410,"stddev":47065.5,"var":2215158784.0,"ent":3.2,"data": [45653,45756,213,47886,30,47672,17,83,202,104,167,9896,9950,3499,10390,395,51386,37078,221,190,155,7115,7018,1251,1197,79250,201410,7,34,167536,222]},"pktlen": {"min":54,"avg":354.2,"max":1506,"stddev":510.3,"var":260451.7,"ent":3.9,"data": [78,66,54,273,1506,1506,66,54,54,1506,1506,54,467,54,212,147,517,105,54,123,54,92,92,54,493,54,60,1494,164,220,60,96]},"bins": {"c_to_s": [11,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,3,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} +02104{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1439,"source":"teams.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041682698689,"flow_src_last_pkt_time":1587041683063920,"flow_dst_last_pkt_time":1587041683109441,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2687,"flow_dst_tot_l4_payload_len":6860,"midstream":0,"thread_ts_usec":1587041683109441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.58","src_port":60545,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":25031.7,"max":201410,"stddev":47065.5,"var":2215158784.0,"ent":3.2,"data": [45653,45756,213,47886,30,47672,17,83,202,104,167,9896,9950,3499,10390,395,51386,37078,221,190,155,7115,7018,1251,1197,79250,201410,7,34,167536,222]},"pktlen": {"min":40,"avg":340.2,"max":1492,"stddev":510.3,"var":260451.7,"ent":3.8,"data": [64,52,40,259,1492,1492,52,40,40,1492,1492,40,453,40,198,133,503,91,40,109,40,78,78,40,479,40,46,1480,150,206,46,82]},"bins": {"c_to_s": [11,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,3,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,0,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,0,1,1],"entropies": [4.396777153,4.984685898,4.571928501,5.447037697,7.103639126,7.377305508,4.748330116,4.680641174,4.521928787,7.565583706,7.619148254,4.680641174,7.502402782,4.680641174,6.615381718,6.130319118,7.576011658,5.374610424,4.630640984,5.982717991,4.530641556,5.189125538,5.402576923,4.680641174,7.496559143,4.680641174,4.505983353,7.866451740,6.633583069,6.711987019,4.522393703,5.435414791]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1443,"source":"teams.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041683142905,"flow_src_last_pkt_time":1587041683142905,"flow_dst_last_pkt_time":1587041683142905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041683142905,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":57504,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1443,"source":"teams.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1587041683142905,"flow_dst_last_pkt_time":1587041683142905,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":92,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":92,"pkt_l4_len":58,"thread_ts_usec":1587041683142905,"pkt":"EBMx8Tl2KDc3AG3ICABFAABOVgkAAP8R4j3AqAEGwKgBAeCgADUAOmwyTTEBAAABAAAAAAAACmNoYXRzdmNhZ2cEc3ZjcwV0ZWFtcwZvZmZpY2UDY29tAAABAAE="} 01017{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1443,"source":"teams.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041683142905,"flow_src_last_pkt_time":1587041683142905,"flow_dst_last_pkt_time":1587041683142905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":50,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":50,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":50,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041683142905,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":57504,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Teams","proto_id":"5.250","encrypted":0,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"chatsvcagg.svcs.teams.office.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -218,7 +218,7 @@ 00188{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1499,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041683406443} 00361{"packet_event_id":1,"packet_event_name":"packet","packet_id":1499,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041683396534,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01712{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1503,"source":"teams.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1587041683333389,"flow_src_last_pkt_time":1587041683430891,"flow_dst_last_pkt_time":1587041683431072,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041683431072,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60548,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} -01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1516,"source":"teams.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041683186164,"flow_src_last_pkt_time":1587041683511604,"flow_dst_last_pkt_time":1587041683511700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2582,"flow_dst_tot_l4_payload_len":7792,"midstream":0,"thread_ts_usec":1587041683511700,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.88.59","src_port":60547,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":20999.2,"max":115070,"stddev":31123.6,"var":968681216.0,"ent":3.5,"data": [34191,34298,279,36871,33,36580,20,190,171,120,2,98,1011,12039,309,36028,22727,226,163,129,10387,10298,599,557,77127,91684,7,49137,80440,115070,185]},"pktlen": {"min":66,"avg":391.2,"max":1506,"stddev":521.7,"var":272149.2,"ent":4.0,"data": [78,74,66,287,1506,1506,78,66,1506,66,1506,316,66,192,159,547,117,66,135,66,104,104,66,428,66,66,1494,261,66,241,66,1153]},"bins": {"c_to_s": [11,1,1,1,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0],"s_to_c": [3,2,1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} +02106{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1516,"source":"teams.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041683186164,"flow_src_last_pkt_time":1587041683511604,"flow_dst_last_pkt_time":1587041683511700,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2582,"flow_dst_tot_l4_payload_len":7792,"midstream":0,"thread_ts_usec":1587041683511700,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.88.59","src_port":60547,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":20999.2,"max":115070,"stddev":31123.6,"var":968681216.0,"ent":3.5,"data": [34191,34298,279,36871,33,36580,20,190,171,120,2,98,1011,12039,309,36028,22727,226,163,129,10387,10298,599,557,77127,91684,7,49137,80440,115070,185]},"pktlen": {"min":52,"avg":377.2,"max":1492,"stddev":521.7,"var":272149.2,"ent":3.9,"data": [64,60,52,273,1492,1492,64,52,1492,52,1492,302,52,178,145,533,103,52,121,52,90,90,52,414,52,52,1480,247,52,227,52,1139]},"bins": {"c_to_s": [11,1,1,1,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0],"s_to_c": [3,2,1,0,0,1,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,0,1,0,0,1,0,1,0,1,0,0,1,1,0,1],"entropies": [4.278468132,5.100120544,4.678913116,5.492300034,7.395298958,7.335471153,4.813810349,4.784870625,7.534573555,4.736229897,7.601704121,7.355720520,4.823332310,6.256767273,6.195283890,7.525622368,5.556344509,4.861793995,6.029422760,4.861793995,5.382391453,5.548377514,4.823332310,7.376307011,4.861793995,5.063529015,7.847518921,6.993651390,4.986605644,6.825597286,4.731892109,7.799232483]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1533,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041683611241} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":1533,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041683605577,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1685,"source":"teams.pcap","alias":"nDPId-test","flow_id":34,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041684291077,"flow_src_last_pkt_time":1587041684291077,"flow_dst_last_pkt_time":1587041684291077,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":38,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":38,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041684291077,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":59403,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -232,11 +232,11 @@ 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1698,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_packet_id":3,"flow_src_last_pkt_time":1587041684317725,"flow_dst_last_pkt_time":1587041684317619,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1587041684317725,"pkt":"EBMx8Tl2KDc3AG3ICABFAAAoAABAAEAGWazAqAEGDWsSC+yFAbvNnLiaNd4cNVAQIADoJAAA"} 01073{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1699,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684317987,"flow_dst_last_pkt_time":1587041684317619,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041684317987,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01897{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1722,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684362150,"flow_dst_last_pkt_time":1587041684362335,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":211,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":211,"flow_dst_tot_l4_payload_len":4396,"midstream":0,"thread_ts_usec":1587041684362335,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","alpn":"h2,http\/1.1","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}} -01563{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1751,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":146055.7,"max":2009785,"stddev":489503.9,"var":239614050304.0,"ent":1.7,"data": [12667,12766,154,12385,2459,251,14879,502,529,250,3,817,4854,17134,1376,20,13097,4,249,321,136,11841,14,11155,108,621,112917,113684,1998116,2009785,174632]},"pktlen": {"min":54,"avg":319.2,"max":1506,"stddev":468.1,"var":219152.8,"ent":3.9,"data": [78,66,54,271,60,1506,1506,54,1506,54,1506,195,54,212,60,380,123,54,54,147,92,575,60,92,54,60,60,454,54,356,60,359]},"bins": {"c_to_s": [9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1]}} +01962{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1751,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":146055.7,"max":2009785,"stddev":489503.9,"var":239614050304.0,"ent":1.7,"data": [12667,12766,154,12385,2459,251,14879,502,529,250,3,817,4854,17134,1376,20,13097,4,249,321,136,11841,14,11155,108,621,112917,113684,1998116,2009785,174632]},"pktlen": {"min":40,"avg":305.2,"max":1492,"stddev":468.1,"var":219152.8,"ent":3.8,"data": [64,52,40,257,46,1492,1492,40,1492,40,1492,181,40,198,46,366,109,40,40,133,78,561,46,78,40,46,46,440,40,342,46,345]},"bins": {"c_to_s": [9,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,1,0,1,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,1,0,0,0,0,0,1,1,0,1,1,1,0,0,1,1],"entropies": [4.396777153,4.984685421,4.571928501,5.492863178,4.462504387,7.269914627,7.475378990,4.630641460,7.477076530,4.571928501,7.667408466,6.767431736,4.680641174,6.542833328,4.505983353,7.221371651,5.957443714,4.630641460,4.630640984,6.221683502,5.214766979,7.578815937,4.414441109,5.396905422,4.571928501,4.457919598,4.522393703,7.482207775,4.680641174,7.242818356,4.478915691,7.266457558]}} 01436{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1751,"source":"teams.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1587041682144166,"flow_src_last_pkt_time":1587041684314927,"flow_dst_last_pkt_time":1587041684501131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":521,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1329,"flow_dst_tot_l4_payload_len":7087,"midstream":0,"thread_ts_usec":1587041684501131,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60542,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"config.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"0f14538e1c9070becdad7739c67d6363","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","alpn":"h2,http\/1.1","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1753,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041684611243} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":1753,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041684501226,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} -01549{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1756,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":24145.7,"max":539594,"stddev":94604.1,"var":8949939200.0,"ent":1.9,"data": [11504,11610,262,11878,32500,90,44163,247,1,223,3839,7741,325,72,14634,1492,13,4159,11,266,6513,474,6734,4309,9884,14215,10718,10725,539594,6,314]},"pktlen": {"min":54,"avg":345.5,"max":1506,"stddev":473.5,"var":224192.2,"ent":4.0,"data": [78,66,54,265,60,1506,1506,54,1506,94,54,212,147,592,186,60,380,123,54,54,92,60,92,54,60,703,54,373,54,1494,708,262]},"bins": {"c_to_s": [9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0]}} +01948{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1756,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":24145.7,"max":539594,"stddev":94604.1,"var":8949939200.0,"ent":1.9,"data": [11504,11610,262,11878,32500,90,44163,247,1,223,3839,7741,325,72,14634,1492,13,4159,11,266,6513,474,6734,4309,9884,14215,10718,10725,539594,6,314]},"pktlen": {"min":40,"avg":331.5,"max":1492,"stddev":473.5,"var":224192.2,"ent":3.9,"data": [64,52,40,251,46,1492,1492,40,1492,80,40,198,133,578,172,46,366,109,40,40,78,46,78,40,46,689,40,359,40,1480,694,248]},"bins": {"c_to_s": [9,1,1,0,2,0,2,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [5,2,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,0,0,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,0,0,0,0],"entropies": [4.428027153,4.893245220,4.521928310,5.397158146,4.505983353,6.671830177,7.464404583,4.630641460,7.577803612,5.737496376,4.680641174,6.516131401,6.154890537,7.647973537,6.500202656,4.505983353,7.196300030,5.817581654,4.611769199,4.561769485,5.250086308,4.457919598,5.392898560,4.630641460,4.522393227,7.690679073,4.680641174,7.335716724,4.680641174,7.846065521,7.720572472,6.957527637]}} 01901{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1756,"source":"teams.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041684306115,"flow_src_last_pkt_time":1587041684950374,"flow_dst_last_pkt_time":1587041684410372,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":3472,"flow_dst_tot_l4_payload_len":5797,"midstream":0,"thread_ts_usec":1587041684950374,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"13.107.18.11","src_port":60549,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Microsoft365","proto_id":"91.219","encrypted":1,"breed":"Acceptable","category_id":15,"category":"Collaborative","hostname":"substrate.office.com","tls": {"version":"TLSv1.2","server_names":"outlook.office.com,attachment.outlook.office.net,attachment.outlook.officeppe.net,bookings.office.com,delve.office.com,edge.outlook.office365.com,edgesdf.outlook.com,img.delve.office.com,outlook.live.com,outlook-sdf.live.com,outlook-sdf.office.com,sdfedge-pilot.outlook.com,substrate.office.com,substrate-sdf.office.com,afd-k-acdc-direct.office.com,beta-sdf.yammer.com,teams-sdf.yammer.com,beta.yammer.com,teams.yammer.com,attachments.office.net,attachments-sdf.office.net,afd-k.office.com,afd-k-sdf.office.com","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"a66ea560599a2f5c89eec8c3a0d69cee","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert Cloud Services CA-1","subjectDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, CN=Outlook.office.com","alpn":"h2,http\/1.1","fingerprint":"AA:D3:F5:66:06:48:AA:F8:8E:9B:79:D6:7F:1D:53:EA:3F:97:03:A2"}}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1775,"source":"teams.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041685090830,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":45,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":45,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041685090830,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":61245,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00552{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1775,"source":"teams.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_src_last_pkt_time":1587041685090830,"flow_dst_last_pkt_time":1587041685090830,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":87,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":87,"pkt_l4_len":53,"thread_ts_usec":1587041685090830,"pkt":"EBMx8Tl2KDc3AG3ICABFAABJHhYAAP8RGjbAqAEGwKgBAe89ADUANcKVVKoBAAABAAAAAAAABGV1YXoCdHIFdGVhbXMJbWljcm9zb2Z0A2NvbQAAAQAB"} @@ -300,7 +300,7 @@ 00188{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1897,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041685406369} 00361{"packet_event_id":1,"packet_event_name":"packet","packet_id":1897,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041685403983,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01587{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1908,"source":"teams.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1587041685106192,"flow_src_last_pkt_time":1587041685420065,"flow_dst_last_pkt_time":1587041685420103,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":203,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":5962,"midstream":0,"thread_ts_usec":1587041685420103,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.15.45","src_port":60551,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"trouter2-asse-a.trouter.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.trouter.teams.microsoft.com,go.trouter.io,*.drip.trouter.io,*.dc.trouter.io","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"986571066668055ae9481cb84fda634a","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 2","subjectDN":"CN=*.trouter.teams.microsoft.com","fingerprint":"DD:24:DF:0E:F3:63:CC:10:B5:03:CF:34:EB:A5:14:8B:97:90:9B:D4"}}} -01567{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":14797.2,"max":153955,"stddev":35697.7,"var":1274323968.0,"ent":2.8,"data": [12903,12995,473,12371,1988,1502,15362,129,134,115,3,85,21608,33026,11480,11732,109,11784,570,13396,140399,715,153955,248,230,250,250,503,25,129,243]},"pktlen": {"min":54,"avg":599.7,"max":1506,"stddev":671.4,"var":450756.0,"ent":4.1,"data": [78,66,54,240,60,1506,1506,54,1506,54,1506,182,54,161,60,105,60,105,54,1136,60,1506,1506,54,1331,54,1506,1506,54,54,1506,1506]},"bins": {"c_to_s": [10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1]}} +01964{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1936,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":14797.2,"max":153955,"stddev":35697.7,"var":1274323968.0,"ent":2.8,"data": [12903,12995,473,12371,1988,1502,15362,129,134,115,3,85,21608,33026,11480,11732,109,11784,570,13396,140399,715,153955,248,230,250,250,503,25,129,243]},"pktlen": {"min":40,"avg":585.7,"max":1492,"stddev":671.4,"var":450756.0,"ent":4.0,"data": [64,52,40,226,46,1492,1492,40,1492,40,1492,168,40,147,46,91,46,91,40,1122,46,1492,1492,40,1317,40,1492,1492,40,40,1492,1492]},"bins": {"c_to_s": [10,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,10,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,1,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1],"entropies": [4.365527153,4.878727913,4.471928596,5.502106190,4.402616024,7.277978420,7.489027023,4.630640984,7.478912354,4.521928310,7.663036823,6.686788082,4.630640984,6.493359089,4.462505341,5.681205750,4.462504864,5.560394764,4.580641270,7.802004814,4.565872192,7.879904747,7.863986492,4.580641270,7.860152721,4.580640793,7.874552727,7.850657463,4.580641270,4.471928596,7.869473934,7.878328800]}} 01552{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1936,"source":"teams.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1587041685240465,"flow_src_last_pkt_time":1587041685469669,"flow_dst_last_pkt_time":1587041685469973,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1082,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":1426,"flow_dst_tot_l4_payload_len":15976,"midstream":0,"thread_ts_usec":1587041685469973,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.113.194.132","src_port":60554,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"config.teams.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.config.teams.microsoft.com,config.teams.microsoft.com","ja3":"e4d448cdfe06dc1243c1eb026c74ac9a","ja3s":"7d8fd34fdb13a7fff30d5a52846b6c4c","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 1","subjectDN":"CN=config.teams.microsoft.com","fingerprint":"B9:54:54:12:C9:E9:43:65:10:70:04:7B:AD:B6:0C:46:06:38:A5:FA"}}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1979,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041685611278} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":1979,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041685546646,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} @@ -316,7 +316,7 @@ 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2045,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_packet_id":3,"flow_src_last_pkt_time":1587041686288255,"flow_dst_last_pkt_time":1587041686288146,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041686288255,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAG94LAqAEGNHJNIeyPAbtgh2e+U\/RRNYAQEAkdGQAAAQEICjCEvUBhH1u7"} 01180{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2046,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686288562,"flow_dst_last_pkt_time":1587041686288146,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041686288562,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01194{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2047,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686288562,"flow_dst_last_pkt_time":1587041686339149,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":206,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041686339149,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} -01840{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2074,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686542441,"flow_dst_last_pkt_time":1587041686541501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":14115,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041686542441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":19511.4,"max":52987,"stddev":22191.7,"var":492470496.0,"ent":3.9,"data": [48601,48710,307,51003,89,50699,16,253,253,1686,49778,48144,1391,5,2,50498,49101,4,2,3,37233,37219,5,11525,11515,965,36039,15972,52987,736,111]},"pktlen": {"min":66,"avg":654.9,"max":1506,"stddev":667.9,"var":446080.7,"ent":4.2,"data": [78,74,66,272,1506,1506,78,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,66,999,66,66,511,66,97,66]},"bins": {"c_to_s": [9,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,1,1,1,0,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} +02239{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2074,"source":"teams.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":21,"flow_dst_packets_processed":11,"flow_first_seen":1587041686239545,"flow_src_last_pkt_time":1587041686542441,"flow_dst_last_pkt_time":1587041686541501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":14115,"flow_dst_tot_l4_payload_len":4699,"midstream":0,"thread_ts_usec":1587041686542441,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60559,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":19511.4,"max":52987,"stddev":22191.7,"var":492470496.0,"ent":3.9,"data": [48601,48710,307,51003,89,50699,16,253,253,1686,49778,48144,1391,5,2,50498,49101,4,2,3,37233,37219,5,11525,11515,965,36039,15972,52987,736,111]},"pktlen": {"min":52,"avg":640.9,"max":1492,"stddev":667.9,"var":446080.7,"ent":4.1,"data": [64,60,52,258,1492,1492,64,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,52,985,52,52,497,52,83,52]},"bins": {"c_to_s": [9,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,9,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,1,0,1,1,1,0,0,0],"entropies": [4.396777153,5.256567955,4.923395157,6.033491611,7.275527000,7.277948856,5.071470261,4.945419312,7.645617962,4.976373672,5.915142536,5.707202435,4.976374149,7.861220360,7.878036976,7.850315571,5.131024837,7.877380371,7.857055187,7.886486053,7.876827240,5.169486523,7.849795818,7.874622822,5.078045845,7.791067600,5.131024837,5.207948208,7.563468933,5.053297043,5.290699482,4.969671726]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud"}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2076,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041686611252} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":2076,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041686589907,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2077,"source":"teams.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041686659283,"flow_src_last_pkt_time":1587041686659283,"flow_dst_last_pkt_time":1587041686659283,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":40,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041686659283,"l3_proto":"ip4","src_ip":"192.168.1.112","dst_ip":"192.168.1.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -348,7 +348,7 @@ 01712{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2226,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687544052,"flow_dst_last_pkt_time":1587041687544137,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":206,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":412,"flow_dst_tot_l4_payload_len":4203,"midstream":0,"thread_ts_usec":1587041687544137,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2238,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041687611308} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":2238,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041687600094,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} -01707{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2258,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041687436782,"flow_src_last_pkt_time":1587041687725655,"flow_dst_last_pkt_time":1587041687725568,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2206,"flow_dst_tot_l4_payload_len":7143,"midstream":0,"thread_ts_usec":1587041687725655,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"104.40.187.151","src_port":60562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":18634.2,"max":125561,"stddev":31723.1,"var":1006353792.0,"ent":3.4,"data": [29516,29616,237,45747,220,45693,117,89,54,132,3,86,615,23250,232,30155,31,6115,4,245,22863,22646,1494,1434,2892,30,32749,246,30074,125513,125561]},"pktlen": {"min":66,"avg":359.2,"max":1506,"stddev":499.9,"var":249913.2,"ent":4.0,"data": [78,74,66,280,1506,1506,78,1506,66,66,1506,295,66,159,159,438,117,135,66,66,104,104,66,562,66,1379,149,66,108,66,524,66]},"bins": {"c_to_s": [12,1,3,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [2,3,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,0,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Azure","proto_id":"91.276","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} +02103{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2258,"source":"teams.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041687436782,"flow_src_last_pkt_time":1587041687725655,"flow_dst_last_pkt_time":1587041687725568,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1313,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2206,"flow_dst_tot_l4_payload_len":7143,"midstream":0,"thread_ts_usec":1587041687725655,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"104.40.187.151","src_port":60562,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":18634.2,"max":125561,"stddev":31723.1,"var":1006353792.0,"ent":3.4,"data": [29516,29616,237,45747,220,45693,117,89,54,132,3,86,615,23250,232,30155,31,6115,4,245,22863,22646,1494,1434,2892,30,32749,246,30074,125513,125561]},"pktlen": {"min":52,"avg":345.2,"max":1492,"stddev":499.9,"var":249913.2,"ent":3.9,"data": [64,60,52,266,1492,1492,64,1492,52,52,1492,281,52,145,145,424,103,121,52,52,90,90,52,548,52,1365,135,52,94,52,510,52]},"bins": {"c_to_s": [12,1,3,0,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0],"s_to_c": [2,3,1,0,0,0,0,1,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,0,0,1,1,0,1,0],"entropies": [4.365527153,5.169149399,4.868495941,5.580047131,7.357915878,7.526344776,4.919355392,7.363313675,4.945419312,4.786791325,7.588277340,7.143245697,4.983880997,5.918394089,6.257330894,7.398386002,5.555244923,6.105889320,4.945419312,4.945419312,5.368302345,5.567127228,4.945419312,7.528010845,4.983880997,7.854734421,6.103594780,5.100070000,5.655968666,4.983880520,7.545987606,4.861793995]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Azure","proto_id":"91.276","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} 00752{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2259,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687731296,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687731296,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687731296,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62735,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2259,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687731296,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1587041687731296,"pkt":"EBMx8Tl2KDc3AG3ICABFAABM83AAAP8RRNjAqAEGwKgBAfUPADUAOAAFY+UBAAABAAAAAAAABmV1bm8tMQNhcGkPbWljcm9zb2Z0c3RyZWFtA2NvbQAAAQAB"} 01005{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2259,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687731296,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687731296,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687731296,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62735,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"euno-1.api.microsoftstream.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -356,7 +356,7 @@ 01024{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2260,"source":"teams.pcap","alias":"nDPId-test","flow_id":54,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1587041687731296,"flow_src_last_pkt_time":1587041687731296,"flow_dst_last_pkt_time":1587041687745080,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":48,"flow_dst_max_l4_payload_len":183,"flow_src_tot_l4_payload_len":48,"flow_dst_tot_l4_payload_len":183,"midstream":0,"thread_ts_usec":1587041687745080,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"192.168.1.1","src_port":62735,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS","proto_id":"5","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"euno-1.api.microsoftstream.com","dns": {"num_queries":1,"num_answers":4,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"52.169.186.119"}}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2261,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041687745932,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687745932,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041687745932,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.169.186.119","src_port":60563,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2261,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":1,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687745932,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1587041687745932,"pkt":"EBMx8Tl2KDc3AG3ICABFAABAAABAAEAGienAqAEGNKm6d+yTAbth0wzHAAAAALAC\/\/81+QAAAgQFtAEDAwUBAQgKMITCxwAAAAAEAgAA"} -01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2264,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":32165.6,"max":161774,"stddev":44327.4,"var":1964919296.0,"ent":3.6,"data": [48418,48527,459,88180,136486,113743,249,161774,129,117,1072,74551,73518,1076,4,2,50124,49022,3,3,12,48400,48413,4,15,2,1599,1536,46881,1065,1749]},"pktlen": {"min":66,"avg":750.7,"max":1506,"stddev":694.0,"var":481656.1,"ent":4.3,"data": [78,74,66,272,272,78,1506,1506,66,1389,66,159,117,66,1494,1494,1494,66,1494,1494,1494,1494,66,1494,1494,1494,1494,66,1476,66,66,66]},"bins": {"c_to_s": [5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1]}} +01965{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2264,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":32165.6,"max":161774,"stddev":44327.4,"var":1964919296.0,"ent":3.6,"data": [48418,48527,459,88180,136486,113743,249,161774,129,117,1072,74551,73518,1076,4,2,50124,49022,3,3,12,48400,48413,4,15,2,1599,1536,46881,1065,1749]},"pktlen": {"min":52,"avg":736.7,"max":1492,"stddev":694.0,"var":481656.1,"ent":4.2,"data": [64,60,52,258,258,64,1492,1492,52,1375,52,145,103,52,1480,1480,1480,52,1480,1480,1480,1480,52,1480,1480,1480,1480,52,1462,52,52,52]},"bins": {"c_to_s": [5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,0,1,0,0,0,0,1,0,0,0,0,1,0,0,0,0,1,0,1,1,1],"entropies": [4.396777153,5.256567478,4.923395157,5.966666698,5.971492767,5.091578960,7.290405750,7.275161743,4.961856842,7.668800354,5.000318527,6.002202988,5.583368301,4.961856842,7.860765934,7.857263088,7.894361019,5.193430901,7.864349842,7.853641510,7.869278908,7.874048233,5.054101944,7.853607655,7.866478443,7.865472317,7.878810406,5.154969692,7.853725433,5.193431377,5.154969692,5.154969692]}} 01717{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2264,"source":"teams.pcap","alias":"nDPId-test","flow_id":51,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1587041687245112,"flow_src_last_pkt_time":1587041687718851,"flow_dst_last_pkt_time":1587041687768506,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":17623,"flow_dst_tot_l4_payload_len":4254,"midstream":0,"thread_ts_usec":1587041687768506,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.77.33","src_port":60561,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Microsoft","proto_id":"91.212","encrypted":1,"breed":"Safe","category_id":13,"category":"Cloud","hostname":"mobile.pipe.aria.microsoft.com","tls": {"version":"TLSv1.2","server_names":"*.events.data.microsoft.com,events.data.microsoft.com,*.pipe.aria.microsoft.com,pipe.skype.com,*.pipe.skype.com,*.mobile.events.data.microsoft.com,mobile.events.data.microsoft.com,*.events.data.msn.com,events.data.msn.com","ja3":"a1674500365bdd882188db63730e69a2","ja3s":"ae4edc6faf64d08308082ad26be60767","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, ST=Washington, L=Redmond, O=Microsoft Corporation, OU=Microsoft IT, CN=Microsoft IT TLS CA 4","subjectDN":"CN=*.events.data.microsoft.com","fingerprint":"33:B3:B7:E9:DA:25:F5:A0:04:E9:63:87:B6:FB:54:77:DB:ED:27:EB"}}} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2265,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1587041687745932,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1587041687789261,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA8GLFAAGwGRTw0qbp3wKgBBgG77JMQ1B2QYdMMyKASIACACgAAAgQFoAEDAwgEAggKASJ3bTCEwsc="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2266,"source":"teams.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1587041687789367,"flow_dst_last_pkt_time":1587041687789261,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041687789367,"pkt":"EBMx8Tl2KDc3AG3ICABFAAA0AABAAEAGifXAqAEGNKm6d+yTAbth0wzIENQdkYAQEAm+kQAAAQEICjCEwvABIndt"} @@ -393,10 +393,10 @@ 01085{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2356,"source":"teams.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1587041691149774,"flow_src_last_pkt_time":1587041691169247,"flow_dst_last_pkt_time":1587041691190981,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":222,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":222,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1587041691190981,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.108.8","src_port":60565,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative","hostname":"emea.ng.msg.teams.microsoft.com","tls": {"version":"TLSv1.2","ja3":"ebf5e0e525258d7a8dcb54aa1564ecbd","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 00188{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2416,"source":"teams.pcap","alias":"nDPId-test","layer_type":34969,"global_ts_usec":1587041691410839} 00361{"packet_event_id":1,"packet_event_name":"packet","packet_id":2416,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":34969,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041691399733,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWriJklgAAA2A0X1lWrAACAAADYDRfWVauACAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} -01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2417,"source":"teams.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041691149774,"flow_src_last_pkt_time":1587041691305451,"flow_dst_last_pkt_time":1587041691582252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":994,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2028,"flow_dst_tot_l4_payload_len":8121,"midstream":0,"thread_ts_usec":1587041691582252,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.108.8","src_port":60565,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":18972.7,"max":276869,"stddev":49493.9,"var":2449644032.0,"ent":2.9,"data": [19199,19302,171,22008,34,21827,18,184,203,246,14,193,1070,12295,280,19893,29,6313,3,603,11971,11399,1472,1415,54998,62106,42,25528,33,18437,276869]},"pktlen": {"min":66,"avg":384.2,"max":1506,"stddev":512.1,"var":262257.7,"ent":4.0,"data": [78,74,66,288,1506,1506,78,66,1506,66,1506,485,66,192,159,539,117,135,66,66,104,104,66,525,66,66,1060,148,66,108,66,1349]},"bins": {"c_to_s": [11,1,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,1,0,0,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} +02105{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2417,"source":"teams.pcap","alias":"nDPId-test","flow_id":59,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1587041691149774,"flow_src_last_pkt_time":1587041691305451,"flow_dst_last_pkt_time":1587041691582252,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":994,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":2028,"flow_dst_tot_l4_payload_len":8121,"midstream":0,"thread_ts_usec":1587041691582252,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.108.8","src_port":60565,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":18972.7,"max":276869,"stddev":49493.9,"var":2449644032.0,"ent":2.9,"data": [19199,19302,171,22008,34,21827,18,184,203,246,14,193,1070,12295,280,19893,29,6313,3,603,11971,11399,1472,1415,54998,62106,42,25528,33,18437,276869]},"pktlen": {"min":52,"avg":370.2,"max":1492,"stddev":512.1,"var":262257.7,"ent":3.9,"data": [64,60,52,274,1492,1492,64,52,1492,52,1492,471,52,178,145,525,103,121,52,52,90,90,52,511,52,52,1046,134,52,94,52,1335]},"bins": {"c_to_s": [11,1,2,1,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,3,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,0,0,1,1,0,0,0,1,0,1,0,1,0,0,1,1,0,1],"entropies": [4.396777153,5.256567478,4.923395634,5.577177048,7.100010395,7.346216679,4.975505829,4.976374149,7.520713806,4.854287148,7.591184139,7.492725372,4.937912464,6.281796932,6.325607300,7.565563679,5.628156662,5.942033768,4.976374149,4.937912464,5.421134472,5.660066128,5.014835358,7.536164761,4.976373672,5.169486523,7.784315586,6.192806721,5.169486523,5.596017838,5.014835358,7.848025322]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2419,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041691611256} 00350{"packet_event_id":1,"packet_event_name":"packet","packet_id":2419,"source":"teams.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1587041691582349,"pkt":"AYDCAAAAeCjKBfrMACZCQgMAAAAAAJAAeCjKBfrMAAAAAJAAeCjKBfrMgAEAAAYAAQAEAKWlpaWlpaWl"} -01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2430,"source":"teams.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1587041682376166,"flow_src_last_pkt_time":1587041682938651,"flow_dst_last_pkt_time":1587041692001418,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1060,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":7396,"midstream":0,"thread_ts_usec":1587041692001418,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.76.48","src_port":60544,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":328636.7,"max":8978171,"stddev":1582353.1,"var":2503841415168.0,"ent":0.8,"data": [47150,47228,506,44398,29,43913,16,46,186,124,2,213,4,4433,9743,291,46519,32116,477,409,98,18910,1378,20235,62883,403234,424977,8978171,32,9,7]},"pktlen": {"min":54,"avg":353.2,"max":1506,"stddev":486.1,"var":236250.5,"ent":4.0,"data": [78,66,54,290,1506,1506,66,54,54,1506,1506,323,54,54,212,147,582,105,54,123,54,92,60,423,54,60,1114,60,425,429,100,92]},"bins": {"c_to_s": [10,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,1,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,0,0,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} +02106{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2430,"source":"teams.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1587041682376166,"flow_src_last_pkt_time":1587041682938651,"flow_dst_last_pkt_time":1587041692001418,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1060,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2113,"flow_dst_tot_l4_payload_len":7396,"midstream":0,"thread_ts_usec":1587041692001418,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.76.48","src_port":60544,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":328636.7,"max":8978171,"stddev":1582353.1,"var":2503841415168.0,"ent":0.8,"data": [47150,47228,506,44398,29,43913,16,46,186,124,2,213,4,4433,9743,291,46519,32116,477,409,98,18910,1378,20235,62883,403234,424977,8978171,32,9,7]},"pktlen": {"min":40,"avg":339.2,"max":1492,"stddev":486.1,"var":236250.5,"ent":3.9,"data": [64,52,40,276,1492,1492,52,40,40,1492,1492,309,40,40,198,133,568,91,40,109,40,78,46,409,40,46,1100,46,411,415,86,78]},"bins": {"c_to_s": [10,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,1,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,0,0,0,0,1,0,1,0,0,1,1,0,1,0,1,1,1,1,1],"entropies": [4.334277153,4.946223736,4.571928501,5.576080799,7.377434731,7.334023952,4.748329639,4.630640984,4.571928501,7.530410290,7.590536594,7.109602451,4.680641174,4.630641460,6.484649181,6.111595631,7.563093662,5.442209721,4.630641460,5.902398109,4.630641460,5.214766979,4.462505341,7.402733803,4.680641174,4.505983353,7.828750610,4.609350681,7.428915024,7.453095436,5.564571857,5.463537216]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2438,"source":"teams.pcap","alias":"nDPId-test","flow_id":60,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041692528594,"flow_src_last_pkt_time":1587041692528594,"flow_dst_last_pkt_time":1587041692528594,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":120,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1587041692528594,"l3_proto":"ip4","src_ip":"151.11.50.139","dst_ip":"192.168.1.6","src_port":2222,"dst_port":54750,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00693{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2438,"source":"teams.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":1,"flow_src_last_pkt_time":1587041692528594,"flow_dst_last_pkt_time":1587041692528594,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1587041692528594,"pkt":"KDc3AG3IEBMx8Tl2CABFAACscMtAADIGTDyXCzKLwKgBBgiu1d6yibcLw8sjj4AYAfWSMAAAAQEICnMgXuAwhCbwdBDZH1X2LNSHenV0XPT5UOuNQPq3DAtDODIIsZ4L3xE8W9ceOtMh\/taRn1i3oYCG\/lk5DiXu3JH7RFT8gb0ANFHp9LfVVHPD+A0sB0\/WJaUdO\/QQPvH9sYa9nCylNS5SUfWnuhHHtKPL+2Ql1DSrQI\/KjFfe6Sr3"} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2439,"source":"teams.pcap","alias":"nDPId-test","flow_id":60,"flow_packet_id":2,"flow_src_last_pkt_time":1587041692528594,"flow_dst_last_pkt_time":1587041692528684,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1587041692528684,"pkt":"EBMx8Tl2KDc3AG3ICABFSAA0AABAAEAGrzfAqAEGlwsyi9XeCK7DyyOPsom3g4AQD\/zTvAAAAQEICjCE1UVzIF7g"} @@ -515,7 +515,7 @@ 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2683,"source":"teams.pcap","alias":"nDPId-test","flow_id":81,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041695422685,"flow_src_last_pkt_time":1587041695422685,"flow_dst_last_pkt_time":1587041695422685,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":124,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":124,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":124,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041695422685,"l3_proto":"ip4","src_ip":"52.114.252.8","dst_ip":"192.168.1.6","src_port":3479,"dst_port":50016,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}} 00634{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2685,"source":"teams.pcap","alias":"nDPId-test","flow_id":81,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695422685,"flow_dst_last_pkt_time":1587041695432665,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1587041695432665,"pkt":"EBMx8Tl2KDc3AG3ICABFAACA0aoAAEARtpnAqAEGNHL8CMNgDZcAbO2O\/xAAYN6qKWcI9wj8AQEARCESpEKBJ1p+KLNk2I89FPmAcAAEAAAABwAgAAgAASyFFWBYSoA3AAQAAAACgDYABAAAAAEACAAUmYtT\/sgffZE\/GPjMTGRSk5h1N+2AKAAEPqesNg=="} 00632{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2688,"source":"teams.pcap","alias":"nDPId-test","flow_id":80,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695421892,"flow_dst_last_pkt_time":1587041695433333,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":142,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":142,"pkt_l4_len":108,"thread_ts_usec":1587041695433333,"pkt":"EBMx8Tl2KDc3AG3ICABFAACAFs8AAEARcWjAqAEGNHL8FcN0DZgAbMYz\/xAAYGUfNM4ueRX8AQEARCESpEK59F1PLtIJs2rQCYqAcAAEAAAABwAgAAgAASyKFWBYV4A3AAQAAAACgDYABAAAAAEACAAUb+d2GMvNHhGxBtT1sjJNLSVYAvSAKAAEqoFJXQ=="} -01831{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2690,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041693516414,"flow_src_last_pkt_time":1587041693824623,"flow_dst_last_pkt_time":1587041695435566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041695435566,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":71850.4,"max":1566873,"stddev":274680.6,"var":75449425920.0,"ent":1.9,"data": [44968,45079,183,47440,47249,164,13,124,2,107,17,104,3,107,2,120,2,1,8026,8,35,52434,1246,45626,48613,92238,43679,69083,272,113543,1566873]},"pktlen": {"min":54,"avg":270.9,"max":1506,"stddev":427.0,"var":182315.3,"ent":3.8,"data": [78,66,54,241,1506,66,1506,602,66,66,1506,602,66,54,602,180,54,54,54,161,60,99,60,105,54,155,238,54,85,54,60,60]},"bins": {"c_to_s": [15,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,0,0,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} +02229{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2690,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1587041693516414,"flow_src_last_pkt_time":1587041693824623,"flow_dst_last_pkt_time":1587041695435566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041695435566,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":71850.4,"max":1566873,"stddev":274680.6,"var":75449425920.0,"ent":1.9,"data": [44968,45079,183,47440,47249,164,13,124,2,107,17,104,3,107,2,120,2,1,8026,8,35,52434,1246,45626,48613,92238,43679,69083,272,113543,1566873]},"pktlen": {"min":40,"avg":256.9,"max":1492,"stddev":427.0,"var":182315.3,"ent":3.7,"data": [64,52,40,227,1492,52,1492,588,52,52,1492,588,52,40,588,166,40,40,40,147,46,85,46,91,40,141,224,40,71,40,46,46]},"bins": {"c_to_s": [15,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,0,0,0,0,1,1,0,0,1,0,0,0,1,1],"entropies": [4.396777153,4.946223736,4.453056812,5.436062336,7.472877979,4.624014378,7.357961178,6.174726009,4.707639694,4.669178009,7.651301384,7.035131931,4.669178009,4.492897511,7.576755524,6.572272301,4.384184361,4.492897511,4.492897034,6.376044750,4.495644569,5.773638725,4.565871716,5.388861179,4.561769009,6.442826271,6.864662647,4.511769295,5.438062191,4.384184361,4.565872192,4.565872192]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 00650{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2696,"source":"teams.pcap","alias":"nDPId-test","flow_id":76,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695586059,"flow_dst_last_pkt_time":1587041695278787,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":1587041695586059,"pkt":"EBMx8Tl2KDc3AG3ICABFAACMZh4AAEARkejAqAEGwKgABMNgw1UAeNtRAAEAXCESpELGQpqANK6irJWNCoEABgAJbzUvSTpGWTMyAAAAgCoACAAAf4pShlgAgHAABAAAAAeANgAEAAAAAQAkAARu\/\/7\/gDcABAAAAAIACAAUNaR7w6XgHLmtRZxpBWKVkGuwhq2AKAAE+3W4lQ=="} 00652{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2697,"source":"teams.pcap","alias":"nDPId-test","flow_id":77,"flow_packet_id":2,"flow_src_last_pkt_time":1587041695586146,"flow_dst_last_pkt_time":1587041695278905,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":154,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":154,"pkt_l4_len":120,"thread_ts_usec":1587041695586146,"pkt":"EBMx8Tl2KDc3AG3ICABFAACMyucAAEARLR\/AqAEGwKgABMN0w2QAeBWjAAEAXCESpEJMnOcpR8XuRjfgdwcABgAJSkZ3ajorbUl2AAAAgCoACAAAf4pShlgAgHAABAAAAAeANgAEAAAAAQAkAARu\/\/7\/gDcABAAAAAIACAAUZBvpMZrPL2uguq2xDA1A6CBjF+2AKAAEncV\/3g=="} 00185{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":2699,"source":"teams.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1587041695611288} @@ -538,7 +538,7 @@ 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2767,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":1,"flow_src_last_pkt_time":1587041697660621,"flow_dst_last_pkt_time":1587041697660621,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1587041697660621,"pkt":"KDc3AG3IEBMx8Tl2CABFoAA40fgAADUBJWpdR27NwKgBBgMDcCsAAAAARQAASh2AAAAyEd1gwKgBBl1Hbs3DdD\/NADaJWQ=="} 00849{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2767,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1587041697660621,"flow_src_last_pkt_time":1587041697660621,"flow_dst_last_pkt_time":1587041697660621,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1587041697660621,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.321296}} 00533{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2774,"source":"teams.pcap","alias":"nDPId-test","flow_id":83,"flow_packet_id":2,"flow_src_last_pkt_time":1587041697673040,"flow_dst_last_pkt_time":1587041697660621,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1587041697673040,"pkt":"KDc3AG3IEBMx8Tl2CABFoAA4akMAADUBjR9dR27NwKgBBgMDcBsAAAAARQAAWp4wAAAyEVygwKgBBl1Hbs3DdD\/NAEaJWQ=="} -01885{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2805,"source":"teams.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":7,"flow_first_seen":1587041695305290,"flow_src_last_pkt_time":1587041697913583,"flow_dst_last_pkt_time":1587041697668816,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1214,"flow_dst_max_l4_payload_len":1214,"flow_src_tot_l4_payload_len":4324,"flow_dst_tot_l4_payload_len":2890,"midstream":0,"thread_ts_usec":1587041697913583,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","src_port":16332,"dst_port":50016,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":160381.3,"max":1168245,"stddev":365653.3,"var":133702352896.0,"ent":2.7,"data": [24795,221,101349,1168245,1167037,967065,50759,1119237,13,25,50990,80302,1990,2655,3736,4,1,2,10681,24170,9306,21453,4525,19907,25341,9245,24382,24626,9496,26004,24257]},"pktlen": {"min":80,"avg":267.4,"max":1256,"stddev":374.4,"var":140199.2,"ent":4.1,"data": [154,130,154,130,158,130,152,150,80,1256,1256,150,115,80,1256,1256,84,208,140,108,110,117,122,124,116,112,126,120,117,115,116,116]},"bins": {"c_to_s": [0,2,16,4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02281{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":2805,"source":"teams.pcap","alias":"nDPId-test","flow_id":78,"flow_state":"finished","flow_src_packets_processed":25,"flow_dst_packets_processed":7,"flow_first_seen":1587041695305290,"flow_src_last_pkt_time":1587041697913583,"flow_dst_last_pkt_time":1587041697668816,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1214,"flow_dst_max_l4_payload_len":1214,"flow_src_tot_l4_payload_len":4324,"flow_dst_tot_l4_payload_len":2890,"midstream":0,"thread_ts_usec":1587041697913583,"l3_proto":"ip4","src_ip":"93.71.110.205","dst_ip":"192.168.1.6","src_port":16332,"dst_port":50016,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":160381.3,"max":1168245,"stddev":365653.3,"var":133702352896.0,"ent":2.7,"data": [24795,221,101349,1168245,1167037,967065,50759,1119237,13,25,50990,80302,1990,2655,3736,4,1,2,10681,24170,9306,21453,4525,19907,25341,9245,24382,24626,9496,26004,24257]},"pktlen": {"min":66,"avg":253.4,"max":1242,"stddev":374.4,"var":140199.2,"ent":4.0,"data": [140,116,140,116,144,116,138,136,66,1242,1242,136,101,66,1242,1242,70,194,126,94,96,103,108,110,102,98,112,106,103,101,102,102]},"bins": {"c_to_s": [0,2,16,4,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,1,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [5.443928242,5.441569805,5.550033092,5.533423424,5.469605446,5.457950115,6.418050289,5.494081497,5.274568558,7.835727215,7.805037022,5.427760124,6.064149857,5.328952789,7.830739975,7.834946632,5.426148415,6.862842083,6.378197670,5.942782402,6.043297768,6.096649170,5.395052433,6.251680851,6.123402596,6.007471561,6.260177612,6.012121677,6.079421997,6.215091705,6.135609150,6.155217648]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.Skype_TeamsCall","proto_id":"78.38","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00767{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":11,"flow_first_seen":1587041693828302,"flow_src_last_pkt_time":1587041694047808,"flow_dst_last_pkt_time":1587041694047695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":235,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":567,"flow_dst_tot_l4_payload_len":6363,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.152","src_port":50014,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 01055{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":64,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":13,"flow_first_seen":1587041693516414,"flow_src_last_pkt_time":1587041695435668,"flow_dst_last_pkt_time":1587041695435566,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50018,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} 01055{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":2817,"source":"teams.pcap","alias":"nDPId-test","flow_id":67,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":13,"flow_first_seen":1587041693582610,"flow_src_last_pkt_time":1587041694243274,"flow_dst_last_pkt_time":1587041694243144,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":477,"flow_dst_tot_l4_payload_len":6361,"midstream":0,"thread_ts_usec":1587041698021081,"l3_proto":"ip4","src_ip":"192.168.1.6","dst_ip":"52.114.250.123","src_port":50021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Teams","proto_id":"91.250","encrypted":1,"breed":"Safe","category_id":15,"category":"Collaborative"}} @@ -634,10 +634,10 @@ ~~ total active/idle flows...: 83/83 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 7178132 bytes -~~ total memory freed........: 7178132 bytes -~~ total allocations/frees...: 125478/125478 +~~ total memory allocated....: 7189420 bytes +~~ total memory freed........: 7189420 bytes +~~ total allocations/frees...: 125561/125561 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 187 chars -~~ json string max len.......: 2008 chars -~~ json string avg len.......: 1097 chars +~~ json string max len.......: 2286 chars +~~ json string avg len.......: 1236 chars diff --git a/test/results/teamspeak3.pcap.out b/test/results/teamspeak3.pcap.out index b9214a5f4..a3dcddc54 100644 --- a/test/results/teamspeak3.pcap.out +++ b/test/results/teamspeak3.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6036018 bytes -~~ total memory freed........: 6036018 bytes -~~ total allocations/frees...: 121500/121500 +~~ total memory allocated....: 6036154 bytes +~~ total memory freed........: 6036154 bytes +~~ total allocations/frees...: 121501/121501 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars ~~ json string max len.......: 903 chars diff --git a/test/results/teamviewer.pcap.out b/test/results/teamviewer.pcap.out index 42d7a5105..08224eb9a 100644 --- a/test/results/teamviewer.pcap.out +++ b/test/results/teamviewer.pcap.out @@ -4,13 +4,13 @@ 00499{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":330297046,"flow_dst_last_pkt_time":330433319,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":58,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":58,"pkt_l4_len":24,"thread_ts_usec":330433319,"pkt":"CAAns+YuUlQAEjUCCABFAAAsCdUAAEAGv0Si+gKqCgACDxcyi5QCaioBKWjIKmAS\/\/8lnwAAAgQFtA=="} 00497{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":330434281,"flow_dst_last_pkt_time":330433319,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":330434281,"pkt":"UlQAEjUCCAAns+YuCABFAAAoOl1AAEAGTsAKAAIPovoCqouUFzIpaMgqAmoqAlAQ+vBCawAAAAAAAAAA"} 00845{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":330297046,"flow_src_last_pkt_time":330434854,"flow_dst_last_pkt_time":330433319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":37,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":37,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":330434854,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"162.250.2.170","src_port":35732,"dst_port":5938,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":330297046,"flow_src_last_pkt_time":331331838,"flow_dst_last_pkt_time":331332084,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":6059,"flow_dst_tot_l4_payload_len":4420,"midstream":0,"thread_ts_usec":331332084,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"162.250.2.170","src_port":35732,"dst_port":5938,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":66768.7,"max":274397,"stddev":88285.8,"var":7794386432.0,"ent":3.8,"data": [136273,137235,573,1795,12093,11937,35737,56,35774,25,88318,88631,11617,11587,151937,89,151972,35682,35919,255841,274397,18558,256484,257570,1057,306,258,28908,45,29127,29]},"pktlen": {"min":54,"avg":383.0,"max":1514,"stddev":516.4,"var":266637.3,"ent":3.9,"data": [74,58,60,91,54,120,54,1514,432,54,54,102,60,201,60,1514,1290,60,1132,54,1143,1155,54,494,110,54,102,54,1514,429,54,54]},"bins": {"c_to_s": [5,3,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [11,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +02106{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":330297046,"flow_src_last_pkt_time":331331838,"flow_dst_last_pkt_time":331332084,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":6059,"flow_dst_tot_l4_payload_len":4420,"midstream":0,"thread_ts_usec":331332084,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"162.250.2.170","src_port":35732,"dst_port":5938,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":66768.7,"max":274397,"stddev":88285.8,"var":7794386432.0,"ent":3.8,"data": [136273,137235,573,1795,12093,11937,35737,56,35774,25,88318,88631,11617,11587,151937,89,151972,35682,35919,255841,274397,18558,256484,257570,1057,306,258,28908,45,29127,29]},"pktlen": {"min":40,"avg":369.0,"max":1500,"stddev":516.4,"var":266637.3,"ent":3.8,"data": [60,44,46,77,40,106,40,1500,418,40,40,88,46,187,46,1500,1276,46,1118,40,1129,1141,40,480,96,40,88,40,1500,415,40,40]},"bins": {"c_to_s": [5,3,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [11,1,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,0,1,1],"entropies": [4.625016212,4.740079880,4.284006119,4.619223595,4.580641747,3.968942165,4.580641747,7.564378738,7.341676235,4.461769581,4.530641556,4.904301167,4.311073780,3.852114439,4.354552269,7.724319935,7.804080486,4.398030758,7.655926228,4.661769390,7.519716263,7.677883148,4.661769390,6.491265774,4.556527615,4.661769390,3.810093641,4.611769676,7.550663948,7.375458717,4.661769390,4.661769390]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00730{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":238,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520136114,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":520136114,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":238,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520136114,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":520136114,"pkt":"UlQAEjUCCAAns+YuCABFAAB8z5cAAEARYKoKAAIPXS\/g8YZxjMUAaPehAAAAAAAAAAAAAAMXJEdQAAUAAAAAAAAAAAAAADkzLjQ3LjIyNC4yNDEAAADFjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 00605{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":239,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520148441,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":520148441,"pkt":"CAAns+YuUlQAEjUCCABFAAB8FPQAAEARG05dL+DxCgACD4zFhnEAaPihAAAAAAAAAAAAAAMXJEdQAAUAAAAAAAAAAAAAADkzLjQ3LjIyNC4yNDEAAADEjAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01097{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":240,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520160692,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":506,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":506,"pkt_l4_len":472,"thread_ts_usec":520160692,"pkt":"CAAns+YuUlQAEjUCCABFAAHsFPcAAEARGdtdL+DxCgACD4zFhnEB2EYbAAAAAAAAAAAAAAMXJEfAAQQAAAA7Jmk0CQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAMABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA="} 01097{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":241,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":3,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":520160749,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":1584,"midstream":0,"thread_ts_usec":520160749,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -01922{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":521274313,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":13050,"midstream":0,"thread_ts_usec":521274313,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":36716.1,"max":442863,"stddev":96766.6,"var":9363771392.0,"ent":2.6,"data": [12327,12251,57,40726,3898,3159,6600,81845,9028,72,7415,9247,442863,41858,345075,64,9,8,11,9,7,2034,57,13,9567,57,8,51028,58831,63,12]},"pktlen": {"min":58,"avg":452.8,"max":1066,"stddev":450.4,"var":202865.5,"ent":4.3,"data": [138,138,506,1066,62,98,90,90,90,191,118,66,66,90,90,1066,1066,1066,1066,1066,1066,1066,1066,1066,1066,182,118,118,58,239,131,85]},"bins": {"c_to_s": [0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,7,4,1,2,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +02321{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":269,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":31,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":521274313,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":13050,"midstream":0,"thread_ts_usec":521274313,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7,"avg":36716.1,"max":442863,"stddev":96766.6,"var":9363771392.0,"ent":2.6,"data": [12327,12251,57,40726,3898,3159,6600,81845,9028,72,7415,9247,442863,41858,345075,64,9,8,11,9,7,2034,57,13,9567,57,8,51028,58831,63,12]},"pktlen": {"min":44,"avg":438.8,"max":1052,"stddev":450.4,"var":202865.5,"ent":4.2,"data": [124,124,492,1052,48,84,76,76,76,177,104,52,52,76,76,1052,1052,1052,1052,1052,1052,1052,1052,1052,1052,168,104,104,44,225,117,71]},"bins": {"c_to_s": [0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,7,4,1,2,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [2.665547609,2.681676626,0.777366042,0.400940508,3.903489351,2.792044401,3.098856926,2.998324156,3.315334082,4.078965187,4.029050350,3.961237431,3.922775745,3.062608480,3.152767181,0.385090381,0.379928052,0.378026903,0.379928052,0.378026903,0.379928052,0.379928052,0.379928052,0.378026903,0.390793800,4.132575512,3.859765768,5.537042618,4.036628723,3.928550959,4.210556507,4.727299213]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 01144{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1259,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1008,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":558067677,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":520398,"midstream":0,"thread_ts_usec":579147460,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00561{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":1283,"source":"teamviewer.pcap","alias":"nDPId-test","packets-captured":1283,"packets-processed":1282,"total-skipped-flows":0,"total-l4-payload-len":643545,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":1,"current-active-flows":2,"total-active-flows":2,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":15,"global_ts_usec":633881700} 01144{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1289,"source":"teamviewer.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1008,"flow_first_seen":520136114,"flow_src_last_pkt_time":520136114,"flow_dst_last_pkt_time":558067677,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":1024,"flow_src_tot_l4_payload_len":96,"flow_dst_tot_l4_payload_len":520398,"midstream":0,"thread_ts_usec":639022187,"l3_proto":"ip4","src_ip":"10.0.2.15","dst_ip":"93.47.224.241","src_port":34417,"dst_port":36037,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"TeamViewer","proto_id":"148","encrypted":1,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} @@ -25,10 +25,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6074924 bytes -~~ total memory freed........: 6074924 bytes -~~ total allocations/frees...: 122796/122796 +~~ total memory allocated....: 6075196 bytes +~~ total memory freed........: 6075196 bytes +~~ total allocations/frees...: 122798/122798 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars -~~ json string max len.......: 1927 chars -~~ json string avg len.......: 1210 chars +~~ json string max len.......: 2326 chars +~~ json string avg len.......: 1409 chars diff --git a/test/results/telegram.pcap.out b/test/results/telegram.pcap.out index c54fb6369..20ca1888c 100644 --- a/test/results/telegram.pcap.out +++ b/test/results/telegram.pcap.out @@ -50,8 +50,8 @@ 00759{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":76,"source":"telegram.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1588779604297208,"flow_dst_last_pkt_time":1588779596464729,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":238,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":238,"pkt_l4_len":204,"thread_ts_usec":1588779604297208,"pkt":"AQBeAAD7wJrQLWJ0CABFAADgDXQAAP8RCsDAqAE14AAA+xTpFOkAzL4AAAAAAAADAAMAAAABCF9ob21la2l0BF90Y3AFbG9jYWwAAAwAAQ9fY29tcGFuaW9uLWxpbmvAFQAMAAEMX3NsZWVwLXByb3h5BF91ZHDAGgAMAAHAJQAMAAEAABGUABANTHVjYeKAmXMgaU1hY8AlwCUADAABAAARlAAOC0x1Y2EncyBpUGFkwCXAOwAMAAEAABGUABIPNTAtMzUtMTAtNzAuMSAxwDsAACkFoAAAEZQAEgAEAA4AMeKa0C1idMCa0C1idA=="} 00788{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":77,"source":"telegram.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1588779604297420,"flow_dst_last_pkt_time":1588779603292829,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":258,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":258,"pkt_l4_len":204,"thread_ts_usec":1588779604297420,"pkt":"MzMAAAD7wJrQLWJ0ht1gBqDxAMwR\/\/6AAAAAAAAAGKCkEok1wBv\/AgAAAAAAAAAAAAAAAAD7FOkU6QDMXFcAAAAAAAMAAwAAAAEIX2hvbWVraXQEX3RjcAVsb2NhbAAADAABD19jb21wYW5pb24tbGlua8AVAAwAAQxfc2xlZXAtcHJveHkEX3VkcMAaAAwAAcAlAAwAAQAAEZQAEA1MdWNh4oCZcyBpTWFjwCXAJQAMAAEAABGUAA4LTHVjYSdzIGlQYWTAJcA7AAwAAQAAEZQAEg81MC0zNS0xMC03MC4xIDHAOwAAKQWgAAARlAASAAQADgAx4prQLWJ0wJrQLWJ0"} 00869{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":78,"source":"telegram.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1588779604398986,"flow_dst_last_pkt_time":1588779597291316,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":320,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":320,"pkt_l4_len":286,"thread_ts_usec":1588779604398986,"pkt":"jP5XIzfkKDc3AG3ICABFAAEy\/rUAAP8ROBzAqAFNwKgBSxTpFOkBHhkOAACEAAAAAAEAAAAED19jb21wYW5pb24tbGluawRfdGNwBWxvY2FsAAAMAAEAABGUABANTHVjYeKAmXMgaU1hY8AMwDIAIYABAAAAeAATAAAAAMAFCkx1Y2FzLWlNYWPAIcAyABCAAQAAEZQAWBZycEJBPTM5OjJBOjg4OkFDOjQxOkFCCnJwVnI9MTUyLjERcnBIST1mOWM0NmM2ZGQwN2QRcnBITj0zYzVkYzVjZTk1NzgRcnBIQT04Y2E4Y2I3MzFjMWMNTHVjYeKAmXMgaU1hYwxfZGV2aWNlLWluZm\/AHAAQAAEAABGUABoObW9kZWw9aU1hYzExLDMKb3N4dmVycz0xN8BUAAGAAQAAAHgABMCoAU0="} -01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":81,"source":"telegram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708234,"flow_src_last_pkt_time":1588779604771519,"flow_dst_last_pkt_time":1588779596708234,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771519,"l3_proto":"ip4","src_ip":"192.168.1.75","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":424,"avg":260106.0,"max":1089013,"stddev":238284.9,"var":56779681792.0,"ent":4.4,"data": [549364,840,252816,249231,102809,152763,104881,141371,2649,102162,252500,506171,1089013,524484,451,254547,249123,108883,146831,101026,145194,2416,102114,255962,497942,504741,600172,564928,424,248284,249193]},"pktlen": {"min":142,"avg":198.7,"max":308,"stddev":56.4,"var":3176.8,"ent":4.9,"data": [142,233,308,169,153,169,153,211,184,308,153,167,275,142,233,308,169,153,169,153,211,184,308,153,167,211,167,142,233,308,169,153]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01770{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":82,"source":"telegram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708683,"flow_src_last_pkt_time":1588779604771558,"flow_dst_last_pkt_time":1588779596708683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771558,"l3_proto":"ip6","src_ip":"fe80::4ba:91a:7817:e318","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":368,"avg":260092.7,"max":1088510,"stddev":238249.1,"var":56762626048.0,"ent":4.4,"data": [549636,368,252675,249340,102637,153314,104807,140890,2645,102602,252497,506250,1088510,524637,499,254511,249377,108993,147062,100772,145197,1893,102609,256062,497966,504718,600438,564206,375,249009,248380]},"pktlen": {"min":162,"avg":218.7,"max":328,"stddev":56.4,"var":3176.8,"ent":5.0,"data": [162,253,328,189,173,189,173,231,204,328,173,187,295,162,253,328,189,173,189,173,231,204,328,173,187,231,187,162,253,328,189,173]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02161{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":81,"source":"telegram.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708234,"flow_src_last_pkt_time":1588779604771519,"flow_dst_last_pkt_time":1588779596708234,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771519,"l3_proto":"ip4","src_ip":"192.168.1.75","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":424,"avg":260106.0,"max":1089013,"stddev":238284.9,"var":56779681792.0,"ent":4.4,"data": [549364,840,252816,249231,102809,152763,104881,141371,2649,102162,252500,506171,1089013,524484,451,254547,249123,108883,146831,101026,145194,2416,102114,255962,497942,504741,600172,564928,424,248284,249193]},"pktlen": {"min":128,"avg":184.7,"max":294,"stddev":56.4,"var":3176.8,"ent":4.9,"data": [128,219,294,155,139,155,139,197,170,294,139,153,261,128,219,294,155,139,155,139,197,170,294,139,153,197,153,128,219,294,155,139]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [5.085784912,5.440144539,5.167281628,5.217712402,4.744915485,5.209679604,4.709530830,5.181225777,5.157635212,5.184309006,4.657408237,4.791635990,5.077552319,5.091682434,5.425326347,5.176321030,5.207327843,4.744915009,5.230615616,4.669892788,5.180718899,5.192929745,5.173479080,4.723919392,4.791635990,5.190871239,4.722968102,5.085784912,5.449277401,5.181741714,5.181521416,4.739484310]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02169{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":82,"source":"telegram.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1588779596708683,"flow_src_last_pkt_time":1588779604771558,"flow_dst_last_pkt_time":1588779596708683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":100,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":266,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":5014,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779604771558,"l3_proto":"ip6","src_ip":"fe80::4ba:91a:7817:e318","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":368,"avg":260092.7,"max":1088510,"stddev":238249.1,"var":56762626048.0,"ent":4.4,"data": [549636,368,252675,249340,102637,153314,104807,140890,2645,102602,252497,506250,1088510,524637,499,254511,249377,108993,147062,100772,145197,1893,102609,256062,497966,504718,600438,564206,375,249009,248380]},"pktlen": {"min":148,"avg":204.7,"max":314,"stddev":56.4,"var":3176.8,"ent":4.9,"data": [148,239,314,175,159,175,159,217,190,314,159,173,281,148,239,314,175,159,175,159,217,190,314,159,173,217,173,148,239,314,175,159]},"bins": {"c_to_s": [0,0,0,18,2,6,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.905550957,5.334246159,5.128689289,5.078598976,4.487797260,5.078598976,4.471708298,5.059122086,5.029262066,5.128689289,4.471708298,4.521756649,4.957518101,4.905550957,5.322719574,5.127128124,5.090027332,4.483049393,5.090027332,4.471708298,5.044167519,5.029262066,5.127128124,4.471708298,4.533317089,5.044167519,4.533317089,4.886936188,5.334246159,5.125041962,5.090027332,4.500375748]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00881{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":99,"source":"telegram.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1588779606465822,"flow_dst_last_pkt_time":1588779596451825,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":321,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":321,"pkt_l4_len":287,"thread_ts_usec":1588779606465822,"pkt":"\/\/\/\/\/\/\/\/2A0X1lWrCABFAAEzGJdAAEARYHrAqAAB\/\/\/\/\/wBEAEMBHwAAAQEGABAmSTUAAIAAAAAAAAAAAAAAAAAAAAAAANgNF9ZVqwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwIBAwwJVEwtU0cxMTZFPAlUTC1TRzExNkU9BwHYDRfWVav\/"} 00918{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":102,"source":"telegram.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":0,"flow_first_seen":1588779596464729,"flow_src_last_pkt_time":1588779607307651,"flow_dst_last_pkt_time":1588779596464729,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":45,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":196,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779607307651,"l3_proto":"ip4","src_ip":"192.168.1.53","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"_sleep-proxy._udp.local","mdns": {}}} 00661{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":103,"source":"telegram.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1588779607308336,"flow_dst_last_pkt_time":1588779603292829,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":162,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":162,"pkt_l4_len":108,"thread_ts_usec":1588779607308336,"pkt":"MzMAAAD7wJrQLWJ0ht1gBqDxAGwR\/\/6AAAAAAAAAGKCkEok1wBv\/AgAAAAAAAAAAAAAAAAD7FOkU6QBsCTwAAAAAAAEAAQAAAAEMX3NsZWVwLXByb3h5BF91ZHAFbG9jYWwAAAwAAcAMAAwAAQAAEZEAEg81MC0zNS0xMC03MC4xIDHADAAAKQWgAAARlAASAAQADgAx4prQLWJ0wJrQLWJ0"} @@ -118,14 +118,14 @@ 00997{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":248,"source":"telegram.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779617174225,"flow_src_last_pkt_time":1588779617174225,"flow_dst_last_pkt_time":1588779617174225,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779617174225,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"87.11.205.195","src_port":23174,"dst_port":60723,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"OpenVPN","proto_id":"159","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00604{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":255,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1588779617174153,"flow_dst_last_pkt_time":1588779617350710,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779617350710,"pkt":"KDc3AG3I8KNaMBgSCABFAABsUAUAAEARpqrAqAE0wKgBTXr4WoYAWLDM6Td5ePjQrnTyke2EPHu3iQJhxLIf06esu8RwrHmFIT7cHf5ycIamk2yhxwjAfE09exZIgAEDzMDiso7KFMuIe8fjwzyyS3MKiG+Cd3eNuy0="} 00606{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":283,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_src_last_pkt_time":1588779617174153,"flow_dst_last_pkt_time":1588779617856441,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779617856441,"pkt":"KDc3AG3I8KNaMBgSCABFAABsRZ4AAEARsRHAqAE0wKgBTXr4WoYAWPxjToIQs5m5XoZB1qDehmfhJomQUeopOlZuJIIaL6qE8BgtmXQ6sqxHJAacGMTU5S5RgUjUPrOpUP\/aPObI3ORz5PRGJjnynufzdcsxdb\/ZTPY="} -01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":285,"source":"telegram.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1588779616036528,"flow_src_last_pkt_time":1588779617856756,"flow_dst_last_pkt_time":1588779617876992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":192,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":3040,"midstream":0,"thread_ts_usec":1588779617876992,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.7","src_port":23174,"dst_port":521,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":658,"avg":118086.8,"max":500928,"stddev":112055.1,"var":12556351488.0,"ent":4.4,"data": [33725,303789,500928,195774,135671,308435,212114,658,38919,154099,154494,74510,133656,63749,29902,38640,63854,177395,37753,25997,43596,64156,189778,58771,4478,63507,64504,42995,64523,315929,64393]},"pktlen": {"min":74,"avg":158.0,"max":234,"stddev":57.3,"var":3288.0,"ent":4.9,"data": [82,106,138,82,106,138,138,74,138,90,82,106,234,138,234,138,234,218,138,138,218,234,218,82,106,218,218,202,218,218,138,234]},"bins": {"c_to_s": [0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,8,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,1,0,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02144{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":285,"source":"telegram.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":22,"flow_first_seen":1588779616036528,"flow_src_last_pkt_time":1588779617856756,"flow_dst_last_pkt_time":1588779617876992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":192,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":3040,"midstream":0,"thread_ts_usec":1588779617876992,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.7","src_port":23174,"dst_port":521,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":658,"avg":118086.8,"max":500928,"stddev":112055.1,"var":12556351488.0,"ent":4.4,"data": [33725,303789,500928,195774,135671,308435,212114,658,38919,154099,154494,74510,133656,63749,29902,38640,63854,177395,37753,25997,43596,64156,189778,58771,4478,63507,64504,42995,64523,315929,64393]},"pktlen": {"min":60,"avg":144.0,"max":220,"stddev":57.3,"var":3288.0,"ent":4.9,"data": [68,92,124,68,92,124,124,60,124,76,68,92,220,124,220,124,220,204,124,124,204,220,204,68,92,204,204,188,204,204,124,220]},"bins": {"c_to_s": [0,5,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,8,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,1,1,0,1,1,1,1,0,1,1,1,1,1,1,0,1],"entropies": [4.868813038,5.080193996,6.484322071,4.938737869,5.058454990,6.613354206,6.541945457,4.581729889,6.581096649,5.095970154,4.909326553,5.058454990,7.109486580,6.431981564,6.988621235,6.484322548,7.029896736,7.015371323,6.468193054,6.439083576,6.959566116,7.054485798,6.952973843,4.898225307,5.050249577,6.888344765,6.828825951,6.886248589,6.965054512,6.968754292,6.432657719,7.008387089]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":340,"source":"telegram.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":2,"flow_src_last_pkt_time":1588779618677198,"flow_dst_last_pkt_time":1588779617174225,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1588779618677198,"pkt":"EBMx8Tl2KDc3AG3ICABFAABMg0kAAEAREJTAqAFNVwvNw1qG7TMAOE0OU2RiXNjy8sJRKs8KhnTyEy6Nhnt95vQlharNkBkXr2lvtMgl2dlHhYY4WvPjXQkp"} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779619914905,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":1,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":85,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":85,"pkt_l4_len":51,"thread_ts_usec":1588779619914905,"pkt":"EBMx8Tl2KDc3AG3ICABFAABHqTUAAEARTdLAqAFNwKgBAbgXADUAM25TALgBAAABAAAAAAAAA3d3dxFnb29nbGV0YWdzZXJ2aWNlcwNjb20AAAEAAQ=="} 01017{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":389,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619914905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779619914905,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} 00576{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":390,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_packet_id":2,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619916408,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":101,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":101,"pkt_l4_len":67,"thread_ts_usec":1588779619916408,"pkt":"KDc3AG3IAICPmq69CABFAABXwqhAAEAR9E7AqAEBwKgBTQA1uBcAQ5UvALiBgAABAAEAAAAAA3d3dxFnb29nbGV0YWdzZXJ2aWNlcwNjb20AAAEAAcAMAAEAAQAAAAAABMCoAZ0="} 01160{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":390,"source":"telegram.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1588779619914905,"flow_src_last_pkt_time":1588779619914905,"flow_dst_last_pkt_time":1588779619916408,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":43,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":43,"flow_dst_max_l4_payload_len":59,"flow_src_tot_l4_payload_len":43,"flow_dst_tot_l4_payload_len":59,"midstream":0,"thread_ts_usec":1588779619916408,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.1","src_port":47127,"dst_port":53,"l4_proto":"udp","ndpi": {"flow_risk": {"23": {"risk":"Suspicious DNS Traffic","severity":"High","risk_score": {"total":760,"client":580,"server":180}}},"confidence": {"6":"DPI"},"proto":"DNS.GoogleServices","proto_id":"5.239","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.googletagservices.com","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":1,"rsp_type":1,"rsp_addr":"192.168.1.157"}}} -01620{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":42308,"avg":260899.1,"max":1998754,"stddev":472680.0,"var":223426379776.0,"ent":3.6,"data": [176557,505731,492773,1175336,327643,331901,1681273,64229,63452,64312,42308,63943,1998754,63768,58341,64131,69558,64360,57812,43094,58078,62201,58103,63786,58195,64166,58195,62003,69553,66619,57696]},"pktlen": {"min":90,"avg":205.5,"max":282,"stddev":54.5,"var":2971.8,"ent":4.9,"data": [122,122,122,90,106,90,106,234,266,282,266,266,250,218,234,234,234,218,202,234,218,218,218,234,218,218,218,218,234,218,234,234]},"bins": {"c_to_s": [0,1,2,0,0,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,3,0,0,5,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,0,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]}} +02017{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":42308,"avg":260899.1,"max":1998754,"stddev":472680.0,"var":223426379776.0,"ent":3.6,"data": [176557,505731,492773,1175336,327643,331901,1681273,64229,63452,64312,42308,63943,1998754,63768,58341,64131,69558,64360,57812,43094,58078,62201,58103,63786,58195,64166,58195,62003,69553,66619,57696]},"pktlen": {"min":76,"avg":191.5,"max":268,"stddev":54.5,"var":2971.8,"ent":4.9,"data": [108,108,108,76,92,76,92,220,252,268,252,252,236,204,220,220,220,204,188,220,204,204,204,220,204,204,204,204,220,204,220,220]},"bins": {"c_to_s": [0,1,2,0,0,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,3,0,0,5,6,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,1,0,0,1,1,1,1,1,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [6.355636597,6.144942760,6.288552284,5.822080135,6.003186226,5.769448280,5.982532501,6.929369450,7.114085197,7.222516537,7.114981174,7.110270023,7.085702419,6.970178127,6.995306969,7.109033108,6.973239422,6.927752018,6.818934441,7.038531780,6.999271870,7.012288094,6.925349712,6.947623730,6.895937443,6.919244766,6.867631435,6.885515690,7.022007465,6.852213383,7.018121719,7.103372574]}} 00814{"flow_event_id":9,"flow_event_name":"not-detected","thread_id":0,"packet_id":435,"source":"telegram.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1588779617174153,"flow_src_last_pkt_time":1588779621221417,"flow_dst_last_pkt_time":1588779621214760,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":48,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":240,"flow_src_tot_l4_payload_len":2016,"flow_dst_tot_l4_payload_len":3216,"midstream":0,"thread_ts_usec":1588779621221417,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"192.168.1.52","src_port":23174,"dst_port":31480,"l4_proto":"udp","ndpi": {"proto":"Unknown","proto_id":"0","encrypted":0,"breed":"Unrated"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779625981468,"flow_src_last_pkt_time":1588779625981468,"flow_dst_last_pkt_time":1588779625981468,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":355,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":355,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":355,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779625981468,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00990{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":597,"source":"telegram.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1588779625981468,"flow_dst_last_pkt_time":1588779625981468,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":397,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":397,"pkt_l4_len":363,"thread_ts_usec":1588779625981468,"pkt":"\/\/\/\/\/\/\/\/AICPmq69CABFAAF\/jrEAAEAR6r0AAAAA\/\/\/\/\/wBEAEMBa16\/AQEGAN7JmyKFuQAAAAAAAAAAAAAAAAAAAAAAAACAj5quvQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBPRP\/j5quvQABAAEfyzfOuCfrPQjbUAB0AQE5AgXcPC1kaGNwY2QtNi4xMC4xOkxpbnV4LTQuOS41Ny12Nys6YXJtdjdsOkJDTTI4MzUMDHBpMy5udG9wLm9yZ5EBATcPAXkhAwYMDxocKjM2Ojt3\/w=="} @@ -205,10 +205,10 @@ 00569{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":753,"source":"telegram.pcap","alias":"nDPId-test","flow_id":41,"flow_packet_id":3,"flow_src_last_pkt_time":1588779638048873,"flow_dst_last_pkt_time":1588779637682180,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1588779638048873,"pkt":"EBMx8Tl2KDc3AG3ICABFAABE8IoAAEARYLjAqAFNW2wMBW32AhkAMMg9L+Sfp2xOtDPLzYKhu+piHv\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/8fmAjwvVRcdw=="} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":754,"source":"telegram.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_src_last_pkt_time":1588779638048996,"flow_dst_last_pkt_time":1588779637712776,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":82,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":82,"pkt_l4_len":48,"thread_ts_usec":1588779638048996,"pkt":"EBMx8Tl2KDc3AG3ICABFAABE3R0AAEARcCfAqAFNW2wQA232AhkAMFmIL+Sfp2xOtDPLzYKhu+piHv\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/7\/\/\/\/13zLCZd4eiw=="} 00735{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":825,"source":"telegram.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":2,"flow_src_last_pkt_time":1588779638831421,"flow_dst_last_pkt_time":1588779637830278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":216,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":216,"pkt_l4_len":182,"thread_ts_usec":1588779638831421,"pkt":"AQBef\/\/6KDc3AG3ICABFAADKuMQAAAERTm\/AqAFN7\/\/\/+sufB2wAtsJkTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMQ0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KVVNFUi1BR0VOVDogR29vZ2xlIENocm9tZS84My4wLjQxMDMuMzQgTWFjIE9TIFgNCg0K"} -01741{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":845,"source":"telegram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1588779637543816,"flow_src_last_pkt_time":1588779639059745,"flow_dst_last_pkt_time":1588779639085148,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":3024,"flow_dst_tot_l4_payload_len":688,"midstream":0,"thread_ts_usec":1588779639085148,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.8","src_port":28150,"dst_port":529,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8183,"avg":98621.3,"max":504672,"stddev":137715.2,"var":18965475328.0,"ent":4.0,"data": [38704,504672,472194,31371,48787,83063,90104,75511,57499,58021,58053,58125,51991,386634,9517,8470,27260,36050,21667,40197,58112,58011,58152,57862,69999,57869,58016,8183,436304,11258,25605]},"pktlen": {"min":74,"avg":158.0,"max":234,"stddev":55.4,"var":3064.0,"ent":4.9,"data": [82,106,82,138,106,138,138,74,218,218,218,234,218,82,138,138,218,106,138,218,90,218,218,202,218,202,218,218,82,138,138,106]},"bins": {"c_to_s": [0,5,0,4,0,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02136{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":845,"source":"telegram.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1588779637543816,"flow_src_last_pkt_time":1588779639059745,"flow_dst_last_pkt_time":1588779639085148,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":192,"flow_dst_max_l4_payload_len":96,"flow_src_tot_l4_payload_len":3024,"flow_dst_tot_l4_payload_len":688,"midstream":0,"thread_ts_usec":1588779639085148,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.8","src_port":28150,"dst_port":529,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8183,"avg":98621.3,"max":504672,"stddev":137715.2,"var":18965475328.0,"ent":4.0,"data": [38704,504672,472194,31371,48787,83063,90104,75511,57499,58021,58053,58125,51991,386634,9517,8470,27260,36050,21667,40197,58112,58011,58152,57862,69999,57869,58016,8183,436304,11258,25605]},"pktlen": {"min":60,"avg":144.0,"max":220,"stddev":55.4,"var":3064.0,"ent":4.9,"data": [68,92,68,124,92,124,124,60,204,204,204,220,204,68,124,124,204,92,124,204,76,204,204,188,204,188,204,204,68,124,124,92]},"bins": {"c_to_s": [0,5,0,4,0,13,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,1,0,0,0,0,0,0,0,1,0,0,1,0,0,1,0,0,0,0,0,0,0,0,1,0,1],"entropies": [4.808521748,5.009398460,4.808521271,6.399723530,4.941553116,6.478234291,6.493558407,4.513398170,6.960375786,6.945446968,6.939341545,6.983797073,6.888330936,4.878446102,6.548838615,6.455212116,7.004271030,5.031137943,6.436948776,6.903464317,5.093001842,6.935152531,6.904445171,6.829572678,6.978069782,6.828165054,6.847532749,7.033680439,4.937269211,6.449124336,6.467387676,4.965919971]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":853,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1588779639103009,"flow_src_last_pkt_time":1588779639103009,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":80,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":80,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1588779639103009,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"87.11.205.195","src_port":28150,"dst_port":59772,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00605{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":853,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1588779639103009,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":122,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":122,"pkt_l4_len":88,"thread_ts_usec":1588779639103009,"pkt":"EBMx8Tl2KDc3AG3ICABFAABsKQMAAEARarrAqAFNVwvNw2326XwAWFNj2ajstQcU9VmrWsN2RmlsiodFzsmW0mXr5Gv8o0f2aR9YWQKIE34PAz\/0T4VwEA0DXBRrws2ycCoPovMV6p5YsfJULcJS2cwqBKkU3Xys+SQ="} -01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":875,"source":"telegram.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1588779637543824,"flow_src_last_pkt_time":1588779639102885,"flow_dst_last_pkt_time":1588779639500175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":176,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":3200,"midstream":0,"thread_ts_usec":1588779639500175,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.1","src_port":28150,"dst_port":533,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7087,"avg":113400.4,"max":504936,"stddev":151181.6,"var":22855886848.0,"ent":4.1,"data": [34096,504936,476895,26281,48588,90140,359286,474896,22927,53992,44091,48774,32735,70515,63740,63677,64572,42031,447918,51385,12513,7087,54201,56023,36226,28925,63945,41904,63934,64562,64617]},"pktlen": {"min":74,"avg":157.0,"max":218,"stddev":54.2,"var":2943.0,"ent":4.9,"data": [82,106,82,138,106,138,74,82,138,106,138,90,138,218,218,202,218,218,218,82,138,218,106,138,218,138,218,218,202,218,202,218]},"bins": {"c_to_s": [0,5,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,5,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02140{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":875,"source":"telegram.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":8,"flow_dst_packets_processed":24,"flow_first_seen":1588779637543824,"flow_src_last_pkt_time":1588779639102885,"flow_dst_last_pkt_time":1588779639500175,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":96,"flow_dst_max_l4_payload_len":176,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":3200,"midstream":0,"thread_ts_usec":1588779639500175,"l3_proto":"ip4","src_ip":"192.168.1.77","dst_ip":"91.108.8.1","src_port":28150,"dst_port":533,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":7087,"avg":113400.4,"max":504936,"stddev":151181.6,"var":22855886848.0,"ent":4.1,"data": [34096,504936,476895,26281,48588,90140,359286,474896,22927,53992,44091,48774,32735,70515,63740,63677,64572,42031,447918,51385,12513,7087,54201,56023,36226,28925,63945,41904,63934,64562,64617]},"pktlen": {"min":60,"avg":143.0,"max":204,"stddev":54.2,"var":2943.0,"ent":4.9,"data": [68,92,68,124,92,124,60,68,124,92,124,76,124,204,204,188,204,204,204,68,124,204,92,124,204,124,204,204,188,204,188,204]},"bins": {"c_to_s": [0,5,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,1,4,5,0,14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,1,1,1,0,1,1,1,1,1,1,1,1],"entropies": [4.966681004,5.096354961,4.937269211,6.506538868,5.044672012,6.487470627,4.580064774,4.937269211,6.484322548,5.052877426,6.310050964,5.093001842,6.474280834,6.938044071,6.986575603,6.864440918,6.966351032,6.935151577,6.996869087,4.937269211,6.502585888,6.988362312,5.031137943,6.294727325,6.920350552,6.415852547,6.915544987,6.900125980,6.926725864,7.031893730,6.898294926,7.013583183]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Telegram","proto_id":"185","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00734{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":899,"source":"telegram.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":3,"flow_src_last_pkt_time":1588779639832508,"flow_dst_last_pkt_time":1588779637830278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":216,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":216,"pkt_l4_len":182,"thread_ts_usec":1588779639832508,"pkt":"AQBef\/\/6KDc3AG3ICABFAADKAckAAAERBWvAqAFN7\/\/\/+sufB2wAtsJkTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMQ0KU1Q6IHVybjpkaWFsLW11bHRpc2NyZWVuLW9yZzpzZXJ2aWNlOmRpYWw6MQ0KVVNFUi1BR0VOVDogR29vZ2xlIENocm9tZS84My4wLjQxMDMuMzQgTWFjIE9TIFgNCg0K"} 00560{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":915,"source":"telegram.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1588779640101988,"flow_dst_last_pkt_time":1588779639103009,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":90,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":90,"pkt_l4_len":56,"thread_ts_usec":1588779640101988,"pkt":"EBMx8Tl2KDc3AG3ICABFAABMml0AAEAR+X\/AqAFNVwvNw2326XwAOMsSsmK\/vWlJHJOqyuLBG8kWaad6RX1I27GljGkLPfHdr93dNQ8yPA7ggZLrS4Zn185b"} 00913{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1129,"source":"telegram.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1588779645375046,"flow_dst_last_pkt_time":1588779596465053,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":353,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":353,"pkt_l4_len":319,"thread_ts_usec":1588779645375046,"pkt":"AQBeAAD7eCjKBfrMCABFAAFTiPpAAAERTLfAqAFF4AAA+xTpFOkBP9DmAACEAAAAAAEAAAADEF9zcG90aWZ5LWNvbm5lY3QEX3RjcAVsb2NhbAAADAABAAAAeAAvEXNvbm9zNzgyOENBMDVGQUNDEF9zcG90aWZ5LWNvbm5lY3QEX3RjcAVsb2NhbAARc29ub3M3ODI4Q0EwNUZBQ0MQX3Nwb3RpZnktY29ubmVjdARfdGNwBWxvY2FsAAAQgAEAABGUAB0LVkVSU0lPTj0xLjAQQ1BhdGg9L3Nwb3RpZnl6YxFzb25vczc4MjhDQTA1RkFDQxBfc3BvdGlmeS1jb25uZWN0BF90Y3AFbG9jYWwAACGAAQAAAHgAHwAAAAAFeBFzb25vczc4MjhDQTA1RkFDQwVsb2NhbAARc29ub3M3ODI4Q0EwNUZBQ0MFbG9jYWwAAAGAAQAAAHgABMCoAUU="} @@ -301,9 +301,9 @@ ~~ total active/idle flows...: 48/48 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6157022 bytes -~~ total memory freed........: 6157022 bytes -~~ total allocations/frees...: 123509/123509 +~~ total memory allocated....: 6163550 bytes +~~ total memory freed........: 6163550 bytes +~~ total allocations/frees...: 123557/123557 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2337 chars diff --git a/test/results/telnet.pcap.out b/test/results/telnet.pcap.out index 5e5071cd1..1dab0fff8 100644 --- a/test/results/telnet.pcap.out +++ b/test/results/telnet.pcap.out @@ -7,7 +7,7 @@ 01012{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":2,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755158537777,"flow_dst_last_pkt_time":943755158537538,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":27,"flow_dst_max_l4_payload_len":3,"flow_src_tot_l4_payload_len":30,"flow_dst_tot_l4_payload_len":3,"midstream":0,"thread_ts_usec":943755158537777,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"","password":""}}} 01027{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":29,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755158616442,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":197,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755159705066,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"","password":""}}} 01031{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":31,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160949196,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160949196,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"fake","password":""}}} -01546{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":172,"avg":125200.9,"max":1232764,"stddev":336743.6,"var":113396252672.0,"ent":2.2,"data": [2525,2572,1588,147810,146242,172,1611,1711,3291,1327,593,1791,1069,2370,3571,617,1174,22251,20360,1248,13791,15049,1196,784,12789,12241,20023,1107336,1099990,1232764,1372]},"pktlen": {"min":66,"avg":77.2,"max":151,"stddev":18.8,"var":354.0,"ent":5.0,"data": [74,74,66,93,69,66,69,66,91,130,66,84,75,66,90,66,151,66,69,69,66,78,72,66,81,66,98,66,73,66,72,66]},"bins": {"c_to_s": [15,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,0]}} +01945{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":172,"avg":125200.9,"max":1232764,"stddev":336743.6,"var":113396252672.0,"ent":2.2,"data": [2525,2572,1588,147810,146242,172,1611,1711,3291,1327,593,1791,1069,2370,3571,617,1174,22251,20360,1248,13791,15049,1196,784,12789,12241,20023,1107336,1099990,1232764,1372]},"pktlen": {"min":52,"avg":63.2,"max":137,"stddev":18.8,"var":354.0,"ent":4.9,"data": [60,60,52,79,55,52,55,52,77,116,52,70,61,52,76,52,137,52,55,55,52,64,58,52,67,52,84,52,59,52,58,52]},"bins": {"c_to_s": [15,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,0,0,1,1,0,1,1,0,1,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,0],"entropies": [4.315444469,4.777318954,4.791129112,5.044729233,4.800010681,4.791129112,4.871557236,4.662475586,5.051413059,5.269734383,4.647958755,5.011583805,5.044849873,4.777860641,4.820554256,4.791128635,5.556590080,4.868052006,4.850099087,4.862643719,4.777860641,4.944003105,4.924550533,4.739398956,4.948766708,4.791129112,5.493695259,4.829590797,5.035621166,4.686420441,5.042736053,4.829590321]}} 01031{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755160950568,"flow_dst_last_pkt_time":943755159705066,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":32,"flow_src_tot_l4_payload_len":203,"flow_dst_tot_l4_payload_len":139,"midstream":0,"thread_ts_usec":943755160950568,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess","telnet": {"username":"fake","password":""}}} 01019{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":92,"source":"telnet.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":48,"flow_dst_packets_processed":44,"flow_first_seen":943755158387203,"flow_src_last_pkt_time":943755197957149,"flow_dst_last_pkt_time":943755197958477,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":85,"flow_dst_max_l4_payload_len":488,"flow_src_tot_l4_payload_len":289,"flow_dst_tot_l4_payload_len":1371,"midstream":0,"thread_ts_usec":943755197958477,"l3_proto":"ip4","src_ip":"192.168.0.2","dst_ip":"192.168.0.1","src_port":1550,"dst_port":23,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Telnet","proto_id":"77","encrypted":0,"breed":"Unsafe","category_id":12,"category":"RemoteAccess"}} 00557{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":92,"source":"telnet.pcap","alias":"nDPId-test","packets-captured":92,"packets-processed":92,"total-skipped-flows":0,"total-l4-payload-len":1660,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":943755197958477} @@ -19,10 +19,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6040357 bytes -~~ total memory freed........: 6040357 bytes -~~ total allocations/frees...: 121580/121580 +~~ total memory allocated....: 6040493 bytes +~~ total memory freed........: 6040493 bytes +~~ total allocations/frees...: 121581/121581 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1551 chars -~~ json string avg len.......: 1003 chars +~~ json string max len.......: 1950 chars +~~ json string avg len.......: 1190 chars diff --git a/test/results/teredo.pcap.out b/test/results/teredo.pcap.out index fd8903d27..5e3715c7c 100644 --- a/test/results/teredo.pcap.out +++ b/test/results/teredo.pcap.out @@ -36,9 +36,9 @@ ~~ total active/idle flows...: 5/5 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042833 bytes -~~ total memory freed........: 6042833 bytes -~~ total allocations/frees...: 121551/121551 +~~ total memory allocated....: 6043513 bytes +~~ total memory freed........: 6043513 bytes +~~ total allocations/frees...: 121556/121556 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 914 chars diff --git a/test/results/tftp.pcap.out b/test/results/tftp.pcap.out index e69c5adcb..66a8a1b2c 100644 --- a/test/results/tftp.pcap.out +++ b/test/results/tftp.pcap.out @@ -14,7 +14,7 @@ 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":5,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":12,"thread_ts_usec":946730124846355,"pkt":"AFCN14tDAAu+GJpACABFAAAgAAEAAP8ROXTAqAD9wKgACsW6DXUADKpJAAQAAQAAAAAAAAAAAAAAAAAA"} 01176{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":6,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":558,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":558,"pkt_l4_len":524,"thread_ts_usec":946730124846355,"pkt":"AAu+GJpAAFCN14tDCABFAAIgkycAAIARI07AqAAKwKgA\/Q11xboCDOXlAAMAAkIgT2ZmaWNpYWwgUHJvdG9jb2wKICAgU3RhbmRhcmRzIiBmb3IgdGhlIHN0YW5kYXJkaXphdGlvbiBzdGF0ZSBhbmQgc3RhdHVzIG9mIHRoaXMgcHJvdG9jb2wuCiAgIERpc3RyaWJ1dGlvbiBvZiB0aGlzIG1lbW8gaXMgdW5saW1pdGVkLgoKU3VtbWFyeQoKICAgVEZUUCBpcyBhIHZlcnkgc2ltcGxlIHByb3RvY29sIHVzZWQgdG8gdHJhbnNmZXIgZmlsZXMuICBJdCBpcyBmcm9tCiAgIHRoaXMgdGhhdCBpdHMgbmFtZSBjb21lcywgVHJpdmlhbCBGaWxlIFRyYW5zZmVyIFByb3RvY29sIG9yIFRGVFAuCiAgIEVhY2ggbm9udGVybWluYWwgcGFja2V0IGlzIGFja25vd2xlZGdlZCBzZXBhcmF0ZWx5LiAgVGhpcyBkb2N1bWVudAogICBkZXNjcmliZXMgdGhlIHByb3RvY29sIGFuZCBpdHMgdHlwZXMgb2YgcGFja2V0cy4gIFRoZSBkb2N1bWVudCBhbHNvCiAgIGV4cGxhaW5zIHRoZSByZWFzb25zIGJlaGluZCBzb21lIG9mIHRoZSBkZXNpZ24gZGVjaXNpb25zLgoKQWNrbm93bGVnZW1lbnRzCgogICBUaGUg"} 00994{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":946730124846355,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":516,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":516,"flow_dst_max_l4_payload_len":4,"flow_src_tot_l4_payload_len":1032,"flow_dst_tot_l4_payload_len":8,"midstream":0,"thread_ts_usec":946730124846355,"l3_proto":"ip4","src_ip":"192.168.0.10","dst_ip":"192.168.0.253","src_port":3445,"dst_port":50618,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TFTP","proto_id":"96","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} -01650{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":35,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946730124846355,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":516,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":516,"flow_dst_max_l4_payload_len":4,"flow_src_tot_l4_payload_len":8256,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":946730124846355,"l3_proto":"ip4","src_ip":"192.168.0.10","dst_ip":"192.168.0.253","src_port":3445,"dst_port":50618,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":60,"avg":309.0,"max":558,"stddev":249.0,"var":62001.0,"ent":4.5,"data": [558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60,558,60]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TFTP","proto_id":"96","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} +02049{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":35,"source":"tftp.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":946730124846355,"flow_src_last_pkt_time":946730124846355,"flow_dst_last_pkt_time":946730124846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":516,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":516,"flow_dst_max_l4_payload_len":4,"flow_src_tot_l4_payload_len":8256,"flow_dst_tot_l4_payload_len":64,"midstream":0,"thread_ts_usec":946730124846355,"l3_proto":"ip4","src_ip":"192.168.0.10","dst_ip":"192.168.0.253","src_port":3445,"dst_port":50618,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":0,"avg":0.0,"max":0,"stddev":0.0,"var":0.0,"ent":0.0,"data": []},"pktlen": {"min":46,"avg":295.0,"max":544,"stddev":249.0,"var":62001.0,"ent":4.4,"data": [544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46,544,46]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.265709877,3.000972986,4.623624802,3.000972986,4.859318733,3.000972986,4.935849667,2.941084146,4.381216049,2.957494497,4.600720406,3.000972986,4.634294987,3.000972986,4.567757130,3.000972986,4.459813595,3.000972986,4.388016701,2.941084146,4.358253002,3.000972986,4.537627220,2.941084146,4.658279419,2.941084146,4.567505836,3.000972986,4.506970406,3.000972986,4.253873825,3.000972986]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TFTP","proto_id":"96","encrypted":0,"breed":"Acceptable","category_id":4,"category":"DataTransfer"}} 00557{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":102,"source":"tftp.pcap","alias":"nDPId-test","packets-captured":102,"packets-processed":101,"total-skipped-flows":0,"total-l4-payload-len":25039,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":4,"total-detection-updates":0,"total-updates":0,"current-active-flows":4,"total-active-flows":4,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":18,"global_ts_usec":946733724846355} 00746{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":102,"source":"tftp.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":946733724846355,"flow_src_last_pkt_time":946733724846355,"flow_dst_last_pkt_time":946733724846355,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":19,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":19,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":19,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":946733724846355,"l3_proto":"ip4","src_ip":"172.28.4.53","dst_ip":"172.16.5.170","src_port":54627,"dst_port":69,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":102,"source":"tftp.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":946733724846355,"flow_dst_last_pkt_time":946733724846355,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":61,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":61,"pkt_l4_len":27,"thread_ts_usec":946733724846355,"pkt":"9Opn97JCCAAnntJbCABFAAAv+hlAAEAR3pisHAQ1rBAFqtVjAEUAGx52AAFzeXNtYW4ubGlzAG9jdGV0AA=="} @@ -44,10 +44,10 @@ ~~ total active/idle flows...: 7/7 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6048606 bytes -~~ total memory freed........: 6048606 bytes -~~ total allocations/frees...: 121656/121656 +~~ total memory allocated....: 6049558 bytes +~~ total memory freed........: 6049558 bytes +~~ total allocations/frees...: 121663/121663 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1655 chars -~~ json string avg len.......: 1071 chars +~~ json string max len.......: 2054 chars +~~ json string avg len.......: 1270 chars diff --git a/test/results/threema.pcap.out b/test/results/threema.pcap.out index 75dd601a7..885b15803 100644 --- a/test/results/threema.pcap.out +++ b/test/results/threema.pcap.out @@ -48,9 +48,9 @@ ~~ total active/idle flows...: 6/6 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6058456 bytes -~~ total memory freed........: 6058456 bytes -~~ total allocations/frees...: 121626/121626 +~~ total memory allocated....: 6059272 bytes +~~ total memory freed........: 6059272 bytes +~~ total allocations/frees...: 121632/121632 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 915 chars diff --git a/test/results/tinc.pcap.out b/test/results/tinc.pcap.out index 25b3e3f44..6a88fd34c 100644 --- a/test/results/tinc.pcap.out +++ b/test/results/tinc.pcap.out @@ -20,8 +20,8 @@ 01002{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":53,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983428043218,"flow_dst_last_pkt_time":1495983428043218,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":724,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":724,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":724,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1495983428043218,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} 02451{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":54,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1495983428043268,"flow_dst_last_pkt_time":1495983428043218,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1486,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1486,"pkt_l4_len":1452,"thread_ts_usec":1495983428043268,"pkt":"ACbGCvpSABcILL3nCABFCAXAAABAADERhNO5U9pwg3KoG9lo2WgFrCCQQfVUKnrm4XUK3wfxxn8qlQ5ZlUxAsin94OmtvvCqeiNDv9hCgysXgIe\/Jwp6foEgyUgSLwbFE+jFX5EiTbzvLxw+eE+9kkIbIypcFMAA862am\/h5EhYX9oyZgZit\/ohLFdBZAd\/9piW+TIg1JYKUHUk24mSNhkzehqNGbaa8v1XNXvCAKUf+je80JL2ztiSjDNtOMrbTSNyuOyDQhbbpaRAakKCJ88rhmRVZWPpGUvSoCLUQLdy+ls4UP9VbLIv60yNlhG\/tIZF+Y9AgYJgNK7469NXCZUoHPgebmwGoSIBvEupGZ2HWMq5tD1YtSNLd5mdcZ4U6bdW57PJT8Mqpobu5nNKCEUTKU8fv54QllT27onCmdTrjSLU7i56qGCPKz8Pmgpd+4MU1sOXlteqk11G5kxvUePU9AHDMWVZcDsBw+8w6+Ab\/JxYo4ilYPsOkX7nL+VL0USjj5AuG8wFeeDnvZeQURQeN12MuZewRpRzkJa5jIqIQqHHvEIR3I+NlcYV0IJXsrpavQ6RSGtYmR7+94hoEShFxTK6D2mPtrdLiAqRfmJptPiSWLm5Mqo0iayfkgY6sd6M1vwIpwRPc0qQOtn1doDjup9IIauyzdANQF9x2voU4Z8dsvHyVyVE9VF\/Qdb\/Bbe15\/vrLpOF+cB00\/TXrJ07AVZHqEwel\/iScs2S9kgqiIjzb1T0G6y8xlHQV7ktrErMlC4GXnRqlxWayYa4G266nN6wc0wTy9MD7G5DpqxUPZwZIrxZiMHXc4mPXA210XTsNG7LVVQM581lStiGr1a4pUZOImjoO\/gk5frgMuu6jHFgEA+vJuy5sW5lQpb37IXQqFXKKxN2z8Ke+x4zy7ALHVigelzuNCf3HZfol1uD4eeP+2tpVITMiH4O5PCcLDMT1yYFhbvLg8pREkBITQB+rUBzFhHXEVteh6noPH6hIRkDIrLyfEHdswFs6MATwSlSxKkz0QuaSV8BEXCeHOM+JmmNRCgSmcHuzwrDdDGG7eSF7kzVOXV4KPQtBdbB4rq\/rFfGJFSiBXn2huFIeNdQhj4gFtDQIfYjXMsmhSsrScwjLj7C7jg2Rwm\/XuhfLgws3rBZC6s4ClAl8Lku7gDzAWOdYgK2FafJmEnZR3NXAFEI8JF5r5ITwwBATJADMcv7GO51VLOgFAuacu5w0kk1gxapzbHcSOdPeKJB+9voPecizTzqOKMuqIngnpb\/qfLXWqnLz7U6\/\/ui4aHgWF+lKp0xsjiPYD9YnVxFJE08oruybimAl5F4KHctwad6wrnqDh7AMDE3spgEO04z6pL2VZXL\/wvq6pxHL80kORMsGZgPOmyHtPCRE5Jd+RFgmwBejwRrNJFCuLc2P622GjZ1t\/hPuud14khvjnfHdyfKsl19iLyzwv7qu0oEoiwBrYf06g7MzcULZl4XUxJNSE9RYU15rJmRxguh4eXuIOqgIqrfkbI\/\/vDyBWYyc45utTloDIm+GnDiAeigtPF4FijLPE9qVDfQilPuHMnf6UDvllbgNqo19g3gnmLroqXep+7LyRYp4sWr4\/d\/TZKaCucaaCwVm1u\/1te\/n+aOftes5xygxK+OaKehbJ47nnj4GJRcueg7KFHNq2ES0Uj1Rh2+lhguZLWYwLh4\/FPK0vdBcca9l29F4kxSaDHn6BeoZpX+wivGn5jMTbID2EPugYpELm+yXQDHU1W7JBJkdRRhJfBWIKo8UZofXK4qgL2\/MqCqF2T2\/hEjt9sAO7DVGx2T23++65+kzCDH2qiAfrQdQFlN08V17FGkydmcJibPSSbSe7aLjPjiXuGdc7ip\/LMmiTS0sCJq6zHCBk5aHilHCEqmTl+eL9Q9vwrMeAdX+cTIhD7xTxK6aeGzriTEJFQi6+ZDkO2+SfJZlZhRSLhc55JEaOH4LdN2VABhAfw=="} 01734{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1495983428043295,"flow_dst_last_pkt_time":1495983428043218,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":958,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":958,"pkt_l4_len":924,"thread_ts_usec":1495983428043295,"pkt":"ACbGCvpSABcILL3nCABFCAOwAABAADERhuO5U9pwg3KoG9lo2WgDnO+CxkvMU5czu375VqRfqLEu7HGryDGh\/bfeaQJnEYyovrmntDxt74C8PKQJMHvY4MA1ZHuHhnLJLLc7h764zEbGLw\/vzqsaP4XOJmX3J5ZoXTmAMsXnjvJUPqVeWdg0PXJhqa6st9hNynxv5D0rpJqm0\/zV192qcE59jCUVvmB8PfyMGzNb8iu7j79YvIHCzFHzmycvx5sIdKuzv+9aaD2+9O1fWAuPwq8\/8DIg8DeQB7htbL3\/j6lwDGupSOVHCsI1+lYyNr8A5\/OFujJsJCBzKGXQVn+oJRoQMsFgr0giRTOfhVQb+GlZOLXTcVvxl6mNiWSoDQXoxAfPuixrlp8F\/MUrFtVqJYJIqlWUSZ0FHJzKiXJ5yQvwNmnsvYHqMQNW6ZCn++1tGEto8r5tq\/BDe0FvMAOQC\/Iq49d9xjtHRJaZkPSuUT0Ue8\/0Y0g7e7MLBCNRDp3pFvP\/SDROeSBv+1Hrsd3VgZ3eZsdET6SE7O+jiB1npy8XRuCERu\/h5FlX8FbvbKHJP4IXbapoGYosv9tEU2XONo65wz3MCF\/bVbrUPcOASb6j+c55C5rFZMKjA9llC2lki+5ox8NX3C0rsVb9ezbzAq4pvwBxx6yeMVlmBhRxjwXLWviN6bjb8+kKUMxdeqvtFZ90hWLG3av8x5N1D1shhjp\/Pkh3vfzESwJoedvps7xxuR16c9ku4Rlje1SzPbiXWLLd2ctB3NoWHVeTFrvLRU2yqM5LNXQpjLOWYVqndimokWzm3PvfsX2+ickLKvqhiNB8NMbCQKKllVtQtaf37M0W3hxij8fNqkfQ3Dwvv36xYQY6aA2cxZJ7cAJfgWt3+2IqzsbQ\/hOa1lDnl8uliASJ4hjXOWhi4prZ86H1uoSeDR53SAlBdMQQ3YoaLSv6kQQOXAUwHuZQi7+x\/RE5HfoAvVeNzG90OcOnL2uiCxjhyp3\/swc9NGfoqhpvTPlS\/HF6E4gzQu+uwm3Kmj7AsKixik3ciIBb6VqLoyiaQR35wKSQydm3qyc2A8RxVwJEHM9ChZNid+PGF9MC3cdjsTP6IG4AOw3VS8jLQznT38vyJvgWelWwQ+I9gJ2zh8MbfaLP+EWNQPI478wMYlCsuyg5uNNDg0lSF1epToqo6+lky+h2nAa21hKOviRtVRN8LV88QPWbYJx4n3gM4sg9yVPde6y+bdl\/hYGe1J5JIAW7OGyTqN+C43dvapKXMw=="} -01880{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":104,"source":"tinc.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1495983428000367,"flow_src_last_pkt_time":1495983431160747,"flow_dst_last_pkt_time":1495983430158623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1468,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":19148,"flow_dst_tot_l4_payload_len":16284,"midstream":0,"thread_ts_usec":1495983431160747,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":55655,"dst_port":55655,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":171568.9,"max":1069532,"stddev":377387.1,"var":142420983808.0,"ent":2.5,"data": [157,27472,47,25,27522,244,68,237,181,126,15445,30,41839,33,23,1057953,304,258,1003680,53,1840,184,45315,102,25,1024085,82,1069532,137,1001358,279]},"pktlen": {"min":190,"avg":1149.2,"max":1510,"stddev":450.4,"var":202833.5,"ent":4.9,"data": [686,734,238,1486,782,230,1270,190,1310,1478,774,686,734,1278,190,1310,1358,1478,1374,1486,1502,1486,1494,1358,1486,1374,1502,1502,1502,1494,1510,1494]},"bins": {"c_to_s": [0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,2,6,0,0],"s_to_c": [0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,0,6,0,0]},"directions": [0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01881{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983432571150,"flow_dst_last_pkt_time":1495983432526055,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":10944,"flow_dst_tot_l4_payload_len":20512,"midstream":0,"thread_ts_usec":1495983432571150,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":290670.0,"max":2412459,"stddev":558680.6,"var":312123949056.0,"ent":2.9,"data": [50,27,594,482,207,142,1049148,39,24,1048033,86,239,119,120,91,44079,43,25,1044735,279,1021999,20586,1001463,275,241,363633,1001240,149,123,2412459,39]},"pktlen": {"min":118,"avg":1025.0,"max":1494,"stddev":450.3,"var":202783.0,"ent":4.8,"data": [766,1486,958,734,1270,1486,958,1070,670,334,1062,190,1310,526,670,334,190,1310,526,1478,1374,1374,1374,1486,1350,1318,118,1494,1478,1342,1390,1374]},"bins": {"c_to_s": [0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,2,1,0,0,1,0,0],"s_to_c": [0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,1,2,2,2,0,0,2,3,0,0]},"directions": [0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02279{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":104,"source":"tinc.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1495983428000367,"flow_src_last_pkt_time":1495983431160747,"flow_dst_last_pkt_time":1495983430158623,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1468,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":19148,"flow_dst_tot_l4_payload_len":16284,"midstream":0,"thread_ts_usec":1495983431160747,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":55655,"dst_port":55655,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":171568.9,"max":1069532,"stddev":377387.1,"var":142420983808.0,"ent":2.5,"data": [157,27472,47,25,27522,244,68,237,181,126,15445,30,41839,33,23,1057953,304,258,1003680,53,1840,184,45315,102,25,1024085,82,1069532,137,1001358,279]},"pktlen": {"min":176,"avg":1135.2,"max":1496,"stddev":450.4,"var":202833.5,"ent":4.9,"data": [672,720,224,1472,768,216,1256,176,1296,1464,760,672,720,1264,176,1296,1344,1464,1360,1472,1488,1472,1480,1344,1472,1360,1488,1488,1488,1480,1496,1480]},"bins": {"c_to_s": [0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,2,6,0,0],"s_to_c": [0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,2,0,0,0,6,0,0]},"directions": [0,0,1,1,1,0,0,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,0,1,1,1,1,1,0,0,0,0],"entropies": [7.665557861,7.732561588,7.082343578,7.846774578,7.752214432,6.906925201,7.855091572,6.755141735,7.856310368,7.846433163,7.747685909,7.710433006,7.733560562,7.868661880,6.790736675,7.858621597,7.869617462,7.873907566,7.874854565,7.877315998,7.870153904,7.874608040,7.878478050,7.845719337,7.883452892,7.855854511,7.886187077,7.874522686,7.870358467,7.871251106,7.874283314,7.868322849]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02280{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983432571150,"flow_dst_last_pkt_time":1495983432526055,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":148,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1444,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":10944,"flow_dst_tot_l4_payload_len":20512,"midstream":0,"thread_ts_usec":1495983432571150,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":290670.0,"max":2412459,"stddev":558680.6,"var":312123949056.0,"ent":2.9,"data": [50,27,594,482,207,142,1049148,39,24,1048033,86,239,119,120,91,44079,43,25,1044735,279,1021999,20586,1001463,275,241,363633,1001240,149,123,2412459,39]},"pktlen": {"min":104,"avg":1011.0,"max":1480,"stddev":450.3,"var":202783.0,"ent":4.8,"data": [752,1472,944,720,1256,1472,944,1056,656,320,1048,176,1296,512,656,320,176,1296,512,1464,1360,1360,1360,1472,1336,1304,104,1480,1464,1328,1376,1360]},"bins": {"c_to_s": [0,0,0,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,1,0,2,1,0,0,1,0,0],"s_to_c": [0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,1,0,1,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,1,2,2,2,0,0,2,3,0,0]},"directions": [0,0,0,1,1,1,1,0,0,0,1,1,1,1,1,1,0,0,0,1,1,0,1,1,1,1,1,1,1,1,0,0],"entropies": [7.690577507,7.881368160,7.775002003,7.728326797,7.851398468,7.867018700,7.774654388,7.831391335,7.688314915,7.329430103,7.812694550,6.669548035,7.843146801,7.557564259,7.679370403,7.194211483,6.957363605,7.850227833,7.572175503,7.873534679,7.858608246,7.866045952,7.839975357,7.845044613,7.866905689,7.841031551,6.193184853,7.882274628,7.896846294,7.859506130,7.852632523,7.876025200]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01042{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":317,"source":"tinc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":13,"flow_first_seen":1495983427744301,"flow_src_last_pkt_time":1495983475109122,"flow_dst_last_pkt_time":1495983475109062,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1039,"flow_dst_max_l4_payload_len":1037,"flow_src_tot_l4_payload_len":3036,"flow_dst_tot_l4_payload_len":2354,"midstream":0,"thread_ts_usec":1495983475109122,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":49290,"dst_port":55656,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01055{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":317,"source":"tinc.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":101,"flow_dst_packets_processed":29,"flow_first_seen":1495983428000367,"flow_src_last_pkt_time":1495983470930418,"flow_dst_last_pkt_time":1495983470973187,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":76,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1468,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":132724,"flow_dst_tot_l4_payload_len":31332,"midstream":0,"thread_ts_usec":1495983475109122,"l3_proto":"ip4","src_ip":"131.114.168.27","dst_ip":"185.83.218.112","src_port":55655,"dst_port":55655,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01056{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":317,"source":"tinc.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":29,"flow_dst_packets_processed":105,"flow_first_seen":1495983428043218,"flow_src_last_pkt_time":1495983463866065,"flow_dst_last_pkt_time":1495983463817214,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":116,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1468,"flow_src_tot_l4_payload_len":28820,"flow_dst_tot_l4_payload_len":135316,"midstream":0,"thread_ts_usec":1495983475109122,"l3_proto":"ip4","src_ip":"185.83.218.112","dst_ip":"131.114.168.27","src_port":55656,"dst_port":55656,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"5":"DPI (cache)"},"proto":"TINC","proto_id":"209","encrypted":0,"breed":"Acceptable","category_id":2,"category":"VPN"}} @@ -35,9 +35,9 @@ ~~ total active/idle flows...: 4/4 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6054030 bytes -~~ total memory freed........: 6054030 bytes -~~ total allocations/frees...: 121844/121844 +~~ total memory allocated....: 6054574 bytes +~~ total memory freed........: 6054574 bytes +~~ total allocations/frees...: 121848/121848 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 2456 chars diff --git a/test/results/tk.pcap.out b/test/results/tk.pcap.out index 9d35b8827..bfd40b706 100644 --- a/test/results/tk.pcap.out +++ b/test/results/tk.pcap.out @@ -27,9 +27,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6039063 bytes -~~ total memory freed........: 6039063 bytes -~~ total allocations/frees...: 121513/121513 +~~ total memory allocated....: 6039471 bytes +~~ total memory freed........: 6039471 bytes +~~ total allocations/frees...: 121516/121516 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 487 chars ~~ json string max len.......: 1004 chars diff --git a/test/results/tls-appdata.pcap.out b/test/results/tls-appdata.pcap.out index bafe24e2e..978c8519b 100644 --- a/test/results/tls-appdata.pcap.out +++ b/test/results/tls-appdata.pcap.out @@ -12,7 +12,7 @@ 00870{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":8,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610288724000,"flow_dst_last_pkt_time":1643610288722000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1472,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1643610288724000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitch","proto_id":"91.195","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":9,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1643610288724000,"flow_dst_last_pkt_time":1643610288737000,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1643610288737000,"pkt":"YDjgxTWgeJS0JASgCABFAAAoJklAADkGXZQ038YHwKgCZAG75mCdFTAgOSeK4VAQCRZvcQAAAAAAAAAA"} 00765{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":31,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1642636825083000,"flow_src_last_pkt_time":1642636825195000,"flow_dst_last_pkt_time":1642636825303000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":135,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":159,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":429,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1643610288741000,"l3_proto":"ip4","src_ip":"179.60.195.173","dst_ip":"192.168.2.100","src_port":443,"dst_port":60636,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} -01514{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":2458615.5,"max":15956000,"stddev":5752110.0,"var":33086771298304.0,"ent":1.0,"data": [2000,15000,3000,16000,1000,1000,15941000,1000,15956000,5000,19000,1000,1000]},"pktlen": {"min":54,"avg":1143.2,"max":2958,"stddev":1252.1,"var":1567845.5,"ent":4.0,"data": [1506,74,60,1506,2958,54,2958,54,54,2958,2885,54,54,54,54,1506,74,60,1506,2958,54,2958,54,2958,1506,74,60,1506,2958,54,2958,54]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,9]},"directions": [0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,1,0,1,0,0,1,1,1,0,1,0]}} +01913{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":38,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1000,"avg":2458615.5,"max":15956000,"stddev":5752110.0,"var":33086771298304.0,"ent":1.0,"data": [2000,15000,3000,16000,1000,1000,15941000,1000,15956000,5000,19000,1000,1000]},"pktlen": {"min":40,"avg":1129.2,"max":2944,"stddev":1252.1,"var":1567845.6,"ent":4.0,"data": [1492,60,46,1492,2944,40,2944,40,40,2944,2871,40,40,40,40,1492,60,46,1492,2944,40,2944,40,2944,1492,60,46,1492,2944,40,2944,40]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,9]},"directions": [0,0,1,1,1,0,1,0,0,1,1,0,0,0,0,0,0,1,1,1,0,1,0,1,0,0,1,1,1,0,1,0],"entropies": [7.874306679,5.500818253,4.652828693,7.888679028,7.939795017,4.981687069,7.939328194,4.931686878,4.931686878,7.934259415,7.938295841,4.981687069,4.931687355,4.931687355,4.981687069,7.885500431,5.513399124,4.565871716,7.865909100,7.927158833,4.881687164,7.936643124,4.881687164,7.934941769,7.882087708,5.613399506,4.522394180,7.860544682,7.936390877,4.881687641,7.928893089,4.912815094]}} 00887{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":38,"source":"tls-appdata.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1643610288722000,"flow_src_last_pkt_time":1643610304703000,"flow_dst_last_pkt_time":1643610304703000,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1452,"flow_dst_max_l4_payload_len":2904,"flow_src_tot_l4_payload_len":4416,"flow_dst_tot_l4_payload_len":30419,"midstream":1,"thread_ts_usec":1643610304703000,"l3_proto":"ip4","src_ip":"192.168.2.100","dst_ip":"52.223.198.7","src_port":58976,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Twitch","proto_id":"91.195","encrypted":1,"breed":"Fun","category_id":26,"category":"Video"}} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":46,"source":"tls-appdata.pcap","alias":"nDPId-test","packets-captured":46,"packets-processed":45,"total-skipped-flows":0,"total-l4-payload-len":41014,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":1,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1643611942615000} 00562{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":76,"source":"tls-appdata.pcap","alias":"nDPId-test","packets-captured":76,"packets-processed":75,"total-skipped-flows":0,"total-l4-payload-len":70000,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":1,"total-updates":0,"current-active-flows":1,"total-active-flows":2,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":18,"global_ts_usec":1643612754900000} @@ -27,9 +27,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6081668 bytes -~~ total memory freed........: 6081668 bytes -~~ total allocations/frees...: 121624/121624 +~~ total memory allocated....: 6081940 bytes +~~ total memory freed........: 6081940 bytes +~~ total allocations/frees...: 121626/121626 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 496 chars ~~ json string max len.......: 2475 chars diff --git a/test/results/tls-esni-fuzzed.pcap.out b/test/results/tls-esni-fuzzed.pcap.out index e802c13c0..b62bd74c7 100644 --- a/test/results/tls-esni-fuzzed.pcap.out +++ b/test/results/tls-esni-fuzzed.pcap.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6046416 bytes -~~ total memory freed........: 6046416 bytes -~~ total allocations/frees...: 121521/121521 +~~ total memory allocated....: 6046824 bytes +~~ total memory freed........: 6046824 bytes +~~ total allocations/frees...: 121524/121524 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars ~~ json string max len.......: 1492 chars diff --git a/test/results/tls-rdn-extract.pcap.out b/test/results/tls-rdn-extract.pcap.out index 196d746c3..210bc6cf9 100644 --- a/test/results/tls-rdn-extract.pcap.out +++ b/test/results/tls-rdn-extract.pcap.out @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6079616 bytes -~~ total memory freed........: 6079616 bytes -~~ total allocations/frees...: 121546/121546 +~~ total memory allocated....: 6079752 bytes +~~ total memory freed........: 6079752 bytes +~~ total allocations/frees...: 121547/121547 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars ~~ json string max len.......: 3535 chars diff --git a/test/results/tls_2_reasms.pcapng.out b/test/results/tls_2_reasms.pcapng.out index cac5b82ce..9a0d447d3 100644 --- a/test/results/tls_2_reasms.pcapng.out +++ b/test/results/tls_2_reasms.pcapng.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6040184 bytes -~~ total memory freed........: 6040184 bytes -~~ total allocations/frees...: 121505/121505 +~~ total memory allocated....: 6040320 bytes +~~ total memory freed........: 6040320 bytes +~~ total allocations/frees...: 121506/121506 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 499 chars ~~ json string max len.......: 2369 chars diff --git a/test/results/tls_2_reasms_b.pcapng.out b/test/results/tls_2_reasms_b.pcapng.out index ba4d36256..c0a239780 100644 --- a/test/results/tls_2_reasms_b.pcapng.out +++ b/test/results/tls_2_reasms_b.pcapng.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6076606 bytes -~~ total memory freed........: 6076606 bytes -~~ total allocations/frees...: 121512/121512 +~~ total memory allocated....: 6076742 bytes +~~ total memory freed........: 6076742 bytes +~~ total allocations/frees...: 121513/121513 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 501 chars ~~ json string max len.......: 1184 chars diff --git a/test/results/tls_alert.pcap.out b/test/results/tls_alert.pcap.out index 78fe87230..ec0a3730b 100644 --- a/test/results/tls_alert.pcap.out +++ b/test/results/tls_alert.pcap.out @@ -22,9 +22,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6043983 bytes -~~ total memory freed........: 6043983 bytes -~~ total allocations/frees...: 121520/121520 +~~ total memory allocated....: 6044255 bytes +~~ total memory freed........: 6044255 bytes +~~ total allocations/frees...: 121522/121522 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 1244 chars diff --git a/test/results/tls_certificate_too_long.pcap.out b/test/results/tls_certificate_too_long.pcap.out index 6c0207904..7cd10c349 100644 --- a/test/results/tls_certificate_too_long.pcap.out +++ b/test/results/tls_certificate_too_long.pcap.out @@ -123,8 +123,8 @@ 02205{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":115,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":3,"flow_src_last_pkt_time":1626168078674936,"flow_dst_last_pkt_time":1626168078673880,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1292,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1292,"pkt_l4_len":1258,"thread_ts_usec":1626168078674936,"pkt":"WNVuaKQA8BiYFWV8CABFAgT+AABAAEAGnGLAqAF5NGKjEtC0AbvnBmXsyo5yyVAYEACH9AAAFwMDBNEAAAAAAAAA3P9mE\/WxzRlzhJVvrME7arSt4cc4b80\/fLZ45lg2jTLN+h8OznVOp0v0YJHlvGb6zo1R0y0127nCMLhWICtDPy2FtY028GLgaBdr\/YLaP88jpPC2wcimHwfty2x4WKI+LPeYoEPRAYicmmTAxPlFzZuaf1iKs+Yu1pMdI4311+rTrqclcjjttiygU+MPtoh4rbcQQi4hllQZ9bpYWoVqJ+iSt2BigYH05vsyHmu879GAhVkohrBF89b4NLKyNAMo0\/QxqgG1rqZTGisx7FjNs8y8uxtw5iKWrSpnhwqsK8HdkzdODGF90yeLdn3CCNJgdm3aNHt1MWZ4JOUy5GzAb47y2cy051il96yYxnPjPoqHZ+sb8GqydD+Wdtw8hwTtkDW7xa7mACJTwuWOIU79l2oDnl63ylL8+JOFMkvCyqpvRSJQTp84k5efBKX3KzQjur4Xu79lO0LFF2NRDD6HkdNIzdZ6GrjQ6cfeKSx84X\/NzyeoBGfExOO\/4zYWpKYV5emN2qK2WwFz9V6yUT4FYCEpMENn4zKRUt2gX3+QJ3UggRDfQ8Atlul6XoqofW\/JfCf+PszhgtXLpc9QxVs3UVfeC+BCBsI\/evJsy+X2zvUBACJp1Cao7EAa\/un53A8cu1w+QQ\/3\/qpgFcwuebDk+bTd2XwEmQcRY5ntXb11cm+t6EgiuWMc8LtkZLW4g6Qk7C3exETENqr8qaKtA57iz69EbEaWfUTp590Cm1yhdVWnzQVccpyZRGULka\/D5PTiR6o3UCqpNAg8I43q9sRPGdaOzmk6LqC8kGMMj1N8P2DVYvcwJb3HB14BO5Blfb4kQNaSZCX81P5eekubMcrCkaYeLnnSigA4c2KBCJI0\/apWCuj0F93qKZChgzKT77EQe9PNeEwH9qa2yEnfxe42M9M\/dR+ZqezhwWXFtPpr0H\/z1rdkNoyBVAssfrasWrQx8flrDgnBIYD1460XCzVYLXxrhZgLoJb3EnAJ7vXCxsY0pXppBEZDDdim91oHmoHdPCYl0He7JYRSbPjtQSoUoTzcJp7PxKyOdGVLYBgNJz7zY+ZgHgZgGwjl0V0nqegEjC35a9y8SnKE63ljmDCyN8pWus5ViXGLvQ2Q\/1YgRAjjfufkIFVVjlXa01yHVzB76HDZ1tJk9CCm9ap34gzfAiHToNIXmogCeGqn2CdKyBeaiMSGkpYWcPn2x5217jPoRlFNQrlxxA+bM2VQvFdzsWSjAthvEYT8M0NKxSkvF5fH3eNJZYaUGLIiBrgIGbm4pAM\/x0xPOGKmtUmoLltnDzmkCbUcHYiWy3Y7nJHL865N2SK80a9Zp+7VINzLRf\/Ervx7NR7ytI7hPsERS2gR+t5ngZO4VMBVWlnWrW+Q0k4Q1KqCHh7RRwRxv5sH62zb+RmG6I1XbjkIiH\/fDv5F+LoUplAhBWHtQdc4gcY6R330O9wWahGV3oVm2bRxt8RZJJruLD1DYhwwT99J89GgAfYqHkYbcpYCi6LHqYqrQ6UmOTNERlSpwcXx4Ujj\/ftQuU3MAdSrHpDwvlJG8V3434OyaQQ78dblNHDOqOcIm3UL5vFVeeu11Ar10lwqpNk+NFgn+2DriZe1BIfTkQZAL4Pitnn2QjlLKFQ="} 00653{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":116,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1626168078654016,"flow_dst_last_pkt_time":1626168078676716,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":147,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":147,"pkt_l4_len":113,"thread_ts_usec":1626168078676716,"pkt":"8BiYFWV8WNVuaKQACABFAACFmUUAAHgR1vEICAgIwKgBeQA1yx4AcZEiotGBgAABAAEAAAAAAzIzNQIzMwIyMgEyB2luLWFkZHIEYXJwYQAADAABwAwADAABAABT5QAzDGEyLTIyLTMzLTIzNQZkZXBsb3kGc3RhdGljEmFrYW1haXRlY2hub2xvZ2llcwNjb20A"} 01035{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1626168078653044,"flow_src_last_pkt_time":1626168078654016,"flow_dst_last_pkt_time":1626168078676716,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":42,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":105,"flow_src_tot_l4_payload_len":86,"flow_dst_tot_l4_payload_len":105,"midstream":0,"thread_ts_usec":1626168078676716,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"8.8.8.8","src_port":51998,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Google","proto_id":"5.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"235.33.22.2.in-addr.arpa","dns": {"num_queries":1,"num_answers":1,"reply_code":0,"query_type":12,"rsp_type":12,"rsp_addr":"0.0.0.0"}}} -01661{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":155,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1626168078673569,"flow_src_last_pkt_time":1626168078741395,"flow_dst_last_pkt_time":1626168078741532,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1318,"flow_src_tot_l4_payload_len":6192,"flow_dst_tot_l4_payload_len":5635,"midstream":1,"thread_ts_usec":1626168078741532,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53429,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":4849.6,"max":66556,"stddev":14734.4,"var":217103472.0,"ent":1.7,"data": [1268,1,22712,2791,42219,7,1,1,2,1,1,3,1,2,1,1,1,1,2,1,1,1,66556,1,207,4,1,1]},"pktlen": {"min":54,"avg":423.6,"max":1502,"stddev":443.8,"var":196953.1,"ent":4.4,"data": [1502,936,1502,1502,1020,54,54,1372,166,112,269,281,285,281,267,273,287,273,275,275,271,281,273,283,273,114,54,54,254,275,341,96]},"bins": {"c_to_s": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [2,3,0,1,0,0,11,6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} -01694{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":182,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1626168078673880,"flow_src_last_pkt_time":1626168078802752,"flow_dst_last_pkt_time":1626168078815501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1312,"flow_src_tot_l4_payload_len":8443,"flow_dst_tot_l4_payload_len":4308,"midstream":1,"thread_ts_usec":1626168078815501,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53428,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8725.6,"max":48024,"stddev":14356.9,"var":206121952.0,"ent":3.3,"data": [1,1055,23210,47617,37039,8,1,2,1,1,11720,448,454,9939,10211,1,619,25332,48024,32224,8,8662,433,9,3,3,2,1,2,508,12955]},"pktlen": {"min":54,"avg":453.2,"max":1502,"stddev":490.6,"var":240677.5,"ent":4.2,"data": [1502,936,1292,54,1292,1366,189,273,452,96,99,54,88,54,66,1502,935,708,54,708,1003,445,54,193,253,295,137,96,99,88,54,66]},"bins": {"c_to_s": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0],"s_to_c": [4,6,1,0,2,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,1,1,1,1,0,1,0,1,0,0,0,1,0,1,1,0,1,1,1,1,1,1,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} +02059{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":155,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"finished","flow_src_packets_processed":7,"flow_dst_packets_processed":25,"flow_first_seen":1626168078673569,"flow_src_last_pkt_time":1626168078741395,"flow_dst_last_pkt_time":1626168078741532,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1318,"flow_src_tot_l4_payload_len":6192,"flow_dst_tot_l4_payload_len":5635,"midstream":1,"thread_ts_usec":1626168078741532,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53429,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":4849.6,"max":66556,"stddev":14734.4,"var":217103472.0,"ent":1.7,"data": [1268,1,22712,2791,42219,7,1,1,2,1,1,3,1,2,1,1,1,1,2,1,1,1,66556,1,207,4,1,1]},"pktlen": {"min":40,"avg":409.6,"max":1488,"stddev":443.8,"var":196953.1,"ent":4.3,"data": [1488,922,1488,1488,1006,40,40,1358,152,98,255,267,271,267,253,259,273,259,261,261,257,267,259,269,259,100,40,40,240,261,327,82]},"bins": {"c_to_s": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0],"s_to_c": [2,3,0,1,0,0,11,6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,0,0,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,0,0,1,1,1,1],"entropies": [7.844867706,7.768162727,7.838919640,7.877963066,7.801912785,4.931687355,4.931687355,7.872855663,6.611027718,5.917587280,7.063786030,7.077864647,7.070313454,7.063032150,7.077404976,7.132514954,7.133229256,7.145859718,7.155868053,7.036940575,7.138390064,7.124177456,7.128092766,7.045049191,6.969915390,5.878566742,4.680641174,4.680641174,7.009124756,7.071732044,7.305675030,5.664766788]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} +02092{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":182,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1626168078673880,"flow_src_last_pkt_time":1626168078802752,"flow_dst_last_pkt_time":1626168078815501,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1448,"flow_dst_max_l4_payload_len":1312,"flow_src_tot_l4_payload_len":8443,"flow_dst_tot_l4_payload_len":4308,"midstream":1,"thread_ts_usec":1626168078815501,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"52.98.163.18","src_port":53428,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8725.6,"max":48024,"stddev":14356.9,"var":206121952.0,"ent":3.3,"data": [1,1055,23210,47617,37039,8,1,2,1,1,11720,448,454,9939,10211,1,619,25332,48024,32224,8,8662,433,9,3,3,2,1,2,508,12955]},"pktlen": {"min":40,"avg":439.2,"max":1488,"stddev":490.6,"var":240677.5,"ent":4.2,"data": [1488,922,1278,40,1278,1352,175,259,438,82,85,40,74,40,52,1488,921,694,40,694,989,431,40,179,239,281,123,82,85,74,40,52]},"bins": {"c_to_s": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,2,0,0],"s_to_c": [4,6,1,0,2,0,2,1,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0]},"directions": [0,0,0,1,0,1,1,1,1,1,1,0,1,0,1,0,0,0,1,0,1,1,0,1,1,1,1,1,1,1,0,1],"entropies": [7.851675034,7.762215614,7.854618549,4.931687355,7.853376865,7.847486019,6.592478275,7.073016644,7.479730606,5.652988434,5.603165150,4.680641174,5.374660492,4.680641174,4.887658596,7.882281303,7.798806667,7.618238926,4.862814903,7.611861229,7.774961472,7.463752747,4.630641460,6.593664169,7.007197857,7.177185059,6.230616570,5.640376568,5.764585972,5.533047199,4.680641174,4.962661743]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Outlook","proto_id":"91.21","encrypted":1,"breed":"Acceptable","category_id":3,"category":"Email"}} 00772{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":236,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1626168079158693,"flow_src_last_pkt_time":1626168079158693,"flow_dst_last_pkt_time":1626168079158693,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1626168079158693,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53914,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00561{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":236,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":26,"flow_packet_id":1,"flow_src_last_pkt_time":1626168079158693,"flow_dst_last_pkt_time":1626168079158693,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1626168079158693,"pkt":"WNVuaKQA8BiYFWV8CABFAABAAABAAEAGRffAqAF5KHEKL9KaAbvsuitsAAAAALAC\/\/8ZDgAAAgQFtAEDAwYBAQgKPdH+3gAAAAAEAgAA"} 00772{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":237,"source":"tls_certificate_too_long.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1626168079191811,"flow_src_last_pkt_time":1626168079191811,"flow_dst_last_pkt_time":1626168079191811,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1626168079191811,"l3_proto":"ip4","src_ip":"192.168.1.121","dst_ip":"40.113.10.47","src_port":53915,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -224,9 +224,9 @@ ~~ total active/idle flows...: 35/35 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6219525 bytes -~~ total memory freed........: 6219525 bytes -~~ total allocations/frees...: 122271/122271 +~~ total memory allocated....: 6224285 bytes +~~ total memory freed........: 6224285 bytes +~~ total allocations/frees...: 122306/122306 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 509 chars ~~ json string max len.......: 2504 chars diff --git a/test/results/tls_cipher_lens.pcap.out b/test/results/tls_cipher_lens.pcap.out index 16c7cda4b..7cc01abf6 100644 --- a/test/results/tls_cipher_lens.pcap.out +++ b/test/results/tls_cipher_lens.pcap.out @@ -29,9 +29,9 @@ ~~ total active/idle flows...: 5/5 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6052552 bytes -~~ total memory freed........: 6052552 bytes -~~ total allocations/frees...: 121542/121542 +~~ total memory allocated....: 6053232 bytes +~~ total memory freed........: 6053232 bytes +~~ total allocations/frees...: 121547/121547 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 500 chars ~~ json string max len.......: 1173 chars diff --git a/test/results/tls_esni_sni_both.pcap.out b/test/results/tls_esni_sni_both.pcap.out index 014faafe6..e0bdaac94 100644 --- a/test/results/tls_esni_sni_both.pcap.out +++ b/test/results/tls_esni_sni_both.pcap.out @@ -23,9 +23,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6061017 bytes -~~ total memory freed........: 6061017 bytes -~~ total allocations/frees...: 121551/121551 +~~ total memory allocated....: 6061289 bytes +~~ total memory freed........: 6061289 bytes +~~ total allocations/frees...: 121553/121553 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 502 chars ~~ json string max len.......: 1424 chars diff --git a/test/results/tls_false_positives.pcapng.out b/test/results/tls_false_positives.pcapng.out index f45e3c26b..6008ef0c1 100644 --- a/test/results/tls_false_positives.pcapng.out +++ b/test/results/tls_false_positives.pcapng.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038559 bytes -~~ total memory freed........: 6038559 bytes -~~ total allocations/frees...: 121518/121518 +~~ total memory allocated....: 6038695 bytes +~~ total memory freed........: 6038695 bytes +~~ total allocations/frees...: 121519/121519 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 506 chars ~~ json string max len.......: 828 chars diff --git a/test/results/tls_invalid_reads.pcap.out b/test/results/tls_invalid_reads.pcap.out index 4f38a0780..6c0c83292 100644 --- a/test/results/tls_invalid_reads.pcap.out +++ b/test/results/tls_invalid_reads.pcap.out @@ -29,9 +29,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6043676 bytes -~~ total memory freed........: 6043676 bytes -~~ total allocations/frees...: 121510/121510 +~~ total memory allocated....: 6043948 bytes +~~ total memory freed........: 6043948 bytes +~~ total allocations/frees...: 121512/121512 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 203 chars ~~ json string max len.......: 1156 chars diff --git a/test/results/tls_long_cert.pcap.out b/test/results/tls_long_cert.pcap.out index ca2a8bd31..cc954949f 100644 --- a/test/results/tls_long_cert.pcap.out +++ b/test/results/tls_long_cert.pcap.out @@ -7,7 +7,7 @@ 01108{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078058827,"flow_dst_last_pkt_time":1553619078058439,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1553619078058827,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.repubblica.it","tls": {"version":"TLSv1.2","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01168{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078058827,"flow_dst_last_pkt_time":1553619078091883,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1553619078091883,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.repubblica.it","tls": {"version":"TLSv1.2","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"35af4c8cd9495354f7d701ce8ad7fd2d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 02634{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":9,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":5,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078093048,"flow_dst_last_pkt_time":1553619078093749,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4096,"midstream":0,"thread_ts_usec":1553619078093749,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.repubblica.it","tls": {"version":"TLSv1.2","server_names":"www.repstatic.it,repstatic.it,amp-video.lastampa.it,www.repubblica.it,amp-video.deejay.it,amp-video.d.repubblica.it,www.gelestatic.it,oasjs.kataweb.it,video.d.repubblica.it,www.test.capital.it,napoli.repubblica.it,video.ilsecoloxix.it,genova.repubblica.it,cdn.gelestatic.it,video.gelocal.it,media.deejay.it,media.m2o.it,amp-video.espresso.repubblica.it,download.gelocal.it,amp-video.m2o.it,bologna.repubblica.it,torino.repubblica.it,scripts.kataweb.it,palermo.repubblica.it,roma.repubblica.it,video.xl.repubblica.it,amp-video.gelocal.it,video.espresso.repubblica.it,www.capital.it,video.limesonline.com,media.capital.it,syndication-vod-pro.akamai.media.kataweb.it,test.capital.it,video.deejay.it,video.repubblica.it,milano.repubblica.it,video.lanuovasardegna.it,video.m2o.it,parma.repubblica.it,video.3nz.it,syndication-vod-hds.akamai.media.kataweb.it,amp-video.repubblica.it,video.lastampa.it,webfragments.repubblica.it,amp-video.xl.repubblica.it,amp-video.limesonline.com,media.kataweb.it,bari.repubblica.it,syndication-vod-hls.akamai.media.kataweb.it,amp-video.3nz.it,syndication3rd-vod-pro.akamai.media.kataweb.it,firenze.repubblica.it,amp-video.ilsecoloxix.it,amp-video.lanuovasardegna.it,cdn.flv.kataweb.it","ja3":"66918128f1b9b03303d77c6f2eefd128","ja3s":"35af4c8cd9495354f7d701ce8ad7fd2d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=GeoTrust RSA CA 2018","subjectDN":"C=IT, ST=Roma, L=Roma, O=GEDI Digital S.r.l., CN=www.repstatic.it","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"0C:9F:21:DB:65:A1:BE:EB:D8:89:38:D3:FF:7A:D9:02:8B:F1:60:A1"}}} -01688{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078157096,"flow_dst_last_pkt_time":1553619078157742,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":836,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1610,"flow_dst_tot_l4_payload_len":13760,"midstream":0,"thread_ts_usec":1553619078157742,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8011.5,"max":34221,"stddev":11402.3,"var":130012760.0,"ent":3.6,"data": [25199,25284,303,30105,3339,1074,34221,792,742,1850,1850,782,8352,423,28143,18603,6453,607,7069,119,26007,3,43,25894,1,59,186,154,696,4,1]},"pktlen": {"min":66,"avg":546.9,"max":1514,"stddev":584.9,"var":342142.3,"ent":4.2,"data": [78,74,66,583,66,1514,1514,66,1266,66,855,66,192,159,902,308,66,66,143,66,104,1119,1119,1514,66,66,66,724,66,1514,1514,1514]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,0,0,0,1,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02086{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619078157096,"flow_dst_last_pkt_time":1553619078157742,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":836,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1610,"flow_dst_tot_l4_payload_len":13760,"midstream":0,"thread_ts_usec":1553619078157742,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":8011.5,"max":34221,"stddev":11402.3,"var":130012760.0,"ent":3.6,"data": [25199,25284,303,30105,3339,1074,34221,792,742,1850,1850,782,8352,423,28143,18603,6453,607,7069,119,26007,3,43,25894,1,59,186,154,696,4,1]},"pktlen": {"min":52,"avg":532.9,"max":1500,"stddev":584.9,"var":342142.3,"ent":4.1,"data": [64,60,52,569,52,1500,1500,52,1252,52,841,52,178,145,888,294,52,52,129,52,90,1105,1105,1500,52,52,52,710,52,1500,1500,1500]},"bins": {"c_to_s": [11,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,1,0,0,0,0,0,0,0,6,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,0,0,0,0,1,0,1,1,0,0,1,1,1,0,0,0,1,0,1,1,1],"entropies": [4.464972496,5.400120735,5.115703106,4.441882610,5.233812809,6.523200512,6.789650440,5.070538998,7.259748936,5.109000683,7.672616482,5.192625999,6.387032032,6.158265114,7.732074261,7.074759483,5.192625999,5.272274494,6.411020756,5.192625999,5.541742325,7.789433956,7.819917679,7.870871544,5.154164314,5.154164314,5.032077789,7.695037842,5.154164314,7.862812519,7.871836662,7.867298126]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00909{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":182,"source":"tls_long_cert.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":86,"flow_dst_packets_processed":96,"flow_first_seen":1553619078033240,"flow_src_last_pkt_time":1553619149347313,"flow_dst_last_pkt_time":1553619149372363,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":836,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":2858,"flow_dst_tot_l4_payload_len":102711,"midstream":0,"thread_ts_usec":1553619149372363,"l3_proto":"ip4","src_ip":"192.168.2.126","dst_ip":"104.111.215.93","src_port":60174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":182,"source":"tls_long_cert.pcap","alias":"nDPId-test","packets-captured":182,"packets-processed":182,"total-skipped-flows":0,"total-l4-payload-len":105569,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":2,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":12,"global_ts_usec":1553619149372363} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -18,9 +18,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6083805 bytes -~~ total memory freed........: 6083805 bytes -~~ total allocations/frees...: 121732/121732 +~~ total memory allocated....: 6083941 bytes +~~ total memory freed........: 6083941 bytes +~~ total allocations/frees...: 121733/121733 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 2639 chars diff --git a/test/results/tls_missing_ch_frag.pcap.out b/test/results/tls_missing_ch_frag.pcap.out index 7e0832a80..0764b229a 100644 --- a/test/results/tls_missing_ch_frag.pcap.out +++ b/test/results/tls_missing_ch_frag.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6047888 bytes -~~ total memory freed........: 6047888 bytes -~~ total allocations/frees...: 121505/121505 +~~ total memory allocated....: 6048024 bytes +~~ total memory freed........: 6048024 bytes +~~ total allocations/frees...: 121506/121506 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 504 chars ~~ json string max len.......: 2429 chars diff --git a/test/results/tls_multiple_synack_different_seq.pcapng.out b/test/results/tls_multiple_synack_different_seq.pcapng.out index d2f3b6a94..095684164 100644 --- a/test/results/tls_multiple_synack_different_seq.pcapng.out +++ b/test/results/tls_multiple_synack_different_seq.pcapng.out @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6055699 bytes -~~ total memory freed........: 6055699 bytes -~~ total allocations/frees...: 121520/121520 +~~ total memory allocated....: 6055835 bytes +~~ total memory freed........: 6055835 bytes +~~ total allocations/frees...: 121521/121521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 520 chars ~~ json string max len.......: 1937 chars diff --git a/test/results/tls_port_80.pcapng.out b/test/results/tls_port_80.pcapng.out index d2e3d0780..245d88760 100644 --- a/test/results/tls_port_80.pcapng.out +++ b/test/results/tls_port_80.pcapng.out @@ -16,9 +16,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6040227 bytes -~~ total memory freed........: 6040227 bytes -~~ total allocations/frees...: 121507/121507 +~~ total memory allocated....: 6040363 bytes +~~ total memory freed........: 6040363 bytes +~~ total allocations/frees...: 121508/121508 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 1436 chars diff --git a/test/results/tls_torrent.pcapng.out b/test/results/tls_torrent.pcapng.out index c8872aac8..f0077c946 100644 --- a/test/results/tls_torrent.pcapng.out +++ b/test/results/tls_torrent.pcapng.out @@ -17,9 +17,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6052426 bytes -~~ total memory freed........: 6052426 bytes -~~ total allocations/frees...: 121504/121504 +~~ total memory allocated....: 6052562 bytes +~~ total memory freed........: 6052562 bytes +~~ total allocations/frees...: 121505/121505 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 1551 chars diff --git a/test/results/tls_verylong_certificate.pcap.out b/test/results/tls_verylong_certificate.pcap.out index a8ecd82f3..c3984b449 100644 --- a/test/results/tls_verylong_certificate.pcap.out +++ b/test/results/tls_verylong_certificate.pcap.out @@ -7,7 +7,7 @@ 01055{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908475203,"flow_dst_last_pkt_time":1578254908469342,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1578254908475203,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01115{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908475203,"flow_dst_last_pkt_time":1578254908490162,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1368,"midstream":0,"thread_ts_usec":1578254908490162,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}} 03803{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":11,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908490465,"flow_dst_last_pkt_time":1578254908490567,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5472,"midstream":0,"thread_ts_usec":1578254908490567,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","server_names":"p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net","alpn":"http\/1.1","fingerprint":"E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B"}}} -01556{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":4559.7,"max":21714,"stddev":6622.1,"var":43852844.0,"ent":3.5,"data": [11591,11712,5740,17683,3137,204,15209,67,53,134,2,140,10611,21714,11194,334,14931,21,2,14564,19,7,256,346,4,564,2,480,517,112,2]},"pktlen": {"min":66,"avg":532.6,"max":1434,"stddev":615.3,"var":378610.9,"ent":4.1,"data": [78,74,66,583,66,1434,1434,66,1434,66,1434,276,66,192,117,66,236,1434,1434,118,66,66,66,1434,1434,118,66,66,1434,66,1434,118]},"bins": {"c_to_s": [12,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,1,0,1,1]}} +01955{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":4559.7,"max":21714,"stddev":6622.1,"var":43852844.0,"ent":3.5,"data": [11591,11712,5740,17683,3137,204,15209,67,53,134,2,140,10611,21714,11194,334,14931,21,2,14564,19,7,256,346,4,564,2,480,517,112,2]},"pktlen": {"min":52,"avg":518.6,"max":1420,"stddev":615.3,"var":378610.9,"ent":4.0,"data": [64,60,52,569,52,1420,1420,52,1420,52,1420,262,52,178,103,52,222,1420,1420,104,52,52,52,1420,1420,104,52,52,1420,52,1420,104]},"bins": {"c_to_s": [12,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,10,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,0,1,1,0,0,1,0,0,1,1,1,0,0,0,1,1,1,0,0,1,0,1,1],"entropies": [4.398337364,5.146034718,4.868495941,4.434582233,5.025067329,6.773365974,4.940563202,4.983880520,6.553000927,4.900255680,7.433587551,7.043814659,4.983880520,6.336580276,5.976200581,5.022342205,6.883139610,7.866776943,7.867276192,6.143959045,4.906957150,4.791572571,4.731892109,7.850933075,7.865261078,6.040546417,4.906957626,4.906957626,7.852932453,4.823332310,7.877495766,6.208910465]}} 03806{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908528417,"flow_dst_last_pkt_time":1578254908528437,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":813,"flow_dst_tot_l4_payload_len":14097,"midstream":0,"thread_ts_usec":1578254908528437,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media","hostname":"feodotracker.abuse.ch","tls": {"version":"TLSv1.2","server_names":"p2.shared.global.fastly.net,*.12wbt.com,*.2bleacherreport.com,*.3bleacherreport.com,*.4bleacherreport.com,*.8bleacherreport.com,*.abuse.ch,*.acdn-it.ps-pantheon.com,*.cdn.livingmap.com,*.content.plastiq.com,*.dimensions.ai,*.dollarshaveclub.co.uk,*.dollarshaveclub.com,*.dontpayfull.com,*.ebisubook.com,*.foreignaffairs.com,*.fs.jibjab.com,*.fs.unitprints.com,*.ggleap.com,*.goodeggs.com,*.huevosbuenos.com,*.indy.myomnigon.com,*.jwatch.org,*.kingsfordcharcoal.com.au,*.lancenters.com,*.madebywe.com,*.minirodini.com,*.modcloth.net,*.orionlabs.io,*.ps-pantheon.com,*.scodle.com,*.steelseries.com,*.theforeman.org,*.uploads.eversign.com,*.uploads.schoox.com,*.vts.com,*.x.stg1.ebisubook.com,*.yang2020.com,12wbt.com,2bleacherreport.com,3bleacherreport.com,4bleacherreport.com,8bleacherreport.com,abuse.ch,brita.com,cdn.fwupd.org,cdn.livingmap.com,cdn.seated.com,cdn.skillacademy.com,clinicaloptions.com,clorox.com,content-preprod.beaverbrooksweb2.co.uk,content.beaverbrooks.co.uk,content.plastiq.com,coolmathgames.com,copterroyale.coolmathgames.com,d8-dev.coolmathgames.com,deflyio.coolmathgames.com,delivery-api.evadacms.com,dimensions.ai,dollarshaveclub.co.uk,dollarshaveclub.com,dontpayfull.com,eluniverso.com,email.amg-group.co,email.tekoforlife.co.uk,feedmarket.fr,freshstep.com,ggleap.com,goodeggs.com,heap.io,huevosbuenos.com,identity.linuxfoundation.org,joebiden.com,jwatch.org,kingsford.co.nz,kingsfordcharcoal.com.au,lancenters.com,lists.linuxfoundation.org,m-stage.coolmathgames.com,m.coolmathgames.com,madebywe.com,minirodini.com,modcloth.net,orionlabs.io,puritanmedproducts.com,reviews.org,rg-video-staging.ruangguru.com,rg-video.ruangguru.com,ruangguru.com,scodle.com,stage.coolmathgames.com,staging.appblade.com,steelseries.com,stg.platform.eluniverso.com,test.brita.com,test.heap.io,test.joebiden.com,test.ruangguru.com,theforeman.org,video-cdn.quipper.com,videos.calcworkshop.com,vts.com,www.101network.com,www.autos101.com,www.brita.com,www.clorox.com,www.collider.com,www.coolmathgames.com,www.eluniverso.com,www.flinto.com,www.freshstep.com,www.heap.io,www.holagente.com,www.icsydney.com.au,www.joebiden.com,www.kingsford.co.nz,www.mrnatty.com,www.myjewellerystory.com.au,www.myjs.com,www.netacea.com,www.parenting101.com,www.puritanmedproducts.com,www.reviews.org,www.sba.sa,www.shashatcom.sa,www.uat.ontariocolleges.ca,www.vacation101.com,www.walterspeople.co.uk,www.westwayelectricsupply.com","ja3":"2a26b1a62e40d25d4de3babc9d532f30","ja3s":"ae53107a2e47ea20c72ac44821a728bf","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=BE, O=GlobalSign nv-sa, CN=GlobalSign CloudSSL CA - SHA256 - G3","subjectDN":"C=US, ST=California, L=San Francisco, O=Fastly, Inc., CN=p2.shared.global.fastly.net","alpn":"http\/1.1","fingerprint":"E9:34:DF:E0:C5:31:3C:59:7E:E2:57:44:F2:82:E9:80:F5:5D:05:4B"}}} 00918{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":48,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":24,"flow_dst_packets_processed":24,"flow_first_seen":1578254908457751,"flow_src_last_pkt_time":1578254908551114,"flow_dst_last_pkt_time":1578254908551079,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":844,"flow_dst_tot_l4_payload_len":18233,"midstream":0,"thread_ts_usec":1578254908551114,"l3_proto":"ip4","src_ip":"192.168.1.160","dst_ip":"151.101.66.49","src_port":54804,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":1,"category":"Media"}} 00577{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":48,"source":"tls_verylong_certificate.pcap","alias":"nDPId-test","packets-captured":48,"packets-processed":48,"total-skipped-flows":0,"total-l4-payload-len":19077,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":13,"global_ts_usec":1578254908551114} @@ -19,9 +19,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6211360 bytes -~~ total memory freed........: 6211360 bytes -~~ total allocations/frees...: 121673/121673 +~~ total memory allocated....: 6211496 bytes +~~ total memory freed........: 6211496 bytes +~~ total allocations/frees...: 121674/121674 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 509 chars ~~ json string max len.......: 3811 chars diff --git a/test/results/toca-boca.pcap.out b/test/results/toca-boca.pcap.out index 6ee9284c6..e5d3156f9 100644 --- a/test/results/toca-boca.pcap.out +++ b/test/results/toca-boca.pcap.out @@ -116,9 +116,9 @@ ~~ total active/idle flows...: 21/21 ~~ total timeout flows.......: 3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6070354 bytes -~~ total memory freed........: 6070354 bytes -~~ total allocations/frees...: 121764/121764 +~~ total memory allocated....: 6073210 bytes +~~ total memory freed........: 6073210 bytes +~~ total allocations/frees...: 121785/121785 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 2159 chars diff --git a/test/results/tor.pcap.out b/test/results/tor.pcap.out index 13e921498..88623d439 100644 --- a/test/results/tor.pcap.out +++ b/test/results/tor.pcap.out @@ -71,8 +71,8 @@ 00692{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":105,"source":"tor.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1383821703288336,"flow_dst_last_pkt_time":1383821673254958,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1383821703288336,"pkt":"\/\/\/\/\/\/\/\/UlQAwqwfCABFAACsAABAAEARtfDAqAEBwKgB\/0RcRFwAmDDeeyJob3N0X2ludCI6IDY3Njg3OTk3NiwgInZlcnNpb24iOiBbMSwgOF0sICJkaXNwbGF5bmFtZSI6ICI2NzY4Nzk5NzYiLCAicG9ydCI6IDE3NTAwLCAibmFtZXNwYWNlcyI6IFsxNjc4NDEyMTYsIDE4MTA4Mzk2OCwgMTgxMDgwMzI0LCAyOTU0NDE3M119"} 00182{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":111,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821704212955} 00348{"packet_event_id":1,"packet_event_name":"packet","packet_id":111,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821703723048,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} -02128{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":117,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821668403824,"flow_src_last_pkt_time":1383821704424659,"flow_dst_last_pkt_time":1383821704566665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4598,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383821704566665,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":113,"avg":2328505.8,"max":31166013,"stddev":7549668.5,"var":56997495963648.0,"ent":1.9,"data": [143824,144206,386,152663,157,159633,171698,164686,190851,113,190713,627,185098,185495,145105,5747,151688,184201,104686,289985,146556,2535956,2930532,30770666,31166013,871,147027,185685,696487,885191,147130]},"pktlen": {"min":54,"avg":369.8,"max":1514,"stddev":354.9,"var":125974.5,"ent":4.3,"data": [66,66,60,278,54,983,252,113,128,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54]},"bins": {"c_to_s": [4,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} -01878{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":124,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821665420161,"flow_src_last_pkt_time":1383821704889950,"flow_dst_last_pkt_time":1383821704958016,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3939,"flow_dst_tot_l4_payload_len":9093,"midstream":0,"thread_ts_usec":1383821704958016,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":120,"avg":2548633.8,"max":37995839,"stddev":9273754.0,"var":86002509021184.0,"ent":1.4,"data": [70996,71325,6669,104314,10783,112643,88567,84606,73691,120,73665,754,108431,107711,67797,2260,74630,103567,101811,113368,368689,686539,37720424,37995839,68191,67504,104050,189003,360821,68695,181]},"pktlen": {"min":54,"avg":462.8,"max":1514,"stddev":476.2,"var":226793.4,"ent":4.3,"data": [66,66,60,269,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,640,640,54,640,60,640,54,640,54,640,1514,60,1514,1514]},"bins": {"c_to_s": [5,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,0,1,0,1,1,1,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02526{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":117,"source":"tor.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821668403824,"flow_src_last_pkt_time":1383821704424659,"flow_dst_last_pkt_time":1383821704566665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4598,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383821704566665,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51112,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":113,"avg":2328505.8,"max":31166013,"stddev":7549668.5,"var":56997495963648.0,"ent":1.9,"data": [143824,144206,386,152663,157,159633,171698,164686,190851,113,190713,627,185098,185495,145105,5747,151688,184201,104686,289985,146556,2535956,2930532,30770666,31166013,871,147027,185685,696487,885191,147130]},"pktlen": {"min":40,"avg":355.8,"max":1500,"stddev":354.9,"var":125974.5,"ent":4.3,"data": [52,52,46,264,40,969,238,99,114,1500,126,46,626,40,626,40,626,626,40,626,626,40,626,46,626,40,626,626,40,626,626,40]},"bins": {"c_to_s": [4,0,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1],"entropies": [4.463158131,4.830034256,4.398030758,5.447000027,4.784183979,7.571198463,6.865525723,5.932188988,6.092850685,7.880095005,6.536722183,4.338141918,7.694956303,4.765311718,7.651318550,4.834183693,7.635929585,7.668802738,4.680641174,7.700941086,7.633764267,4.834183693,7.670955658,4.311074257,7.633520603,4.630640984,7.649660587,7.669915199,4.784183979,7.648267269,7.643295765,4.684184074]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} +02276{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":124,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383821665420161,"flow_src_last_pkt_time":1383821704889950,"flow_dst_last_pkt_time":1383821704958016,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3939,"flow_dst_tot_l4_payload_len":9093,"midstream":0,"thread_ts_usec":1383821704958016,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":120,"avg":2548633.8,"max":37995839,"stddev":9273754.0,"var":86002509021184.0,"ent":1.4,"data": [70996,71325,6669,104314,10783,112643,88567,84606,73691,120,73665,754,108431,107711,67797,2260,74630,103567,101811,113368,368689,686539,37720424,37995839,68191,67504,104050,189003,360821,68695,181]},"pktlen": {"min":40,"avg":448.8,"max":1500,"stddev":476.2,"var":226793.4,"ent":4.2,"data": [52,52,46,255,40,788,174,99,114,1500,142,46,626,40,626,40,626,626,626,626,40,626,46,626,40,626,40,626,1500,46,1500,1500]},"bins": {"c_to_s": [5,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,0,1,0,1,1,1,0,1,1],"entropies": [4.540081501,4.945419312,4.484987259,5.397112370,4.884183884,7.396267891,6.599942207,5.960015774,6.090528011,7.870100975,6.529747963,4.484987259,7.677678108,4.884183884,7.605023384,4.884183884,7.649974346,7.648893833,7.709483624,7.672764301,4.834183693,7.653419495,4.441509247,7.662259102,4.884183884,7.661063194,4.884183884,7.656208992,7.855939388,4.484987259,7.873313904,7.885534286]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00182{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":156,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821706213267} 00348{"packet_event_id":1,"packet_event_name":"packet","packet_id":156,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821706194070,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} 00182{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":185,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821708213145} @@ -148,7 +148,7 @@ 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1817,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821771201495,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1818,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821774213020} 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1818,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821771201495,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} -02119{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1820,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1383821666407384,"flow_src_last_pkt_time":1383821774388112,"flow_dst_last_pkt_time":1383821702813857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3946,"flow_dst_tot_l4_payload_len":5300,"midstream":0,"thread_ts_usec":1383821774388112,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":90,"avg":4657651.5,"max":71328355,"stddev":14789051.0,"var":218716025389056.0,"ent":1.8,"data": [73367,74408,357,74070,3203,80209,86098,83238,77261,90,76164,838,117183,116350,75240,23977,101877,114494,465564,429267,3455,80828,117031,388775,507320,75910,393949,666205,34353103,34399015,71328355]},"pktlen": {"min":54,"avg":344.6,"max":1514,"stddev":347.1,"var":120444.2,"ent":4.3,"data": [66,66,60,276,54,803,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,54,640,640,54,640,640,54,640,60,640,60,60]},"bins": {"c_to_s": [6,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,0,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} +02517{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1820,"source":"tor.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1383821666407384,"flow_src_last_pkt_time":1383821774388112,"flow_dst_last_pkt_time":1383821702813857,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3946,"flow_dst_tot_l4_payload_len":5300,"midstream":0,"thread_ts_usec":1383821774388112,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"46.59.52.31","src_port":51111,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":90,"avg":4657651.5,"max":71328355,"stddev":14789051.0,"var":218716025389056.0,"ent":1.8,"data": [73367,74408,357,74070,3203,80209,86098,83238,77261,90,76164,838,117183,116350,75240,23977,101877,114494,465564,429267,3455,80828,117031,388775,507320,75910,393949,666205,34353103,34399015,71328355]},"pktlen": {"min":40,"avg":330.6,"max":1500,"stddev":347.1,"var":120444.2,"ent":4.2,"data": [52,52,46,262,40,789,174,99,114,1500,142,46,626,40,626,40,626,626,40,626,40,626,626,40,626,626,40,626,46,626,46,46]},"bins": {"c_to_s": [6,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,1,0,1,1,0,1,1,0,1,0,0],"entropies": [4.540081024,4.892440796,4.398030758,5.485852242,4.734183788,7.345484734,6.684501171,5.938382626,6.188065529,7.865236759,6.545697212,4.398030758,7.637940407,4.784183979,7.634158611,4.784183979,7.710437775,7.659512520,4.784183979,7.657443523,4.834184170,7.637063503,7.660885811,4.834184170,7.674984455,7.682085514,4.765312195,7.644844532,4.544876099,7.636578560,4.347350597,4.457919598]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1828,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821776213090} 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1828,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383821774532755,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1829,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383821778213143} @@ -187,10 +187,10 @@ 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1892,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1383822131034064,"flow_dst_last_pkt_time":1383822131033681,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1383822131034064,"pkt":"UlQA2EYhUlQAWul3CABFAAAoCK9AAIAGwmLAqAH8JuVGNcfoAbv0twfgYNP3BVAQAQBhAQAAAAAAAAAA"} 01140{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1893,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822131034778,"flow_dst_last_pkt_time":1383822131033681,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1383822131034778,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.jmts2id.com","tls": {"version":"TLSv1","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01348{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1896,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822131034778,"flow_dst_last_pkt_time":1383822131220406,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":929,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":929,"midstream":0,"thread_ts_usec":1383822131220406,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"www.jmts2id.com","tls": {"version":"TLSv1","ja3":"581a3c7f54555512b8cd16e87dfe165b","ja3s":"e1691a31bfe345d2692da75636ddfb00","unsafe_cipher":0,"cipher":"TLS_DHE_RSA_WITH_AES_256_CBC_SHA","issuerDN":"CN=www.gg562izcxdvqdk.com","subjectDN":"CN=www.fcsyvnlemwxv5p.net","fingerprint":"C1:93:18:2C:A3:1D:AC:5F:C7:DE:17:8A:4E:B1:E8:13:BB:08:73:3A"}}} -02105{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1918,"source":"tor.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822129897135,"flow_src_last_pkt_time":1383822132138706,"flow_dst_last_pkt_time":1383822132203451,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4523,"flow_dst_tot_l4_payload_len":5299,"midstream":0,"thread_ts_usec":1383822132203451,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51175,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":146,"avg":146706.0,"max":990883,"stddev":220400.9,"var":48576569344.0,"ent":3.9,"data": [64392,65808,9514,82112,4238,79785,91000,88446,79568,146,78186,925,110026,109380,69120,1548,80197,113582,35660,145791,70785,343658,637547,693937,990883,1625,71983,109022,69049,180072,69902]},"pktlen": {"min":54,"avg":362.2,"max":1514,"stddev":347.1,"var":120448.8,"ent":4.4,"data": [66,66,60,267,54,802,188,113,128,1514,156,60,640,54,640,54,640,640,54,640,640,54,640,60,640,54,640,640,54,640,640,54]},"bins": {"c_to_s": [4,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} +02503{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1918,"source":"tor.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822129897135,"flow_src_last_pkt_time":1383822132138706,"flow_dst_last_pkt_time":1383822132203451,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":4523,"flow_dst_tot_l4_payload_len":5299,"midstream":0,"thread_ts_usec":1383822132203451,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51175,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":146,"avg":146706.0,"max":990883,"stddev":220400.9,"var":48576569344.0,"ent":3.9,"data": [64392,65808,9514,82112,4238,79785,91000,88446,79568,146,78186,925,110026,109380,69120,1548,80197,113582,35660,145791,70785,343658,637547,693937,990883,1625,71983,109022,69049,180072,69902]},"pktlen": {"min":40,"avg":348.2,"max":1500,"stddev":347.1,"var":120448.8,"ent":4.3,"data": [52,52,46,253,40,788,174,99,114,1500,142,46,626,40,626,40,626,626,40,626,626,40,626,46,626,40,626,626,40,626,626,40]},"bins": {"c_to_s": [4,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,1,0,1,1,0,0,1,1,0,1,1,0,1],"entropies": [4.477674961,4.945419312,4.398030758,5.406278133,4.834183693,7.371150017,6.711827278,5.947438717,6.057762146,7.837278366,6.586953163,4.398030758,7.662993908,4.834183693,7.681317329,4.734183788,7.663327694,7.608054161,4.734183788,7.639224529,7.648303986,4.734183788,7.669913292,4.441509247,7.652542591,4.834183693,7.641192913,7.661419868,4.784183979,7.663778782,7.666988373,4.734183788]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"16": {"risk":"Suspicious DGA Domain name","severity":"High","risk_score": {"total":250,"client":125,"server":125}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"TLS.Tor","proto_id":"91.163","encrypted":1,"breed":"Potentially Dangerous","category_id":2,"category":"VPN"}} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":1919,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822132212345} 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":1919,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822132203451,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} -01875{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1933,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822133768898,"flow_dst_last_pkt_time":1383822133768590,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3998,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383822133768898,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":215,"avg":185742.4,"max":755290,"stddev":163607.9,"var":26767544320.0,"ent":4.5,"data": [143944,144327,714,149478,37247,195972,163599,153986,192261,56166,215,255054,2118,152835,143919,143900,44572,192109,147551,608487,755290,145485,149387,149841,132696,281585,155046,87778,477208,367752,127492]},"pktlen": {"min":54,"avg":351.4,"max":1514,"stddev":355.4,"var":126324.2,"ent":4.3,"data": [66,66,60,264,54,983,252,113,128,54,1514,140,60,640,54,640,54,640,640,54,640,640,54,640,54,640,640,54,640,60,640,66]},"bins": {"c_to_s": [5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02273{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1933,"source":"tor.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1383822130889737,"flow_src_last_pkt_time":1383822133768898,"flow_dst_last_pkt_time":1383822133768590,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":3998,"flow_dst_tot_l4_payload_len":5464,"midstream":0,"thread_ts_usec":1383822133768898,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"38.229.70.53","src_port":51176,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":215,"avg":185742.4,"max":755290,"stddev":163607.9,"var":26767544320.0,"ent":4.5,"data": [143944,144327,714,149478,37247,195972,163599,153986,192261,56166,215,255054,2118,152835,143919,143900,44572,192109,147551,608487,755290,145485,149387,149841,132696,281585,155046,87778,477208,367752,127492]},"pktlen": {"min":40,"avg":337.4,"max":1500,"stddev":355.4,"var":126324.2,"ent":4.2,"data": [52,52,46,250,40,969,238,99,114,40,1500,126,46,626,40,626,40,626,626,40,626,626,40,626,40,626,626,40,626,46,626,52]},"bins": {"c_to_s": [5,0,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,1,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,1,1,0,1,0],"entropies": [4.593060017,4.815517426,4.414441109,5.291395664,4.834184170,7.550148964,6.920053005,5.919612408,6.132238388,4.884183884,7.868963718,6.428377628,4.330940247,7.664852619,4.730641365,7.653878212,4.780641079,7.642474174,7.667881489,4.784183979,7.644913673,7.622496128,4.884183884,7.554065228,4.784183979,7.660291672,7.637899399,4.884183884,7.647337437,4.544876099,7.647919655,4.743239880]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01031{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1936,"source":"tor.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":62,"flow_dst_packets_processed":79,"flow_first_seen":1383821665420161,"flow_src_last_pkt_time":1383821774457983,"flow_dst_last_pkt_time":1383821774457610,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1460,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":19175,"flow_dst_tot_l4_payload_len":41545,"midstream":0,"thread_ts_usec":1383822133787472,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"91.143.93.242","src_port":51110,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01029{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":1936,"source":"tor.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1383821693159821,"flow_src_last_pkt_time":1383821693159821,"flow_dst_last_pkt_time":1383821693159821,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":210,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":210,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":210,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1383822133787472,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"192.168.1.255","src_port":138,"dst_port":138,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv1","proto_id":"10.16","encrypted":0,"breed":"Dangerous","category_id":18,"category":"System"}} 00871{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1936,"source":"tor.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1383821734359648,"flow_src_last_pkt_time":1383821734359648,"flow_dst_last_pkt_time":1383821734359648,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1383822133787472,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"157.56.30.46","src_port":51104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"TLS.Azure","proto_id":"91.276","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -344,7 +344,7 @@ 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":3826,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822262143775,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":3833,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822264211946} 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":3833,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822264155073,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} -01874{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3845,"source":"tor.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1383822129889928,"flow_src_last_pkt_time":1383822265160118,"flow_dst_last_pkt_time":1383822265159585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2761,"flow_dst_tot_l4_payload_len":5864,"midstream":0,"thread_ts_usec":1383822265160118,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"212.83.155.250","src_port":51174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":319,"avg":8727092.0,"max":72890007,"stddev":22568808.0,"var":509351076823040.0,"ent":2.1,"data": [59390,61607,13819,72120,2062,62909,63545,60042,79423,319,78805,1749,98338,96626,56518,4501,61844,64873,64036,73717,275721,252847,50798,9733,261423,61538274,61491411,72591366,72890007,3990,98034]},"pktlen": {"min":54,"avg":326.0,"max":1514,"stddev":345.9,"var":119666.8,"ent":4.3,"data": [66,66,60,263,54,797,188,113,128,1514,140,60,640,54,640,54,640,640,640,640,640,60,640,66,640,60,640,60,60,54,54,60]},"bins": {"c_to_s": [9,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02272{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3845,"source":"tor.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1383822129889928,"flow_src_last_pkt_time":1383822265160118,"flow_dst_last_pkt_time":1383822265159585,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":586,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":2761,"flow_dst_tot_l4_payload_len":5864,"midstream":0,"thread_ts_usec":1383822265160118,"l3_proto":"ip4","src_ip":"192.168.1.252","dst_ip":"212.83.155.250","src_port":51174,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":319,"avg":8727092.0,"max":72890007,"stddev":22568808.0,"var":509351076823040.0,"ent":2.1,"data": [59390,61607,13819,72120,2062,62909,63545,60042,79423,319,78805,1749,98338,96626,56518,4501,61844,64873,64036,73717,275721,252847,50798,9733,261423,61538274,61491411,72591366,72890007,3990,98034]},"pktlen": {"min":40,"avg":312.0,"max":1500,"stddev":345.9,"var":119666.8,"ent":4.2,"data": [52,52,46,249,40,783,174,99,114,1500,126,46,626,40,626,40,626,626,626,626,626,46,626,52,626,46,626,46,46,40,40,46]},"bins": {"c_to_s": [9,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0,1,1,0],"entropies": [4.501619816,4.930902481,4.441508770,5.332808495,4.834183693,7.397306919,6.658778667,6.048449516,6.157279968,7.876633167,6.546604156,4.441508770,7.673907757,4.834183693,7.638509750,4.884183884,7.663495541,7.670399189,7.645442486,7.664111614,7.640780926,4.484987259,7.650365353,4.880648136,7.645416737,4.544876099,7.673004150,4.457919598,4.457919598,4.734183788,4.734183788,4.501397610]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":3853,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822266211911} 00349{"packet_event_id":1,"packet_event_name":"packet","packet_id":3853,"source":"tor.pcap","alias":"nDPId-test","pkt_oversize":false,"pkt_caplen":60,"pkt_type":38,"pkt_l3_offset":14,"pkt_l4_offset":0,"pkt_len":60,"pkt_l4_len":0,"thread_ts_usec":1383822265221448,"pkt":"AYDCAAAA\/lQA2EYhACZCQgMAAAAAAIAAUlQAwqwfAAAAAIAAUlQAwqwfgAMAABQAAgAAAAAAAAAAAAAA"} 00183{"error_event_id":5,"error_event_name":"Unknown packet type","datalink":1,"packet_id":3854,"source":"tor.pcap","alias":"nDPId-test","layer_type":38,"global_ts_usec":1383822268211949} @@ -373,10 +373,10 @@ ~~ total active/idle flows...: 11/11 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6188209 bytes -~~ total memory freed........: 6188209 bytes -~~ total allocations/frees...: 125319/125319 +~~ total memory allocated....: 6189705 bytes +~~ total memory freed........: 6189705 bytes +~~ total allocations/frees...: 125330/125330 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 185 chars -~~ json string max len.......: 2133 chars -~~ json string avg len.......: 1159 chars +~~ json string max len.......: 2531 chars +~~ json string avg len.......: 1358 chars diff --git a/test/results/trickbot.pcap.out b/test/results/trickbot.pcap.out index ca5beed09..5db46e3c3 100644 --- a/test/results/trickbot.pcap.out +++ b/test/results/trickbot.pcap.out @@ -6,7 +6,7 @@ 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1609266107797418,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1609266107797418,"pkt":"IOUqtpPxAAgCHEeuCABFAAAoc9JAAIAGK1IKDB1lUnbhxO+GG6gSdtdXYu1SXVAQ\/\/+p4QAA"} 01412{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266107797621,"flow_dst_last_pkt_time":1609266107797175,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":349,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":349,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1609266107797621,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"82.118.225.196","http": {"url":"82.118.225.196:7080\/OK21pqJAtyyGBEo00sk","code":0,"content_type":"","user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E)","request_content_type":"application\/x-www-form-urlencoded","detected_os":"Windows 10"}}} 01552{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266107797702,"flow_dst_last_pkt_time":1609266108728827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1358,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":1358,"midstream":0,"thread_ts_usec":1609266108728827,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"82.118.225.196","http": {"url":"82.118.225.196:7080\/OK21pqJAtyyGBEo00sk","code":200,"content_type":"text\/html","user_agent":"Mozilla\/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident\/7.0; .NET4.0C; .NET4.0E)","request_content_type":"application\/x-www-form-urlencoded","detected_os":"Windows 10"}}} -02060{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266109737227,"flow_dst_last_pkt_time":1609266110219915,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":27187,"midstream":0,"thread_ts_usec":1609266110219915,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":156585.2,"max":931328,"stddev":258444.3,"var":66793451520.0,"ent":3.3,"data": [245675,245918,203,81,530,37,931085,931328,2339,2280,480234,19,480300,297566,15,8,7,8,7,8,8,7,7,6,9,297680,227938,227937,482874,14,14]},"pktlen": {"min":54,"avg":944.0,"max":1514,"stddev":662.5,"var":438885.5,"ent":4.5,"data": [66,58,54,403,982,54,54,1412,54,1412,54,1514,1337,54,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,290,54,1412,54,1514,1514,1208]},"bins": {"c_to_s": [7,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,3,0,0,14,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} +02459{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":9,"flow_dst_packets_processed":23,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266109737227,"flow_dst_last_pkt_time":1609266110219915,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":27187,"midstream":0,"thread_ts_usec":1609266110219915,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":156585.2,"max":931328,"stddev":258444.3,"var":66793451520.0,"ent":3.3,"data": [245675,245918,203,81,530,37,931085,931328,2339,2280,480234,19,480300,297566,15,8,7,8,7,8,8,7,7,6,9,297680,227938,227937,482874,14,14]},"pktlen": {"min":40,"avg":930.0,"max":1500,"stddev":662.5,"var":438885.5,"ent":4.5,"data": [52,44,40,389,968,40,40,1398,40,1398,40,1500,1323,40,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,276,40,1398,40,1500,1500,1194]},"bins": {"c_to_s": [7,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,3,0,0,14,0,0]},"directions": [0,1,0,0,0,1,1,1,0,1,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,0,1,0,1,1,1],"entropies": [4.776611805,4.925117970,4.762815475,5.824206829,6.033888340,4.784183979,4.834183693,7.786707878,4.931687355,7.831421852,4.931687355,7.870709896,7.856476307,4.931687355,7.869441509,7.864507675,7.865448475,7.873723507,7.871662140,7.892165661,7.878643513,7.860257149,7.887190342,7.870031357,7.873756886,7.255901337,4.931687355,7.870108604,4.931687355,7.875472546,7.873021603,7.864452362]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 01264{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":74,"source":"trickbot.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":28,"flow_dst_packets_processed":46,"flow_first_seen":1609266107551500,"flow_src_last_pkt_time":1609266115947454,"flow_dst_last_pkt_time":1609266115947521,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":928,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":1277,"flow_dst_tot_l4_payload_len":56713,"midstream":0,"thread_ts_usec":1609266115947521,"l3_proto":"ip4","src_ip":"10.12.29.101","dst_ip":"82.118.225.196","src_port":61318,"dst_port":7080,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"12": {"risk":"HTTP Numeric IP Address","severity":"Low","risk_score": {"total":500,"client":450,"server":50}},"25": {"risk":"HTTP Suspicious Content","severity":"High","risk_score": {"total":510,"client":355,"server":155}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":74,"source":"trickbot.pcap","alias":"nDPId-test","packets-captured":74,"packets-processed":74,"total-skipped-flows":0,"total-l4-payload-len":57990,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":1,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1609266115947521} ~~~~~~~~~~~~~~~~~~~~ SUMMARY ~~~~~~~~~~~~~~~~~~~~ @@ -17,10 +17,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6038022 bytes -~~ total memory freed........: 6038022 bytes -~~ total allocations/frees...: 121568/121568 +~~ total memory allocated....: 6038158 bytes +~~ total memory freed........: 6038158 bytes +~~ total allocations/frees...: 121569/121569 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars -~~ json string max len.......: 2065 chars -~~ json string avg len.......: 1232 chars +~~ json string max len.......: 2464 chars +~~ json string avg len.......: 1406 chars diff --git a/test/results/tumblr.pcap.out b/test/results/tumblr.pcap.out index 9eaa83a9a..ec776eefc 100644 --- a/test/results/tumblr.pcap.out +++ b/test/results/tumblr.pcap.out @@ -26,7 +26,7 @@ 00784{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":32,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292104650967,"flow_src_last_pkt_time":1605292104650967,"flow_dst_last_pkt_time":1605292104650967,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292104650967,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::68f4:2ac8","src_port":56782,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00553{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":32,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1605292104650967,"flow_dst_last_pkt_time":1605292104650967,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292104650967,"pkt":"qtsDr8lk5EKm5WPyht1gBEqMACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABo9CrI3c4Bu\/+MQoWdXXNVgBAB9YSyAAABAQgKTYTpp8Lc6wE="} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":37,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1605292104650967,"flow_dst_last_pkt_time":1605292104716333,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292104716333,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAGj0KsgqAcsBIEmLB5kd7IUo3\/YpAbvdzp1dc1X\/jEKGgBAMSBTRAAABAQgKwt2b\/U1+nj4="} -01699{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292103810303,"flow_src_last_pkt_time":1605292105112205,"flow_dst_last_pkt_time":1605292105112063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":382,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":607,"flow_dst_tot_l4_payload_len":11474,"midstream":1,"thread_ts_usec":1605292105112205,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::98c7:1593","src_port":42908,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83989.1,"max":700859,"stddev":188930.8,"var":35694845952.0,"ent":2.6,"data": [870,91738,194148,2,1,2772,104383,700859,700827,1324,5830,44963,352,357119,395282,1534,2,2,1,1,1,1,2,1529,39,13,18,11,13,13,12]},"pktlen": {"min":86,"avg":463.5,"max":1486,"stddev":576.4,"var":332266.9,"ent":4.0,"data": [468,125,125,86,86,86,125,86,958,86,121,198,86,86,1474,86,98,1486,1486,1486,1486,849,1486,1486,86,86,86,86,86,86,86,86]},"bins": {"c_to_s": [11,3,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,0,0,1,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02098{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":57,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292103810303,"flow_src_last_pkt_time":1605292105112205,"flow_dst_last_pkt_time":1605292105112063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":382,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":607,"flow_dst_tot_l4_payload_len":11474,"midstream":1,"thread_ts_usec":1605292105112205,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::98c7:1593","src_port":42908,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":83989.1,"max":700859,"stddev":188930.8,"var":35694845952.0,"ent":2.6,"data": [870,91738,194148,2,1,2772,104383,700859,700827,1324,5830,44963,352,357119,395282,1534,2,2,1,1,1,1,2,1529,39,13,18,11,13,13,12]},"pktlen": {"min":72,"avg":449.5,"max":1472,"stddev":576.4,"var":332266.9,"ent":4.0,"data": [454,111,111,72,72,72,111,72,944,72,107,184,72,72,1460,72,84,1472,1472,1472,1472,835,1472,1472,72,72,72,72,72,72,72,72]},"bins": {"c_to_s": [11,3,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,0]},"directions": [0,0,0,1,1,1,1,0,1,0,0,0,1,1,1,0,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,0],"entropies": [7.475968361,5.973469734,5.991487980,5.083631992,5.055854321,5.055854321,5.836178780,5.218127251,7.768151760,5.245904922,5.915576458,6.683409691,5.034884930,5.073147297,7.871325970,5.162571907,5.437397003,7.868166924,7.884456158,7.861326694,7.846504688,7.733069897,7.846429825,7.853037357,5.218127251,5.218127251,5.218127251,5.218127251,5.218127251,5.190349579,5.245904922,5.190349579]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00790{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":87,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105170049,"flow_dst_last_pkt_time":1605292105170049,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":160,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105170049,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00775{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":87,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105170049,"flow_dst_last_pkt_time":1605292105170049,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":246,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":246,"pkt_l4_len":192,"thread_ts_usec":1605292105170049,"pkt":"qtsDr8lk5EKm5WPyht1gDdvHAMAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0oqZwBuzRq\/HZTRuvUgBgSELhfAAABAQgKdG+lysLdLW8XAwMAm7+VUv5v3n1cEKhvA7Obmk7hW69laavu9OZNOdP5v2aiE9LYEKQeHffn7vm6VstuW5LB+GPd1bdCCYxPrQ8cpXXvSrRBde7Ubgvulsw\/eGF6vJKgoYXL5h04lY18ojPm\/cV9tUPretg64t\/hG52\/jXKkQ9+5e1GR1KuJgn1MWQ\/97vN82J\/Jt388ivkqQMfP0T\/jvMqs33Elwytq"} 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105170049,"flow_dst_last_pkt_time":1605292105170049,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":160,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":160,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105170049,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -39,12 +39,12 @@ 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":93,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105170518,"flow_dst_last_pkt_time":1605292105195930,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292105195930,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAMAATSgqAcsBIEmLB5kd7IUo3\/YpAbupnFNG69Q0av0WgBAMvoDtAAABAQgKwt2d3XRvpco="} 00804{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105197307,"flow_dst_last_pkt_time":1605292105197307,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105197307,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105197307,"flow_dst_last_pkt_time":1605292105197307,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105197307,"pkt":"qtsDr8lk5EKm5WPyht1gCsuaACgGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5AwBu6fu9OYAAAAAoAL9IHL6AAACBAWgBAIIClFT82IAAAAAAQMDBw=="} -01554{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":128,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105221617,"flow_dst_last_pkt_time":1605292105221612,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":12058,"midstream":1,"thread_ts_usec":1605292105221617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3326.8,"max":37135,"stddev":8084.0,"var":65351828.0,"ent":2.7,"data": [469,25881,1104,10603,37135,1897,1,1911,13,717,678,9927,9935,107,1,101,8,237,229,116,116,308,309,92,91,472,1,479,15,99,79]},"pktlen": {"min":86,"avg":472.5,"max":1486,"stddev":599.1,"var":358951.0,"ent":4.0,"data": [246,237,86,86,905,86,125,1474,86,86,98,86,1486,86,1486,1474,86,86,98,86,1486,86,1486,86,1474,86,98,1474,86,86,98,86]},"bins": {"c_to_s": [14,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,0,1,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0]}} +01953{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":128,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105221617,"flow_dst_last_pkt_time":1605292105221612,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":12058,"midstream":1,"thread_ts_usec":1605292105221617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3326.8,"max":37135,"stddev":8084.0,"var":65351828.0,"ent":2.7,"data": [469,25881,1104,10603,37135,1897,1,1911,13,717,678,9927,9935,107,1,101,8,237,229,116,116,308,309,92,91,472,1,479,15,99,79]},"pktlen": {"min":72,"avg":458.5,"max":1472,"stddev":599.1,"var":358951.0,"ent":3.9,"data": [232,223,72,72,891,72,111,1460,72,72,84,72,1472,72,1472,1460,72,72,84,72,1472,72,1472,72,1460,72,84,1460,72,72,84,72]},"bins": {"c_to_s": [14,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0]},"directions": [0,0,1,1,1,0,1,1,0,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1,0],"entropies": [6.975117207,6.780508041,5.008678436,4.980900764,7.727560043,5.257209778,5.876837730,7.865436077,5.284987926,5.284987926,5.396960735,5.284987926,7.861420155,5.257210255,7.855777740,7.835244179,5.201654911,5.257210255,5.387974262,5.257210255,7.869387627,5.229432106,7.851236820,5.229432583,7.862463474,5.201654911,5.316545486,7.846337318,5.257210255,5.284987926,5.396960735,5.284987926]}} 00900{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":128,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105170049,"flow_src_last_pkt_time":1605292105221617,"flow_dst_last_pkt_time":1605292105221612,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":160,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":311,"flow_dst_tot_l4_payload_len":12058,"midstream":1,"thread_ts_usec":1605292105221617,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43420,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":146,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1605292105197307,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105230486,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSYGKAABNRVaI7oLKiX\/Ei0qAcsBIEmLB5kd7IUo3\/YpAbvkDMLhfl2n7vTnoBJXgHalAAACBAV4AQMDAwQCCArC3Z3zUVPzYg=="} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":150,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105230554,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292105230554,"pkt":"qtsDr8lk5EKm5WPyht1gCsuaACAGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5AwBu6fu9OfC4X5egBAB+\/qVAAABAQgKUVPzg8LdnfM="} 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":154,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105231042,"flow_dst_last_pkt_time":1605292105230486,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105231042,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"consent.cmp.oath.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01563{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":158,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3903.1,"max":45055,"stddev":9416.3,"var":88667112.0,"ent":2.8,"data": [365,4822,355,27249,2992,337,2701,17288,45055,519,518,603,1,579,9,7282,1,7292,34,289,2,248,25,174,1,157,27,1036,1,1005,28]},"pktlen": {"min":86,"avg":622.3,"max":1486,"stddev":669.7,"var":448506.0,"ent":4.1,"data": [198,125,197,186,86,86,86,86,1486,86,1486,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86,1486,1486,86,86]},"bins": {"c_to_s": [12,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]}} +01962{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":158,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3903.1,"max":45055,"stddev":9416.3,"var":88667112.0,"ent":2.8,"data": [365,4822,355,27249,2992,337,2701,17288,45055,519,518,603,1,579,9,7282,1,7292,34,289,2,248,25,174,1,157,27,1036,1,1005,28]},"pktlen": {"min":72,"avg":608.3,"max":1472,"stddev":669.7,"var":448506.0,"ent":4.1,"data": [184,111,183,172,72,72,72,72,1472,72,1472,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72,1472,1472,72,72]},"bins": {"c_to_s": [12,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0]},"directions": [0,0,0,0,1,1,1,1,1,0,1,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0],"entropies": [6.587406158,5.914531231,6.603403568,6.519369125,4.980900764,4.980900764,4.894209862,4.980900764,7.851428509,5.118321419,7.864492416,5.118321419,7.853987694,7.848294735,5.062766075,5.080059052,7.860019684,7.828007221,5.118321419,5.118321419,7.856985092,7.866126060,5.118321419,5.080059052,7.856244087,7.840456009,5.146099091,5.080059052,7.871989727,7.857123375,5.118321419,5.118321419]}} 00900{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":158,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105171046,"flow_src_last_pkt_time":1605292105231565,"flow_dst_last_pkt_time":1605292105231522,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":112,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":362,"flow_dst_tot_l4_payload_len":16800,"midstream":1,"thread_ts_usec":1605292105231565,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d28","src_port":43434,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00805{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":345,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105274861,"flow_src_last_pkt_time":1605292105274861,"flow_dst_last_pkt_time":1605292105274861,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105274861,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58382,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105274861,"flow_dst_last_pkt_time":1605292105274861,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105274861,"pkt":"qtsDr8lk5EKm5WPyht1gA8c5ACgGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5A4Bu+LGvZYAAAAAoAL9IG8jAAACBAWgBAIIClFT868AAAAAAQMDBw=="} @@ -53,7 +53,7 @@ 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":377,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105299399,"flow_dst_last_pkt_time":1605292105299371,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292105299399,"pkt":"qtsDr8lk5EKm5WPyht1gA8c5ACAGQCoBywEgSYsHmR3shSjf9ikmBigAATUVWiO6Cyol\/xIt5A4Bu+LGvZeG572bgBAB+\/MzAAABAQgKUVPzyMLdnkM="} 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":378,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292105274861,"flow_src_last_pkt_time":1605292105299606,"flow_dst_last_pkt_time":1605292105299371,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105299606,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58382,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"consent.cmp.oath.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01197{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":397,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":3,"flow_first_seen":1605292105274861,"flow_src_last_pkt_time":1605292105322435,"flow_dst_last_pkt_time":1605292105340527,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":99,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":99,"midstream":0,"thread_ts_usec":1605292105340527,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58382,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"consent.cmp.oath.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"15af977ce25de452b96affa2addb1036","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01702{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":411,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105347875,"flow_dst_last_pkt_time":1605292105347850,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1519,"flow_dst_tot_l4_payload_len":5784,"midstream":0,"thread_ts_usec":1605292105347875,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11581.2,"max":47694,"stddev":16955.4,"var":287485632.0,"ent":3.2,"data": [33179,33247,488,47694,47160,1225,37725,2106,38598,23,3,754,718,796,796,2589,248,171,60,26260,592,1,74,1362,25234,8]},"pktlen": {"min":86,"avg":314.7,"max":1294,"stddev":381.9,"var":145812.8,"ent":4.2,"data": [94,94,86,603,86,185,86,609,86,1294,1294,1294,86,86,86,558,86,1069,86,160,178,343,142,86,86,86,86,341,341,182,86,86]},"bins": {"c_to_s": [10,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,2,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,1,0,0,0,0,0,1,1,1,1,1,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02101{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":411,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292105197307,"flow_src_last_pkt_time":1605292105347875,"flow_dst_last_pkt_time":1605292105347850,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":523,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":1519,"flow_dst_tot_l4_payload_len":5784,"midstream":0,"thread_ts_usec":1605292105347875,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2606:2800:135:155a:23ba:b2a:25ff:122d","src_port":58380,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":11581.2,"max":47694,"stddev":16955.4,"var":287485632.0,"ent":3.2,"data": [33179,33247,488,47694,47160,1225,37725,2106,38598,23,3,754,718,796,796,2589,248,171,60,26260,592,1,74,1362,25234,8]},"pktlen": {"min":72,"avg":300.7,"max":1280,"stddev":381.9,"var":145812.8,"ent":4.1,"data": [80,80,72,589,72,171,72,595,72,1280,1280,1280,72,72,72,544,72,1055,72,146,164,329,128,72,72,72,72,327,327,168,72,72]},"bins": {"c_to_s": [10,1,2,0,0,0,0,0,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,2,0,0,0,2,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,1,1,1,0,0,0,1,0,1,0,0,0,0,0,1,1,1,1,1,1,1,0,0],"entropies": [5.295193195,5.637294769,5.563652992,4.598795891,5.459350586,6.223492146,5.497612953,5.044443607,5.487128258,7.814322472,7.863967419,7.842244625,5.591430664,5.503256798,5.563652992,7.612953186,5.591430664,7.763548851,5.563652992,6.558448792,6.685117722,7.291459560,6.278277397,5.487128258,5.487128258,5.431572914,5.487128258,7.317289352,7.268368721,6.510692596,5.591430664,5.563652992]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00785{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":432,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105418417,"flow_src_last_pkt_time":1605292105418417,"flow_dst_last_pkt_time":1605292105418417,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105418417,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":432,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105418417,"flow_dst_last_pkt_time":1605292105418417,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292105418417,"pkt":"qtsDr8lk5EKm5WPyht1gDBurACgGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABgBgdJmPABuw7mG3sAAAAAoAL9IOHqAAACBAWgBAIIChNm5EYAAAAAAQMDBw=="} 00790{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":433,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105433892,"flow_src_last_pkt_time":1605292105433892,"flow_dst_last_pkt_time":1605292105433892,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292105433892,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2001:4998:14:800::1001","src_port":47118,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -70,7 +70,7 @@ 00886{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":454,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105669051,"flow_dst_last_pkt_time":1605292105669051,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":120,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":120,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":120,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105669051,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00612{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":455,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1605292105669426,"flow_dst_last_pkt_time":1605292105669051,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":125,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":125,"pkt_l4_len":71,"thread_ts_usec":1605292105669426,"pkt":"qtsDr8lk5EKm5WPyht1gCP\/sAEcGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3doBu3fKOsYW2C\/9gBhA0ehRAAABAQgKBcmbrMLdLRcXAwMAIgQb59HIMHYAgoaCAJqbMMjq72ntBt\/\/eGErLyXH34Iczsk="} 00733{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":456,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1605292105669518,"flow_dst_last_pkt_time":1605292105669051,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":215,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":215,"pkt_l4_len":161,"thread_ts_usec":1605292105669518,"pkt":"qtsDr8lk5EKm5WPyht1gCP\/sAKEGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3doBu3fKOu0W2C\/9gBhA0aEtAAABAQgKBcmbrMLdLRcXAwMAfBkhBkIFqMuMKjD1\/xjqGp2hEKMP3ziLomYjJXbyDDBzMNKC8MmFqfqAj9+xvxfAO7rBldu4UpazYVXmg399TnFcypI7qckvMpQyy6kehQ5F75J5BlTYjgokme9I6h8+9mS8Y6D2WQEp5qh0Ix9\/vReZo1xT0xocl8k7wFQ="} -01547{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":485,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3795.7,"max":36646,"stddev":9087.4,"var":82581152.0,"ent":2.4,"data": [375,92,385,236,26419,36646,2159,376,10012,21697,203,197,169,221,406,8,175,469,1,620,51,101,150,197,535,21,562]},"pktlen": {"min":86,"avg":449.7,"max":1486,"stddev":586.0,"var":343353.7,"ent":4.0,"data": [206,125,215,216,157,122,86,86,86,86,86,1486,86,1486,86,1474,98,1486,86,86,1474,98,1341,117,86,86,125,1474,86,98,1474,86]},"bins": {"c_to_s": [8,2,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,7,0,0,0,0]},"directions": [0,0,0,0,0,0,1,1,1,1,1,1,0,1,0,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0]}} +01946{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":485,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":3795.7,"max":36646,"stddev":9087.4,"var":82581152.0,"ent":2.4,"data": [375,92,385,236,26419,36646,2159,376,10012,21697,203,197,169,221,406,8,175,469,1,620,51,101,150,197,535,21,562]},"pktlen": {"min":72,"avg":435.7,"max":1472,"stddev":586.0,"var":343353.7,"ent":3.9,"data": [192,111,201,202,143,108,72,72,72,72,72,1472,72,1472,72,1460,84,1472,72,72,1460,84,1327,103,72,72,111,1460,72,84,1460,72]},"bins": {"c_to_s": [8,2,1,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,7,0,0,0,0]},"directions": [0,0,0,0,0,0,1,1,1,1,1,1,0,1,0,1,1,1,0,0,1,1,1,1,0,0,1,1,0,1,1,0],"entropies": [6.771437645,5.700867176,6.623061657,6.706957817,6.270517826,5.792555332,5.008678436,5.036456108,5.008678436,5.036456108,5.008678436,7.827867985,5.069574833,7.856517315,5.080059528,7.842531681,5.292736530,7.873940468,5.069574833,5.034988403,7.877679825,5.307831764,7.852031708,5.639400959,5.146099567,5.090544224,5.719091892,7.856316566,5.118321896,5.301723003,7.853841305,5.090544224]}} 00901{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":485,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1605292105669051,"flow_src_last_pkt_time":1605292105720296,"flow_dst_last_pkt_time":1605292105720289,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":130,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":525,"flow_dst_tot_l4_payload_len":11113,"midstream":1,"thread_ts_usec":1605292105720296,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56794,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00792{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":492,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292105726518,"flow_src_last_pkt_time":1605292105726518,"flow_dst_last_pkt_time":1605292105726518,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":127,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":127,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":127,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292105726518,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4c03","src_port":51874,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00728{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":492,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1605292105726518,"flow_dst_last_pkt_time":1605292105726518,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":213,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":213,"pkt_l4_len":159,"thread_ts_usec":1605292105726518,"pkt":"qtsDr8lk5EKm5WPyht1gBYNxAJ8GQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAEwDyqIBu7npntnZTJergBgB9damAAABAQgKLIniTsLdLfkXAwMAepLzP8oRHbXAD5D56fW\/ezxXNRxKdaqM6BwQpjw0zyORx06Rl8gHWinoWY19NxmIXl2owLgVHJ\/UEVkHmda\/PMinu6FgCqLeUi5RUsVJaGqL1ulKRH6Mi5nxYau2z9M9f+jUaBIVXH47AOoxy+jPs5YTh+8Es3OdfTIr"} @@ -96,7 +96,7 @@ 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2849,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":3,"flow_src_last_pkt_time":1605292108917920,"flow_dst_last_pkt_time":1605292108917845,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292108917920,"pkt":"qtsDr8lk5EKm5WPyht1gCOgvACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAADAAE0D3goBu3qld1Md4lVGgBAB+8BsAAABAQgKBcmoXMLdrGc="} 01156{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2850,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292108918360,"flow_dst_last_pkt_time":1605292108917845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292108918360,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"64.media.tumblr.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01201{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2953,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292108918360,"flow_dst_last_pkt_time":1605292108973288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1400,"midstream":0,"thread_ts_usec":1605292108973288,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"64.media.tumblr.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01696{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3670,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292109072597,"flow_dst_last_pkt_time":1605292109072571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1335,"flow_dst_tot_l4_payload_len":7988,"midstream":0,"thread_ts_usec":1605292109072597,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13139.0,"max":70171,"stddev":20754.3,"var":430742720.0,"ent":3.1,"data": [22637,22712,440,30662,24781,1,1,54941,10,7,4,36,7,1509,240,132,59732,70171,1,28567,37136,504,1,1,500,15,4]},"pktlen": {"min":86,"avg":377.8,"max":1486,"stddev":486.5,"var":236637.8,"ent":4.1,"data": [94,94,86,603,86,1486,1486,1382,1486,86,86,86,86,207,86,150,178,417,417,86,86,86,357,86,357,148,117,1486,422,86,86,86]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,1,0,1,1,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02095{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3670,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292108895208,"flow_src_last_pkt_time":1605292109072597,"flow_dst_last_pkt_time":1605292109072571,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1335,"flow_dst_tot_l4_payload_len":7988,"midstream":0,"thread_ts_usec":1605292109072597,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::c000:4d03","src_port":56842,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":13139.0,"max":70171,"stddev":20754.3,"var":430742720.0,"ent":3.1,"data": [22637,22712,440,30662,24781,1,1,54941,10,7,4,36,7,1509,240,132,59732,70171,1,28567,37136,504,1,1,500,15,4]},"pktlen": {"min":72,"avg":363.8,"max":1472,"stddev":486.5,"var":236637.8,"ent":4.0,"data": [80,80,72,589,72,1472,1472,1368,1472,72,72,72,72,193,72,136,164,403,403,72,72,72,343,72,343,134,103,1472,408,72,72,72]},"bins": {"c_to_s": [11,0,2,0,0,0,0,0,0,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,1,0,0,0,0,0,1,1,1,1,0,1,1,1,1,1,0,0,0],"entropies": [4.750073910,5.171930313,5.147485733,4.504647255,5.036456108,7.837605953,7.857367039,7.841114044,7.873028755,5.147486210,5.119708538,5.175263882,5.147486210,6.592915535,5.147486210,5.952137947,6.489402294,7.443186283,7.431387901,5.036456108,4.980900764,5.008678436,7.119190693,5.175263882,7.234163284,6.096735001,5.624744892,7.869890213,7.348752975,5.175263882,5.175263882,5.175263882]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00788{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":12579,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292114506948,"flow_src_last_pkt_time":1605292114506948,"flow_dst_last_pkt_time":1605292114506948,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292114506948,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:798c","src_port":56558,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12579,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_src_last_pkt_time":1605292114506948,"flow_dst_last_pkt_time":1605292114506948,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292114506948,"pkt":"qtsDr8lk5EKm5WPyht1gCYCjACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAACXZXmM3O4Bu5iknWH70O\/fgBATex8tAAABAQgKqXtvnsLdEcs="} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12580,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_src_last_pkt_time":1605292114506948,"flow_dst_last_pkt_time":1605292114736576,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292114736576,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAJdleYwqAcsBIEmLB5kd7IUo3\/YpAbvc7vvQ79+YpJ1igBBY1dkNAAABAQgKwt3C3al6v1A="} @@ -167,7 +167,7 @@ 01224{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23421,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121507997,"flow_dst_last_pkt_time":1605292121697370,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1400,"midstream":0,"thread_ts_usec":1605292121697370,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01493{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23427,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":6,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121697627,"flow_dst_last_pkt_time":1605292121698447,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5097,"midstream":0,"thread_ts_usec":1605292121698447,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","server_names":"*.tumblr.com,tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tumblr.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"14:78:BA:5B:B5:54:5D:A1:2C:D2:79:4C:42:99:BB:3A:A9:DB:86:C2"}}} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23429,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":2,"flow_src_last_pkt_time":1605292121674877,"flow_dst_last_pkt_time":1605292121698552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292121698552,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgXAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbvZCJmV\/O79d79\/gBALlo7gAAABAQgKwt3eUxu5BaQ="} -01585{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23448,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":28645.1,"max":189403,"stddev":50095.8,"var":2509586944.0,"ent":3.2,"data": [21421,21468,523,29545,160398,189403,235,213,14,842,826,3808,144,202,28681,1,1011,77988,2,103570,74,656,29813,79144,108203,110,95,435,441,86]},"pktlen": {"min":86,"avg":468.0,"max":1486,"stddev":568.3,"var":322990.4,"ent":4.1,"data": [94,94,86,603,86,1486,86,1486,1382,86,86,1087,86,171,177,537,86,86,86,352,156,86,86,116,86,1486,86,1486,86,1486,86,1486]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,1,0,1,0,1]}} +01984{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23448,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":28645.1,"max":189403,"stddev":50095.8,"var":2509586944.0,"ent":3.2,"data": [21421,21468,523,29545,160398,189403,235,213,14,842,826,3808,144,202,28681,1,1011,77988,2,103570,74,656,29813,79144,108203,110,95,435,441,86]},"pktlen": {"min":72,"avg":454.0,"max":1472,"stddev":568.3,"var":322990.4,"ent":4.0,"data": [80,80,72,589,72,1472,72,1472,1368,72,72,1073,72,157,163,523,72,72,72,338,142,72,72,102,72,1472,72,1472,72,1472,72,1472]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,1,0,0,1,0,0,0,0,1,1,1,1,1,0,0,0,1,1,0,1,0,1,0,1],"entropies": [4.847575665,5.264388561,5.273682594,4.570615292,5.139187336,7.183391094,5.218127251,7.306411743,7.637944698,5.179864883,5.245904922,7.569734573,5.218127251,6.162980080,6.493566990,7.590200424,5.139187336,5.139187336,5.083631992,7.038479328,6.319642544,5.162571907,5.162571907,5.715408325,5.083631992,7.863587856,5.218127251,7.862967491,5.245904922,7.863145828,5.190349579,7.850796700]}} 01497{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23448,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292121486006,"flow_src_last_pkt_time":1605292121915646,"flow_dst_last_pkt_time":1605292121915718,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1400,"flow_src_tot_l4_payload_len":1174,"flow_dst_tot_l4_payload_len":11033,"midstream":0,"thread_ts_usec":1605292121915718,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::4a72:9a16","src_port":43328,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Tumblr","proto_id":"91.90","encrypted":1,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"catasters.tumblr.com","tls": {"version":"TLSv1.2","server_names":"*.tumblr.com,tumblr.com","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"738f0c3c6e00286f3afac626676d352d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tumblr.com","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"14:78:BA:5B:B5:54:5D:A1:2C:D2:79:4C:42:99:BB:3A:A9:DB:86:C2"}}} 00794{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23631,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122064463,"flow_dst_last_pkt_time":1605292122064463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122064463,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23631,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122064463,"flow_dst_last_pkt_time":1605292122064463,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122064463,"pkt":"qtsDr8lk5EKm5WPyht1gAy+bACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICQAAAAAAACAOwYwBu0AeaGkAAAAAoAL9IOE8AAACBAWgBAIICthbOh0AAAAAAQMDBw=="} @@ -179,15 +179,15 @@ 01157{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":23657,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122094987,"flow_dst_last_pkt_time":1605292122094721,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122094987,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"apis.google.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 00794{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":23664,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122095843,"flow_dst_last_pkt_time":1605292122095843,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122095843,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00568{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":23664,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122095843,"flow_dst_last_pkt_time":1605292122095843,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122095843,"pkt":"qtsDr8lk5EKm5WPyht1gD2uVACgGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAKltABu4i5CzgAAAAAoAL9IPiAAAACBAWgBAIIChLBJ8gAAAAAAQMDBw=="} -01552{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23851,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1561236.4,"max":19513573,"stddev":5287922.5,"var":27962124533760.0,"ent":1.0,"data": [19473275,346,19513573,40000,58,14,3,47,46,590,601,1080,1,1,1,1081,15,50,4,2,3,4,112,1,1]},"pktlen": {"min":86,"avg":614.1,"max":1134,"stddev":520.1,"var":270533.2,"ent":4.4,"data": [86,172,132,86,1134,86,1134,1134,86,86,1134,86,1134,86,1134,1134,1134,1134,1134,1134,1134,86,86,86,86,86,86,86,1134,1134,1134,1134]},"bins": {"c_to_s": [13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1]}} +01951{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":23851,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1561236.4,"max":19513573,"stddev":5287922.5,"var":27962124533760.0,"ent":1.0,"data": [19473275,346,19513573,40000,58,14,3,47,46,590,601,1080,1,1,1,1081,15,50,4,2,3,4,112,1,1]},"pktlen": {"min":72,"avg":600.1,"max":1120,"stddev":520.1,"var":270533.2,"ent":4.4,"data": [72,158,118,72,1120,72,1120,1120,72,72,1120,72,1120,72,1120,1120,1120,1120,1120,1120,1120,72,72,72,72,72,72,72,1120,1120,1120,1120]},"bins": {"c_to_s": [13,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,1,1,0,0,1,0,1,0,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,1,1],"entropies": [5.300073624,6.172540188,5.808043480,5.111409664,7.793330193,5.244518280,7.816789150,7.806469440,5.188962936,5.244518280,7.817547321,5.216740131,7.782293320,5.272295952,7.814203739,7.825418949,7.833592415,7.796096325,7.794456482,7.800365925,7.831590176,5.300073624,5.244518280,5.272295952,5.300073624,5.216740608,5.244518280,5.272295475,7.782464504,7.824431896,7.817936897,7.808838844]}} 00901{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":23851,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1605292102602965,"flow_src_last_pkt_time":1605292122118409,"flow_dst_last_pkt_time":1605292122118430,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":86,"flow_dst_max_l4_payload_len":1048,"flow_src_tot_l4_payload_len":132,"flow_dst_tot_l4_payload_len":16768,"midstream":1,"thread_ts_usec":1605292122118430,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::9765:789d","src_port":48240,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24118,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122095843,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":94,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":94,"pkt_l4_len":40,"thread_ts_usec":1605292122163288,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACgGPSoAFFBABwgLAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbuW0O3zbp+IuQs5oBJXgJ7NAAACBAV4AQMDAwQCCArC3d\/9EsEnyA=="} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24126,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":3,"flow_src_last_pkt_time":1605292122163315,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122163315,"pkt":"qtsDr8lk5EKm5WPyht1gD2uVACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICwAAAAAAACAKltABu4i5Cznt826ggBAB+yKbAAABAQgKEsEoDMLd3\/0="} 01169{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":24188,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122163584,"flow_dst_last_pkt_time":1605292122163288,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1605292122163584,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ajax.googleapis.com","tls": {"version":"TLSv1.2","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01202{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24239,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122094987,"flow_dst_last_pkt_time":1605292122177975,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605292122177975,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"apis.google.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01214{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24429,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122163584,"flow_dst_last_pkt_time":1605292122212637,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1208,"midstream":0,"thread_ts_usec":1605292122212637,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"ajax.googleapis.com","tls": {"version":"TLSv1.3","ja3":"b32309a26951912be7dba376398abc3b","ja3s":"eb1d94daa7e0344597e756a1fb6e7054","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24477,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122274057,"flow_dst_last_pkt_time":1605292122274042,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":982,"flow_dst_tot_l4_payload_len":8808,"midstream":0,"thread_ts_usec":1605292122274057,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12290.1,"max":67472,"stddev":20336.5,"var":413573216.0,"ent":3.2,"data": [67445,67472,269,44078,5271,1,49097,3,94,53,18571,10150,718,42370,12940,229,14297,2020,1,16083,2556,1,2570,25,64,1,22,4,8]},"pktlen": {"min":86,"avg":392.4,"max":1294,"stddev":464.3,"var":215557.6,"ent":4.1,"data": [94,94,86,603,86,1294,1294,86,86,586,86,150,178,364,86,666,86,117,86,117,86,86,535,1294,86,86,1294,1294,1294,86,86,86]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24501,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122281616,"flow_dst_last_pkt_time":1605292122282509,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":9011,"midstream":0,"thread_ts_usec":1605292122282509,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15006.9,"max":83018,"stddev":20961.8,"var":439398816.0,"ent":3.6,"data": [30258,30298,226,70679,12575,2,1,83018,62,4,882,32413,31475,5911,16277,137,34580,1914,14156,7168,10659,16853,1,1,34679,24,2,2,942]},"pktlen": {"min":86,"avg":398.2,"max":1294,"stddev":474.8,"var":225406.5,"ent":4.1,"data": [94,94,86,603,86,1294,1294,325,86,86,86,150,86,666,86,178,117,344,86,117,86,86,86,999,1294,1294,1294,86,86,86,86,1294]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02122{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24477,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292122095843,"flow_src_last_pkt_time":1605292122274057,"flow_dst_last_pkt_time":1605292122274042,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":982,"flow_dst_tot_l4_payload_len":8808,"midstream":0,"thread_ts_usec":1605292122274057,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80b::200a","src_port":38608,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":12290.1,"max":67472,"stddev":20336.5,"var":413573216.0,"ent":3.2,"data": [67445,67472,269,44078,5271,1,49097,3,94,53,18571,10150,718,42370,12940,229,14297,2020,1,16083,2556,1,2570,25,64,1,22,4,8]},"pktlen": {"min":72,"avg":378.4,"max":1280,"stddev":464.3,"var":215557.6,"ent":4.1,"data": [80,80,72,589,72,1280,1280,72,72,572,72,136,164,350,72,652,72,103,72,103,72,72,521,1280,72,72,1280,1280,1280,72,72,72]},"bins": {"c_to_s": [13,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,1,0,0,0,0,1,1,0,0,1,1,1,0,1,1,0,0,1,1,1,0,0,0],"entropies": [4.880388737,5.286173344,5.204868793,4.536604404,5.107836723,7.787920475,7.830109596,5.260424137,5.232646465,7.542898178,5.232646465,6.192057133,6.535644054,7.298229218,5.014019012,7.680838585,5.232646465,5.914041996,5.041796684,5.815946102,5.052281380,5.166606426,7.546278477,7.846930027,5.117859364,5.138828754,7.830280781,7.832926273,7.840851784,5.194384098,5.099461079,5.156121731]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.GoogleServices","proto_id":"91.239","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02122{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24501,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":43,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1605292122064463,"flow_src_last_pkt_time":1605292122281616,"flow_dst_last_pkt_time":1605292122282509,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1208,"flow_src_tot_l4_payload_len":962,"flow_dst_tot_l4_payload_len":9011,"midstream":0,"thread_ts_usec":1605292122282509,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:809::200e","src_port":49548,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":15006.9,"max":83018,"stddev":20961.8,"var":439398816.0,"ent":3.6,"data": [30258,30298,226,70679,12575,2,1,83018,62,4,882,32413,31475,5911,16277,137,34580,1914,14156,7168,10659,16853,1,1,34679,24,2,2,942]},"pktlen": {"min":72,"avg":384.2,"max":1280,"stddev":474.8,"var":225406.5,"ent":4.1,"data": [80,80,72,589,72,1280,1280,311,72,72,72,136,72,652,72,164,103,330,72,103,72,72,72,985,1280,1280,1280,72,72,72,72,1280]},"bins": {"c_to_s": [12,0,2,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,6,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,1,1,0,1,1,1,1,1,1,0,0,0,0,1],"entropies": [4.836515903,5.311173439,5.222161770,4.516429901,5.097352028,7.813626766,7.833569527,7.238987446,5.249939442,5.211677551,5.222161770,6.183825970,5.163392067,7.648269653,5.182794571,6.507936478,5.802297115,7.243775845,5.097352028,5.700409889,5.249939919,5.097352028,5.163392067,7.756225586,7.832665920,7.840676308,7.826161861,5.222161770,5.222161770,5.166606426,5.183899403,7.820078373]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00716{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24626,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_packet_id":3,"flow_src_last_pkt_time":1605292122439986,"flow_dst_last_pkt_time":1605292121698552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":203,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":203,"pkt_l4_len":149,"thread_ts_usec":1605292122439986,"pkt":"qtsDr8lk5EKm5WPyht1gDKQRAJUGQCoBywEgSYsHmR3shSjf9ikqABRQQAcIFwAAAAAAACAK2QgBu\/13v3+ZlfzugBgB9aL3AAABAQgKG7m5ccLd3lMXAwMAcFVxaXihuhejZCNpZ5nuv6bEN9Yj5XMBxAt2QHwyRgmT6ybDwC5C73DyglYgxmIhMzt282zpUtE5GphT7ONBXskP6qssi1eNQHysgmBFeTvR+6kSeL0yhYhtFPIEYfWd8KPo3wOHIQIgFNXMNqMrZ9Q="} 00892{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":24626,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1605292121674877,"flow_src_last_pkt_time":1605292122439986,"flow_dst_last_pkt_time":1605292121698552,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":117,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":117,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292122439986,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:817::200a","src_port":55560,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00644{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24657,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1605292122501104,"flow_dst_last_pkt_time":1605292104716333,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":149,"pkt_l4_len":95,"thread_ts_usec":1605292122501104,"pkt":"qtsDr8lk5EKm5WPyht1gBEqMAF8GQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABo9CrI3c4Bu\/+MQoadXXNVgBgB9QaPAAABAQgKTYUvYcLdm\/0XAwMAOgAAAAAAAAAIvZM7k4G8cjK7Q9\/YrVI4eMbPvi74lWEwjtUtgcQJsZEKgX5x1KPe5+ARIWOSp6YRK8o="} @@ -201,7 +201,7 @@ 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24694,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122698834,"flow_dst_last_pkt_time":1605292122698834,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122698834,"pkt":"qtsDr8lk5EKm5WPyht1gCuvGACAGQCoBywEgSYsHmR3shSjf9ikAZP+bAAAAAAAAAABKcpoVprIBu3ASIMYXhL6qgBAB9S93AAABAQgKNSTnjcLdLMU="} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24706,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122698834,"flow_dst_last_pkt_time":1605292122741055,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122741055,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPQBk\/5sAAAAAAAAAAEpymhUqAcsBIEmLB5kd7IUo3\/YpAbumsheEvqpwEiDHgBALdyXtAAABAQgKwt3iZjUkMfM="} 01197{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":24707,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1605292122674024,"flow_src_last_pkt_time":1605292122698360,"flow_dst_last_pkt_time":1605292122755298,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":620,"flow_dst_max_l4_payload_len":270,"flow_src_tot_l4_payload_len":620,"flow_dst_tot_l4_payload_len":270,"midstream":0,"thread_ts_usec":1605292122755298,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39164,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":101,"category":"Advertisement","hostname":"sb.scorecardresearch.com","tls": {"version":"TLSv1.3","ja3":"44d502d471cfdb99c59bdfb0f220e5a8","ja3s":"2253c82f03b621c5144709b393fde2c9","unsafe_cipher":0,"cipher":"TLS_AES_256_GCM_SHA384","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24724,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292105418417,"flow_src_last_pkt_time":1605292122813676,"flow_dst_last_pkt_time":1605292122725006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":764,"flow_dst_max_l4_payload_len":1279,"flow_src_tot_l4_payload_len":4217,"flow_dst_tot_l4_payload_len":4676,"midstream":0,"thread_ts_usec":1605292122813676,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":1119414.5,"max":16588707,"stddev":4059258.8,"var":16477581213696.0,"ent":1.4,"data": [29466,29487,204,37942,9029,46759,696,98,30996,1834,7035,39073,52635,52694,371915,406395,20731,55185,2451,32929,9268,39721,16556740,16588707,11402,43353,16903,58413,9807,93158,46822]},"pktlen": {"min":86,"avg":364.4,"max":1365,"stddev":367.9,"var":135349.6,"ent":4.3,"data": [94,94,86,706,86,356,86,166,503,86,86,373,86,1273,86,838,86,869,86,850,86,356,86,514,86,1365,86,658,86,686,86,670]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,1,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":101,"category":"Advertisement"}} +02171{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":24724,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1605292105418417,"flow_src_last_pkt_time":1605292122813676,"flow_dst_last_pkt_time":1605292122725006,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":764,"flow_dst_max_l4_payload_len":1279,"flow_src_tot_l4_payload_len":4217,"flow_dst_tot_l4_payload_len":4676,"midstream":0,"thread_ts_usec":1605292122813676,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"64:ff9b::6006:749","src_port":39152,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":98,"avg":1119414.5,"max":16588707,"stddev":4059258.8,"var":16477581213696.0,"ent":1.4,"data": [29466,29487,204,37942,9029,46759,696,98,30996,1834,7035,39073,52635,52694,371915,406395,20731,55185,2451,32929,9268,39721,16556740,16588707,11402,43353,16903,58413,9807,93158,46822]},"pktlen": {"min":72,"avg":350.4,"max":1351,"stddev":367.9,"var":135349.6,"ent":4.3,"data": [80,80,72,692,72,342,72,152,489,72,72,359,72,1259,72,824,72,855,72,836,72,342,72,500,72,1351,72,644,72,672,72,656]},"bins": {"c_to_s": [9,0,1,0,0,0,0,0,0,0,0,0,0,2,0,0,0,1,1,1,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,1,1,1,0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0],"entropies": [4.797575951,5.229953289,5.190349579,7.030211926,4.972520828,6.811050892,5.091930866,6.334684849,7.516590118,5.055853844,5.055853844,7.313119888,5.190349579,7.806543827,5.218127251,7.745193005,5.000298500,7.694315910,5.134794235,7.706961155,5.028076172,7.266840458,5.190349579,7.564545631,4.972520828,7.854704857,5.162571907,7.655811310,5.000298500,7.622268677,5.134794235,7.624323368]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":101,"category":"Advertisement"}} 00794{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":24733,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1605292122874816,"flow_src_last_pkt_time":1605292122874816,"flow_dst_last_pkt_time":1605292122874816,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1605292122874816,"l3_proto":"ip6","src_ip":"2a01:cb01:2049:8b07:991d:ec85:28df:f629","dst_ip":"2a00:1450:4007:80a::200a","src_port":40190,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24733,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":1,"flow_src_last_pkt_time":1605292122874816,"flow_dst_last_pkt_time":1605292122874816,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122874816,"pkt":"qtsDr8lk5EKm5WPyht1gDJQ7ACAGQCoBywEgSYsHmR3shSjf9ikqABRQQAcICgAAAAAAACAKnP4Bu4CgSN\/gvLosgBAB9qrlAAABAQgK1OQQnsLdMvM="} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":24745,"source":"tumblr.pcap","alias":"nDPId-test","flow_id":47,"flow_packet_id":2,"flow_src_last_pkt_time":1605292122874816,"flow_dst_last_pkt_time":1605292122899206,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":86,"pkt_l4_len":32,"thread_ts_usec":1605292122899206,"pkt":"5EKm5WPyqtsDr8lkht1gAAAAACAGPSoAFFBABwgKAAAAAAAAIAoqAcsBIEmLB5kd7IUo3\/YpAbuc\/uC8uiyAoEjggBALQrp6AAABAQgKwt3jAtThR68="} @@ -289,10 +289,10 @@ ~~ total active/idle flows...: 47/47 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 7355414 bytes -~~ total memory freed........: 7355414 bytes -~~ total allocations/frees...: 146817/146817 +~~ total memory allocated....: 7361806 bytes +~~ total memory freed........: 7361806 bytes +~~ total allocations/frees...: 146864/146864 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars -~~ json string max len.......: 1777 chars -~~ json string avg len.......: 1134 chars +~~ json string max len.......: 2176 chars +~~ json string avg len.......: 1333 chars diff --git a/test/results/tunnelbear.pcap.out b/test/results/tunnelbear.pcap.out index e13de6cc5..350dc2dad 100644 --- a/test/results/tunnelbear.pcap.out +++ b/test/results/tunnelbear.pcap.out @@ -36,7 +36,7 @@ 00513{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1655734524482823,"flow_dst_last_pkt_time":1655734524482578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734524482823,"pkt":"ABoRAAACABoRAAABCABFAAAo3gtAAEAGvAcKCAABovfzvLmIAbsjcXmi3I6GX1AQ\/\/9T0gAA"} 01047{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":61,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1655734524480852,"flow_src_last_pkt_time":1655734524484592,"flow_dst_last_pkt_time":1655734524482578,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734524484592,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"162.247.243.188","src_port":47496,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"mobile-collector.newrelic.com","tls": {"version":"TLSv1.2","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01388{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":94,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734524480852,"flow_src_last_pkt_time":1655734524484592,"flow_dst_last_pkt_time":1655734524597187,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3864,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3864,"midstream":0,"thread_ts_usec":1655734524597187,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"162.247.243.188","src_port":47496,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"mobile-collector.newrelic.com","tls": {"version":"TLSv1.2","server_names":"*.newrelic.com,newrelic.com","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"a885fb01204bc11cc58efc02fe640899","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Francisco, O=New Relic, Inc., CN=*.newrelic.com","alpn":"http\/1.1","fingerprint":"90:B0:56:FB:4D:88:5C:EB:F9:79:45:35:26:15:0C:00:F4:08:72:77"}}} -01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734524335198,"flow_src_last_pkt_time":1655734524914388,"flow_dst_last_pkt_time":1655734524915156,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3657,"flow_src_tot_l4_payload_len":2952,"flow_dst_tot_l4_payload_len":9379,"midstream":0,"thread_ts_usec":1655734524915156,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":37391.9,"max":265866,"stddev":60218.7,"var":3626296576.0,"ent":3.5,"data": [4811,10763,14,6027,71146,71669,62476,63085,171,99,103,116,2258,2217,58331,58816,497,202,194,148,171,85,633,797,214474,265866,52392,51419,53825,54567,51776]},"pktlen": {"min":54,"avg":440.0,"max":3711,"stddev":812.3,"var":659832.9,"ent":3.6,"data": [74,54,54,571,54,3711,54,147,54,590,54,590,54,319,54,390,375,54,590,54,164,54,54,92,54,1646,54,705,54,366,54,2885]},"bins": {"c_to_s": [7,1,1,1,0,0,0,0,1,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02111{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":113,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734524335198,"flow_src_last_pkt_time":1655734524914388,"flow_dst_last_pkt_time":1655734524915156,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3657,"flow_src_tot_l4_payload_len":2952,"flow_dst_tot_l4_payload_len":9379,"midstream":0,"thread_ts_usec":1655734524915156,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":14,"avg":37391.9,"max":265866,"stddev":60218.7,"var":3626296576.0,"ent":3.5,"data": [4811,10763,14,6027,71146,71669,62476,63085,171,99,103,116,2258,2217,58331,58816,497,202,194,148,171,85,633,797,214474,265866,52392,51419,53825,54567,51776]},"pktlen": {"min":40,"avg":426.0,"max":3697,"stddev":812.3,"var":659832.9,"ent":3.5,"data": [60,40,40,557,40,3697,40,133,40,576,40,576,40,305,40,376,361,40,576,40,150,40,40,78,40,1632,40,691,40,352,40,2871]},"bins": {"c_to_s": [7,1,1,1,0,0,0,0,1,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1],"entropies": [4.505928516,4.461769581,4.584184170,6.096171856,4.530641556,7.154915333,4.484183788,5.938849449,4.530641079,7.408299446,4.530641556,7.614147663,4.580641270,7.362629890,4.511769295,7.075150967,7.354639530,4.461769581,7.592569828,4.461769581,6.475907803,4.530641556,4.584184170,5.252028465,4.480641842,7.871288776,4.584184170,7.643190861,4.584184170,7.059779167,4.584184170,7.871583939]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":132,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655734525210582,"flow_src_last_pkt_time":1655734525210582,"flow_dst_last_pkt_time":1655734525210582,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734525210582,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45124,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":1,"flow_src_last_pkt_time":1655734525210582,"flow_dst_last_pkt_time":1655734525210582,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1655734525210582,"pkt":"ABoRAAACABoRAAABCABFAAA8oPNAAEAGtIYKCAABaBFzKLBEAbsaEwikAAAAAKAC\/\/\/kSwAAAgQFtAQCCAoBY6hXAAAAAAEDAwg="} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":133,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":2,"flow_src_last_pkt_time":1655734525210582,"flow_dst_last_pkt_time":1655734525218112,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734525218112,"pkt":"ABoRAAACABoRAAABCABFAAAoAJJAABAGhPxoEXMoCggAAQG7sETl7PdbGhMIpVAS\/\/8YkAAA"} @@ -49,7 +49,7 @@ 01061{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":143,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525224208,"flow_dst_last_pkt_time":1655734525221695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734525224208,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":145,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525224208,"flow_dst_last_pkt_time":1655734525281832,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1655734525281832,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"5badad76fbdd6e8b6296e2e9f4024401","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01121{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":147,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734525210582,"flow_src_last_pkt_time":1655734525221986,"flow_dst_last_pkt_time":1655734525332870,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1655734525332870,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45124,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"5badad76fbdd6e8b6296e2e9f4024401","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} -01709{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":186,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525773780,"flow_dst_last_pkt_time":1655734525773395,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":749,"flow_src_tot_l4_payload_len":2295,"flow_dst_tot_l4_payload_len":1194,"midstream":0,"thread_ts_usec":1655734525773780,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":35827.1,"max":233720,"stddev":54909.0,"var":3015001088.0,"ent":3.6,"data": [3428,3938,2003,2864,57273,107978,750,51373,305,140,145,128,138,133,50874,51892,1049,50443,50842,196795,233720,37672,51488,50853,51099,141,51026,454,234,444,1019]},"pktlen": {"min":54,"avg":163.7,"max":803,"stddev":198.3,"var":39337.4,"ent":4.2,"data": [74,54,54,571,54,210,54,105,54,590,54,590,54,317,54,132,377,54,92,54,803,54,227,54,92,54,85,54,54,54,54,54]},"bins": {"c_to_s": [9,2,0,0,0,0,0,0,1,0,1,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02107{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":186,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1655734525218267,"flow_src_last_pkt_time":1655734525773780,"flow_dst_last_pkt_time":1655734525773395,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":749,"flow_src_tot_l4_payload_len":2295,"flow_dst_tot_l4_payload_len":1194,"midstream":0,"thread_ts_usec":1655734525773780,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.115.40","src_port":45126,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":128,"avg":35827.1,"max":233720,"stddev":54909.0,"var":3015001088.0,"ent":3.6,"data": [3428,3938,2003,2864,57273,107978,750,51373,305,140,145,128,138,133,50874,51892,1049,50443,50842,196795,233720,37672,51488,50853,51099,141,51026,454,234,444,1019]},"pktlen": {"min":40,"avg":149.7,"max":789,"stddev":198.3,"var":39337.4,"ent":4.1,"data": [60,40,40,557,40,196,40,91,40,576,40,576,40,303,40,118,363,40,78,40,789,40,213,40,78,40,71,40,40,40,40,40]},"bins": {"c_to_s": [9,2,0,0,0,0,0,0,1,0,1,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0],"entropies": [4.472595215,4.630641460,4.634183884,6.061924934,4.530641556,6.057179928,4.684184074,5.430868149,4.530642033,7.374313831,4.580641747,7.639074802,4.530642033,7.179740906,4.461769581,5.884557247,7.359737873,4.580641747,5.284663200,4.580641747,7.730541706,4.684184074,6.845517159,4.684184074,5.293632984,4.565311909,5.134845257,4.480641842,4.465312481,4.430641651,4.480641842,4.471928596]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":190,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655734754614463,"flow_src_last_pkt_time":1655734754614463,"flow_dst_last_pkt_time":1655734754614463,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1655734754614463,"l3_proto":"ip4","src_ip":"10.158.132.91","dst_ip":"104.17.114.40","src_port":38398,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":190,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1655734754614463,"flow_dst_last_pkt_time":1655734754614463,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734754614463,"pkt":"ABoRAAACABoRAAABCABFAAAoVtFAAEAGeswKnoRbaBFyKJX+AbuhM960Ee9+klAQAVedJwAA"} 01213{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":191,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1655734754615913,"flow_dst_last_pkt_time":1655734754614463,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":571,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":571,"pkt_l4_len":537,"thread_ts_usec":1655734754615913,"pkt":"ABoRAAACABoRAAABCABFAAItVtJAAEAGeMYKnoRbaBFyKJX+AbuhM960Ee9+klAYAVc2sQAAFgMBAgABAAH8AwOffU2PEFvusphnSRt4iypv4+ZmiFJN5MhWLpPRgxBGWyBzS35friOfAWwzRvK4nOaCBJAbSD\/HvnzVJtlqjl91KAAYwCvALMypwC\/AMMyowBPAFACcAJ0ALwA1AQABm\/8BAAEAAAAAGQAXAAAUYXBpLnBvbGFyZ3JpenpseS5jb20AFwAAACMAwMEVNlaL0tdGnm3V54JqurXqfhCsyPABZtbMnzb26AxMffuozfeg4IKaCIbNJ3q2zznlQTcn2vtZGw2LgspfFkx\/\/ulZltuMfvovkdu6OxfbcYa5VnIF3xidmaUJ8SUPb79tJJFaBhFXEN61mvGK7zPpvVrV3mTyXEwUGGWTkZAGHvhktDm3FDiaeMeQoyzU\/JxID7YfTFAEkYxMS3+IaSjPuX3oi2kUbrLhwugcx7H6N+6QUOak1x1EA8eU6f8ZVAANABQAEgQDCAQEAQUDCAUFAQgGBgECAQAFAAUBAAAAAAAQAA4ADAJoMghodHRwLzEuMQALAAIBAAAKAAgABgAdABcAGAAVAGgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=="} @@ -126,7 +126,7 @@ 01122{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":312,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734776538093,"flow_src_last_pkt_time":1655734776541777,"flow_dst_last_pkt_time":1655734776872181,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":156,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":156,"midstream":0,"thread_ts_usec":1655734776872181,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33848,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.polargrizzly.com","tls": {"version":"TLSv1.2","ja3":"e9ec38c2b40ff3e300e9975dd7619902","ja3s":"5badad76fbdd6e8b6296e2e9f4024401","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01402{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":313,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734776512617,"flow_src_last_pkt_time":1655734776537556,"flow_dst_last_pkt_time":1655734776874125,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":5473,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5473,"midstream":0,"thread_ts_usec":1655734776874125,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.154.236","src_port":50904,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN","hostname":"api.tunnelbear.com","tls": {"version":"TLSv1.2","server_names":"*.tunnelbear.com,tunnelbear.com","ja3":"a1c672bda2bda1a05bdca801144b2760","ja3s":"a885fb01204bc11cc58efc02fe640899","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA","subjectDN":"CN=*.tunnelbear.com","alpn":"h2,http\/1.1","fingerprint":"52:96:E2:83:CC:15:4E:B3:0F:5B:1D:E2:E8:FF:4E:A9:C4:E9:C0:AF"}}} 01390{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":370,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1655734776705767,"flow_src_last_pkt_time":1655734776708195,"flow_dst_last_pkt_time":1655734776969484,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3864,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":3864,"midstream":0,"thread_ts_usec":1655734776969484,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"162.247.243.188","src_port":48222,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"mobile-collector.newrelic.com","tls": {"version":"TLSv1.2","server_names":"*.newrelic.com,newrelic.com","ja3":"3967ff2d2c9c4d144e7e30f24f4e9761","ja3s":"a885fb01204bc11cc58efc02fe640899","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Francisco, O=New Relic, Inc., CN=*.newrelic.com","alpn":"http\/1.1","fingerprint":"90:B0:56:FB:4D:88:5C:EB:F9:79:45:35:26:15:0C:00:F4:08:72:77"}}} -01712{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":385,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1655734776460292,"flow_src_last_pkt_time":1655734776909928,"flow_dst_last_pkt_time":1655734777250607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2900,"flow_src_tot_l4_payload_len":3230,"flow_dst_tot_l4_payload_len":3163,"midstream":0,"thread_ts_usec":1655734777250607,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33830,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":39998.4,"max":340372,"stddev":83812.5,"var":7024526848.0,"ent":3.0,"data": [4054,5298,2009,3384,237730,240091,25,2380,9328,9409,226,61,1426,1484,112,59,79,69,100518,152574,52262,7046,20588,16017,10024,8002,820,1293,7036,6175,340372]},"pktlen": {"min":54,"avg":254.4,"max":2954,"stddev":516.4,"var":266681.9,"ent":3.7,"data": [74,54,54,571,54,210,54,105,54,107,54,140,54,590,54,590,54,179,54,123,92,54,92,375,54,590,54,162,54,377,54,2954]},"bins": {"c_to_s": [3,3,1,2,0,0,0,0,0,0,2,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,0,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02109{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":385,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1655734776460292,"flow_src_last_pkt_time":1655734776909928,"flow_dst_last_pkt_time":1655734777250607,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2900,"flow_src_tot_l4_payload_len":3230,"flow_dst_tot_l4_payload_len":3163,"midstream":0,"thread_ts_usec":1655734777250607,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33830,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":25,"avg":39998.4,"max":340372,"stddev":83812.5,"var":7024526848.0,"ent":3.0,"data": [4054,5298,2009,3384,237730,240091,25,2380,9328,9409,226,61,1426,1484,112,59,79,69,100518,152574,52262,7046,20588,16017,10024,8002,820,1293,7036,6175,340372]},"pktlen": {"min":40,"avg":240.4,"max":2940,"stddev":516.4,"var":266681.9,"ent":3.5,"data": [60,40,40,557,40,196,40,91,40,93,40,126,40,576,40,576,40,165,40,109,78,40,78,361,40,576,40,148,40,363,40,2940]},"bins": {"c_to_s": [3,3,1,2,0,0,0,0,0,0,2,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,1,0,1,0,1,1],"entropies": [4.460013390,4.480641842,4.515312195,6.108502865,4.580641747,6.049703121,4.634183884,5.378616810,4.580641747,5.520286560,4.580641747,5.850438595,4.530641556,7.632115364,4.530641556,7.628461361,4.580641747,6.826807022,4.530641556,5.918608665,5.310303688,4.580641747,5.303310871,7.209881783,4.580641747,7.572566509,4.580641747,6.476149559,4.580641747,7.298981190,4.530641556,7.923994541]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.TunnelBear","proto_id":"91.299","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00754{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":414,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1655734777904202,"flow_src_last_pkt_time":1655734777904202,"flow_dst_last_pkt_time":1655734777904202,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1655734777904202,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"104.17.114.40","src_port":33858,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":414,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":1,"flow_src_last_pkt_time":1655734777904202,"flow_dst_last_pkt_time":1655734777904202,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1655734777904202,"pkt":"ABoRAAACABoRAAABCABFAAA8VQtAAEAGAW8KCAABaBFyKIRCAbtalsosAAAAAKAC\/\/8YcQAAAgQFtAQCCAoBZJ8nAAAAAAEDAwg="} 00515{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":415,"source":"tunnelbear.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":2,"flow_src_last_pkt_time":1655734777904202,"flow_dst_last_pkt_time":1655734777909352,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1655734777909352,"pkt":"ABoRAAACABoRAAABCABFAAAoALVAABAGhdloEXIoCggAAQG7hEKlaTXTWpbKLVAS\/\/9FkgAA"} @@ -157,10 +157,10 @@ ~~ total active/idle flows...: 21/21 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6201399 bytes -~~ total memory freed........: 6201399 bytes -~~ total allocations/frees...: 122214/122214 +~~ total memory allocated....: 6204255 bytes +~~ total memory freed........: 6204255 bytes +~~ total allocations/frees...: 122235/122235 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 495 chars -~~ json string max len.......: 1717 chars -~~ json string avg len.......: 1106 chars +~~ json string max len.......: 2116 chars +~~ json string avg len.......: 1305 chars diff --git a/test/results/ubntac2.pcap.out b/test/results/ubntac2.pcap.out index 4c38e985f..0e8056962 100644 --- a/test/results/ubntac2.pcap.out +++ b/test/results/ubntac2.pcap.out @@ -43,9 +43,9 @@ ~~ total active/idle flows...: 8/8 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6047017 bytes -~~ total memory freed........: 6047017 bytes -~~ total allocations/frees...: 121557/121557 +~~ total memory allocated....: 6048105 bytes +~~ total memory freed........: 6048105 bytes +~~ total allocations/frees...: 121565/121565 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 925 chars diff --git a/test/results/ultrasurf.pcap.out b/test/results/ultrasurf.pcap.out index 614abcb3d..9a158d56a 100644 --- a/test/results/ultrasurf.pcap.out +++ b/test/results/ultrasurf.pcap.out @@ -5,21 +5,21 @@ 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652731609846,"flow_dst_last_pkt_time":1656652731609846,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":2576,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":2576,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1656652731609846,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 04022{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1656652731609853,"flow_dst_last_pkt_time":1656652731609846,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":2646,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":2646,"pkt_l4_len":2608,"thread_ts_usec":1656652731609853,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAKRM7vQAA3BtrfQTFEGQqEABfDhZQKC2ONCUpUkTKAEAFmmhsAAAEBCAom3sgHA1a0\/YkZzIRfJcoGEDhjun+5RWZFRHORheFaka9qWEEqwSnKRQ8+fGAhhFa7EN5cpLsXBaX2yHZz8DtP4L0FIaDBHwFd5rA4GP5cmI7bfwLgg4FVeGP7SjUTC6qb+HQHzgd9GKJejKikQgtNuMoyW+WltSykS7MMuwC9XmFm880JdkonHY1odOp0bZesqC0Ef58K3CfEAwAV1rHerMtEb3ZHcVOr9dSu4VHvVdRPp+8WfCOtT114DN9xODhN5xizXNsKGb1Vqn77M3rN9osNOzf3tytH8Pevd1aIgf3Sm6YXA7VR5D7dvmhs0FN4QC+LDtkE\/6thA0uo\/lnZqMEIHcwUsGe918WbIwSGOk2MJbaAbJZUODyOfxe+T03WsJGCGLuDQ0m7AsMClrqgh8OHbm5U9HMCsMr4h4pvEhR0z2I+R7A\/GAWfQ1Lv84asTQ\/KcjVoTGNO\/qR9qnBDPz02vpUg0t1qIn5OZjHUJc1XlP7bcvV\/wKw3OfG2mX63GGvc7i7QZES09OVvvvQOx27EiD1xANcAMElPBG4AZ\/1ImDDO55WnYWPfINUR0Htt3CDZHS99b7xjoML0TE0baQJ3Jm38p3DdfsEGrsmIokmWO1TpdGRxB4MJLY3wn7Tw4tqDNqBMVruqsIN3XOP1je5K4jtfip7MN5mhXqQwq26JbXu4RN0QZgBwifB\/DFQoswvG8No+jWGMXSh9v0kJl9fw8bhx9lZpA3tQmLgRL3sOqJAHaqHBZRkJhuHh+Rjm\/6hTfFQ00ehtauLThf9ezdb2uY49gvz2DGebsNmTjFsOx+X4R9hsdpnezkh4aEpX5uL1bXi1H6uS64VjoFNEDHQpZ+3uZrYCmJilgBV0bv0nVghQl4kU33Pf7GIoPZuXhIQfS9VrHsdHbZpH1PU8M\/9PRmRmYlmeapu7XEZp4CzDGYPDSedJ8vQLqPyHzVwGcjHckBVdpjNiPAG5UPQoZ3wCl\/PxEywufemrmfmR\/5AqOpW8\/Wur6zMxw5YPRRe\/bygJ0G9Yqw0LVPvEBxGwFY9uVVI6IGaHAasiMKQLbkze7bdXM6QNfYFDnbbaxoOEV8QDh7YIhuz4gfbAW6eyQbJT2jQKjEHkd0tMaupNho4gKsMUwsj4nZlzTYJVJpDMcLimISegAqBKQ4i8foUUKiadz6eosf+e\/Jex37VfE+krt3zlcpISr8HTnFM1USFF0+9ct3a5KjyNHIWXBbdEjluidEueiRiWyxf4cTH4FbCD2xO9GNRkq9QZppurtJaFbRjXCrw9UUutzbcN9EQ4Cq+gKBSyYXwmUbkSGOLO9rE323nvwyvDcYVdrUsP+BGDklMzvNUHuJnRFouZ1R0WCXxlJrCNrMkgI+iuTt0BJzGXzfEkqc7fmNoiossOF4BZK08wWnsMWJPMsI5Aw3iU49xeiNCj74DW2jR92gY79iEsFrre1ny3NbSwl8EGB091wIYQyL7Ho3Xf3P3gT7nJkJZVIupHy1AL3OnXFLu0aQ9jZogZz0sFxzcPAzim0\/TD+aEJKEn3h1ZCM0dvkLQLeFEGKVhxypzfJLDO0hydYwloEETx3qJaVHzqs8Wq+SgnnsMzDPiMy\/H9mXbpWFOmZUY8c+RgPNNwEPY9sWGgREkghLZgVI4BmbR+1He8AIC\/Jqb6\/fZGK9Su8InqtBz4VDwmCvVjB5VmwRYgEff9Co9KEAKioF+rxsp7jx4CUT\/dUpBgwtPw1AAqwXhQ\/uIBWqnOLtB+sJapVDGqCd6YbeW67lUJtDoMU8VaKm8fednX12fDvla7u1M+CXOyIf\/4rq46zKsHemwKXMSG27KxCoqvfpu2RFyDoNiwIkywHe+mu0KXU6r0uKXXuXHjcqE1XT+Ol42P4hE1aTwsVJT\/aLRIVQDwKL6IhfLinh4zf9x0O\/I\/C1GeMvABe16jJTVzGkcz49endJCMetsRgtWR7oSOwEn5bVIocg8jZsCjdrwEvd6kjZWMsRgHhtbLq+aU27mgxUfacXWiiGTsT33DZFYnj2Gbfgh1MUmZNuxbwGQK74YsSlD8+37pnUDCdBxPu+Gf64VQKHxJ9RtZ7tBvjcOGhEiQQM2Bqm9+kC5dGL6whXOTdBD0aHE3e3jNhysBJXeznMxXLuH5BpQBNhY+pGCD36HH\/gl2POk5EvjD5emciTPfEvMoX\/pO1twUedLTeXtt4V8bNumuTzdRWus9vZCGnaJKWYY+IluLtxDKaBHhULnRKPZr7a3fqY4eZZWnvSv+6SyQfi\/guF4IkYLhqf3LM1QbKUpuoYVTCXDg\/iejAGelMIOMZk\/34eSGVjsk9H4ZDrbf+Wviyu10e\/3LGX4vZqXdNId0qCEAQQsb5bj67rIpqEUfO1gjj68uRkOWA5pTXz1Cw5OGMJDODQJgEJUgUxpgbiqUn1yGaEKOOaiaN2Vv5\/u+w6mqQni+gBiA0+4K0zEMbn8XRxSib6SxlyLQVFPK3+8NFm9X2am1AtSH1\/PoCM1+A0L4I8UddMiaV4KJVbD4gIsbkZTEL2rNpB7+3TEPLkz\/oWqgDlYpiSJoug71nGWFcD+HEERUlO5Z93B7c4XWme9gT2XSraJ9EGS47MTy8E5gSuzHgT06aAD1VDe0EzdVIhzO6QfLKRVyqK\/DkDAcF1dU\/CysJQuLXO26HE1qiZstmUL\/PmaIF1CAre3aq1TiBtKi47RcAusmfTZViQ5pBnP52RilqIkeFHO7qJ+Xe7UbBid1eckGMDShESIKSMkg323ewkUsCQrdbbCQCNxMP\/vovWIiozrHVfadoXMR1+s3vDeGvdijxN0cQlXKhRXEHz1q9AFZPP6OvHtyaigQOx7Av7+CCavPWtRnhVyR2jLsjvU\/P8W5IFa8Qs0a8CJRQpkCWniRyCA3gsdHuiU5LPzN9N6ilFVKYWl8zCdx1E0DuWVnebVHPp\/mSPBcwJb6Kn0mZE5F6Slv4ios+F0zFBa\/+ONDhj8YI3D0pzybuWoGGURZpxxZvXyeMYFUqAzWQpmxOYCpDyYaRzpVXybXDJxWUfNGwmd6Ve5t6JHTxK332fJRagMHTraU5uEpzRuAnBCqVX\/orlzGUbI38lDmfktCRZhIZ0TA4WOuMezAS\/U5UeZ\/Ky36Btzeqc\/GtSNTwfx5pintfeIcHnEiV69AT2a7sR3PISNs\/w0efL492At330L6CabtPqbX+3L9tP+74e7pNSOxbl7oi\/mRnKkb9k8n2BH6yIJJt5VxxH74+2OAUxERThSHVZlYSiPBPktL4R30L859p0z2Uz6qmrKoN1is1fQXX8xGHOr7PkuLtDJqwFDVFJJ9YkA7Dx2pq++TaR\/9pl4AeqnylRZtWT3EJRF\/MYY3nnisHit78gzVET6d1BuDKtwoAyw4mKyfoqWDMp6JOacbgYmXKL3bRC0doX8dbGOchwnFREadeVLCi\/Q5"} 02275{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1656652731631188,"flow_dst_last_pkt_time":1656652731609846,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":1358,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":1358,"pkt_l4_len":1320,"thread_ts_usec":1656652731631188,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAFPM7xQAA3Bt\/lQTFEGQqEABfDhZQKC2OXGUpUkTKAEAFmw0YAAAEBCAom3sgTA1a0\/SxS3iaqHGBX0a8rgr8EFwZv7fbGR3LsZjVMCYTlteWImHMg7dpDQx6QAkVSKrBDRWsAgkFKUO9XRHQzEdcVJv+Jk6+iQYy27OR2Ruv0q0NyJCK8q8neLYQxD7xGx95YziHhCPmx+v2VJKWqXvo5pekBzrhigp\/0TmX3aYQplVTgwksBVP1wSVYSvnxpw4x3MGHY6EK1PhkChr6I2QaCOOskNMVQXjje52Gr0TD6cnIJniT0zvgTXSdGXH4d1pNmH6VI38eKJmR97TCaHW4VbObiULCNV965z+H0nCojIGmrzSNlYRkWatbld8Zbak+Ve9Ye2qFSUfesBybrU8MPKChWDS4szas\/0\/+O+hp7fTEBfmCOnTwpeZ+9ckDlu30IjD3klrlcZcGx59JJ23VaL3mRHXN2m7OYXYqgEUyKkpkk87MSdGKaT3iv+xeB8fdAD0S5iESPxvCatNGVxlnPWQC6LE2Mwk\/UPzo8wmxmWU\/4g2SzkG6fIhc2KfKoBTSS\/18XObBYhTCKn8tmchtQQnCFEhJwUqNPVQHAM7VWv97\/MrpK1Gg3ow57h3u6bsT3zD+7JqhTzfzSb+JLf+gPPuPmKrDBND362h9HtUe4u54hmK0emiAYbKHemgqk5ObUECg98wBR8GbmhEjkgqd5l9MpJjXEnZd7YjYb9HqCPVuTVofELhtwiquLU41YKvkqj9qHY3i83C4I5rsGWBIQz9jCnG\/LAO0gc+K5MhM0jD8w9afyXqZxxIWbvFCzYdvaAxFsd+dbs6QyAzMjBlRwZZJGoKCRudoGu78iGcHZ9v4JjFh8PqFI5RKE50MXupgqZhn5s+mncV4ED4BR62InyQMO+2lSV8XApXho3jZD2BZYaHL8BxzViM2AnSYU40nV5P\/9Zcawh1bVQjVPNsaeHWxMJc5P+uhgQ7yN5cDddbbbFops91CwGboz\/Y\/iUMqNL+Au752094lP9CLdBHTtF0nwGndsTr7PXV2am5lVFY+07I13Rnwh96VlnzAEErq6QUJMFpXVjoILKF75mfhkzufc5ww1btEyyIToFedBu8inrM2nSfVR4GSH1acVyxGJN\/xPMqMoz7qX11hSlDnDNA70XCXcPknSvGQJeC42YvRZuyBXR4bSZJpW3uxAIMisVpx8HuvqUlRDvWeTkl\/KlLkLPqVG6A7V9IJ4CzPp2LGxX0mxIii\/hq8qrdBvVjXBSMG2kFGd1Gk2CYKUDdUedzWwHbeA+x19\/Z8W9DscgX5Ingwo9qBoCIrSYVEyo5A+Bu6P2A6MYai8bIL3N1ixp0uHekzl1S5Y5ONHOtGVOFVnwRx49hvB6HPO9wc0rIJSIsq9YnBJNWgIZNFkCjlBnZHso+vfBKU6hgL+4B1v8gJk8\/+OinGcG00MXqyjoV0hIPvX8fcu6dH9TclFMmJS42m7WMCCPvMCk17qoAwiC5hrfwamrAiYI\/PEcMUUmJwNoLE7aKVZ7926CN5wXkVGlgQDYNSoxPqXoHqtbU6arZQtfgfxuD27lKKUbZm7keaLAlr7T5d0Wedi07GEwl0yp+Np4OWX5kU2Sgn3juSmnKnaCzCcLk2W4PsHrD6xcXA4Ni176mRo2kV4lUcSZ9ReNwImdlBbdKoXwKkzjV8Aa0hRPMOK2kTBCfB1GhE91TGa9BbzjtvK4JbGfzJcCXKDHd6qGUGMR+lTKBl2gIfVx9fr7SRFiR3Ky\/s="} -01719{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652731961797,"flow_dst_last_pkt_time":1656652731903862,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1280,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":41208,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1656652731961797,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":20837.6,"max":150485,"stddev":35657.5,"var":1271454592.0,"ent":3.6,"data": [7,21335,5,10969,29128,61453,2,10832,4,9189,30801,10791,6,19965,5,29291,5,3,3,9324,30618,150485,11,11883,141836,4,17858,20033,9,20018,10094]},"pktlen": {"min":98,"avg":1366.5,"max":2646,"stddev":1007.2,"var":1014474.8,"ent":4.5,"data": [2646,2646,1358,1358,2646,2646,98,98,1358,1358,2646,98,1358,1358,1350,2646,98,98,98,98,1358,98,1358,1358,2646,98,98,2646,1358,1358,2646,2646]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,10],"s_to_c": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,1,1,1,1,0,1,0,0,0,1,1,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02118{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652731961797,"flow_dst_last_pkt_time":1656652731903862,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":1280,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":41208,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1656652731961797,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":20837.6,"max":150485,"stddev":35657.5,"var":1271454592.0,"ent":3.6,"data": [7,21335,5,10969,29128,61453,2,10832,4,9189,30801,10791,6,19965,5,29291,5,3,3,9324,30618,150485,11,11883,141836,4,17858,20033,9,20018,10094]},"pktlen": {"min":80,"avg":1348.5,"max":2628,"stddev":1007.2,"var":1014474.8,"ent":4.5,"data": [2628,2628,1340,1340,2628,2628,80,80,1340,1340,2628,80,1340,1340,1332,2628,80,80,80,80,1340,80,1340,1340,2628,80,80,2628,1340,1340,2628,2628]},"bins": {"c_to_s": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0,0,0,0,10],"s_to_c": [10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,1,1,0,0,0,1,0,0,0,0,1,1,1,1,0,1,0,0,0,1,1,0,0,0,0,0],"entropies": [7.935860634,7.912645817,7.844571114,7.831790447,7.918263912,7.928714752,5.522979259,5.447978497,7.859277725,7.870418549,7.933502197,5.497979641,7.862855911,7.853259087,7.847196579,7.913461208,5.472979069,5.319669724,5.429106236,5.429106236,7.836807251,5.479106426,7.821085453,7.859042645,7.931487560,5.538542747,5.538542747,7.931249619,7.868795395,7.859850407,7.922960758,7.932232857]},"ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":2962,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652778161151,"flow_dst_last_pkt_time":1656652778161151,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652778161151,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00548{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2962,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1656652778161151,"flow_dst_last_pkt_time":1656652778161151,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652778161151,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAAPJe\/QAA\/BhQYCoQAF0ExRBmU6MOFszN1DQAAAACgAv\/\/UcYAAAIEBVAEAggKA1bisgAAAAABAwMI"} 00544{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2970,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1656652778161151,"flow_dst_last_pkt_time":1656652778372319,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652778372319,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAAPAAAQAA3BrPXQTFEGQqEABfDhZTovxOnA7MzdQ6gEnEg1IYAAAIEBYwEAggKJt9+2gNW4rIBAwMJ"} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2974,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1656652778421535,"flow_dst_last_pkt_time":1656652778372319,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":70,"pkt_l4_len":32,"thread_ts_usec":1656652778421535,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAANJfAQAA\/BhQfCoQAF0ExRBmU6MOFszN1Dr8TpwSAEAFXcrgAAAEBCAoDVuLwJt9+2g=="} 01331{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":2975,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652778421539,"flow_dst_last_pkt_time":1656652778372319,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652778421539,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01376{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":2977,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652778421539,"flow_dst_last_pkt_time":1656652778641896,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1288,"midstream":0,"thread_ts_usec":1656652778641896,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01940{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3003,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652779042511,"flow_dst_last_pkt_time":1656652779222772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":5006,"flow_dst_tot_l4_payload_len":4491,"midstream":0,"thread_ts_usec":1656652779222772,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":62676.8,"max":270784,"stddev":99488.0,"var":9897854976.0,"ent":3.4,"data": [211168,260384,4,269572,5,10096,9894,260379,4,20013,20030,10943,4,270784,9694,4,10276,229481,5,19977,40078,29866,14,10092,29929,210869,5,2,9,9396,4]},"pktlen": {"min":70,"avg":367.3,"max":1418,"stddev":449.6,"var":202163.0,"ent":4.1,"data": [78,78,70,587,70,1358,1358,1274,70,70,70,134,156,708,125,105,101,126,101,70,112,1418,104,1166,698,668,70,105,262,205,105,131]},"bins": {"c_to_s": [7,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [4,8,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,0,0,0,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02332{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3003,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652779042511,"flow_dst_last_pkt_time":1656652779222772,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":5006,"flow_dst_tot_l4_payload_len":4491,"midstream":0,"thread_ts_usec":1656652779222772,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":62676.8,"max":270784,"stddev":99488.0,"var":9897854976.0,"ent":3.4,"data": [211168,260384,4,269572,5,10096,9894,260379,4,20013,20030,10943,4,270784,9694,4,10276,229481,5,19977,40078,29866,14,10092,29929,210869,5,2,9,9396,4]},"pktlen": {"min":52,"avg":349.3,"max":1400,"stddev":449.6,"var":202163.0,"ent":4.0,"data": [60,60,52,569,52,1340,1340,1256,52,52,52,116,138,690,107,87,83,108,83,52,94,1400,86,1148,680,650,52,87,244,187,87,113]},"bins": {"c_to_s": [7,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0],"s_to_c": [4,8,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,2,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,1,1,1,1,0,0,1,0,1,0,0,0,1,1,1,1,1,1],"entropies": [4.726680756,5.240227222,5.272274494,6.111527920,5.130220413,7.844857216,7.849434853,7.833609104,5.233813286,5.156889915,5.233813286,6.138292789,6.368075848,7.651264191,6.278759480,5.928515911,5.691242695,6.148318291,5.806828022,5.233812809,5.950813293,7.875130177,5.929117203,7.818894386,7.718791008,7.725904465,5.168681622,5.919838905,6.926432133,6.780454636,5.896851063,6.240451336]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":7468,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652831434184,"flow_dst_last_pkt_time":1656652831434184,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652831434184,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7468,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1656652831434184,"flow_dst_last_pkt_time":1656652831434184,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652831434184,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAAPDStQAA\/BncqCoQAF0ExRBmVCMOFn9EiagAAAACgAv\/\/g5YAAAIEBVAEAggKA1cWxwAAAAABAwMI"} 00545{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7491,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1656652831434184,"flow_dst_last_pkt_time":1656652831643678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":78,"pkt_l4_len":40,"thread_ts_usec":1656652831643678,"pkt":"zBr67JUAcGlaOmiJgQAAyAgARQAAPAAAQAA3BrPXQTFEGQqEABfDhZUIPEwzlZ\/RImugEnEgLEwAAAIEBYwEAggKJuBPGgNXFscBAwMJ"} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":7496,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1656652831673898,"flow_dst_last_pkt_time":1656652831643678,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":70,"pkt_l4_len":32,"thread_ts_usec":1656652831673898,"pkt":"cGlaOmiJzBr67JUAgQAAyAgARQAANDSuQAA\/BncxCoQAF0ExRBmVCMOFn9EiazxMM5aAEAFXyn8AAAEBCAoDVxcDJuBPGg=="} 01331{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":7499,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652831673908,"flow_dst_last_pkt_time":1656652831643678,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1656652831673908,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.2","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01376{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":7502,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652831673908,"flow_dst_last_pkt_time":1656652831894735,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1288,"midstream":0,"thread_ts_usec":1656652831894735,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1.3","ja3":"b592adaa596bb72a5c1ccdbecae52e3f","ja3s":"f4febc55ea12b31ae17cfb7e614afda8","unsafe_cipher":0,"cipher":"TLS_AES_128_GCM_SHA256","alpn":"h2,http\/1.1","tls_supported_versions":"GREASE,TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01924{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7528,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652832235258,"flow_dst_last_pkt_time":1656652832454997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":4808,"flow_dst_tot_l4_payload_len":5851,"midstream":0,"thread_ts_usec":1656652832454997,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":58770.5,"max":269120,"stddev":100848.2,"var":10170350592.0,"ent":3.1,"data": [209494,239714,10,251051,6,11439,12,260675,5,9589,20029,20030,269120,19987,5,231024,5,19971,10,4,3,3,2,249606,8,2,3,3,10064,10,3]},"pktlen": {"min":70,"avg":403.6,"max":1418,"stddev":479.7,"var":230117.0,"ent":4.2,"data": [78,78,70,587,70,1358,1358,1274,70,70,70,134,386,125,105,157,70,101,1418,446,1418,498,268,252,70,105,131,218,262,105,205,1358]},"bins": {"c_to_s": [7,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [3,5,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02319{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":7528,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652832235258,"flow_dst_last_pkt_time":1656652832454997,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1348,"flow_dst_max_l4_payload_len":1288,"flow_src_tot_l4_payload_len":4808,"flow_dst_tot_l4_payload_len":5851,"midstream":0,"thread_ts_usec":1656652832454997,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":58770.5,"max":269120,"stddev":100848.2,"var":10170350592.0,"ent":3.1,"data": [209494,239714,10,251051,6,11439,12,260675,5,9589,20029,20030,269120,19987,5,231024,5,19971,10,4,3,3,2,249606,8,2,3,3,10064,10,3]},"pktlen": {"min":52,"avg":385.6,"max":1400,"stddev":479.7,"var":230117.0,"ent":4.1,"data": [60,60,52,569,52,1340,1340,1256,52,52,52,116,368,107,87,139,52,83,1400,428,1400,480,250,234,52,87,113,200,244,87,187,1340]},"bins": {"c_to_s": [7,0,1,0,0,1,1,0,0,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [3,5,1,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,3,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,1],"entropies": [4.680766106,5.194312096,5.041505337,6.080573082,5.168682098,7.827150345,7.863349915,7.855801105,5.156889915,5.156889915,5.118428230,6.048384190,7.387241364,5.998385429,5.810531616,6.322457314,5.118428230,5.674062252,7.876391411,7.449967384,7.849254131,7.577188969,7.053901672,7.035159111,5.130220413,5.850873470,6.129572392,6.822973251,6.886046886,5.873862267,6.798689365,7.860256195]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00923{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8142,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":1802,"flow_dst_packets_processed":1169,"flow_first_seen":1656652731609846,"flow_src_last_pkt_time":1656652778352349,"flow_dst_last_pkt_time":1656652778381476,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":2576,"flow_dst_max_l4_payload_len":1802,"flow_src_tot_l4_payload_len":2740999,"flow_dst_tot_l4_payload_len":23869,"midstream":1,"thread_ts_usec":1656652839654386,"l3_proto":"ip4","src_ip":"65.49.68.25","dst_ip":"10.132.0.23","src_port":50053,"dst_port":37898,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"UltraSurf","proto_id":"304","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 01154{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8142,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":1826,"flow_dst_packets_processed":2699,"flow_first_seen":1656652778161151,"flow_src_last_pkt_time":1656652831683725,"flow_dst_last_pkt_time":1656652831663695,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1505,"flow_dst_max_l4_payload_len":2576,"flow_src_tot_l4_payload_len":76106,"flow_dst_tot_l4_payload_len":4310303,"midstream":0,"thread_ts_usec":1656652839654386,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38120,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01151{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":8142,"source":"ultrasurf.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":304,"flow_dst_packets_processed":342,"flow_first_seen":1656652831434184,"flow_src_last_pkt_time":1656652839654386,"flow_dst_last_pkt_time":1656652839634354,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1391,"flow_dst_max_l4_payload_len":2576,"flow_src_tot_l4_payload_len":56893,"flow_dst_tot_l4_payload_len":279549,"midstream":0,"thread_ts_usec":1656652839654386,"l3_proto":"ip4","src_ip":"10.132.0.23","dst_ip":"65.49.68.25","src_port":38152,"dst_port":50053,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"24": {"risk":"Missing SNI TLS Extn","severity":"Medium","risk_score": {"total":500,"client":350,"server":150}}},"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -32,9 +32,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6299958 bytes -~~ total memory freed........: 6299958 bytes -~~ total allocations/frees...: 129663/129663 +~~ total memory allocated....: 6300366 bytes +~~ total memory freed........: 6300366 bytes +~~ total allocations/frees...: 129666/129666 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 4032 chars diff --git a/test/results/upnp.pcap.out b/test/results/upnp.pcap.out index dd30b34a6..5be03b733 100644 --- a/test/results/upnp.pcap.out +++ b/test/results/upnp.pcap.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037615 bytes -~~ total memory freed........: 6037615 bytes -~~ total allocations/frees...: 121509/121509 +~~ total memory allocated....: 6037887 bytes +~~ total memory freed........: 6037887 bytes +~~ total allocations/frees...: 121511/121511 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars ~~ json string max len.......: 1402 chars diff --git a/test/results/viber.pcap.out b/test/results/viber.pcap.out index 74feed818..f98fcec3c 100644 --- a/test/results/viber.pcap.out +++ b/test/results/viber.pcap.out @@ -56,7 +56,7 @@ 01053{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":87,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641865014,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155641868230,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01113{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":89,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641890520,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1527155641890520,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01376{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":91,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641868230,"flow_dst_last_pkt_time":1527155641890790,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":183,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":4344,"midstream":0,"thread_ts_usec":1527155641890790,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","server_names":"*.viber.com,viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","subjectDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.viber.com","alpn":"h2,http\/1.1","fingerprint":"E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A"}}} -01555{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":115,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":8869.6,"max":47784,"stddev":14735.4,"var":217133360.0,"ent":3.3,"data": [19470,21663,1023,22292,3214,249,21,217,39369,88,574,349,10837,47784,22339,40800,258,54,169,260,19,213,268,217,249,532,41188,70,47,44,1080]},"pktlen": {"min":66,"avg":728.1,"max":1514,"stddev":673.4,"var":453425.2,"ent":4.3,"data": [74,74,66,249,66,1514,1514,1514,411,66,66,66,66,192,308,774,1514,1514,1514,1514,1514,1514,1514,1514,1514,1514,808,66,66,66,66,66]},"bins": {"c_to_s": [11,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0]}} +01954{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":115,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":19,"avg":8869.6,"max":47784,"stddev":14735.4,"var":217133360.0,"ent":3.3,"data": [19470,21663,1023,22292,3214,249,21,217,39369,88,574,349,10837,47784,22339,40800,258,54,169,260,19,213,268,217,249,532,41188,70,47,44,1080]},"pktlen": {"min":52,"avg":714.1,"max":1500,"stddev":673.4,"var":453425.2,"ent":4.3,"data": [60,60,52,235,52,1500,1500,1500,397,52,52,52,52,178,294,760,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,794,52,52,52,52,52]},"bins": {"c_to_s": [11,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0],"entropies": [4.571673393,5.231404781,5.154164791,5.626152039,5.147462368,7.170236111,7.463209152,7.511432171,7.329006195,5.115703106,5.154164791,5.192625999,5.154164791,6.447020531,7.153199196,7.703028202,7.855375767,7.870701790,7.853311062,7.869762897,7.858384132,7.891494274,7.876748085,7.889567852,7.884804249,7.876610279,7.713707447,5.154164791,5.154164314,5.115703106,5.154164314,5.109001160]}} 01381{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":115,"source":"viber.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":14,"flow_dst_packets_processed":18,"flow_first_seen":1527155641845544,"flow_src_last_pkt_time":1527155641984215,"flow_dst_last_pkt_time":1527155641981830,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":708,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":1017,"flow_dst_tot_l4_payload_len":20153,"midstream":0,"thread_ts_usec":1527155641984215,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.230.93.53","src_port":53934,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Viber","proto_id":"91.144","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"dl-media.viber.com","tls": {"version":"TLSv1.2","server_names":"*.viber.com,viber.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"76cc3e2d3028143b23ec18e27dbd7ca9","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=thawte, Inc., CN=thawte SSL CA - G2","subjectDN":"C=LU, ST=Luxembourg, L=Luxembourg, O=Viber Media Sarl, OU=IT, CN=*.viber.com","alpn":"h2,http\/1.1","fingerprint":"E1:11:26:E6:14:A5:E6:F7:F1:CB:68:D1:A6:95:A1:5E:11:48:72:2A"}}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":119,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155644240774,"flow_src_last_pkt_time":1527155644240774,"flow_dst_last_pkt_time":1527155644240774,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":23,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":23,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155644240774,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"172.217.23.106","src_port":41993,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":119,"source":"viber.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":1,"flow_src_last_pkt_time":1527155644240774,"flow_dst_last_pkt_time":1527155644240774,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":65,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":65,"pkt_l4_len":31,"thread_ts_usec":1527155644240774,"pkt":"AA6OMNv9MAdNo1+nCABFAAAzV0lAAEARXnTAqAARrNkXaqQJAbsAHwH3DO5PoOHayJNED10MJ0pTvsIOJQ7muOI="} @@ -93,7 +93,7 @@ 01039{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":215,"source":"viber.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1527155648513495,"flow_src_last_pkt_time":1527155648533128,"flow_dst_last_pkt_time":1527155648523699,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":184,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155648533128,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"151.101.1.130","src_port":55746,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"venetia.iad.appboy.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01053{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":217,"source":"viber.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1527155648513495,"flow_src_last_pkt_time":1527155648533128,"flow_dst_last_pkt_time":1527155648544884,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":184,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":184,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1527155648544884,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"151.101.1.130","src_port":55746,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"venetia.iad.appboy.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 00577{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":255,"source":"viber.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":3,"flow_src_last_pkt_time":1527155666982912,"flow_dst_last_pkt_time":1527155646968117,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":103,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":103,"pkt_l4_len":69,"thread_ts_usec":1527155666982912,"pkt":"AQBeAAD7MAdNo1+nCABFAABZIsxAAP8RtxLAqAAR4AAA+xTpFOkARSvGAAUAAAACAAAAAAAACV84MDU3NDFDOQRfc3ViC19nb29nbGVjYXN0BF90Y3AFbG9jYWwAAAwAAcAbAAwAAQ=="} -01619{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":1934444.6,"max":10701681,"stddev":2902413.2,"var":8424002682880.0,"ent":3.5,"data": [54240,95930,270,43992,41788,57048,16087,92087,91609,10563926,10701681,4192149,4152724,4422076,4422070,309467,309552,21641,197002,97,215011,3974475,3934854,3635331,52554,3635290,52615,12721,140816,167507,4361173]},"pktlen": {"min":66,"avg":155.7,"max":596,"stddev":133.2,"var":17739.8,"ent":4.6,"data": [167,122,66,142,66,508,130,66,134,66,163,66,160,66,160,66,405,66,164,66,150,66,160,66,160,424,66,66,164,150,66,596]},"bins": {"c_to_s": [4,1,6,2,0,0,0,0,0,0,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,1,1,0,1,0]}} +02018{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":97,"avg":1934444.6,"max":10701681,"stddev":2902413.2,"var":8424002682880.0,"ent":3.5,"data": [54240,95930,270,43992,41788,57048,16087,92087,91609,10563926,10701681,4192149,4152724,4422076,4422070,309467,309552,21641,197002,97,215011,3974475,3934854,3635331,52554,3635290,52615,12721,140816,167507,4361173]},"pktlen": {"min":52,"avg":141.7,"max":582,"stddev":133.2,"var":17739.8,"ent":4.5,"data": [153,108,52,128,52,494,116,52,120,52,149,52,146,52,146,52,391,52,150,52,136,52,146,52,146,410,52,52,150,136,52,582]},"bins": {"c_to_s": [4,1,6,2,0,0,0,0,0,0,1,1,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,0,3,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,1,0,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,1,1,0,1,0],"entropies": [6.431744576,6.016238213,4.829590321,6.209959030,4.955154419,7.559208393,6.096168518,5.008132935,6.149723053,4.916692734,6.302158833,4.921030998,6.449830055,4.959492207,6.525306225,4.921030521,7.398088932,4.997953892,6.476407528,4.969671726,6.289449215,4.997953892,6.509795189,4.997953892,6.393223286,7.421437263,4.997953892,4.997953892,6.452959538,6.382457256,4.997953892,7.597495079]}} 00874{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00875{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":257,"source":"viber.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155638428936,"flow_src_last_pkt_time":1527155670525718,"flow_dst_last_pkt_time":1527155666299937,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":530,"flow_dst_max_l4_payload_len":98,"flow_src_tot_l4_payload_len":2467,"flow_dst_tot_l4_payload_len":404,"midstream":1,"thread_ts_usec":1527155670525718,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"52.0.253.101","src_port":33208,"dst_port":4244,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":260,"source":"viber.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155670632131,"flow_src_last_pkt_time":1527155670632131,"flow_dst_last_pkt_time":1527155670632131,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155670632131,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":45424,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -116,7 +116,7 @@ 01059{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":276,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1527155671066998,"flow_src_last_pkt_time":1527155671250450,"flow_dst_last_pkt_time":1527155671237849,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":181,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":181,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155671250450,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"brahe.apptimize.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"http\/1.1"}}} 01119{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":278,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1527155671066998,"flow_src_last_pkt_time":1527155671250450,"flow_dst_last_pkt_time":1527155671423359,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":181,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":181,"flow_dst_tot_l4_payload_len":1448,"midstream":0,"thread_ts_usec":1527155671423359,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"brahe.apptimize.com","tls": {"version":"TLSv1.2","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}} 01476{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":281,"source":"viber.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":6,"flow_first_seen":1527155671066998,"flow_src_last_pkt_time":1527155671250450,"flow_dst_last_pkt_time":1527155671423665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":181,"flow_dst_max_l4_payload_len":1448,"flow_src_tot_l4_payload_len":181,"flow_dst_tot_l4_payload_len":4873,"midstream":0,"thread_ts_usec":1527155671423665,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"54.187.91.182","src_port":49048,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"brahe.apptimize.com","tls": {"version":"TLSv1.2","server_names":"*.apptimize.com,apptimize.com","ja3":"d8c87b9bfde38897979e41242626c2f3","ja3s":"8d2a028aa94425f76ced7826b1f39039","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=GB, ST=Greater Manchester, L=Salford, O=COMODO CA Limited, CN=COMODO RSA Organization Validation Secure Server CA","subjectDN":"C=US, ST=CA, L=Mountain View, O=Apptimize, Inc, OU=PremiumSSL Wildcard, CN=*.apptimize.com","alpn":"http\/1.1","fingerprint":"BC:4C:8F:EC:8B:7B:85:BD:54:61:8B:C0:7B:E7:A2:69:0B:F2:49:E5"}}} -01755{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":326,"source":"viber.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155670640484,"flow_src_last_pkt_time":1527155675775126,"flow_dst_last_pkt_time":1527155675692683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2947,"flow_dst_tot_l4_payload_len":930,"midstream":0,"thread_ts_usec":1527155675775126,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":47171,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":129,"avg":328607.8,"max":525007,"stddev":210300.8,"var":44226416640.0,"ent":4.6,"data": [129,33097,500276,500261,503516,15204,503250,15302,516057,515704,477654,477626,36790,36786,524953,525007,440389,440669,68112,67828,523108,523160,411969,411845,84133,84199,517782,517791,399760,399674,114810]},"pktlen": {"min":62,"avg":163.2,"max":299,"stddev":100.4,"var":10086.1,"ent":4.7,"data": [299,62,118,299,118,62,299,76,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299,118,299,118,62,76,299]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02154{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":326,"source":"viber.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1527155670640484,"flow_src_last_pkt_time":1527155675775126,"flow_dst_last_pkt_time":1527155675692683,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":20,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2947,"flow_dst_tot_l4_payload_len":930,"midstream":0,"thread_ts_usec":1527155675775126,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.32","src_port":47171,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":129,"avg":328607.8,"max":525007,"stddev":210300.8,"var":44226416640.0,"ent":4.6,"data": [129,33097,500276,500261,503516,15204,503250,15302,516057,515704,477654,477626,36790,36786,524953,525007,440389,440669,68112,67828,523108,523160,411969,411845,84133,84199,517782,517791,399760,399674,114810]},"pktlen": {"min":48,"avg":149.2,"max":285,"stddev":100.4,"var":10086.1,"ent":4.7,"data": [285,48,104,285,104,48,285,62,104,285,104,48,62,285,104,285,104,48,62,285,104,285,104,48,62,285,104,285,104,48,62,285]},"bins": {"c_to_s": [6,0,0,0,0,0,0,0,11,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,10,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [6.429836750,5.092222691,3.431529284,6.457198620,3.469990969,5.092222691,6.466431141,4.018082619,3.469990969,6.511886120,3.469990969,5.092222691,3.985824585,6.440430164,3.469990969,6.468061447,3.419557333,4.967222214,3.953566313,6.441361427,3.450760365,6.449966431,3.469991207,5.050555706,4.018082619,6.492553234,3.489221811,6.449169159,3.469991207,5.050556183,4.018082619,6.452616215]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":357,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155679410348,"flow_src_last_pkt_time":1527155679410348,"flow_dst_last_pkt_time":1527155679410348,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155679410348,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":33744,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":357,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1527155679410348,"flow_dst_last_pkt_time":1527155679410348,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1527155679410348,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8V2ZAAEAGC9HAqAAREskEA4PQAbvgGt8vAAAAAKAC\/\/+jOgAAAgQFtAQCCAoAIYhJAAAAAAEDAwc="} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":358,"source":"viber.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155679411371,"flow_src_last_pkt_time":1527155679411371,"flow_dst_last_pkt_time":1527155679411371,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":257,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":257,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155679411371,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":38190,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -131,7 +131,7 @@ 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":364,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":2,"flow_src_last_pkt_time":1527155679410348,"flow_dst_last_pkt_time":1527155679443640,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1527155679443640,"pkt":"MAdNo1+nAA6OMNv9CABFAAA8AABAACsGeDcSyQQDwKgAEQG7g9B0pK754BrfMKASaN\/EGgAAAgQFtAQCCAoA5FGtACGISQEDAwc="} 00524{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":365,"source":"viber.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":3,"flow_src_last_pkt_time":1527155679444692,"flow_dst_last_pkt_time":1527155679443640,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1527155679444692,"pkt":"AA6OMNv9MAdNo1+nCABFAAA0V2dAAEAGC9jAqAAREskEA4PQAbvgGt8wdKSu+oAQAq1ZEAAAAQEICgAhiFIA5FGt"} 00882{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":374,"source":"viber.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1527155647500374,"flow_src_last_pkt_time":1527155647500402,"flow_dst_last_pkt_time":1527155647500374,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":16,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":16,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155680456436,"l3_proto":"ip6","src_ip":"fe80::3207:4dff:fea3:5fa7","dst_ip":"ff02::2","l4_proto":"icmp6","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMPV6","proto_id":"102","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":396,"source":"viber.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1527155679411371,"flow_src_last_pkt_time":1527155683480847,"flow_dst_last_pkt_time":1527155683453495,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2479,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1527155683480847,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":38190,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":261664.5,"max":531417,"stddev":244884.4,"var":59968385024.0,"ent":4.1,"data": [2549,75,31700,2304,505528,505691,496908,2109,6670,496650,8720,505323,505404,490799,100,14960,490657,15090,513169,513225,531417,103,49,531356,217,492947,492967,448249,97,448143,58424]},"pktlen": {"min":54,"avg":143.8,"max":299,"stddev":99.7,"var":9932.1,"ent":4.7,"data": [299,60,62,118,76,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,299,76,118,299,118,62,54,76,299]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02122{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":396,"source":"viber.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1527155679411371,"flow_src_last_pkt_time":1527155683480847,"flow_dst_last_pkt_time":1527155683453495,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":257,"flow_dst_max_l4_payload_len":76,"flow_src_tot_l4_payload_len":2479,"flow_dst_tot_l4_payload_len":778,"midstream":0,"thread_ts_usec":1527155683480847,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"18.201.4.3","src_port":38190,"dst_port":7985,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":49,"avg":261664.5,"max":531417,"stddev":244884.4,"var":59968385024.0,"ent":4.1,"data": [2549,75,31700,2304,505528,505691,496908,2109,6670,496650,8720,505323,505404,490799,100,14960,490657,15090,513169,513225,531417,103,49,531356,217,492947,492967,448249,97,448143,58424]},"pktlen": {"min":40,"avg":129.8,"max":285,"stddev":99.7,"var":9932.1,"ent":4.6,"data": [285,46,48,104,62,285,104,48,40,285,62,104,285,104,48,40,285,62,104,285,104,48,40,285,62,104,285,104,48,40,62,285]},"bins": {"c_to_s": [10,0,0,0,0,0,0,0,9,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,5,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,0,1,1,0,1,0,0,1,0],"entropies": [6.294480801,4.507713318,5.008889198,3.477249622,4.018082619,6.362309933,3.496480465,5.050556183,4.408695221,6.358519077,3.985824585,3.458018780,6.336889267,3.458018780,4.967222214,4.408695221,6.270152092,3.909132719,3.438787937,6.396345615,3.496480465,5.008889198,4.408695221,6.346873283,3.855867863,3.496480465,6.368536949,3.477249622,5.008889198,4.408695221,3.985824585,6.367835045]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Viber","proto_id":"144","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155685529875,"flow_src_last_pkt_time":1527155685529875,"flow_dst_last_pkt_time":1527155685529875,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155685529875,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1527155685529875,"flow_dst_last_pkt_time":1527155685529875,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1527155685529875,"pkt":"AA6OMNv9MAdNo1+nCABFAAA8KqJAAEARjp7AqAARwKgAD8OxADUAKKNciEIBAAABAAAAAAAAA3d3dwZnb29nbGUDY29tAAABAAE="} 00996{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":421,"source":"viber.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1527155685529875,"flow_src_last_pkt_time":1527155685529875,"flow_dst_last_pkt_time":1527155685529875,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1527155685529875,"l3_proto":"ip4","src_ip":"192.168.0.17","dst_ip":"192.168.0.15","src_port":50097,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Google","proto_id":"5.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"www.google.com","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -201,9 +201,9 @@ ~~ total active/idle flows...: 29/29 ~~ total timeout flows.......: 3 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6254012 bytes -~~ total memory freed........: 6254012 bytes -~~ total allocations/frees...: 122268/122268 +~~ total memory allocated....: 6257956 bytes +~~ total memory freed........: 6257956 bytes +~~ total allocations/frees...: 122297/122297 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 2466 chars diff --git a/test/results/vnc.pcap.out b/test/results/vnc.pcap.out index 4e319770e..a9f706add 100644 --- a/test/results/vnc.pcap.out +++ b/test/results/vnc.pcap.out @@ -5,13 +5,13 @@ 00519{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1476111264364066,"flow_dst_last_pkt_time":1476111264364590,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1476111264364590,"pkt":"xOodxQGGEP7tAkntCABFAAA0fFNAAIAGAADAqAJuX+0w0Br06Y8QfmeF6sUwZYASIABT+gAAAgQFtAEDAwgBAQQC"} 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1476111264402886,"flow_dst_last_pkt_time":1476111264364590,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1476111264402886,"pkt":"EP7tAkntxOodxQGGCABFAAAoXs5AAHQGVC5f7TDQwKgCbumPGvTqxTBlEH5nhlAQQTqDEwAAAAAAAAAA"} 01107{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":5,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111264453192,"flow_dst_last_pkt_time":1476111264414487,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":12,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":12,"midstream":0,"thread_ts_usec":1476111264453192,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -01918{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111265262808,"flow_dst_last_pkt_time":1476111265262852,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111265262852,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":57984.8,"max":545295,"stddev":113391.3,"var":12857594880.0,"ent":3.2,"data": [524,38820,49897,50306,38760,37061,157832,7049,164493,745,37544,181,35,36356,3,37327,1189,1,198,747,2,747,516,199031,310273,46,50,545295,719,22308,59473]},"pktlen": {"min":54,"avg":70.6,"max":89,"stddev":12.8,"var":163.2,"ent":5.0,"data": [66,66,60,66,66,62,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,54,77,54,84,82,86,60,60,81,54]},"bins": {"c_to_s": [12,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,1,1,1,0,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +02317{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111265262808,"flow_dst_last_pkt_time":1476111265262852,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111265262852,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":57984.8,"max":545295,"stddev":113391.3,"var":12857594880.0,"ent":3.2,"data": [524,38820,49897,50306,38760,37061,157832,7049,164493,745,37544,181,35,36356,3,37327,1189,1,198,747,2,747,516,199031,310273,46,50,545295,719,22308,59473]},"pktlen": {"min":40,"avg":56.6,"max":75,"stddev":12.8,"var":163.2,"ent":5.0,"data": [52,52,46,52,52,48,46,40,59,46,69,74,74,62,46,75,40,74,72,40,68,72,40,63,40,70,68,72,46,46,67,40]},"bins": {"c_to_s": [12,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [13,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,1,0,1,1,1,1,0,0,0,1],"entropies": [4.631521702,4.863714218,4.609350204,4.985801697,5.140452385,4.993162155,4.757925987,4.730641365,5.272469521,4.609350204,5.640918255,5.577627659,5.864722729,5.438069820,4.565871716,5.780129910,4.730641365,5.837696075,5.730319500,4.671928406,5.671802044,5.704510212,4.621928692,5.604105949,4.671928406,5.568077564,5.579674721,5.540976048,4.522393703,4.478915215,5.614377499,4.671928406]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":3544,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111286462067,"flow_dst_last_pkt_time":1476111286462067,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1476111286462067,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3544,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1476111286462067,"flow_dst_last_pkt_time":1476111286462067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1476111286462067,"pkt":"EP7tAkntxOodxQGGCABFAAA0be5AAHQGRQJf7TDQwKgCbslnGvTjPDftAAAAAIACIAD7xAAAAgQFrAEDAwIBAQQC"} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3545,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1476111286462067,"flow_dst_last_pkt_time":1476111286462174,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1476111286462174,"pkt":"xOodxQGGEP7tAkntCABFAAA0AmNAAIAGAADAqAJuX+0w0Br0yWdPW3mt4zw37oASIABT+gAAAgQFtAEDAwgBAQQC"} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3546,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1476111286499568,"flow_dst_last_pkt_time":1476111286462174,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1476111286499568,"pkt":"EP7tAkntxOodxQGGCABFAAAobe9AAHQGRQ1f7TDQwKgCbslnGvTjPDfuT1t5rlAQQTpSNgAAAAAAAAAA"} 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":3548,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111286549120,"flow_dst_last_pkt_time":1476111286510841,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":12,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":12,"midstream":0,"thread_ts_usec":1476111286549120,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} -01922{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3575,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111287358990,"flow_dst_last_pkt_time":1476111287224950,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111287358990,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":53542.1,"max":538844,"stddev":125065.9,"var":15641482240.0,"ent":3.0,"data": [107,37501,48667,49552,38334,36850,46381,48516,45667,1708,45497,182,37420,547,413,36764,2984,39898,772,181,762,824,181,2,1005,501772,46,703,538844,2,97724]},"pktlen": {"min":54,"avg":70.8,"max":89,"stddev":12.6,"var":158.0,"ent":5.0,"data": [66,66,60,66,66,62,60,54,60,54,73,60,83,88,88,76,60,89,54,88,86,54,82,86,77,54,84,82,86,60,60,81]},"bins": {"c_to_s": [13,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,0,1,1,1,1,0,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} +02321{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":3575,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111287358990,"flow_dst_last_pkt_time":1476111287224950,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":287,"flow_dst_tot_l4_payload_len":185,"midstream":0,"thread_ts_usec":1476111287358990,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":53542.1,"max":538844,"stddev":125065.9,"var":15641482240.0,"ent":3.0,"data": [107,37501,48667,49552,38334,36850,46381,48516,45667,1708,45497,182,37420,547,413,36764,2984,39898,772,181,762,824,181,2,1005,501772,46,703,538844,2,97724]},"pktlen": {"min":40,"avg":56.8,"max":75,"stddev":12.6,"var":158.0,"ent":5.0,"data": [52,52,46,52,52,48,46,40,46,40,59,46,69,74,74,62,46,75,40,74,72,40,68,72,63,40,70,68,72,46,46,67]},"bins": {"c_to_s": [13,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,0,1,0,1,1,0,0,1,0,1,0,0,1,0,0,1,0,0,0,1,1,1,1,0,0,0],"entropies": [4.518056870,4.878231525,4.652828693,5.022342682,5.176993847,4.993162155,4.698037148,4.711769104,4.609350204,4.730641365,5.204673767,4.652828693,5.591832638,5.651554108,5.655132294,5.470327854,4.565871716,5.718621254,4.680641174,5.781727314,5.694025517,4.621928692,5.533761978,5.648954391,5.381884575,4.621928692,5.550290108,5.491440296,5.523682594,4.505982876,4.565872192,5.593677998]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 01157{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":4551,"source":"vnc.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":684,"flow_dst_packets_processed":324,"flow_first_seen":1476111286462067,"flow_src_last_pkt_time":1476111290613528,"flow_dst_last_pkt_time":1476111290394024,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":17754,"flow_dst_tot_l4_payload_len":212,"midstream":0,"thread_ts_usec":1476111290613528,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":51559,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 01158{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":4551,"source":"vnc.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":2485,"flow_dst_packets_processed":1058,"flow_first_seen":1476111264364066,"flow_src_last_pkt_time":1476111280884547,"flow_dst_last_pkt_time":1476111280846496,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":35,"flow_dst_max_l4_payload_len":34,"flow_src_tot_l4_payload_len":64000,"flow_dst_tot_l4_payload_len":300,"midstream":0,"thread_ts_usec":1476111290613528,"l3_proto":"ip4","src_ip":"95.237.48.208","dst_ip":"192.168.2.110","src_port":59791,"dst_port":6900,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"30": {"risk":"Desktop\/File Sharing","severity":"Low","risk_score": {"total":1000,"client":800,"server":200}}},"confidence": {"6":"DPI"},"proto":"VNC","proto_id":"89","encrypted":0,"breed":"Acceptable","category_id":12,"category":"RemoteAccess"}} 00562{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":4551,"source":"vnc.pcap","alias":"nDPId-test","packets-captured":4551,"packets-processed":4551,"total-skipped-flows":0,"total-l4-payload-len":82266,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":17,"global_ts_usec":1476111290613528} @@ -23,10 +23,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6173360 bytes -~~ total memory freed........: 6173360 bytes -~~ total allocations/frees...: 126052/126052 +~~ total memory allocated....: 6173632 bytes +~~ total memory freed........: 6173632 bytes +~~ total allocations/frees...: 126054/126054 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars -~~ json string max len.......: 1927 chars -~~ json string avg len.......: 1206 chars +~~ json string max len.......: 2326 chars +~~ json string avg len.......: 1406 chars diff --git a/test/results/vrrp3.pcapng.out b/test/results/vrrp3.pcapng.out index ed6e8115c..ed9306abd 100644 --- a/test/results/vrrp3.pcapng.out +++ b/test/results/vrrp3.pcapng.out @@ -19,9 +19,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037499 bytes -~~ total memory freed........: 6037499 bytes -~~ total allocations/frees...: 121505/121505 +~~ total memory allocated....: 6037771 bytes +~~ total memory freed........: 6037771 bytes +~~ total allocations/frees...: 121507/121507 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 862 chars diff --git a/test/results/vxlan.pcap.out b/test/results/vxlan.pcap.out index 0dc90fb2b..9dee685de 100644 --- a/test/results/vxlan.pcap.out +++ b/test/results/vxlan.pcap.out @@ -41,8 +41,8 @@ 00860{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":54,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1639650443097770,"flow_src_last_pkt_time":1639650443097770,"flow_dst_last_pkt_time":1639650443097770,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":62,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":62,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":62,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443097770,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":60230,"dst_port":4789,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1639650443097913,"flow_dst_last_pkt_time":1639650443097770,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":108,"pkt_l4_len":70,"thread_ts_usec":1639650443097913,"pkt":"AAy9Bjp0AAy9Bjp1gQAABQgARQAAWgOJAABAEcmwwKgWBMCoFgXrRhK1AEbaoAgAAAAABFcAZnpQqv+aHuppKm\/PCABFCAAoAABAAEAGnqYKChQEnfDgI7CqAbtGa9YTAAAAAFAEAABE2gAA"} 00580{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1639650443097920,"flow_dst_last_pkt_time":1639650443097770,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":108,"pkt_type":2048,"pkt_l3_offset":18,"pkt_l4_offset":38,"pkt_len":108,"pkt_l4_len":70,"thread_ts_usec":1639650443097920,"pkt":"AAy9Bjp0AAy9Bjp1gQAABQgARQAAWgOKAABAEcmvwKgWBMCoFgXrRhK1AEbaoAgAAAAABFcAZnpQqv+aHuppKm\/PCABFCAAoAABAAEAGnqYKChQEnfDgI7CqAbtGa9YUAAAAAFAEAABE2QAA"} -01722{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442941597,"flow_src_last_pkt_time":1639650443255719,"flow_dst_last_pkt_time":1639650442941597,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1454,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35959,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443255719,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":36286,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10,"avg":10133.0,"max":140558,"stddev":31047.2,"var":963930240.0,"ent":2.2,"data": [10532,1402,105,10,11439,530,9521,113264,10571,140558,101,64,3057,190,558,175,1284,181,1316,3621,187,402,189,2282,184,313,186,833,189,694,184]},"pktlen": {"min":120,"avg":1169.7,"max":1500,"stddev":546.6,"var":298767.6,"ent":4.8,"data": [128,120,1500,1500,588,120,289,120,572,120,1500,1500,874,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500,1500]},"bins": {"c_to_s": [0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01695{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":122,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442931548,"flow_src_last_pkt_time":1639650443264733,"flow_dst_last_pkt_time":1639650442931548,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":392,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":3106,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443264733,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":40646,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":10747.9,"max":150839,"stddev":30032.6,"var":901957440.0,"ent":2.5,"data": [10329,305,11530,200,4,1301,10031,41817,81536,403,150839,3109,802,1504,1403,3811,602,2508,504,1003,903,802,707,803,710,2107,301,402,2307,401,201]},"pktlen": {"min":120,"avg":143.1,"max":438,"stddev":68.2,"var":4655.6,"ent":4.9,"data": [128,120,438,120,120,120,184,285,120,120,303,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120,120]},"bins": {"c_to_s": [0,0,28,0,1,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02121{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":89,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442941597,"flow_src_last_pkt_time":1639650443255719,"flow_dst_last_pkt_time":1639650442941597,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1454,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":35959,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443255719,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":36286,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":10,"avg":10133.0,"max":140558,"stddev":31047.2,"var":963930240.0,"ent":2.2,"data": [10532,1402,105,10,11439,530,9521,113264,10571,140558,101,64,3057,190,558,175,1284,181,1316,3621,187,402,189,2282,184,313,186,833,189,694,184]},"pktlen": {"min":102,"avg":1151.7,"max":1482,"stddev":546.6,"var":298767.6,"ent":4.8,"data": [110,102,1482,1482,570,102,271,102,554,102,1482,1482,856,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482,1482]},"bins": {"c_to_s": [0,0,5,0,0,0,0,1,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,23,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [5.583852291,5.651705265,7.826985836,7.861832619,7.623077869,5.619890690,7.052967072,5.635924816,7.564305782,5.565874100,7.866837978,7.859116077,7.762131214,7.859333515,7.877618790,7.863654613,7.851696491,7.874659538,7.855105877,7.845957756,7.883800030,7.862126827,7.878228188,7.846958637,7.850887299,7.866386890,7.866912842,7.871983051,7.852091789,7.857552052,7.852843761,7.854843616]},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02094{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":122,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1639650442931548,"flow_src_last_pkt_time":1639650443264733,"flow_dst_last_pkt_time":1639650442931548,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":392,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":3106,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443264733,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":40646,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":10747.9,"max":150839,"stddev":30032.6,"var":901957440.0,"ent":2.5,"data": [10329,305,11530,200,4,1301,10031,41817,81536,403,150839,3109,802,1504,1403,3811,602,2508,504,1003,903,802,707,803,710,2107,301,402,2307,401,201]},"pktlen": {"min":102,"avg":125.1,"max":420,"stddev":68.2,"var":4655.6,"ent":4.8,"data": [110,102,420,102,102,102,166,267,102,102,285,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102]},"bins": {"c_to_s": [0,0,28,0,1,0,0,1,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [5.313875198,5.603603840,6.154091835,5.623211861,5.630611897,5.623211384,6.288531303,6.880884647,5.615810394,5.596202850,7.036987305,5.564387798,5.603603840,5.596202850,5.623211384,5.564388275,5.583995819,5.556987286,5.591396332,5.603603840,5.576594353,5.623211384,5.544780254,5.603603840,5.603603840,5.623211384,5.642818928,5.588801384,5.603603363,5.635418415,5.635418415,5.655025959]},"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00901{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1639650442864784,"flow_src_last_pkt_time":1639650442864881,"flow_dst_last_pkt_time":1639650442864784,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":84,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":84,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":168,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443276366,"l3_proto":"ip4","src_ip":"192.168.22.4","dst_ip":"192.168.22.5","src_port":60351,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00903{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1639650442902284,"flow_src_last_pkt_time":1639650442930989,"flow_dst_last_pkt_time":1639650442902284,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":129,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":141,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":270,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443276366,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":50251,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00906{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":127,"source":"vxlan.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"finished","flow_src_packets_processed":56,"flow_dst_packets_processed":0,"flow_first_seen":1639650442941597,"flow_src_last_pkt_time":1639650443276182,"flow_dst_last_pkt_time":1639650442941597,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":74,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1454,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":68647,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1639650443276366,"l3_proto":"ip4","src_ip":"192.168.22.5","dst_ip":"192.168.22.4","src_port":36286,"dst_port":4789,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"VXLAN","proto_id":"64","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -61,9 +61,9 @@ ~~ total active/idle flows...: 9/9 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6052316 bytes -~~ total memory freed........: 6052316 bytes -~~ total allocations/frees...: 121694/121694 +~~ total memory allocated....: 6053540 bytes +~~ total memory freed........: 6053540 bytes +~~ total allocations/frees...: 121703/121703 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 2471 chars diff --git a/test/results/wa_video.pcap.out b/test/results/wa_video.pcap.out index 367b7bfbe..6554b5a38 100644 --- a/test/results/wa_video.pcap.out +++ b/test/results/wa_video.pcap.out @@ -35,10 +35,10 @@ 00762{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":44,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455770313920,"flow_src_last_pkt_time":1561455770313920,"flow_dst_last_pkt_time":1561455770313920,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":137,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":137,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455770313920,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"239.255.255.250","src_port":51277,"dst_port":1900,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00684{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":44,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1561455770313920,"flow_dst_last_pkt_time":1561455770313920,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":179,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":179,"pkt_l4_len":145,"thread_ts_usec":1561455770313920,"pkt":"AQBef\/\/6kLkxKPrKCABFAAClcA8AAAIRlYrAqAIM7\/\/\/+shNB2wAkeqFTS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpkZXZpY2U6SW50ZXJuZXRHYXRld2F5RGV2aWNlOjENCk1BTjogInNzZHA6ZGlzY292ZXIiDQpNWDogMw0KDQo="} 00901{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":44,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455770313920,"flow_src_last_pkt_time":1561455770313920,"flow_dst_last_pkt_time":1561455770313920,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":137,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":137,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":137,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455770313920,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"239.255.255.250","src_port":51277,"dst_port":1900,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"SSDP","proto_id":"12","encrypted":0,"breed":"Acceptable","category_id":18,"category":"System","hostname":"239.255.255.250:1900"}} -01566{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":181593.4,"max":2404473,"stddev":480680.3,"var":231053524992.0,"ent":2.4,"data": [51726,176830,2,439642,1227815,753,306057,108901,2404473,241,10,252,9,41,323,133116,635,40681,277,7651,7949,1743,1602,528764,1087,660,696,654,2651,2561]},"pktlen": {"min":66,"avg":282.4,"max":1454,"stddev":335.2,"var":112371.9,"ent":4.3,"data": [614,66,1454,169,522,522,346,203,239,1454,66,66,78,66,66,66,78,242,242,66,66,242,66,418,66,228,226,220,220,220,220,220]},"bins": {"c_to_s": [11,0,0,0,5,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,1,1,4,0,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0]}} +01965{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":181593.4,"max":2404473,"stddev":480680.3,"var":231053524992.0,"ent":2.4,"data": [51726,176830,2,439642,1227815,753,306057,108901,2404473,241,10,252,9,41,323,133116,635,40681,277,7651,7949,1743,1602,528764,1087,660,696,654,2651,2561]},"pktlen": {"min":52,"avg":268.4,"max":1440,"stddev":335.2,"var":112371.9,"ent":4.2,"data": [600,52,1440,155,508,508,332,189,225,1440,52,52,64,52,52,52,64,228,228,52,52,228,52,404,52,214,212,206,206,206,206,206]},"bins": {"c_to_s": [11,0,0,0,5,2,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,0,0,1,1,4,0,0,1,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,1,0,1,0,0,0,0,0,0,0,0],"entropies": [7.608484745,5.077241421,7.865381718,6.691146851,7.578685284,7.572544098,7.307354450,6.700509548,7.001189232,7.865732670,4.976373672,5.053297043,5.138105392,5.091758728,5.053297043,5.091758728,5.157560349,6.986247063,7.012214661,5.053297043,5.053297043,6.984363556,5.053297043,7.459637642,5.053297043,6.913162708,6.866742134,6.851969242,6.911801815,6.922309875,6.837723732,6.965609550]}} 00882{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00883{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":51,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1561455767339689,"flow_src_last_pkt_time":1561455770332620,"flow_dst_last_pkt_time":1561455769794560,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":548,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1640,"flow_dst_tot_l4_payload_len":5261,"midstream":1,"thread_ts_usec":1561455770332620,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} -01731{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1561455769789452,"flow_src_last_pkt_time":1561455770782169,"flow_dst_last_pkt_time":1561455770781798,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":472,"flow_src_tot_l4_payload_len":8102,"flow_dst_tot_l4_payload_len":1614,"midstream":0,"thread_ts_usec":1561455770782169,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":53688,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":64034.3,"max":550126,"stddev":135549.6,"var":18373693440.0,"ent":3.1,"data": [95,13142,1109,548212,794,550126,16210,117,20333,106,23568,573,14505,979,116,79305,29641,99,23164,167,19951,342,24390,3500,104447,150456,15882,197610,75380,2499,68245]},"pktlen": {"min":44,"avg":345.6,"max":514,"stddev":205.8,"var":42355.1,"ent":4.7,"data": [168,168,86,86,168,514,86,514,514,514,514,514,514,48,514,514,44,514,514,514,514,514,514,514,168,86,62,514,62,514,514,62]},"bins": {"c_to_s": [3,0,0,4,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,4,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02130{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":116,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":23,"flow_dst_packets_processed":9,"flow_first_seen":1561455769789452,"flow_src_last_pkt_time":1561455770782169,"flow_dst_last_pkt_time":1561455770781798,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":472,"flow_dst_max_l4_payload_len":472,"flow_src_tot_l4_payload_len":8102,"flow_dst_tot_l4_payload_len":1614,"midstream":0,"thread_ts_usec":1561455770782169,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":53688,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":95,"avg":64034.3,"max":550126,"stddev":135549.6,"var":18373693440.0,"ent":3.1,"data": [95,13142,1109,548212,794,550126,16210,117,20333,106,23568,573,14505,979,116,79305,29641,99,23164,167,19951,342,24390,3500,104447,150456,15882,197610,75380,2499,68245]},"pktlen": {"min":30,"avg":331.6,"max":500,"stddev":205.8,"var":42355.1,"ent":4.7,"data": [154,154,72,72,154,500,72,500,500,500,500,500,500,34,500,500,30,500,500,500,500,500,500,500,154,72,48,500,48,500,500,48]},"bins": {"c_to_s": [3,0,0,4,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,4,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,1,1,0,1,1,0],"entropies": [6.493677139,6.519650936,5.235420704,5.263198376,6.488775253,7.446858406,5.290976048,7.477643013,7.460317135,7.514078140,7.471118450,7.444753170,7.528831959,4.569532394,7.478866100,7.484198570,4.453236580,7.470160961,7.456147671,7.450516224,7.440128803,7.495639801,7.433229923,7.431243420,6.496860504,5.263197899,3.812905788,7.345452785,3.812905550,7.413387775,7.430417538,4.208755493]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455772049243,"flow_src_last_pkt_time":1561455772049243,"flow_dst_last_pkt_time":1561455772049243,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":300,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":300,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":300,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455772049243,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00911{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":1,"flow_src_last_pkt_time":1561455772049243,"flow_dst_last_pkt_time":1561455772049243,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"thread_ts_usec":1561455772049243,"pkt":"\/\/\/\/\/\/\/\/2DBiVgAcCABFAAFInqwAAP8RG\/kAAAAA\/\/\/\/\/wBEAEMBNNtQAQEGAH5K8tcAMwAAAAAAAAAAAAAAAAAAAAAAANgwYlYAHAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABjglNjNQEBNwoBeQMGD3f8XywuOQIF3D0HAdgwYlYAHDMEAHanAAwKTHVjYXMtaU1hY\/8AAAAAAAAAAAAAAAAA"} 00956{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":144,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455772049243,"flow_src_last_pkt_time":1561455772049243,"flow_dst_last_pkt_time":1561455772049243,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":300,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":300,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":300,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455772049243,"l3_proto":"ip4","src_ip":"0.0.0.0","dst_ip":"255.255.255.255","src_port":68,"dst_port":67,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DHCP","proto_id":"18","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"lucas-imac","dhcp": {"fingerprint":"1,121,3,6,15,119,252,95,44,46","class_ident":""}}} @@ -55,7 +55,7 @@ 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":434,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1561455782059394,"flow_dst_last_pkt_time":1561455781352254,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455782059394,"pkt":"xiwDYGpkkLkxKPrKCABFAABI8PwAAEARMsXAqAIMW\/w4M9G4f4EANE0kAAEAGCESpEKAWzwjt5VRcfVmBmsACAAUJw9zjdQvQsjy5FQih0Itb6wHKg0="} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":485,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":3,"flow_src_last_pkt_time":1561455782574285,"flow_dst_last_pkt_time":1561455781247252,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455782574285,"pkt":"xiwDYGpkkLkxKPrKCABFAABIwHEAAEARqAPAqAIMATxOQNG46GMANGXPAAEAGCESpEIoM9pd\/2PDbhKoL1oACAAUvqQBu1i76V7zg0ib1\/6QLghtUUY="} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":497,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1561455782679175,"flow_dst_last_pkt_time":1561455781352254,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455782679175,"pkt":"xiwDYGpkkLkxKPrKCABFAABINRkAAEAR7qjAqAIMW\/w4M9G4f4EANKRJAAEAGCESpEL4j9YAEpPJGTu3VCAACAAUGXORRrB48FGvPcJutSVccHGlcxM="} -01883{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":623,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1561455781352254,"flow_src_last_pkt_time":1561455783672290,"flow_dst_last_pkt_time":1561455783683909,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1118,"flow_dst_max_l4_payload_len":182,"flow_src_tot_l4_payload_len":15240,"flow_dst_tot_l4_payload_len":615,"midstream":0,"thread_ts_usec":1561455783683909,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"91.252.56.51","src_port":53688,"dst_port":32641,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":150054.5,"max":1979427,"stddev":383224.6,"var":146861080576.0,"ent":2.7,"data": [707140,619781,619147,1979427,36290,69699,132037,26361,100137,1489,36501,24632,139,224,338,341,10692,26140,102372,15137,296,563,516,886,169,757,7597,915,148,631,131189]},"pktlen": {"min":86,"avg":537.5,"max":1160,"stddev":432.0,"var":186635.8,"ent":4.5,"data": [86,86,86,86,86,86,86,170,86,179,164,144,913,913,913,912,1160,208,157,212,1036,1036,1036,1036,1036,1034,164,934,934,934,1062,224]},"bins": {"c_to_s": [0,6,0,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,7,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,2,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02282{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":623,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":26,"flow_dst_packets_processed":6,"flow_first_seen":1561455781352254,"flow_src_last_pkt_time":1561455783672290,"flow_dst_last_pkt_time":1561455783683909,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1118,"flow_dst_max_l4_payload_len":182,"flow_src_tot_l4_payload_len":15240,"flow_dst_tot_l4_payload_len":615,"midstream":0,"thread_ts_usec":1561455783683909,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"91.252.56.51","src_port":53688,"dst_port":32641,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":139,"avg":150054.5,"max":1979427,"stddev":383224.6,"var":146861080576.0,"ent":2.7,"data": [707140,619781,619147,1979427,36290,69699,132037,26361,100137,1489,36501,24632,139,224,338,341,10692,26140,102372,15137,296,563,516,886,169,757,7597,915,148,631,131189]},"pktlen": {"min":72,"avg":523.5,"max":1146,"stddev":432.0,"var":186635.8,"ent":4.5,"data": [72,72,72,72,72,72,72,156,72,165,150,130,899,899,899,898,1146,194,143,198,1022,1022,1022,1022,1022,1020,150,920,920,920,1048,210]},"bins": {"c_to_s": [0,6,0,2,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0,7,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,2,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,1,0,0,1,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1],"entropies": [5.551460743,5.652086735,5.531393051,5.607016087,5.440350056,5.499580860,5.568753719,6.624680996,5.697700977,6.683998108,6.496982574,6.426134586,7.747357368,7.800405025,7.780704021,7.774211884,7.821574688,6.735989094,6.400922298,6.908179283,7.822691441,7.800770760,7.811967850,7.818122864,7.793910027,7.785738468,6.611948967,7.770941734,7.800857544,7.760899067,7.788744450,6.986406326]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00763{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1470,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455791449110,"flow_src_last_pkt_time":1561455791449110,"flow_dst_last_pkt_time":1561455791449110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455791449110,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00963{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1470,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":1,"flow_src_last_pkt_time":1561455791449110,"flow_dst_last_pkt_time":1561455791449110,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":383,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":383,"pkt_l4_len":349,"thread_ts_usec":1561455791449110,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAFxMkoAAEARwOHAqAIBwKgC\/0RcRFwBXbU+eyJ2ZXJzaW9uIjogWzIsIDBdLCAicG9ydCI6IDE3NTAwLCAiaG9zdF9pbnQiOiAxNzQ1NjcxOTM5MjIwMTQ2OTg4Njg4NzAzNTEyMjAyNTg3OTI0NDMsICJkaXNwbGF5bmFtZSI6ICIiLCAibmFtZXNwYWNlcyI6IFsyNzUwMzcwNTYwLCA3ODUyNjYxNzcsIDE1MjYyNjMwNDUsIDEzMzg2NTkyMDEsIDE0ODE5MzM3LCA0ODA5NDIwMDQ4LCA1MTE3MDY2NDIsIDczNjM0MTUyOCwgOTM4ODEzODQ5LCAxMjY3Njk1MTA5LCA1NDQwNDA3MDcyLCA0ODEwNTkxNzYwLCA1ODM0NDk5NiwgOTk2MzA2MjE1LCA1MzAzMzAxMjQ4LCAzMDc1NTIxNjk2LCA0MDU2NDYyNTkyLCAyOTYzNjgyMDk2LCAxNTIyMTc3NTg3XX0="} 00871{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1470,"source":"wa_video.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455791449110,"flow_src_last_pkt_time":1561455791449110,"flow_dst_last_pkt_time":1561455791449110,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455791449110,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -91,9 +91,9 @@ ~~ total active/idle flows...: 14/14 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6112308 bytes -~~ total memory freed........: 6112308 bytes -~~ total allocations/frees...: 123181/123181 +~~ total memory allocated....: 6114212 bytes +~~ total memory freed........: 6114212 bytes +~~ total allocations/frees...: 123195/123195 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2424 chars diff --git a/test/results/wa_voice.pcap.out b/test/results/wa_voice.pcap.out index 10f6dce70..8aa609ab8 100644 --- a/test/results/wa_voice.pcap.out +++ b/test/results/wa_voice.pcap.out @@ -23,7 +23,7 @@ 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1561455688704143,"flow_dst_last_pkt_time":1561455688744885,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1561455688744885,"pkt":"kLkxKPrKxiwDYGpkCABFAAA8AAAAAFMG8uKd8BQ1wKgCDBRmwMsu6BkVm9EK2qASbHAbGAAAAgQFeAQCCAoefUIDNM3yoAEDAwg="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":14,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":3,"flow_src_last_pkt_time":1561455688841176,"flow_dst_last_pkt_time":1561455688744885,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1561455688841176,"pkt":"xiwDYGpkkLkxKPrKCABFAAA0AABAAEAGxerAqAIMnfAUNcDLFGab0QraLugZFoAQCAytcgAAAQEICjTN8zsefUID"} 00866{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":15,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1561455688704143,"flow_src_last_pkt_time":1561455689011542,"flow_dst_last_pkt_time":1561455688744885,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":256,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":256,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455689011542,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} -01692{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":43,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455688704143,"flow_src_last_pkt_time":1561455689377891,"flow_dst_last_pkt_time":1561455689390636,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":286,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":6993,"midstream":0,"thread_ts_usec":1561455689390636,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":43878.7,"max":304081,"stddev":76394.5,"var":5836114944.0,"ent":3.2,"data": [40742,137033,170366,304081,130232,56,30959,5260,28,391,1,177,42,1186,210132,335,9,41,206,11,311,41447,129925,50,6,6,5,1043,24269,131853,38]},"pktlen": {"min":66,"avg":309.4,"max":1454,"stddev":467.5,"var":218553.5,"ent":3.9,"data": [78,74,66,322,66,123,117,151,1454,106,1454,169,1454,178,1454,66,66,66,66,66,66,66,1059,98,112,133,96,125,66,352,66,66]},"bins": {"c_to_s": [11,3,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02089{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":43,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455688704143,"flow_src_last_pkt_time":1561455689377891,"flow_dst_last_pkt_time":1561455689390636,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":286,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":776,"flow_dst_tot_l4_payload_len":6993,"midstream":0,"thread_ts_usec":1561455689390636,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.53","src_port":49355,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":43878.7,"max":304081,"stddev":76394.5,"var":5836114944.0,"ent":3.2,"data": [40742,137033,170366,304081,130232,56,30959,5260,28,391,1,177,42,1186,210132,335,9,41,206,11,311,41447,129925,50,6,6,5,1043,24269,131853,38]},"pktlen": {"min":52,"avg":295.4,"max":1440,"stddev":467.5,"var":218553.5,"ent":3.8,"data": [64,60,52,308,52,109,103,137,1440,92,1440,155,1440,164,1440,52,52,52,52,52,52,52,1045,84,98,119,82,111,52,338,52,52]},"bins": {"c_to_s": [11,3,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,1,1,1,1,1,1,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,1],"entropies": [4.472632408,5.115064144,5.014835358,7.171360493,5.130219936,6.068146706,5.962917328,6.548506737,7.870247841,5.888707161,7.854815006,6.678243637,7.877118111,6.722311020,7.881030083,5.014835358,5.014835358,4.976373196,5.091758251,5.091758251,5.130219936,5.008132935,7.805761337,5.645539761,5.925289631,6.203728676,5.699334145,6.150419712,4.961856842,7.298644066,5.038780212,4.955154419]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":60,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455689728258,"flow_src_last_pkt_time":1561455689728258,"flow_dst_last_pkt_time":1561455689728258,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455689728258,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":55296,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00556{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":60,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":1,"flow_src_last_pkt_time":1561455689728258,"flow_dst_last_pkt_time":1561455689728258,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":89,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":89,"pkt_l4_len":55,"thread_ts_usec":1561455689728258,"pkt":"xiwDYGpkkLkxKPrKCABFAABL058AAP8RYqTAqAIMwKgCAdgAADUAN5FDM2kBAAABAAAAAAAADG1lZGlhLW14cDEtMQNjZG4Id2hhdHNhcHADbmV0AAABAAE="} 01023{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":60,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455689728258,"flow_src_last_pkt_time":1561455689728258,"flow_dst_last_pkt_time":1561455689728258,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":47,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":47,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":47,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455689728258,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"192.168.2.1","src_port":55296,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.WhatsAppFiles","proto_id":"5.242","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"media-mxp1-1.cdn.whatsapp.net","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -35,7 +35,7 @@ 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":66,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_packet_id":3,"flow_src_last_pkt_time":1561455690036803,"flow_dst_last_pkt_time":1561455689928899,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1561455690036803,"pkt":"xiwDYGpkkLkxKPrKCABFAAA0AABAAEAGAtDAqAIMHw1WM8VHAbtOnG1l7gMI\/YAQBAZZdQAAAQEICjTOBV2HqaVz"} 01170{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":67,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690039586,"flow_dst_last_pkt_time":1561455689928899,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455690039586,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"media-mxp1-1.cdn.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"b92a79ed03c3ff5611abb2305370d3e3","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01221{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":69,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690039586,"flow_dst_last_pkt_time":1561455690058075,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1561455690058075,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"media-mxp1-1.cdn.whatsapp.net","tls": {"version":"TLSv1.3","ja3":"b92a79ed03c3ff5611abb2305370d3e3","ja3s":"475c9302dc42b2751db9edcac3b74891","unsafe_cipher":0,"cipher":"TLS_CHACHA20_POLY1305_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01690{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690224696,"flow_dst_last_pkt_time":1561455690224643,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1331,"flow_dst_tot_l4_payload_len":7979,"midstream":0,"thread_ts_usec":1561455690224696,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":21034.6,"max":163286,"stddev":47564.2,"var":2262348544.0,"ent":2.5,"data": [19749,127653,2783,126251,2925,28,22,21046,163,145211,12,6,5,40,5,163286,2,38,250,1,16,17472,279,12,8,2386,284,150,389,567]},"pktlen": {"min":66,"avg":357.6,"max":1454,"stddev":489.7,"var":239839.3,"ent":4.0,"data": [78,74,66,583,66,1454,1454,349,66,66,130,112,109,101,402,325,66,237,140,97,66,114,498,66,66,66,66,1454,66,1454,1454,97]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} +02086{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":95,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1561455689909150,"flow_src_last_pkt_time":1561455690224696,"flow_dst_last_pkt_time":1561455690224643,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":1331,"flow_dst_tot_l4_payload_len":7979,"midstream":0,"thread_ts_usec":1561455690224696,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.51","src_port":50503,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":21034.6,"max":163286,"stddev":47564.2,"var":2262348544.0,"ent":2.5,"data": [19749,127653,2783,126251,2925,28,22,21046,163,145211,12,6,5,40,5,163286,2,38,250,1,16,17472,279,12,8,2386,284,150,389,567]},"pktlen": {"min":52,"avg":343.6,"max":1440,"stddev":489.7,"var":239839.3,"ent":3.9,"data": [64,60,52,569,52,1440,1440,335,52,52,116,98,95,87,388,311,52,223,126,83,52,100,484,52,52,52,52,1440,52,1440,1440,83]},"bins": {"c_to_s": [10,3,1,0,0,0,0,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,1,0,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,1,0,1,1,0],"entropies": [4.453177452,5.156567574,5.038779736,4.954115391,5.062724590,7.845219135,7.875988007,7.363695621,5.038779736,5.077241421,6.006405830,6.022478580,5.964075089,5.738524437,7.327147007,7.233700752,5.115703106,6.979569435,6.337362766,5.826725960,5.032077789,6.041212559,7.548195839,4.923395157,4.961856842,5.000318050,4.947339535,7.873440742,5.038779736,7.854992867,7.876389503,5.699865818]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} 00761{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":181,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455701309996,"flow_src_last_pkt_time":1561455701309996,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455701309996,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":181,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":1,"flow_src_last_pkt_time":1561455701309996,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":383,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":383,"pkt_l4_len":349,"thread_ts_usec":1561455701309996,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAFxXcMAAEARlWjAqAIBwKgC\/0RcRFwBXbU+eyJ2ZXJzaW9uIjogWzIsIDBdLCAicG9ydCI6IDE3NTAwLCAiaG9zdF9pbnQiOiAxNzQ1NjcxOTM5MjIwMTQ2OTg4Njg4NzAzNTEyMjAyNTg3OTI0NDMsICJkaXNwbGF5bmFtZSI6ICIiLCAibmFtZXNwYWNlcyI6IFsyNzUwMzcwNTYwLCA3ODUyNjYxNzcsIDE1MjYyNjMwNDUsIDEzMzg2NTkyMDEsIDE0ODE5MzM3LCA0ODA5NDIwMDQ4LCA1MTE3MDY2NDIsIDczNjM0MTUyOCwgOTM4ODEzODQ5LCAxMjY3Njk1MTA5LCA1NDQwNDA3MDcyLCA0ODEwNTkxNzYwLCA1ODM0NDk5NiwgOTk2MzA2MjE1LCA1MzAzMzAxMjQ4LCAzMDc1NTIxNjk2LCA0MDU2NDYyNTkyLCAyOTYzNjgyMDk2LCAxNTIyMTc3NTg3XX0="} 00869{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":181,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455701309996,"flow_src_last_pkt_time":1561455701309996,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":341,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":341,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":341,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455701309996,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -98,7 +98,7 @@ 00527{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":250,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1561455707513528,"flow_dst_last_pkt_time":1561455707511792,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1561455707513528,"pkt":"xiwDYGpkkLkxKPrKCABFAAA0AABAAEAGxevAqAIMnfAUNMVIAbt68MpOu7CnhYAQBAb72QAAAQEICjTOSZq1oF6C"} 01152{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":251,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707524675,"flow_dst_last_pkt_time":1561455707511792,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455707524675,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"pps.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"7a7a639628f0fe5c7e057628a5bbec5a","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":253,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707524675,"flow_dst_last_pkt_time":1561455707564246,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1388,"midstream":0,"thread_ts_usec":1561455707564246,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat","hostname":"pps.whatsapp.net","tls": {"version":"TLSv1.3","ja3":"7a7a639628f0fe5c7e057628a5bbec5a","ja3s":"475c9302dc42b2751db9edcac3b74891","unsafe_cipher":0,"cipher":"TLS_CHACHA20_POLY1305_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} -01710{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":293,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707778028,"flow_dst_last_pkt_time":1561455707778471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":928,"flow_dst_tot_l4_payload_len":9370,"midstream":0,"thread_ts_usec":1561455707778471,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":19593.0,"max":129132,"stddev":30818.3,"var":949767616.0,"ent":3.5,"data": [37234,38970,11147,51469,985,103,11,42805,136,34645,3771,380,216,299,76165,5,34895,421,279,3605,27,2938,1342,3436,77447,53735,129132,1406,40,219,120]},"pktlen": {"min":66,"avg":388.4,"max":1454,"stddev":526.3,"var":277041.4,"ent":4.0,"data": [78,74,66,583,66,1454,1454,347,66,66,130,112,109,101,258,237,140,66,66,97,66,97,66,101,66,66,516,66,1454,1454,1454,1454]},"bins": {"c_to_s": [10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,1,0,1,1,0,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02105{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":293,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1561455707474558,"flow_src_last_pkt_time":1561455707778028,"flow_dst_last_pkt_time":1561455707778471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1388,"flow_src_tot_l4_payload_len":928,"flow_dst_tot_l4_payload_len":9370,"midstream":0,"thread_ts_usec":1561455707778471,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"157.240.20.52","src_port":50504,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":5,"avg":19593.0,"max":129132,"stddev":30818.3,"var":949767616.0,"ent":3.5,"data": [37234,38970,11147,51469,985,103,11,42805,136,34645,3771,380,216,299,76165,5,34895,421,279,3605,27,2938,1342,3436,77447,53735,129132,1406,40,219,120]},"pktlen": {"min":52,"avg":374.4,"max":1440,"stddev":526.3,"var":277041.4,"ent":3.9,"data": [64,60,52,569,52,1440,1440,333,52,52,116,98,95,87,244,223,126,52,52,83,52,83,52,87,52,52,502,52,1440,1440,1440,1440]},"bins": {"c_to_s": [10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,1,0,0,1,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,0,0,0,1,1,0,0,0,1,1,0,1,0,1,1,0,1,1,1,1],"entropies": [4.421927452,5.127645493,4.947339535,4.844649315,5.024262905,7.828526497,7.880538940,7.342582226,4.947340012,4.947340012,6.096442223,5.933140755,5.903703690,5.761512756,7.014289856,6.959705353,6.368111134,4.923395157,4.923395157,5.597574711,5.062724590,5.763532162,4.985801220,5.859550953,4.947339535,4.985801220,7.559065819,4.947340012,7.871157646,7.859573364,7.846300602,7.844365597]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsApp","proto_id":"91.142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00562{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":347,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1561455709888553,"flow_dst_last_pkt_time":1561455705874172,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":91,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":91,"pkt_l4_len":57,"thread_ts_usec":1561455709888553,"pkt":"AQBeAAD7kLkxKPrKCABFAABNP9UAAP8R2BrAqAIM4AAA+xTpFOkAOUTGAAAAAAACAAAAAAAABV9yYW9wBF90Y3AFbG9jYWwAAAwAAQhfYWlycGxhecASAAwAAQ=="} 00592{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":3,"flow_src_last_pkt_time":1561455709890098,"flow_dst_last_pkt_time":1561455705874523,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":111,"pkt_type":34525,"pkt_l3_offset":14,"pkt_l4_offset":54,"pkt_len":111,"pkt_l4_len":57,"thread_ts_usec":1561455709890098,"pkt":"MzMAAAD7kLkxKPrKht1gDagnADkR\/\/6AAAAAAAAABBRAnYr9nwX\/AgAAAAAAAAAAAAAAAAD7FOkU6QA5e0MAAAAAAAIAAAAAAAAFX3Jhb3AEX3RjcAVsb2NhbAAADAABCF9haXJwbGF5wBIADAAB"} 00678{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":349,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":2,"flow_src_last_pkt_time":1561455709984212,"flow_dst_last_pkt_time":1561455706979952,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":174,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":174,"pkt_l4_len":140,"thread_ts_usec":1561455709984212,"pkt":"AQBef\/\/6kLkxKPrKCABFAACggMsAAAIRhNPAqAIM7\/\/\/+vzMB2wAjOY9TS1TRUFSQ0ggKiBIVFRQLzEuMQ0KSE9TVDogMjM5LjI1NS4yNTUuMjUwOjE5MDANClNUOiB1cm46c2NoZW1hcy11cG5wLW9yZzpzZXJ2aWNlOldBTklQQ29ubmVjdGlvbjoxDQpNQU46ICJzc2RwOmRpc2NvdmVyIg0KTVg6IDMNCg0K"} @@ -114,14 +114,14 @@ 01095{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":465,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455730495456,"flow_src_last_pkt_time":1561455730495456,"flow_dst_last_pkt_time":1561455730495456,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455730495456,"l3_proto":"ip4","src_ip":"91.252.56.51","dst_ip":"192.168.2.12","src_port":32704,"dst_port":56328,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":473,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":2,"flow_src_last_pkt_time":1561455731073692,"flow_dst_last_pkt_time":1561455730495456,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455731073692,"pkt":"kLkxKPrKxiwDYGpkCABFAABIAlEAADERMHFb\/DgzwKgCDH\/A3AgANGApAAEAGCESpELobM0y9AHrYlN0+hgACAAU\/c20Lcr5wjE5JYKvJct9qbua6og="} 00961{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":477,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":8,"flow_packet_id":3,"flow_src_last_pkt_time":1561455731356183,"flow_dst_last_pkt_time":1561455701309996,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":383,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":383,"pkt_l4_len":349,"thread_ts_usec":1561455731356183,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAFxjdoAAEARZVHAqAIBwKgC\/0RcRFwBXbU+eyJ2ZXJzaW9uIjogWzIsIDBdLCAicG9ydCI6IDE3NTAwLCAiaG9zdF9pbnQiOiAxNzQ1NjcxOTM5MjIwMTQ2OTg4Njg4NzAzNTEyMjAyNTg3OTI0NDMsICJkaXNwbGF5bmFtZSI6ICIiLCAibmFtZXNwYWNlcyI6IFsyNzUwMzcwNTYwLCA3ODUyNjYxNzcsIDE1MjYyNjMwNDUsIDEzMzg2NTkyMDEsIDE0ODE5MzM3LCA0ODA5NDIwMDQ4LCA1MTE3MDY2NDIsIDczNjM0MTUyOCwgOTM4ODEzODQ5LCAxMjY3Njk1MTA5LCA1NDQwNDA3MDcyLCA0ODEwNTkxNzYwLCA1ODM0NDk5NiwgOTk2MzA2MjE1LCA1MzAzMzAxMjQ4LCAzMDc1NTIxNjk2LCA0MDU2NDYyNTkyLCAyOTYzNjgyMDk2LCAxNTIyMTc3NTg3XX0="} -01761{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":487,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1561455706912375,"flow_src_last_pkt_time":1561455731523132,"flow_dst_last_pkt_time":1561455731536124,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":278,"flow_src_tot_l4_payload_len":792,"flow_dst_tot_l4_payload_len":1833,"midstream":0,"thread_ts_usec":1561455731536124,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":56328,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1588209.8,"max":12196243,"stddev":3050402.8,"var":9304956469248.0,"ent":3.2,"data": [61,13448,128,12194152,12196243,104402,58,105108,1,108628,104619,3043264,3048902,3100925,3096031,3015294,3016553,2001940,2156,107078,164036,190107,88523,28769,198646,133957,3008088,90958,35571,314,36546]},"pktlen": {"min":44,"avg":124.0,"max":320,"stddev":87.2,"var":7598.9,"ent":4.7,"data": [168,168,86,86,48,44,168,168,86,86,48,44,48,44,48,44,48,44,88,68,246,275,254,164,320,248,316,48,44,168,168,86]},"bins": {"c_to_s": [6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,6,0,1,0,0,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,0,1,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02160{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":487,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1561455706912375,"flow_src_last_pkt_time":1561455731523132,"flow_dst_last_pkt_time":1561455731536124,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":6,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":278,"flow_src_tot_l4_payload_len":792,"flow_dst_tot_l4_payload_len":1833,"midstream":0,"thread_ts_usec":1561455731536124,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"31.13.86.48","src_port":56328,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":1588209.8,"max":12196243,"stddev":3050402.8,"var":9304956469248.0,"ent":3.2,"data": [61,13448,128,12194152,12196243,104402,58,105108,1,108628,104619,3043264,3048902,3100925,3096031,3015294,3016553,2001940,2156,107078,164036,190107,88523,28769,198646,133957,3008088,90958,35571,314,36546]},"pktlen": {"min":30,"avg":110.0,"max":306,"stddev":87.2,"var":7598.9,"ent":4.6,"data": [154,154,72,72,34,30,154,154,72,72,34,30,34,30,34,30,34,30,74,54,232,261,240,150,306,234,302,34,30,154,154,72]},"bins": {"c_to_s": [6,0,0,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,6,0,1,0,0,3,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,1,1,1,1,1,1,1,1,0,1,0,0,1],"entropies": [6.541143417,6.523254871,5.258596897,5.258596897,4.628356934,4.453236580,6.497281075,6.520071030,5.203041553,5.130857468,4.628356934,4.453236580,4.628356934,4.453236580,4.628356934,4.453236580,4.628356934,4.453236580,5.668909073,5.185353279,6.995151520,7.135284424,7.074851990,6.635347366,7.304471493,6.999480724,7.242955685,4.628356934,4.453236580,6.523254871,6.523254871,5.230819225]},"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":501,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455731665769,"flow_src_last_pkt_time":1561455731665769,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455731665769,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"1.60.78.64","src_port":56328,"dst_port":64282,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00555{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":501,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":1,"flow_src_last_pkt_time":1561455731665769,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455731665769,"pkt":"xiwDYGpkkLkxKPrKCABFAABId7IAAEAR8MLAqAIMATxOQNwI+xoANL93AAEAGCESpEJNNg9OA5IbZKhKGmoACAAUkUJIDnID0ka3i4LpQfhGRUa3K\/w="} 01093{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":501,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455731665769,"flow_src_last_pkt_time":1561455731665769,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455731665769,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"1.60.78.64","src_port":56328,"dst_port":64282,"l4_proto":"udp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":503,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_packet_id":3,"flow_src_last_pkt_time":1561455731697327,"flow_dst_last_pkt_time":1561455730495456,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455731697327,"pkt":"kLkxKPrKxiwDYGpkCABFAABI\/gUAADERNLxb\/DgzwKgCDH\/A3AgANISZAAEAGCESpEKSaahiiU3KFyQDpDgACAAUPvQQqrwwB3kMX1876e4ssz8N17Y="} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":518,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":2,"flow_src_last_pkt_time":1561455732298035,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455732298035,"pkt":"xiwDYGpkkLkxKPrKCABFAABIre0AAEARuofAqAIMATxOQNwI+xoANHLOAAEAGCESpEIrgAUzrwTeBSrSSH8ACAAUv8Ev3sei+dcRfEZy9ei0mRui3Zw="} 00554{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":528,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":24,"flow_packet_id":3,"flow_src_last_pkt_time":1561455732919461,"flow_dst_last_pkt_time":1561455731665769,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1561455732919461,"pkt":"xiwDYGpkkLkxKPrKCABFAABIV+kAAEAREIzAqAIMATxOQNwI+xoANBvDAAEAGCESpELCs7YUVt8QVzF73yEACAAUMmINwHB46SKyj3xrODHnuD6GHSA="} -01905{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":538,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1561455730495456,"flow_src_last_pkt_time":1561455733316995,"flow_dst_last_pkt_time":1561455733325980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":273,"flow_src_tot_l4_payload_len":1873,"flow_dst_tot_l4_payload_len":1869,"midstream":0,"thread_ts_usec":1561455733325980,"l3_proto":"ip4","src_ip":"91.252.56.51","dst_ip":"192.168.2.12","src_port":32704,"dst_port":56328,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":182324.6,"max":1203723,"stddev":228895.9,"var":52393320448.0,"ent":4.2,"data": [578236,623635,1203723,72457,167216,11596,115693,158378,2,172820,173607,169808,156213,136586,155315,179817,99336,157427,38286,163380,181314,166574,142422,2967,25967,115313,6126,171847,106305,56249,143448]},"pktlen": {"min":68,"avg":158.9,"max":315,"stddev":51.7,"var":2672.5,"ent":4.9,"data": [86,86,86,86,86,86,213,274,164,175,315,151,173,173,147,163,150,164,186,178,169,173,178,184,164,68,164,164,170,164,153,193]},"bins": {"c_to_s": [1,4,0,8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,4,6,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0,1,0,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02304{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":538,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1561455730495456,"flow_src_last_pkt_time":1561455733316995,"flow_dst_last_pkt_time":1561455733325980,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":171,"flow_dst_max_l4_payload_len":273,"flow_src_tot_l4_payload_len":1873,"flow_dst_tot_l4_payload_len":1869,"midstream":0,"thread_ts_usec":1561455733325980,"l3_proto":"ip4","src_ip":"91.252.56.51","dst_ip":"192.168.2.12","src_port":32704,"dst_port":56328,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2,"avg":182324.6,"max":1203723,"stddev":228895.9,"var":52393320448.0,"ent":4.2,"data": [578236,623635,1203723,72457,167216,11596,115693,158378,2,172820,173607,169808,156213,136586,155315,179817,99336,157427,38286,163380,181314,166574,142422,2967,25967,115313,6126,171847,106305,56249,143448]},"pktlen": {"min":54,"avg":144.9,"max":301,"stddev":51.7,"var":2672.5,"ent":4.9,"data": [72,72,72,72,72,72,199,260,150,161,301,137,159,159,133,149,136,150,172,164,155,159,164,170,150,54,150,150,156,150,139,179]},"bins": {"c_to_s": [1,4,0,8,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,2,0,4,6,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,0,0,1,0,0,1,0,1,0,1,0,1,1,0,1,0,1,0,1,1,0,0,0,1,0,0,1],"entropies": [5.523683071,5.551460743,5.523683071,5.586590290,5.513198376,5.558812618,6.900094032,7.080634594,6.725411892,6.561889648,7.326864719,6.497554302,6.712717533,6.644547939,6.493841648,6.572838783,6.470429420,6.565414429,6.709655762,6.771090984,6.675994873,6.701801777,6.747565746,6.673988342,6.480553150,5.199332237,6.648680687,6.585022449,6.694502831,6.592251301,6.568360806,6.807644844]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00915{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":632,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1561455705874172,"flow_src_last_pkt_time":1561455737893179,"flow_dst_last_pkt_time":1561455705874172,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":138,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":334,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455737893179,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"_homekit._tcp.local","mdns": {}}} 00924{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":633,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":0,"flow_first_seen":1561455705874523,"flow_src_last_pkt_time":1561455737895397,"flow_dst_last_pkt_time":1561455705874523,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":49,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":138,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":334,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1561455737895397,"l3_proto":"ip6","src_ip":"fe80::414:409d:8afd:9f05","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","hostname":"_homekit._tcp.local","mdns": {}}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":640,"source":"wa_voice.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1561455738163757,"flow_src_last_pkt_time":1561455738163757,"flow_dst_last_pkt_time":1561455738163757,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1561455738163757,"l3_proto":"ip4","src_ip":"192.168.2.12","dst_ip":"169.254.162.244","src_port":49352,"dst_port":49159,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -180,9 +180,9 @@ ~~ total active/idle flows...: 28/28 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6123215 bytes -~~ total memory freed........: 6123215 bytes -~~ total allocations/frees...: 122494/122494 +~~ total memory allocated....: 6127023 bytes +~~ total memory freed........: 6127023 bytes +~~ total allocations/frees...: 122522/122522 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 2484 chars diff --git a/test/results/waze.pcap.out b/test/results/waze.pcap.out index f30402458..10dace17b 100644 --- a/test/results/waze.pcap.out +++ b/test/results/waze.pcap.out @@ -98,8 +98,8 @@ 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":199,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_src_last_pkt_time":1435587872705148,"flow_dst_last_pkt_time":1435587872704043,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587872705148,"pkt":"ABoRAAACABoRAAABCABFAAAoY6pAAEAGsooKCAABNubjrLHyAFAC8Q5A\/Q7xwVAQ\/\/\/Y9AAA"} 01018{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":201,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1435587872702798,"flow_src_last_pkt_time":1435587872706282,"flow_dst_last_pkt_time":1435587872704043,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":150,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1435587872706282,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45554,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Waze","proto_id":"7.135","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"cres.waze.com","http": {"url":"cres.waze.com\/newVconfig\/1.0\/3\/lang.conf?rtserver-id=15","code":0,"content_type":"","user_agent":"\/3.9.4.0"}}} 01026{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":203,"source":"waze.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1435587872702798,"flow_src_last_pkt_time":1435587872706862,"flow_dst_last_pkt_time":1435587872706630,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":150,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":152,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1435587872706862,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"54.230.227.172","src_port":45554,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Waze","proto_id":"7.135","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"cres.waze.com","http": {"url":"cres.waze.com\/newVconfig\/1.0\/3\/lang.conf?rtserver-id=15","code":0,"content_type":"","user_agent":"\/3.9.4.0"}}} -01882{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":227,"source":"waze.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587867755556,"flow_src_last_pkt_time":1435587873023451,"flow_dst_last_pkt_time":1435587873023894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":11779,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":60924,"midstream":0,"thread_ts_usec":1435587873023894,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"65.39.128.135","src_port":54915,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2041,"avg":339878.5,"max":3680611,"stddev":884676.9,"var":782653259776.0,"ent":2.8,"data": [3747,3915,21835,22372,3677989,3680611,286073,284297,338879,393453,330278,329396,54620,2041,179324,179523,2610,51219,50746,3092,28507,76268,51141,51323,122745,73523,10248,59104,52582,58295,56477]},"pktlen": {"min":54,"avg":1966.7,"max":11833,"stddev":3090.5,"var":9551439.0,"ent":3.5,"data": [74,54,54,317,54,1422,54,2790,54,5526,54,8262,54,2687,54,1422,54,1422,54,9630,54,2790,54,5526,54,5526,54,2790,54,11833,54,54]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,10]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} -01586{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":236,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":169,"avg":289408.8,"max":1658841,"stddev":505049.6,"var":255075106816.0,"ent":3.3,"data": [1230,10859,357221,367097,474392,475318,8069,9038,265872,317654,51992,865,554,304,254,1430075,1483289,119461,172808,51439,51948,1420,901,467,433,340,381,1601922,1658841,169,57061]},"pktlen": {"min":54,"avg":567.8,"max":5515,"stddev":1270.8,"var":1615041.0,"ent":3.1,"data": [74,54,54,236,54,3201,54,380,54,288,203,54,590,54,115,54,5515,54,203,54,590,54,590,54,590,54,115,54,4411,54,203,54]},"bins": {"c_to_s": [5,2,0,0,3,1,0,0,0,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1]}} +02281{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":227,"source":"waze.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587867755556,"flow_src_last_pkt_time":1435587873023451,"flow_dst_last_pkt_time":1435587873023894,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":263,"flow_dst_max_l4_payload_len":11779,"flow_src_tot_l4_payload_len":263,"flow_dst_tot_l4_payload_len":60924,"midstream":0,"thread_ts_usec":1435587873023894,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"65.39.128.135","src_port":54915,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":2041,"avg":339878.5,"max":3680611,"stddev":884676.9,"var":782653259776.0,"ent":2.8,"data": [3747,3915,21835,22372,3677989,3680611,286073,284297,338879,393453,330278,329396,54620,2041,179324,179523,2610,51219,50746,3092,28507,76268,51141,51323,122745,73523,10248,59104,52582,58295,56477]},"pktlen": {"min":40,"avg":1952.7,"max":11819,"stddev":3090.5,"var":9551440.0,"ent":3.5,"data": [60,40,40,303,40,1408,40,2776,40,5512,40,8248,40,2673,40,1408,40,1408,40,9616,40,2776,40,5512,40,5512,40,2776,40,11819,40,40]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,10]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.427644730,4.730641365,4.680641174,5.499622345,4.630641460,7.039453506,4.630641460,6.947220325,4.630641460,5.584113598,4.680641174,6.835184574,4.680641174,6.998500347,4.580641747,3.024588346,4.630641460,6.950185776,4.730640888,6.195324898,4.680641651,6.552656651,4.680641174,1.660765886,4.730641365,1.651001215,4.730640888,1.384768248,4.611768723,1.660717368,4.680640697,4.680641174]},"ndpi": {"flow_risk": {"4": {"risk":"Binary App Transfer","severity":"Severe","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":7,"category":"Download"}} +01985{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":236,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":169,"avg":289408.8,"max":1658841,"stddev":505049.6,"var":255075106816.0,"ent":3.3,"data": [1230,10859,357221,367097,474392,475318,8069,9038,265872,317654,51992,865,554,304,254,1430075,1483289,119461,172808,51439,51948,1420,901,467,433,340,381,1601922,1658841,169,57061]},"pktlen": {"min":40,"avg":553.8,"max":5501,"stddev":1270.8,"var":1615041.0,"ent":3.0,"data": [60,40,40,222,40,3187,40,366,40,274,189,40,576,40,101,40,5501,40,189,40,576,40,576,40,576,40,101,40,4397,40,189,40]},"bins": {"c_to_s": [5,2,0,0,3,1,0,0,0,0,1,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,1,0,0,1,0,1,0,1,0,1,0,1,1,0,0,1],"entropies": [4.346510887,4.684184074,4.665311813,5.227974892,4.665312290,7.402610779,4.615312099,7.299519062,4.665312290,7.035841465,6.858353615,4.615312099,7.612000942,4.665312290,6.077723026,4.615312099,7.960921764,4.665311813,6.823141098,4.596440315,7.582696438,4.615312099,7.667782307,4.615312099,7.607909679,4.665312290,6.192669392,4.665312290,7.950992584,4.615312099,6.755126476,4.615312099]}} 01555{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":236,"source":"waze.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868634159,"flow_src_last_pkt_time":1435587873119875,"flow_dst_last_pkt_time":1435587873120117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":5461,"flow_src_tot_l4_payload_len":3221,"flow_dst_tot_l4_payload_len":13199,"midstream":0,"thread_ts_usec":1435587873120117,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36100,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"714ac86d50db68420429ca897688f5f3","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}} 01203{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":247,"source":"waze.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1435587871929480,"flow_src_last_pkt_time":1435587872139946,"flow_dst_last_pkt_time":1435587873486827,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":1368,"flow_src_tot_l4_payload_len":182,"flow_dst_tot_l4_payload_len":1368,"midstream":0,"thread_ts_usec":1435587873486827,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51050,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.AmazonAWS","proto_id":"91.265","encrypted":1,"breed":"Acceptable","category_id":13,"category":"Cloud","hostname":"","tls": {"version":"TLSv1","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA"}}} 01444{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":249,"source":"waze.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1435587871935294,"flow_src_last_pkt_time":1435587872566264,"flow_dst_last_pkt_time":1435587873688799,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":182,"flow_dst_max_l4_payload_len":2111,"flow_src_tot_l4_payload_len":182,"flow_dst_tot_l4_payload_len":3479,"midstream":0,"thread_ts_usec":1435587873688799,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.103.105","src_port":51051,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.waze.com","fingerprint":"A9:35:F0:16:17:A3:FD:73:EC:0C:03:24:F8:34:5A:8A:B3:D7:8D:57"}}} @@ -168,10 +168,10 @@ 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":461,"source":"waze.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":1,"flow_src_last_pkt_time":1435587880589106,"flow_dst_last_pkt_time":1435587880589106,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587880589106,"pkt":"ABoRAAACABoRAAABCABFAAAoS15AAEAGGJgKCAAByKAEMew\/Abump6BqWVh1BVAR\/\/\/VjgAA"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":462,"source":"waze.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":2,"flow_src_last_pkt_time":1435587880589106,"flow_dst_last_pkt_time":1435587880589338,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587880589338,"pkt":"ABoRAAACABoRAAABCABFAAAodVJAABAGHqTIoAQxCggAAQG77D9ZWHUFpqega1AQ\/\/\/VjgAA"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":463,"source":"waze.pcap","alias":"nDPId-test","flow_id":30,"flow_packet_id":3,"flow_src_last_pkt_time":1435587880589106,"flow_dst_last_pkt_time":1435587880589665,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587880589665,"pkt":"ABoRAAACABoRAAABCABFAAAodVNAABAGHqPIoAQxCggAAQG77D9ZWHUFpqega1AR\/\/\/VjQAA"} -01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587878215938,"flow_src_last_pkt_time":1435587880855977,"flow_dst_last_pkt_time":1435587880856912,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":21888,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":56070,"midstream":0,"thread_ts_usec":1435587880856912,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":475,"avg":170355.3,"max":415925,"stddev":135089.4,"var":18249146368.0,"ent":4.4,"data": [1325,1585,226918,227495,336533,387205,51299,1169,297221,297772,252519,309444,358705,415925,755,475,490,567,254342,305451,51846,52474,211304,161331,247956,249119,81326,79510,208662,209727,563]},"pktlen": {"min":54,"avg":1838.8,"max":21942,"stddev":4660.8,"var":21723254.0,"ent":2.6,"data": [74,54,54,236,54,1422,54,2177,54,188,54,288,54,203,54,590,54,77,54,1422,54,12366,54,5526,54,21942,54,11359,54,54,54,54]},"bins": {"c_to_s": [12,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01604{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":492,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":330,"avg":191882.9,"max":1449192,"stddev":279549.5,"var":78147936256.0,"ent":3.8,"data": [2413,2787,291811,292494,279839,332432,52742,50748,425063,475681,259886,310653,731,51371,620,734,450,330,293909,545953,252820,1543,20204,21185,56923,56823,156171,205918,52727,4217,1449192]},"pktlen": {"min":54,"avg":1394.3,"max":11186,"stddev":2994.0,"var":8963944.0,"ent":3.0,"data": [74,54,54,236,54,1066,54,2533,54,188,54,288,54,590,54,403,54,91,54,10174,54,8150,54,1066,54,11186,54,1066,54,6590,54,54]},"bins": {"c_to_s": [12,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0]}} +02283{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":481,"source":"waze.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587878215938,"flow_src_last_pkt_time":1435587880855977,"flow_dst_last_pkt_time":1435587880856912,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":21888,"flow_src_tot_l4_payload_len":1024,"flow_dst_tot_l4_payload_len":56070,"midstream":0,"thread_ts_usec":1435587880856912,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"52.17.114.219","src_port":39021,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":475,"avg":170355.3,"max":415925,"stddev":135089.4,"var":18249146368.0,"ent":4.4,"data": [1325,1585,226918,227495,336533,387205,51299,1169,297221,297772,252519,309444,358705,415925,755,475,490,567,254342,305451,51846,52474,211304,161331,247956,249119,81326,79510,208662,209727,563]},"pktlen": {"min":40,"avg":1824.8,"max":21928,"stddev":4660.8,"var":21723256.0,"ent":2.6,"data": [60,40,40,222,40,1408,40,2163,40,174,40,274,40,189,40,576,40,63,40,1408,40,12352,40,5512,40,21928,40,11345,40,40,40,40]},"bins": {"c_to_s": [12,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,0,1,1],"entropies": [4.438340664,4.834184170,4.684184074,5.259868145,4.715312481,7.222858906,4.734184265,7.563067913,4.665312290,6.516509533,4.784184456,7.076688766,4.734184265,6.928961754,4.784184456,7.607337475,4.734184265,5.572360516,4.734184265,7.872128963,4.734184265,7.984007359,4.734184265,7.969620705,4.634184361,7.992324829,4.734184265,7.982760429,4.734183788,4.665311813,4.684184074,4.734184265]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02003{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":492,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":330,"avg":191882.9,"max":1449192,"stddev":279549.5,"var":78147936256.0,"ent":3.8,"data": [2413,2787,291811,292494,279839,332432,52742,50748,425063,475681,259886,310653,731,51371,620,734,450,330,293909,545953,252820,1543,20204,21185,56923,56823,156171,205918,52727,4217,1449192]},"pktlen": {"min":40,"avg":1380.3,"max":11172,"stddev":2994.0,"var":8963944.0,"ent":2.9,"data": [60,40,40,222,40,1052,40,2519,40,174,40,274,40,576,40,389,40,77,40,10160,40,8136,40,1052,40,11172,40,1052,40,6576,40,40]},"bins": {"c_to_s": [12,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,0],"entropies": [4.438340187,4.834184170,4.784184456,5.232826710,4.734184265,7.011441231,4.784184456,7.575597763,4.634184361,6.629845142,4.684184074,7.007690430,4.734184742,7.624808311,4.784184456,7.415266037,4.734184742,5.664109230,4.734184265,7.981531620,4.784184456,7.979642391,4.734184265,7.801960945,4.715312004,7.982071400,4.834183693,7.818040848,4.834183693,7.971698284,4.715311527,4.765311718]}} 01461{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":492,"source":"waze.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1435587878606407,"flow_src_last_pkt_time":1435587882306533,"flow_dst_last_pkt_time":1435587880854651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":11132,"flow_src_tot_l4_payload_len":1238,"flow_dst_tot_l4_payload_len":41633,"midstream":0,"thread_ts_usec":1435587882306533,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"176.34.186.180","src_port":36312,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","tls": {"version":"TLSv1","server_names":"*.world.waze.com","ja3":"f392f120f1087cd2f8814539cf58cfa4","ja3s":"39f74f5618836d3c5f7dcccc9f67ba75","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA","issuerDN":"C=US, O=Google Inc, CN=Google Internet Authority G2","subjectDN":"C=US, ST=California, L=Mountain View, O=Google Inc, CN=*.world.waze.com","fingerprint":"30:50:FA:42:94:E4:1A:34:9B:23:55:CB:7B:F2:0D:76:FA:1C:58:4B"}}} -01990{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":518,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868635666,"flow_src_last_pkt_time":1435587884544120,"flow_dst_last_pkt_time":1435587884544651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":501,"flow_dst_max_l4_payload_len":3606,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":8366,"midstream":0,"thread_ts_usec":1435587884544651,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":413,"avg":1026369.1,"max":5890947,"stddev":1778823.2,"var":3164212035584.0,"ent":3.4,"data": [9060,9459,461199,462055,319157,370793,51463,554,58722,59273,267346,318521,5838678,5890947,1921,3057,232692,285896,1892628,1892382,50926,52168,293028,345106,632,413,1258587,1309974,5014758,5014527,51517]},"pktlen": {"min":54,"avg":366.1,"max":3660,"stddev":731.9,"var":535720.0,"ent":3.5,"data": [74,54,54,236,54,1066,54,2189,54,380,54,288,54,235,54,555,54,107,54,1066,54,3660,54,203,54,315,54,331,54,91,54,54]},"bins": {"c_to_s": [10,0,0,0,1,2,0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02388{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":518,"source":"waze.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1435587868635666,"flow_src_last_pkt_time":1435587884544120,"flow_dst_last_pkt_time":1435587884544651,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":501,"flow_dst_max_l4_payload_len":3606,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":8366,"midstream":0,"thread_ts_usec":1435587884544651,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36102,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":413,"avg":1026369.1,"max":5890947,"stddev":1778823.2,"var":3164212035584.0,"ent":3.4,"data": [9060,9459,461199,462055,319157,370793,51463,554,58722,59273,267346,318521,5838678,5890947,1921,3057,232692,285896,1892628,1892382,50926,52168,293028,345106,632,413,1258587,1309974,5014758,5014527,51517]},"pktlen": {"min":40,"avg":352.1,"max":3646,"stddev":731.9,"var":535720.0,"ent":3.4,"data": [60,40,40,222,40,1052,40,2175,40,366,40,274,40,221,40,541,40,93,40,1052,40,3646,40,189,40,301,40,317,40,77,40,40]},"bins": {"c_to_s": [10,0,0,0,1,2,0,0,1,0,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,2,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,1],"entropies": [4.325758457,4.734184265,4.684184074,5.244800568,4.615312099,7.020944595,4.734184265,7.476994514,4.634184361,7.276714802,4.665312290,7.041373253,4.734184265,6.961156845,4.734184265,7.528326035,4.684184551,6.083172798,4.734184265,7.792463779,4.734184265,7.940383911,4.734184265,6.823890686,4.734184265,7.240302563,4.734184265,7.320995331,4.734184265,5.654304981,4.615312099,4.665312290]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Waze","proto_id":"91.135","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00748{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":532,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1435587894241434,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894241434,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1435587894241434,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"46.51.173.182","src_port":36134,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":532,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894241434,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1435587894241434,"pkt":"ABoRAAACABoRAAABCABFAAA87+5AAEAGZNsKCAABLjOtto0mAbvDfJnqAAAAAKAC\/\/\/\/twAAAgQFtAQCCAoACHYEAAAAAAEDAwg="} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":533,"source":"waze.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":2,"flow_src_last_pkt_time":1435587894241434,"flow_dst_last_pkt_time":1435587894244164,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1435587894244164,"pkt":"ABoRAAACABoRAAABCABFAAAodXFAABAGD20uM622CggAAQG7jSY8g2YVw3yZ61AS\/\/86\/gAA"} @@ -242,10 +242,10 @@ ~~ total active/idle flows...: 33/33 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6397370 bytes -~~ total memory freed........: 6397370 bytes -~~ total allocations/frees...: 122551/122551 +~~ total memory allocated....: 6401858 bytes +~~ total memory freed........: 6401858 bytes +~~ total allocations/frees...: 122584/122584 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 489 chars -~~ json string max len.......: 1995 chars -~~ json string avg len.......: 1242 chars +~~ json string max len.......: 2393 chars +~~ json string avg len.......: 1441 chars diff --git a/test/results/webex.pcap.out b/test/results/webex.pcap.out index 9073c8845..725d777e5 100644 --- a/test/results/webex.pcap.out +++ b/test/results/webex.pcap.out @@ -6,7 +6,7 @@ 00505{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1444570624860575,"flow_dst_last_pkt_time":1444570624860347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570624860575,"pkt":"ABoRAAACABoRAAABCABFAAAoOXRAAEAGTagKCAABQERpZ6GCAbtPGIcNsOd49FAQOQgf2QAA"} 01161{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570624860735,"flow_dst_last_pkt_time":1444570624860347,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":195,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570624860735,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01518{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570625418062,"flow_dst_last_pkt_time":1444570625424499,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":195,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":195,"flow_dst_tot_l4_payload_len":3939,"midstream":0,"thread_ts_usec":1444570625424499,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","server_names":"*.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}} -01577{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":160,"avg":112724.9,"max":557327,"stddev":156273.3,"var":24421341184.0,"ent":3.7,"data": [6506,6734,160,592,505708,557327,57852,60147,905,55625,257454,309311,10052,61432,845,730,299224,351252,55954,56159,800,52876,398,2835,268644,322298,52259,51930,18450,69467,546]},"pktlen": {"min":54,"avg":401.9,"max":2774,"stddev":588.9,"var":346810.6,"ent":3.9,"data": [74,54,54,249,54,2774,54,1273,54,364,54,97,54,590,54,138,54,1414,54,823,54,590,54,328,54,1414,54,762,54,590,54,518]},"bins": {"c_to_s": [9,0,1,0,0,0,1,0,1,1,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0]}} +01976{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":160,"avg":112724.9,"max":557327,"stddev":156273.3,"var":24421341184.0,"ent":3.7,"data": [6506,6734,160,592,505708,557327,57852,60147,905,55625,257454,309311,10052,61432,845,730,299224,351252,55954,56159,800,52876,398,2835,268644,322298,52259,51930,18450,69467,546]},"pktlen": {"min":40,"avg":387.9,"max":2760,"stddev":588.9,"var":346810.6,"ent":3.8,"data": [60,40,40,235,40,2760,40,1259,40,350,40,83,40,576,40,124,40,1400,40,809,40,576,40,314,40,1400,40,748,40,576,40,504]},"bins": {"c_to_s": [9,0,1,0,0,0,1,0,1,1,0,0,0,0,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,2,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,0,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,0,1,0],"entropies": [4.446510792,4.665312290,4.665311813,5.481472969,4.665312290,7.284092903,4.765311718,7.073906422,4.661769390,7.186378956,4.565312386,5.608655453,4.561769009,7.664141655,4.515312195,6.329119682,4.565312386,7.871033669,4.715311527,7.782140255,4.765311718,7.598457336,4.615312099,7.304864407,4.665312290,7.852759361,4.665311813,7.733906269,4.715312004,7.600008011,4.511769772,7.572229862]}} 01522{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":32,"source":"webex.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1444570624853841,"flow_src_last_pkt_time":1444570626601155,"flow_dst_last_pkt_time":1444570626600999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":2720,"flow_src_tot_l4_payload_len":2935,"flow_dst_tot_l4_payload_len":8179,"midstream":0,"thread_ts_usec":1444570626601155,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41346,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","server_names":"*.webex.com","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}} 00747{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":50,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570627404164,"flow_src_last_pkt_time":1444570627404164,"flow_dst_last_pkt_time":1444570627404164,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570627404164,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":50,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1444570627404164,"flow_dst_last_pkt_time":1444570627404164,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570627404164,"pkt":"ABoRAAACABoRAAABCABFAAA8hnNAAEAGAJUKCAABQERpZ6GEAbuwMDkNAAAAAKACOQgO\/QAAAgQFtAQCCAoATL9+AAAAAAEDAwY="} @@ -26,7 +26,7 @@ 01162{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":89,"source":"webex.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570628117770,"flow_src_last_pkt_time":1444570628122668,"flow_dst_last_pkt_time":1444570628121468,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570628122668,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41351,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01206{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":104,"source":"webex.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1444570628113579,"flow_src_last_pkt_time":1444570628121998,"flow_dst_last_pkt_time":1444570628514304,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1444570628514304,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41350,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}} 01208{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":106,"source":"webex.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1444570628117770,"flow_src_last_pkt_time":1444570628122668,"flow_dst_last_pkt_time":1444570628565912,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":129,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":129,"midstream":0,"thread_ts_usec":1444570628565912,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41351,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"radcom.webex.com","tls": {"version":"TLSv1.2","ja3":"f9010d8c34749bdf7659b52227e6f91b","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}} -01884{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":129,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570627404164,"flow_src_last_pkt_time":1444570629212279,"flow_dst_last_pkt_time":1444570629155254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":17966,"flow_src_tot_l4_payload_len":2270,"flow_dst_tot_l4_payload_len":46819,"midstream":0,"thread_ts_usec":1444570629212279,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":156,"avg":114813.1,"max":455330,"stddev":125812.7,"var":15828844544.0,"ent":4.1,"data": [5615,6788,156,1539,404661,455330,597,51300,245810,245870,436,307,223296,274841,51601,360,302,283113,286107,84087,131768,50921,51207,56841,56675,181041,181034,56067,58557,54529,58449]},"pktlen": {"min":54,"avg":1588.7,"max":18020,"stddev":3700.1,"var":13691056.0,"ent":2.9,"data": [74,54,54,281,54,183,54,97,54,590,54,533,54,1658,590,54,503,54,6854,54,1414,54,9477,54,1414,54,1414,54,18020,54,6871,54]},"bins": {"c_to_s": [10,1,0,0,0,0,0,1,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02283{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":129,"source":"webex.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570627404164,"flow_src_last_pkt_time":1444570629212279,"flow_dst_last_pkt_time":1444570629155254,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":17966,"flow_src_tot_l4_payload_len":2270,"flow_dst_tot_l4_payload_len":46819,"midstream":0,"thread_ts_usec":1444570629212279,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41348,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":156,"avg":114813.1,"max":455330,"stddev":125812.7,"var":15828844544.0,"ent":4.1,"data": [5615,6788,156,1539,404661,455330,597,51300,245810,245870,436,307,223296,274841,51601,360,302,283113,286107,84087,131768,50921,51207,56841,56675,181041,181034,56067,58557,54529,58449]},"pktlen": {"min":40,"avg":1574.7,"max":18006,"stddev":3700.1,"var":13691057.0,"ent":2.9,"data": [60,40,40,267,40,169,40,83,40,576,40,519,40,1644,576,40,489,40,6840,40,1400,40,9463,40,1400,40,1400,40,18006,40,6857,40]},"bins": {"c_to_s": [10,1,0,0,0,0,0,1,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,5]},"directions": [0,1,0,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [4.356566429,4.715312004,4.561769009,5.864259720,4.665312290,6.372766018,4.661769390,5.627577305,4.615312099,7.622731686,4.665312290,7.582412243,4.665312290,7.886265755,7.619030476,4.596440315,7.578122616,4.665312290,7.973325729,4.580641270,7.853340149,4.611769199,7.978787899,4.611769199,7.859783649,4.661769390,7.879327297,4.611769199,7.990196228,4.611769199,7.971776009,4.661769390]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":167,"source":"webex.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570630272557,"flow_src_last_pkt_time":1444570630272557,"flow_dst_last_pkt_time":1444570630272557,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1444570630272557,"l3_proto":"ip4","src_ip":"10.133.206.47","dst_ip":"185.63.147.10","src_port":54651,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":167,"source":"webex.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1444570630272557,"flow_dst_last_pkt_time":1444570630272557,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1444570630272557,"pkt":"ABoRAAACABoRAAABCABFAAA0ymtAAEAGS1oKhc4vuT+TCtV7Abs2TX647AAfvYARAZp5QwAAAQEICgBMwJ1XHSbf"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":168,"source":"webex.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":2,"flow_src_last_pkt_time":1444570630272557,"flow_dst_last_pkt_time":1444570630272755,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570630272755,"pkt":"ABoRAAACABoRAAABCABFAAAoAWBAABAGRHK5P5MKCoXOLwG71XvsAB+9Nk1+uVAQ\/\/\/y2gAA"} @@ -53,7 +53,7 @@ 00507{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":220,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1444570633360483,"flow_dst_last_pkt_time":1444570633360351,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570633360483,"pkt":"ABoRAAACABoRAAABCABFAAAo7DFAAEAGmuoKCAABQERpZ6GOAbtaKC3jpdfSHlAQOQgfzQAA"} 01138{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":221,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570633362374,"flow_dst_last_pkt_time":1444570633360351,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":63,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":63,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570633362374,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01602{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":225,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570633810470,"flow_dst_last_pkt_time":1444570633811592,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":63,"flow_dst_max_l4_payload_len":2579,"flow_src_tot_l4_payload_len":63,"flow_dst_tot_l4_payload_len":3939,"midstream":0,"thread_ts_usec":1444570633811592,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","server_names":"*.webex.com","ja3":"7cb93b2404a98399e9f84c74fef1fb8f","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}} -01985{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":249,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570635772189,"flow_dst_last_pkt_time":1444570635721813,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":8847,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":33212,"midstream":0,"thread_ts_usec":1444570635772189,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":383,"avg":154174.4,"max":1031495,"stddev":247176.8,"var":61096366080.0,"ent":3.8,"data": [3053,3185,1891,2192,397016,448096,52033,52145,383,52378,209850,261823,51847,1288,975,979869,1031495,52580,53500,94069,93832,53071,53864,119063,117547,148351,147839,51431,51376,96737,96627]},"pktlen": {"min":54,"avg":1122.5,"max":8901,"stddev":2294.9,"var":5266404.0,"ent":3.2,"data": [74,54,54,117,54,1414,54,2633,54,380,54,113,590,54,88,54,1414,54,8171,54,1414,54,8901,54,187,54,1414,54,6731,54,1414,54]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,4]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02383{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":249,"source":"webex.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570633357298,"flow_src_last_pkt_time":1444570635772189,"flow_dst_last_pkt_time":1444570635721813,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":8847,"flow_src_tot_l4_payload_len":959,"flow_dst_tot_l4_payload_len":33212,"midstream":0,"thread_ts_usec":1444570635772189,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"64.68.105.103","src_port":41358,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":383,"avg":154174.4,"max":1031495,"stddev":247176.8,"var":61096366080.0,"ent":3.8,"data": [3053,3185,1891,2192,397016,448096,52033,52145,383,52378,209850,261823,51847,1288,975,979869,1031495,52580,53500,94069,93832,53071,53864,119063,117547,148351,147839,51431,51376,96737,96627]},"pktlen": {"min":40,"avg":1108.5,"max":8887,"stddev":2294.9,"var":5266403.5,"ent":3.1,"data": [60,40,40,103,40,1400,40,2619,40,366,40,99,576,40,74,40,1400,40,8157,40,1400,40,8887,40,173,40,1400,40,6717,40,1400,40]},"bins": {"c_to_s": [12,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,0,0,4]},"directions": [0,1,0,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [4.446510792,4.665312290,4.665311813,5.339869976,4.565312386,7.238214016,4.665312290,7.216020107,4.615311623,7.281401634,4.615312576,5.978787422,7.616997242,4.515312195,5.692360401,4.565312386,7.861890793,4.665311813,7.976788044,4.665311813,7.858300209,4.715312004,7.979997158,4.665311813,6.756694794,4.615312099,7.862811089,4.611769199,7.975809574,4.715312004,7.874713421,4.715312004]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":256,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570636151328,"flow_src_last_pkt_time":1444570636151328,"flow_dst_last_pkt_time":1444570636151328,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570636151328,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"114.29.213.212","src_port":41726,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":256,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1444570636151328,"flow_dst_last_pkt_time":1444570636151328,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570636151328,"pkt":"ABoRAAACABoRAAABCABFAAA8tbVAAEAGMwwKCAABch3V1KL+AbsYGndcAAAAAKACOQjFmAAAAgQFtAQCCAoATMLpAAAAAAEDAwY="} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":257,"source":"webex.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1444570636151328,"flow_dst_last_pkt_time":1444570636154295,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570636154295,"pkt":"ABoRAAACABoRAAABCABFAAAoAY1AABAGF0lyHdXUCggAAQG7ov7n5YijGBp3XVAS\/\/+5HQAA"} @@ -222,9 +222,9 @@ 00511{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":663,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":2,"flow_src_last_pkt_time":1444570674487975,"flow_dst_last_pkt_time":1444570674499448,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570674499448,"pkt":"ABoRAAACABoRAAABCABFAAAoAklAABAGsB2t8wBuCggAAQG72XFdISYDot7Z\/VAS\/\/8cOwAA"} 00508{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":664,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1444570674500159,"flow_dst_last_pkt_time":1444570674499448,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570674500159,"pkt":"ABoRAAACABoRAAABCABFAAAoCB9AAEAGekcKCAABrfMAbtlxAbui3tn9XSEmBFAQOQjjMwAA"} 01141{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":665,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1444570674487975,"flow_src_last_pkt_time":1444570674600509,"flow_dst_last_pkt_time":1444570674499448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570674600509,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55665,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} -01995{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":670,"source":"webex.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669745822,"flow_src_last_pkt_time":1444570675008962,"flow_dst_last_pkt_time":1444570675008306,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":10527,"flow_src_tot_l4_payload_len":863,"flow_dst_tot_l4_payload_len":17665,"midstream":0,"thread_ts_usec":1444570675008962,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51155,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":339536.2,"max":2214636,"stddev":547768.4,"var":300050219008.0,"ent":3.7,"data": [14198,16626,142,3176,966820,968167,50625,52096,160025,217339,56893,151808,203416,506402,456173,506119,506174,257962,307348,51007,1799,210726,261737,55501,54303,51893,51311,2214636,2165090,3222,2890]},"pktlen": {"min":54,"avg":633.6,"max":10581,"stddev":1915.7,"var":3669828.5,"ent":2.6,"data": [74,54,54,117,54,3961,54,380,54,113,528,54,272,54,1024,54,10581,54,171,54,288,54,123,54,219,54,399,54,560,54,602,54]},"bins": {"c_to_s": [13,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,1,1,0,1,1,1,0,0,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02393{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":670,"source":"webex.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669745822,"flow_src_last_pkt_time":1444570675008962,"flow_dst_last_pkt_time":1444570675008306,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":474,"flow_dst_max_l4_payload_len":10527,"flow_src_tot_l4_payload_len":863,"flow_dst_tot_l4_payload_len":17665,"midstream":0,"thread_ts_usec":1444570675008962,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51155,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":339536.2,"max":2214636,"stddev":547768.4,"var":300050219008.0,"ent":3.7,"data": [14198,16626,142,3176,966820,968167,50625,52096,160025,217339,56893,151808,203416,506402,456173,506119,506174,257962,307348,51007,1799,210726,261737,55501,54303,51893,51311,2214636,2165090,3222,2890]},"pktlen": {"min":40,"avg":619.6,"max":10567,"stddev":1915.7,"var":3669828.5,"ent":2.5,"data": [60,40,40,103,40,3947,40,366,40,99,514,40,258,40,1010,40,10567,40,157,40,274,40,109,40,205,40,385,40,546,40,588,40]},"bins": {"c_to_s": [13,1,0,0,0,0,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,1,1,0,1,1,1,0,0,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0],"entropies": [4.471673965,4.784184456,4.784183979,5.354527950,4.684184074,7.260420322,4.784183979,7.246551991,4.734184265,5.886437893,7.525208473,4.734184265,7.158136368,4.734184265,7.747338772,4.784183979,7.959521770,4.784183979,6.617527962,4.784183979,7.154652596,4.834184170,6.117394924,4.834184170,6.934138775,4.784184456,7.251028061,4.734184742,7.541121960,4.784183979,7.600737572,4.834183693]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01605{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":671,"source":"webex.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1444570674487975,"flow_src_last_pkt_time":1444570674600509,"flow_dst_last_pkt_time":1444570675110598,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":187,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":187,"flow_dst_tot_l4_payload_len":3907,"midstream":0,"thread_ts_usec":1444570675110598,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.243.0.110","src_port":55665,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","tls": {"version":"TLSv1","server_names":"*.webex.com","ja3":"64ea4359ad4b496db653a3f30f7073e6","ja3s":"91589ea825a2ee41810c85fab06d2ef6","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_CBC_SHA","issuerDN":"C=US, O=Symantec Corporation, OU=Symantec Trust Network, CN=Symantec Class 3 Secure Server CA - G4","subjectDN":"C=us, ST=California, L=San Jose, O=Cisco Systems, Inc., OU=CSG, CN=*.webex.com","fingerprint":"61:C9:DE:EE:FA:AE:DC:17:A0:36:B9:68:F9:17:F6:5A:90:7B:14:E1"}}} -01969{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":675,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669736143,"flow_src_last_pkt_time":1444570675113022,"flow_dst_last_pkt_time":1444570675113218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":4673,"flow_dst_tot_l4_payload_len":3966,"midstream":0,"thread_ts_usec":1444570675113218,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51154,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":309,"avg":346901.8,"max":2270107,"stddev":598058.5,"var":357673959424.0,"ent":3.3,"data": [9053,24144,367,16512,915259,917382,50710,52699,154574,206585,52440,7882,9392,3319,2120,963298,961965,473,411,393,309,561975,562100,368561,368512,670,601,2270083,2270107,1037,1021]},"pktlen": {"min":54,"avg":324.6,"max":3961,"stddev":685.4,"var":469733.5,"ent":3.6,"data": [74,54,54,117,54,3961,54,380,54,113,560,54,590,54,136,54,590,54,590,54,400,54,400,54,590,54,168,54,590,54,264,54]},"bins": {"c_to_s": [3,1,1,1,0,0,1,0,0,0,3,0,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02367{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":675,"source":"webex.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570669736143,"flow_src_last_pkt_time":1444570675113022,"flow_dst_last_pkt_time":1444570675113218,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":536,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":4673,"flow_dst_tot_l4_payload_len":3966,"midstream":0,"thread_ts_usec":1444570675113218,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51154,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":309,"avg":346901.8,"max":2270107,"stddev":598058.5,"var":357673959424.0,"ent":3.3,"data": [9053,24144,367,16512,915259,917382,50710,52699,154574,206585,52440,7882,9392,3319,2120,963298,961965,473,411,393,309,561975,562100,368561,368512,670,601,2270083,2270107,1037,1021]},"pktlen": {"min":40,"avg":310.6,"max":3947,"stddev":685.4,"var":469733.5,"ent":3.5,"data": [60,40,40,103,40,3947,40,366,40,99,546,40,576,40,122,40,576,40,576,40,386,40,386,40,576,40,154,40,576,40,250,40]},"bins": {"c_to_s": [3,1,1,1,0,0,1,0,0,0,3,0,0,0,0,1,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.446510792,4.734184742,4.596439362,5.373945713,4.734184742,7.261288166,4.765311718,7.251562119,4.784184456,6.015275955,7.613259315,4.784184456,7.593419075,4.784184456,6.485950947,4.784184456,7.627359390,4.784184456,7.574399471,4.784184456,7.380361080,4.784184456,7.422137737,4.734184265,7.643012047,4.734184265,6.542441368,4.734184265,7.559129715,4.734184265,7.015539169,4.784184456]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00750{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":736,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570675941714,"flow_src_last_pkt_time":1444570675941714,"flow_dst_last_pkt_time":1444570675941714,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570675941714,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51833,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":736,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1444570675941714,"flow_dst_last_pkt_time":1444570675941714,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570675941714,"pkt":"ABoRAAACABoRAAABCABFAAA8SaRAAEAGwwMKCAABPm3lnsp5AbteGJvVAAAAAKACOQhIBAAAAgQFtAQCCAoATNJxAAAAAAEDAwY="} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":737,"source":"webex.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":2,"flow_src_last_pkt_time":1444570675941714,"flow_dst_last_pkt_time":1444570675945842,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570675945842,"pkt":"ABoRAAACABoRAAABCABFAAAoAm5AABAGOk4+beWeCggAAQG7ynmh52QqXhib1lAS\/\/+1iAAA"} @@ -310,7 +310,7 @@ 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1491,"source":"webex.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":1,"flow_src_last_pkt_time":1444570719041198,"flow_dst_last_pkt_time":1444570719041198,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570719041198,"pkt":"ABoRAAACABoRAAABCABFAAA8mB5AAEAGdIkKCAABPm3lnsqTAbu3\/XtaAAAAAKACOQj9rAAAAgQFtAQCCAoATONEAAAAAAEDAwY="} 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1492,"source":"webex.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":2,"flow_src_last_pkt_time":1444570719041198,"flow_dst_last_pkt_time":1444570719047347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570719047347,"pkt":"ABoRAAACABoRAAABCABFAAAoA+JAABAGONo+beWeCggAAQG7ypNIAoSlt\/17W1AS\/\/+1bgAA"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1494,"source":"webex.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":3,"flow_src_last_pkt_time":1444570720045734,"flow_dst_last_pkt_time":1444570719047347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570720045734,"pkt":"ABoRAAACABoRAAABCABFAAAoAABAAEAGDLwKCAABPm3lnsqTAbu3\/XtbAAAAAFAEAACCJAAA"} -01977{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1495,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570716599098,"flow_src_last_pkt_time":1444570719040525,"flow_dst_last_pkt_time":1444570720047703,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":378,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":1559,"flow_dst_tot_l4_payload_len":4630,"midstream":0,"thread_ts_usec":1444570720047703,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51857,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":213,"avg":190001.0,"max":1366658,"stddev":352312.5,"var":124124102656.0,"ent":3.4,"data": [4232,4962,6442,7614,1312624,1366658,17526,71444,145665,198977,339,53733,129549,180935,213,51454,121214,172258,51492,51164,125484,176177,50764,50844,546,1023,264310,263832,849,855,1006853]},"pktlen": {"min":54,"avg":248.0,"max":3961,"stddev":677.2,"var":458632.1,"ent":3.2,"data": [74,54,54,241,54,3961,54,380,54,113,54,128,54,91,54,432,54,123,54,543,54,144,54,208,54,176,54,176,54,160,54,123]},"bins": {"c_to_s": [7,0,2,3,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,2,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,1]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02375{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1495,"source":"webex.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1444570716599098,"flow_src_last_pkt_time":1444570719040525,"flow_dst_last_pkt_time":1444570720047703,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":378,"flow_dst_max_l4_payload_len":3907,"flow_src_tot_l4_payload_len":1559,"flow_dst_tot_l4_payload_len":4630,"midstream":0,"thread_ts_usec":1444570720047703,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.229.158","src_port":51857,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":213,"avg":190001.0,"max":1366658,"stddev":352312.5,"var":124124102656.0,"ent":3.4,"data": [4232,4962,6442,7614,1312624,1366658,17526,71444,145665,198977,339,53733,129549,180935,213,51454,121214,172258,51492,51164,125484,176177,50764,50844,546,1023,264310,263832,849,855,1006853]},"pktlen": {"min":40,"avg":234.0,"max":3947,"stddev":677.2,"var":458632.1,"ent":3.1,"data": [60,40,40,227,40,3947,40,366,40,99,40,114,40,77,40,418,40,109,40,529,40,130,40,194,40,162,40,162,40,146,40,109]},"bins": {"c_to_s": [7,0,2,3,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [10,2,2,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]},"directions": [0,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,1,0,0,1,0,1,0,1,0,1,0,1,1],"entropies": [4.459092140,4.834184170,4.784183979,5.220240593,4.734184265,7.263404846,4.784183979,7.281803131,4.784184456,5.980217934,4.834184170,6.198987961,4.784184456,5.680279255,4.834183693,7.512312412,4.784184456,6.181793690,4.784184456,7.433725834,4.784183979,6.433676720,4.784184456,6.824645042,4.734184265,6.550875664,4.634184361,6.555935860,4.784184456,6.391854286,4.734184265,6.211565018]},"ndpi": {"flow_risk": {"7": {"risk":"Obsolete TLS (v1.1 or older)","severity":"High","risk_score": {"total":510,"client":455,"server":55}},"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.Webex","proto_id":"91.141","encrypted":1,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00751{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1527,"source":"webex.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1444570732086555,"flow_src_last_pkt_time":1444570732086555,"flow_dst_last_pkt_time":1444570732086555,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1444570732086555,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"62.109.224.120","src_port":51190,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1527,"source":"webex.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":1,"flow_src_last_pkt_time":1444570732086555,"flow_dst_last_pkt_time":1444570732086555,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1444570732086555,"pkt":"ABoRAAACABoRAAABCABFAAA8h\/tAAEAGidIKCAABPm3geMf2AbvHvWEvAAAAAKACOQgMSwAAAgQFtAQCCAoATObUAAAAAAEDAwY="} 00512{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1528,"source":"webex.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":2,"flow_src_last_pkt_time":1444570732086555,"flow_dst_last_pkt_time":1444570732090067,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1444570732090067,"pkt":"ABoRAAACABoRAAABCABFAAAoA+tAABAGPfc+beB4CggAAQG7x\/Y4Qp7Qx71hMFAS\/\/+9MQAA"} @@ -398,10 +398,10 @@ ~~ total active/idle flows...: 57/57 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6550189 bytes -~~ total memory freed........: 6550189 bytes -~~ total allocations/frees...: 123966/123966 +~~ total memory allocated....: 6557941 bytes +~~ total memory freed........: 6557941 bytes +~~ total allocations/frees...: 124023/124023 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars -~~ json string max len.......: 2067 chars -~~ json string avg len.......: 1278 chars +~~ json string max len.......: 2398 chars +~~ json string avg len.......: 1444 chars diff --git a/test/results/websocket.pcap.out b/test/results/websocket.pcap.out index 6163c258d..fa7498b9c 100644 --- a/test/results/websocket.pcap.out +++ b/test/results/websocket.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037834 bytes -~~ total memory freed........: 6037834 bytes -~~ total allocations/frees...: 121493/121493 +~~ total memory allocated....: 6037970 bytes +~~ total memory freed........: 6037970 bytes +~~ total allocations/frees...: 121494/121494 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars ~~ json string max len.......: 914 chars diff --git a/test/results/wechat.pcap.out b/test/results/wechat.pcap.out index 8c76ba9ad..4b3e45218 100644 --- a/test/results/wechat.pcap.out +++ b/test/results/wechat.pcap.out @@ -87,7 +87,7 @@ 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":131,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_src_last_pkt_time":1492167355723894,"flow_dst_last_pkt_time":1492167356077508,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167356077508,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG700uz8YPYbAqDH6ASN8iq2QAAAgQFoAQCCApFrUFyADC8mAEDAwc="} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":132,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":3,"flow_src_last_pkt_time":1492167356077551,"flow_dst_last_pkt_time":1492167356077508,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167356077551,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0P4dAAEAG1b3AqAFny82XotNLAbtsCoMfs\/GD2YAQAOUQHAAAAQEICgAwvPFFrUFy"} 01049{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":133,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167355723894,"flow_src_last_pkt_time":1492167356077750,"flow_dst_last_pkt_time":1492167356077508,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167356077750,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} -01751{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":141,"source":"wechat.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353687624,"flow_src_last_pkt_time":1492167356095248,"flow_dst_last_pkt_time":1492167356095234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":5826,"flow_src_tot_l4_payload_len":4717,"flow_dst_tot_l4_payload_len":16498,"midstream":0,"thread_ts_usec":1492167356095248,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54089,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":287,"avg":155330.1,"max":410564,"stddev":180667.8,"var":32640860160.0,"ent":3.8,"data": [361610,361650,376,378130,3564,381307,56857,56856,287,287,2657,376606,375028,3327,373835,38287,2818,410564,21157,3298,393374,30885,401110,383706,785,383140,2859,2894,5754,1113,1113]},"pktlen": {"min":66,"avg":729.5,"max":5892,"stddev":1101.2,"var":1212669.5,"ent":3.9,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,233,66,1239,443,66,264,1154,1494,1494,66,1494,1494,66,5892,66]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02150{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":141,"source":"wechat.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353687624,"flow_src_last_pkt_time":1492167356095248,"flow_dst_last_pkt_time":1492167356095234,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":5826,"flow_src_tot_l4_payload_len":4717,"flow_dst_tot_l4_payload_len":16498,"midstream":0,"thread_ts_usec":1492167356095248,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54089,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":287,"avg":155330.1,"max":410564,"stddev":180667.8,"var":32640860160.0,"ent":3.8,"data": [361610,361650,376,378130,3564,381307,56857,56856,287,287,2657,376606,375028,3327,373835,38287,2818,410564,21157,3298,393374,30885,401110,383706,785,383140,2859,2894,5754,1113,1113]},"pktlen": {"min":52,"avg":715.5,"max":5878,"stddev":1101.2,"var":1212669.6,"ent":3.9,"data": [60,60,52,290,52,1480,52,1480,52,312,52,178,103,1292,527,52,1480,219,52,1225,429,52,250,1140,1480,1480,52,1480,1480,52,5878,52]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [4,1,0,0,0,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,1,1,0,1,1,0,1,0],"entropies": [4.726680756,5.187538624,5.014835835,5.834213257,5.171407223,6.822011948,4.961856842,7.516278267,5.025067806,7.308955193,4.986606121,6.311928749,5.841652393,7.825830460,7.553427219,5.094483852,7.883197308,6.999384403,4.986606121,7.834380150,7.373102665,5.171406746,7.071372032,7.838574886,7.869080067,7.888019085,4.948144436,7.880359650,7.858109951,5.025067806,7.967877865,5.132945538]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 01109{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":151,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167355723894,"flow_src_last_pkt_time":1492167356077750,"flow_dst_last_pkt_time":1492167356488969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167356488969,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01643{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":153,"source":"wechat.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167355723894,"flow_src_last_pkt_time":1492167356489000,"flow_dst_last_pkt_time":1492167356489253,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167356489253,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54091,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} 00603{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":167,"source":"wechat.pcap","alias":"nDPId-test","flow_id":6,"flow_packet_id":3,"flow_src_last_pkt_time":1492167345896252,"flow_dst_last_pkt_time":1492167360622900,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":121,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":121,"pkt_l4_len":87,"thread_ts_usec":1492167360622900,"pkt":"eJKcD6iO8IQvSpdgCABFoABrfSgAADcGnizYOs1OwKgBZwG7ugsgLP3V+HJvr4AYAV2wggAAAQEICvap78EAL9cAFwMDADI7\/WDixcApjMc4oo49oFJiwuyoshtW5rSqz9ahoHcSOkzcmjO3CkNO6pgK6XLAf2uLNg=="} @@ -132,9 +132,9 @@ 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":303,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167382020263,"flow_src_last_pkt_time":1492167382020263,"flow_dst_last_pkt_time":1492167382020263,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167382020263,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.211","src_port":40740,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00509{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":303,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":1,"flow_src_last_pkt_time":1492167382020263,"flow_dst_last_pkt_time":1492167382020263,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1492167382020263,"pkt":"8IQvSpdgeJKcD6iOCABFAAAokulAAEAGgjbAqAFny82X058kAbutvz98aYB+jlAQAdESKQAA"} 00518{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":304,"source":"wechat.pcap","alias":"nDPId-test","flow_id":25,"flow_packet_id":2,"flow_src_last_pkt_time":1492167382020263,"flow_dst_last_pkt_time":1492167382374842,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":20,"thread_ts_usec":1492167382374842,"pkt":"eJKcD6iO8IQvSpdgCABFoAAoL8xAAC4G9rPLzZfTwKgBZwG7nyRpgH6Orb8\/fVAQAIMTdgAAAADZK2u8"} -01763{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"wechat.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378674770,"flow_src_last_pkt_time":1492167386718697,"flow_dst_last_pkt_time":1492167385566065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8227,"flow_dst_tot_l4_payload_len":6835,"midstream":0,"thread_ts_usec":1492167386718697,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54094,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":435,"avg":481781.3,"max":4544256,"stddev":1044110.9,"var":1090167570432.0,"ent":3.2,"data": [359228,359315,435,360585,1948,362066,491,468,3580,359717,357128,3318,369214,32832,2766,400529,15038,3260,381959,38044,403106,2395,369120,36996,438834,4139732,3287,4544256,34139,398836,1152600]},"pktlen": {"min":66,"avg":537.2,"max":1754,"stddev":556.0,"var":309130.7,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,235,66,1239,443,66,264,1306,541,66,1002,66,1306,541,66,1003,66,1234]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01762{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":335,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378926091,"flow_src_last_pkt_time":1492167387133549,"flow_dst_last_pkt_time":1492167385164247,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":8225,"flow_src_tot_l4_payload_len":6431,"flow_dst_tot_l4_payload_len":15757,"midstream":0,"thread_ts_usec":1492167387133549,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54095,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":438,"avg":465987.6,"max":3383945,"stddev":827194.4,"var":684250497024.0,"ent":3.4,"data": [353750,353837,953113,1178147,225005,127739,4445,132165,453,438,626,638,1531,362180,361114,370977,4561,375090,3297,3310,3017858,3341,3383945,31235,408978,7414,382158,34643,434308,1925965,3353]},"pktlen": {"min":66,"avg":760.1,"max":8291,"stddev":1463.3,"var":2141136.5,"ent":3.6,"data": [74,74,66,304,74,66,66,1494,66,1494,66,326,66,192,117,1153,1494,1494,66,8291,66,1306,541,66,1377,1239,443,66,264,66,1306,541]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,1]},"directions": [0,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,0,0,1,1,0,0,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01778{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"wechat.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353674975,"flow_src_last_pkt_time":1492167387855952,"flow_dst_last_pkt_time":1492167387536614,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":198,"flow_dst_max_l4_payload_len":1188,"flow_src_tot_l4_payload_len":1584,"flow_dst_tot_l4_payload_len":9504,"midstream":1,"thread_ts_usec":1492167387855952,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54058,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":2194923.0,"max":11774429,"stddev":3337575.2,"var":11139408723968.0,"ent":3.8,"data": [67,1713342,2033838,5903,326356,805535,1165376,11414547,11774429,393649,716591,9325022,9647966,1906296,2225757,6412,325847,425651,784494,2983400,3342263,487827,806732,9168,328050,421461,782117,1181667,1542348,420552,739953]},"pktlen": {"min":66,"avg":412.5,"max":1254,"stddev":492.5,"var":242574.8,"ent":4.1,"data": [264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66,264,66,1254,66]},"bins": {"c_to_s": [8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02160{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":329,"source":"wechat.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378674770,"flow_src_last_pkt_time":1492167386718697,"flow_dst_last_pkt_time":1492167385566065,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8227,"flow_dst_tot_l4_payload_len":6835,"midstream":0,"thread_ts_usec":1492167386718697,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54094,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":435,"avg":481781.3,"max":4544256,"stddev":1044110.9,"var":1090167570432.0,"ent":3.2,"data": [359228,359315,435,360585,1948,362066,491,468,3580,359717,357128,3318,369214,32832,2766,400529,15038,3260,381959,38044,403106,2395,369120,36996,438834,4139732,3287,4544256,34139,398836,1152600]},"pktlen": {"min":52,"avg":523.2,"max":1740,"stddev":556.0,"var":309130.7,"ent":4.2,"data": [60,60,52,290,52,1480,52,1740,52,178,103,1292,527,52,1480,221,52,1225,429,52,250,1292,527,52,988,52,1292,527,52,989,52,1220]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,1,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0],"entropies": [4.605928421,5.108290672,5.014834881,5.876290798,5.094483376,6.803863049,5.053297043,7.616803169,4.972088814,6.308379173,5.995617867,7.811126232,7.530417919,5.171407223,7.866411686,7.065956593,5.063529015,7.814155579,7.416600704,5.171407223,7.067113400,7.817794323,7.516748905,5.171407223,7.779650211,5.025067329,7.859876633,7.574586868,5.176993370,7.802303791,5.025067806,7.850266933]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02161{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":335,"source":"wechat.pcap","alias":"nDPId-test","flow_id":23,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167378926091,"flow_src_last_pkt_time":1492167387133549,"flow_dst_last_pkt_time":1492167385164247,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":8225,"flow_src_tot_l4_payload_len":6431,"flow_dst_tot_l4_payload_len":15757,"midstream":0,"thread_ts_usec":1492167387133549,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54095,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":438,"avg":465987.6,"max":3383945,"stddev":827194.4,"var":684250497024.0,"ent":3.4,"data": [353750,353837,953113,1178147,225005,127739,4445,132165,453,438,626,638,1531,362180,361114,370977,4561,375090,3297,3310,3017858,3341,3383945,31235,408978,7414,382158,34643,434308,1925965,3353]},"pktlen": {"min":52,"avg":746.1,"max":8277,"stddev":1463.3,"var":2141136.5,"ent":3.6,"data": [60,60,52,290,60,52,52,1480,52,1480,52,312,52,178,103,1139,1480,1480,52,8277,52,1292,527,52,1363,1225,429,52,250,52,1292,527]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,4,0,0,1]},"directions": [0,1,0,0,1,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,0,0,0,1,1,0,0,1,1,0,0,0],"entropies": [4.726680756,5.187539101,5.014835358,5.881073475,5.174957275,4.976373672,5.171406746,6.805123806,4.976373672,7.508996010,5.025067806,7.162304878,5.025067806,6.445491314,5.965487480,7.807569027,7.879969597,7.864712715,4.986606121,7.977176189,5.025067806,7.830005169,7.567298412,5.094483376,7.875021458,7.841088295,7.461124897,5.132945061,7.021474361,5.025067806,7.846213341,7.502761364]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02177{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"wechat.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167353674975,"flow_src_last_pkt_time":1492167387855952,"flow_dst_last_pkt_time":1492167387536614,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":198,"flow_dst_max_l4_payload_len":1188,"flow_src_tot_l4_payload_len":1584,"flow_dst_tot_l4_payload_len":9504,"midstream":1,"thread_ts_usec":1492167387855952,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54058,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":67,"avg":2194923.0,"max":11774429,"stddev":3337575.2,"var":11139408723968.0,"ent":3.8,"data": [67,1713342,2033838,5903,326356,805535,1165376,11414547,11774429,393649,716591,9325022,9647966,1906296,2225757,6412,325847,425651,784494,2983400,3342263,487827,806732,9168,328050,421461,782117,1181667,1542348,420552,739953]},"pktlen": {"min":52,"avg":398.5,"max":1240,"stddev":492.5,"var":242574.8,"ent":4.0,"data": [250,52,1240,52,250,52,1240,52,250,52,1240,52,250,52,1240,52,250,52,1240,52,250,52,1240,52,250,52,1240,52,250,52,1240,52]},"bins": {"c_to_s": [8,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0,0,1,1,0],"entropies": [7.178055763,5.101991177,7.840975285,5.162476063,7.144028187,5.025067806,7.842404366,5.138531685,7.054569721,5.063529491,7.824712276,5.138531685,7.172506809,5.171406746,7.844462872,5.138531685,7.113152027,5.041504860,7.832453728,5.100070000,7.041498184,5.094483852,7.836290359,5.138531685,7.090556145,5.132945538,7.813812256,5.138531685,6.974005222,5.118428230,7.850635529,5.124014854]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00911{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":343,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167383949103,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167387855952,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00902{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":343,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":12,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426301,"flow_src_last_pkt_time":1492167383949003,"flow_dst_last_pkt_time":1492167338426301,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":480,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167387855952,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":345,"source":"wechat.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1492167397120263,"flow_dst_last_pkt_time":1492167352122932,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167397120263,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0ePJAAEAGFx3AqAFnQOmnvIyxFGy60MyoSq1b+oAQAO0gQAAAAQEICgAw5QaFnXDI"} @@ -159,10 +159,10 @@ 01049{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":382,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167402310146,"flow_dst_last_pkt_time":1492167401410519,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167402310146,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01109{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":389,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167402503381,"flow_dst_last_pkt_time":1492167402665578,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167402665578,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01643{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":391,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167402665635,"flow_dst_last_pkt_time":1492167402666132,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167402666132,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01767{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167400812629,"flow_src_last_pkt_time":1492167418885540,"flow_dst_last_pkt_time":1492167414163142,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8690,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167418885540,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54097,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":652,"avg":1013658.8,"max":6862195,"stddev":1947754.9,"var":3793749016576.0,"ent":3.1,"data": [362688,362730,698,359771,652,359747,1773,1754,3156,359980,358071,7205,373852,64622,431388,4503,369570,39986,442333,4042219,3253,4448907,74384,439211,6493521,3286,6862195,32133,397513,4719084,3239]},"pktlen": {"min":66,"avg":510.0,"max":1754,"stddev":523.8,"var":274414.8,"ent":4.3,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1234,535,66,297,1306,541,66,1002,66,1234,525,66,297,66,1306,541,66,1003,66,1234,530]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01772{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":454,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167421570947,"flow_dst_last_pkt_time":1492167421929069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":7047,"flow_dst_tot_l4_payload_len":5272,"midstream":0,"thread_ts_usec":1492167421929069,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":539,"avg":1334601.0,"max":6095000,"stddev":2041764.4,"var":4168801845248.0,"ent":3.5,"data": [346826,346918,899535,1092804,193235,160456,1799,162254,554,539,2941,351941,387151,4178860,3305,4577735,29191,386626,5733723,3651,6095000,83021,440653,5485473,3274,5845918,30151,387318,1889056,2742,2249980]},"pktlen": {"min":66,"avg":451.7,"max":1754,"stddev":521.0,"var":271486.5,"ent":4.1,"data": [74,74,66,304,74,66,66,1494,66,1754,66,192,117,66,1306,541,66,1003,66,1234,522,66,297,66,1306,541,66,1003,66,1234,527,66]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02164{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":439,"source":"wechat.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167400812629,"flow_src_last_pkt_time":1492167418885540,"flow_dst_last_pkt_time":1492167414163142,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8690,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167418885540,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54097,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":652,"avg":1013658.8,"max":6862195,"stddev":1947754.9,"var":3793749016576.0,"ent":3.1,"data": [362688,362730,698,359771,652,359747,1773,1754,3156,359980,358071,7205,373852,64622,431388,4503,369570,39986,442333,4042219,3253,4448907,74384,439211,6493521,3286,6862195,32133,397513,4719084,3239]},"pktlen": {"min":52,"avg":496.0,"max":1740,"stddev":523.8,"var":274414.8,"ent":4.2,"data": [60,60,52,290,52,1480,52,1740,52,178,103,1220,521,52,283,1292,527,52,988,52,1220,511,52,283,52,1292,527,52,989,52,1220,516]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0],"entropies": [4.693346977,5.208290577,5.053297043,5.889862537,5.094483852,6.800672054,5.014835835,7.599623203,4.948144436,6.376589775,6.023739815,7.844972134,7.566354275,5.091758728,7.215152264,7.841954708,7.609091282,4.979098797,7.780104637,5.063529015,7.807397842,7.520520687,4.948143959,7.157586575,5.026988506,7.822068691,7.580903053,5.176993370,7.824234486,5.025067329,7.837800980,7.490112305]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02169{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":454,"source":"wechat.pcap","alias":"nDPId-test","flow_id":27,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167401063693,"flow_src_last_pkt_time":1492167421570947,"flow_dst_last_pkt_time":1492167421929069,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":7047,"flow_dst_tot_l4_payload_len":5272,"midstream":0,"thread_ts_usec":1492167421929069,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54098,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":539,"avg":1334601.0,"max":6095000,"stddev":2041764.4,"var":4168801845248.0,"ent":3.5,"data": [346826,346918,899535,1092804,193235,160456,1799,162254,554,539,2941,351941,387151,4178860,3305,4577735,29191,386626,5733723,3651,6095000,83021,440653,5485473,3274,5845918,30151,387318,1889056,2742,2249980]},"pktlen": {"min":52,"avg":437.7,"max":1740,"stddev":521.0,"var":271486.5,"ent":4.1,"data": [60,60,52,290,60,52,52,1480,52,1740,52,178,103,52,1292,527,52,989,52,1220,508,52,283,52,1292,527,52,989,52,1220,513,52]},"bins": {"c_to_s": [9,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [7,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1]},"directions": [0,1,0,0,1,0,1,1,0,1,0,0,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1],"entropies": [4.760014057,5.220871925,5.000318050,5.874381065,5.254205227,5.053296566,5.118428230,6.815816879,4.983880520,7.609316826,4.930902004,6.376590252,5.910619259,5.025067806,7.831663132,7.556474686,4.961856365,7.782391071,4.983880520,7.816404343,7.565681934,5.094483852,7.163718224,5.063529015,7.819398880,7.535512924,5.132945538,7.794347763,5.101990700,7.811570168,7.574221134,5.100070000]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":466,"source":"wechat.pcap","alias":"nDPId-test","flow_id":21,"flow_packet_id":3,"flow_src_last_pkt_time":1492167422952271,"flow_dst_last_pkt_time":1492167377936495,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167422952271,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0KNBAAEAGqhvAqAFn2DrNjsJ7AbvMOVSD1yvysIAQAT2SvQAAAQEICgAw\/kAycps2"} -01738{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":473,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167342893680,"flow_src_last_pkt_time":1492167433192261,"flow_dst_last_pkt_time":1492167433240018,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":829,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1283,"flow_dst_tot_l4_payload_len":5138,"midstream":0,"thread_ts_usec":1492167433240018,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":53,"avg":5827255.0,"max":45056034,"stddev":15096891.0,"var":227916113772544.0,"ent":2.0,"data": [48172,48219,208,52487,725,52995,2368,2380,502,490,4525,7884,13634,51249,2766,53,28029,293,26129,2791,10149,38903,378,801,249,45379,2766,45043937,45047542,45056034,45052882]},"pktlen": {"min":66,"avg":267.2,"max":1484,"stddev":422.2,"var":178253.9,"ent":3.9,"data": [74,74,66,288,66,1484,66,1484,66,1442,66,151,111,895,336,114,100,66,96,66,96,572,66,104,104,100,66,66,66,66,66,66]},"bins": {"c_to_s": [10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,1,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} +02132{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":473,"source":"wechat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167342893680,"flow_src_last_pkt_time":1492167433192261,"flow_dst_last_pkt_time":1492167433240018,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":829,"flow_dst_max_l4_payload_len":1418,"flow_src_tot_l4_payload_len":1283,"flow_dst_tot_l4_payload_len":5138,"midstream":0,"thread_ts_usec":1492167433240018,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.22.14","src_port":38657,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":53,"avg":5827255.0,"max":45056034,"stddev":15096891.0,"var":227916113772544.0,"ent":2.0,"data": [48172,48219,208,52487,725,52995,2368,2380,502,490,4525,7884,13634,51249,2766,53,28029,293,26129,2791,10149,38903,378,801,249,45379,2766,45043937,45047542,45056034,45052882]},"pktlen": {"min":52,"avg":253.2,"max":1470,"stddev":422.2,"var":178253.9,"ent":3.7,"data": [60,60,52,274,52,1470,52,1470,52,1428,52,137,97,881,322,100,86,52,82,52,82,558,52,90,90,86,52,52,52,52,52,52]},"bins": {"c_to_s": [10,3,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [8,3,0,0,0,0,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,0,0,1,1,1,0,0,1,1,1,0,1,0,0,1,1,0,1,0,1],"entropies": [4.605927944,5.281730652,4.945419312,5.680894375,5.026988029,6.433983326,4.853978634,7.138501167,4.858624458,7.442424297,4.897086143,6.106687546,5.925421238,7.741159916,7.131931782,5.977149487,5.818537235,4.911602974,5.724431038,4.988526344,5.642052650,7.611984253,4.873141289,5.899595737,5.749487400,5.581253052,4.988526344,5.026988029,4.858624458,5.026988029,4.897086143,5.026988029]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Google","proto_id":"91.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} 00717{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":474,"source":"wechat.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167440370306,"flow_src_last_pkt_time":1492167440370306,"flow_dst_last_pkt_time":1492167440370306,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167440370306,"l3_proto":"ip4","src_ip":"192.168.1.254","dst_ip":"224.0.0.1","l4_proto":2,"flow_datalink":1,"flow_max_packets":3} 00504{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":474,"source":"wechat.pcap","alias":"nDPId-test","flow_id":28,"flow_packet_id":1,"flow_src_last_pkt_time":1492167440370306,"flow_dst_last_pkt_time":1492167440370306,"flow_idle_time":620000000,"pkt_oversize":false,"pkt_caplen":50,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":38,"pkt_len":50,"pkt_l4_len":12,"thread_ts_usec":1492167440370306,"pkt":"AQBeAAAB8IQvSpdgCABGoAAkj9gAAAEC8bPAqAH+4AAAAZQEAAARZOybAAAAAAIAAAA="} 00823{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":474,"source":"wechat.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167440370306,"flow_src_last_pkt_time":1492167440370306,"flow_dst_last_pkt_time":1492167440370306,"flow_idle_time":620000000,"flow_src_min_l4_payload_len":12,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":12,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":12,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167440370306,"l3_proto":"ip4","src_ip":"192.168.1.254","dst_ip":"224.0.0.1","l4_proto":2,"ndpi": {"confidence": {"6":"DPI"},"proto":"IGMP","proto_id":"82","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -217,15 +217,15 @@ 01643{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":569,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167455501611,"flow_dst_last_pkt_time":1492167455502415,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167455502415,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":577,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167455528205,"flow_dst_last_pkt_time":1492167455528205,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167455528205,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":577,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":1,"flow_src_last_pkt_time":1492167455528205,"flow_dst_last_pkt_time":1492167455528205,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167455528205,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8kudAAEAGglXAqAFny82XotNYAbvneYz3AAAAAKACchBIqgAAAgQFtAQCCAoAMR4QAAAAAAEDAwc="} -01753{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":587,"source":"wechat.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167452759446,"flow_src_last_pkt_time":1492167455588916,"flow_dst_last_pkt_time":1492167455588897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":10981,"midstream":0,"thread_ts_usec":1492167455588916,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54099,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":470,"avg":182545.8,"max":469392,"stddev":189984.8,"var":36094242816.0,"ent":4.0,"data": [366115,366204,470,368626,765,368875,8160,8175,3097,367881,365600,3239,378746,92724,1992,469392,27762,1703,407097,30016,408635,3752,397818,10943,404654,396022,789,396156,518,1239,1756]},"pktlen": {"min":66,"avg":605.5,"max":1754,"stddev":612.0,"var":374517.1,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1494,344,66,1239,443,66,264,1239,443,66,264,1154,1494,1494,66,1494,1494,66]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,1,1,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02152{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":587,"source":"wechat.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1492167452759446,"flow_src_last_pkt_time":1492167455588916,"flow_dst_last_pkt_time":1492167455588897,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":10981,"midstream":0,"thread_ts_usec":1492167455588916,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54099,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":470,"avg":182545.8,"max":469392,"stddev":189984.8,"var":36094242816.0,"ent":4.0,"data": [366115,366204,470,368626,765,368875,8160,8175,3097,367881,365600,3239,378746,92724,1992,469392,27762,1703,407097,30016,408635,3752,397818,10943,404654,396022,789,396156,518,1239,1756]},"pktlen": {"min":52,"avg":591.5,"max":1740,"stddev":612.0,"var":374517.1,"ent":4.2,"data": [60,60,52,290,52,1480,52,1740,52,178,103,1292,527,52,1480,330,52,1225,429,52,250,1225,429,52,250,1140,1480,1480,52,1480,1480,52]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,6,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,1,1,0,1,1,0],"entropies": [4.693346977,5.074957371,4.839769840,5.845041752,5.171406746,6.800355911,5.053297043,7.610657692,4.986605644,6.235470772,5.957188606,7.840703964,7.543376446,5.056021690,7.864466667,7.286510468,5.025067329,7.818862438,7.434236050,5.041504860,7.005474091,7.809962749,7.378694057,5.056022167,7.067446709,7.836442947,7.850297451,7.840147018,4.909682751,7.856178284,7.859716892,4.986605644]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":613,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":2,"flow_src_last_pkt_time":1492167455528205,"flow_dst_last_pkt_time":1492167455891345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167455891345,"pkt":"eJKcD6iO8IQvSpdgCABFoAA8AABAAC0GJ53LzZeiwKgBZwG701iyhnqT53mM+KASN8htQwAAAgQFoAQCCApFraLqADEeEAEDAwc="} 00525{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":614,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_packet_id":3,"flow_src_last_pkt_time":1492167455891380,"flow_dst_last_pkt_time":1492167455891345,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167455891380,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0kuhAAEAGglzAqAFny82XotNYAbvneYz4soZ6lIAQAOXShAAAAQEICgAxHmpFraLq"} 01049{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":615,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167455891558,"flow_dst_last_pkt_time":1492167455891345,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167455891558,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01109{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":648,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167455891558,"flow_dst_last_pkt_time":1492167456251036,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167456251036,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01643{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":650,"source":"wechat.pcap","alias":"nDPId-test","flow_id":36,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167455528205,"flow_src_last_pkt_time":1492167456251067,"flow_dst_last_pkt_time":1492167456251627,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167456251627,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54104,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01599{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":673,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":485,"avg":129962.4,"max":646724,"stddev":181880.5,"var":33080510464.0,"ent":3.5,"data": [360844,360859,1106,320164,2049,321124,836,835,489,485,2516,331784,329811,339551,757,339771,547,4542,5088,2482,2487,1143,1132,271360,646724,757,376133,549,914,1456,539]},"pktlen": {"min":66,"avg":831.6,"max":3134,"stddev":861.6,"var":742326.2,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1154,1494,1494,66,1494,1494,66,2922,66,3134,66,1154,1494,1494,66,1494,1494,66,1494]},"bins": {"c_to_s": [11,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,1,1,0,1,1,0,1]}} +01998{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":673,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":485,"avg":129962.4,"max":646724,"stddev":181880.5,"var":33080510464.0,"ent":3.5,"data": [360844,360859,1106,320164,2049,321124,836,835,489,485,2516,331784,329811,339551,757,339771,547,4542,5088,2482,2487,1143,1132,271360,646724,757,376133,549,914,1456,539]},"pktlen": {"min":52,"avg":817.6,"max":3120,"stddev":861.6,"var":742326.2,"ent":4.2,"data": [60,60,52,290,52,1480,52,1480,52,312,52,178,103,1140,1480,1480,52,1480,1480,52,2908,52,3120,52,1140,1480,1480,52,1480,1480,52,1480]},"bins": {"c_to_s": [11,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,11,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,1,1,0,1,1,0,1,0,1,0,0,1,1,0,1,1,0,1],"entropies": [4.726680756,5.220871925,5.014835358,5.858064651,5.079967022,6.831523418,5.053297043,7.519194603,5.025067329,7.301003456,5.025067329,6.369594574,5.816505909,7.860216618,7.880475521,7.853042603,5.063529015,7.867065430,7.870931625,5.025067806,7.935112953,5.025067806,7.943042755,4.986606121,7.835324287,7.881664753,7.863303185,5.017560005,7.863364220,7.864516258,5.132945061,7.866506577]}} 01648{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":673,"source":"wechat.pcap","alias":"nDPId-test","flow_id":35,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1492167454818522,"flow_src_last_pkt_time":1492167456832685,"flow_dst_last_pkt_time":1492167456833193,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1088,"flow_dst_max_l4_payload_len":3068,"flow_src_tot_l4_payload_len":2540,"flow_dst_tot_l4_payload_len":21943,"midstream":0,"thread_ts_usec":1492167456833193,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54103,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":702,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167454457964,"flow_src_last_pkt_time":1492167457755437,"flow_dst_last_pkt_time":1492167457756747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":9439,"midstream":0,"thread_ts_usec":1492167457756747,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":383,"avg":212782.5,"max":951677,"stddev":233185.6,"var":54375542784.0,"ent":4.0,"data": [378875,378978,383,354036,2419,355982,2806,2818,1046,367448,367322,4404,365806,31144,394889,3196,367851,55930,2766,420112,17934,846,381296,34840,434328,543113,951677,371599,549,523,1340]},"pktlen": {"min":66,"avg":557.3,"max":1754,"stddev":599.1,"var":358890.2,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1239,443,66,264,1306,541,66,1494,230,66,1239,443,66,264,66,1154,1494,66,1494,66,1494]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,1,0,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02151{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":702,"source":"wechat.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167454457964,"flow_src_last_pkt_time":1492167457755437,"flow_dst_last_pkt_time":1492167457756747,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":6267,"flow_dst_tot_l4_payload_len":9439,"midstream":0,"thread_ts_usec":1492167457756747,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54101,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":383,"avg":212782.5,"max":951677,"stddev":233185.6,"var":54375542784.0,"ent":4.0,"data": [378875,378978,383,354036,2419,355982,2806,2818,1046,367448,367322,4404,365806,31144,394889,3196,367851,55930,2766,420112,17934,846,381296,34840,434328,543113,951677,371599,549,523,1340]},"pktlen": {"min":52,"avg":543.3,"max":1740,"stddev":599.1,"var":358890.2,"ent":4.1,"data": [60,60,52,290,52,1480,52,1740,52,178,103,1225,429,52,250,1292,527,52,1480,216,52,1225,429,52,250,52,1140,1480,52,1480,52,1480]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,2,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,2,0,1,0,0,0,0,0,0,0,0,0],"s_to_c": [5,1,0,0,0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,1,0,0,0,1,1,0,0,1,0,1,0,1],"entropies": [4.714098930,5.162375927,5.053297043,5.901997566,5.094483376,6.795276642,5.014835358,7.609866619,4.988526344,6.379345417,6.050486088,7.830496788,7.398893356,5.094483852,7.075847626,7.833686829,7.562863827,5.130220413,7.881128788,6.984771252,5.025067329,7.832070827,7.381729126,5.056022167,7.076413155,5.025067806,7.815702915,7.858382225,5.063529015,7.880737305,5.063529015,7.870216846]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00863{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167337792745,"flow_src_last_pkt_time":1492167353998138,"flow_dst_last_pkt_time":1492167353687334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":604,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":604,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167478295735,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54084,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00760{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167337792745,"flow_src_last_pkt_time":1492167353998138,"flow_dst_last_pkt_time":1492167353687334,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":604,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":604,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167478295735,"l3_proto":"ip4","src_ip":"203.205.151.162","dst_ip":"192.168.1.103","src_port":443,"dst_port":54084,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00860{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":840,"source":"wechat.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1492167353687522,"flow_src_last_pkt_time":1492167354015579,"flow_dst_last_pkt_time":1492167354015537,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167478295735,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54085,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -306,7 +306,7 @@ 01042{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":943,"source":"wechat.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1492167648277830,"flow_src_last_pkt_time":1492167648583174,"flow_dst_last_pkt_time":1492167648582668,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167648583174,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.QQ","proto_id":"91.48","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"res.wx.qq.com","tls": {"version":"TLSv1.2","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":945,"source":"wechat.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":2,"flow_src_last_pkt_time":1492167648494081,"flow_dst_last_pkt_time":1492167648873395,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167648873395,"pkt":"eJKcD6iO8IQvSpdgCABFoAA0AABAADEGHSXLzZ4iwKgBZwG7q0tO\/rLJEoYlf4ASOQgjJgAAAgQFtAEBBAIBAwMH"} 00510{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":946,"source":"wechat.pcap","alias":"nDPId-test","flow_id":46,"flow_packet_id":3,"flow_src_last_pkt_time":1492167648873492,"flow_dst_last_pkt_time":1492167648873395,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1492167648873492,"pkt":"8IQvSpdgeJKcD6iOCABFAAAoAABAAEAGDtHAqAFny82eIqtLAbsShiV\/Tv6yylAQAOWcGwAA"} -01758{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":947,"source":"wechat.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167639887918,"flow_src_last_pkt_time":1492167648260043,"flow_dst_last_pkt_time":1492167648882009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7218,"midstream":0,"thread_ts_usec":1492167648882009,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54113,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":441,"avg":560200.5,"max":6615415,"stddev":1552002.6,"var":2408711979008.0,"ent":2.6,"data": [315233,315308,441,318358,1918,319817,471,453,1116,1109,2559,316619,315146,4640,327259,29671,2699,353912,21653,4624,349989,32226,392645,18020,3295,380639,36894,359501,6259002,6615415,265584]},"pktlen": {"min":66,"avg":492.2,"max":1494,"stddev":547.1,"var":299293.4,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,264,66,1306,541,66,1003,66,1127,66,1494]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,1,1,0,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02156{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":947,"source":"wechat.pcap","alias":"nDPId-test","flow_id":42,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167639887918,"flow_src_last_pkt_time":1492167648260043,"flow_dst_last_pkt_time":1492167648882009,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7218,"midstream":0,"thread_ts_usec":1492167648882009,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54113,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":441,"avg":560200.5,"max":6615415,"stddev":1552002.6,"var":2408711979008.0,"ent":2.6,"data": [315233,315308,441,318358,1918,319817,471,453,1116,1109,2559,316619,315146,4640,327259,29671,2699,353912,21653,4624,349989,32226,392645,18020,3295,380639,36894,359501,6259002,6615415,265584]},"pktlen": {"min":52,"avg":478.2,"max":1480,"stddev":547.1,"var":299293.4,"ent":4.1,"data": [60,60,52,290,52,1480,52,1480,52,312,52,178,103,1292,527,52,1480,112,52,1225,429,52,250,52,1292,527,52,989,52,1113,52,1480]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,0,1,1,0,0,1,1],"entropies": [4.726680279,5.174957275,5.014835358,5.912752151,5.171406746,6.803393364,5.091758728,7.515910149,5.101990700,7.309720993,5.063529491,6.343719959,6.031068325,7.837167740,7.550827026,5.056021690,7.882212639,6.268015385,4.972088814,7.844335079,7.397187710,5.132945061,7.032490730,4.986606121,7.848376274,7.566510677,5.171406746,7.791433334,5.101990700,7.786844254,5.101990700,7.872010231]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 01214{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":968,"source":"wechat.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167648277830,"flow_src_last_pkt_time":1492167648583174,"flow_dst_last_pkt_time":1492167648902355,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1460,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1460,"midstream":0,"thread_ts_usec":1492167648902355,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.QQ","proto_id":"91.48","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"res.wx.qq.com","tls": {"version":"TLSv1.2","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"290adf098a54ade688d1df074dbecbf2","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","alpn":"h2,http\/1.1"}}} 01778{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":970,"source":"wechat.pcap","alias":"nDPId-test","flow_id":45,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167648277830,"flow_src_last_pkt_time":1492167648902391,"flow_dst_last_pkt_time":1492167648903691,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":3430,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4890,"midstream":0,"thread_ts_usec":1492167648903691,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.158.34","src_port":43850,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"8": {"risk":"Weak TLS Cipher","severity":"High","risk_score": {"total":250,"client":225,"server":25}}},"confidence": {"6":"DPI"},"proto":"TLS.QQ","proto_id":"91.48","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"res.wx.qq.com","tls": {"version":"TLSv1.2","server_names":"wx1.qq.com,webpush.wx.qq.com,webpush1.weixin.qq.com,loginpoll.weixin.qq.com,login.wx.qq.com,file.wx2.qq.com,wx2.qq.com,login.wx2.qq.com,wxitil.qq.com,file.wx.qq.com,login.weixin.qq.com,webpush2.weixin.qq.com,webpush.wx2.qq.com,webpush.weixin.qq.com,web.weixin.qq.com,res.wx.qq.com,wx.qq.com","ja3":"550dce18de1bb143e69d6dd9413b8355","ja3s":"290adf098a54ade688d1df074dbecbf2","unsafe_cipher":1,"cipher":"TLS_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=CN, ST=Guangdong, L=Shenzhen, O=Shenzhen Tencent Computer Systems Company Limited, OU=R&D, CN=wx.qq.com","alpn":"h2,http\/1.1","fingerprint":"67:53:57:7F:22:BB:D0:A6:D4:5F:A6:D4:B3:0A:13:73:29:23:D0:C9"}}} 00756{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":997,"source":"wechat.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167650311981,"flow_src_last_pkt_time":1492167650311981,"flow_dst_last_pkt_time":1492167650311981,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167650311981,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60562,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -344,9 +344,9 @@ 00901{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1090,"source":"wechat.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167648243043,"flow_src_last_pkt_time":1492167648243043,"flow_dst_last_pkt_time":1492167648277339,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":31,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":31,"flow_dst_max_l4_payload_len":495,"flow_src_tot_l4_payload_len":31,"flow_dst_tot_l4_payload_len":495,"midstream":0,"thread_ts_usec":1492167697412244,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":19041,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.QQ","proto_id":"5.48","encrypted":0,"breed":"Fun","category_id":9,"category":"Chat"}} 00912{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1090,"source":"wechat.pcap","alias":"nDPId-test","flow_id":47,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167650311981,"flow_src_last_pkt_time":1492167650311981,"flow_dst_last_pkt_time":1492167650345975,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":192,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":192,"midstream":0,"thread_ts_usec":1492167697412244,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"192.168.1.254","src_port":60562,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Google","proto_id":"5.126","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web"}} 00922{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1090,"source":"wechat.pcap","alias":"nDPId-test","flow_id":48,"flow_state":"finished","flow_src_packets_processed":5,"flow_dst_packets_processed":5,"flow_first_seen":1492167650348036,"flow_src_last_pkt_time":1492167650446122,"flow_dst_last_pkt_time":1492167650467068,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":1825,"flow_dst_tot_l4_payload_len":1727,"midstream":0,"thread_ts_usec":1492167697412244,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"172.217.23.67","src_port":35601,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":5,"category":"Web"}} -01755{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1102,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167695237173,"flow_src_last_pkt_time":1492167705300255,"flow_dst_last_pkt_time":1492167705261666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":7069,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167705300255,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54117,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":370,"avg":647986.3,"max":7806976,"stddev":1838759.0,"var":3381034745856.0,"ent":2.5,"data": [325248,325323,463,328002,697,328217,391,370,3942,3944,2661,325903,324620,3183,337595,77061,411866,3780,340251,28032,402656,7430680,3764,7806976,79928,412549,2872,372,340125,30342,405762]},"pktlen": {"min":66,"avg":459.3,"max":1494,"stddev":494.6,"var":244586.2,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1234,538,66,297,1306,541,66,1002,66,1234,533,66,297,66,1306,541,66,1003,66]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} -01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1112,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426301,"flow_src_last_pkt_time":1492167713329924,"flow_dst_last_pkt_time":1492167338426301,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329924,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":304,"avg":12093665.0,"max":183800554,"stddev":33303494.0,"var":1109122757951488.0,"ent":2.6,"data": [304,1000351,2000370,14687423,324,1000207,2000433,21831590,431,1000458,2000811,26318928,434,1000298,2000470,41917186,377,1000169,2000682,183800554,363,1000944,2000954,33299722,386,1000653,2000531,29036990,312,1000238,2000730]},"pktlen": {"min":82,"avg":82.0,"max":82,"stddev":0.0,"var":0.0,"ent":5.0,"data": [82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82,82]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01796{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1113,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167713329983,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329983,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":285,"avg":12093665.0,"max":183800433,"stddev":33303466.0,"var":1109120811794432.0,"ent":2.6,"data": [285,1000432,2000369,14687365,298,1000306,2000399,21831547,409,1000568,2000773,26318883,413,1000363,2000495,41917120,347,1000193,2000827,183800433,319,1000975,2001003,33299664,360,1000743,2000515,29036936,291,1000323,2000677]},"pktlen": {"min":102,"avg":102.0,"max":102,"stddev":0.0,"var":0.0,"ent":5.0,"data": [102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102,102]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02152{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1102,"source":"wechat.pcap","alias":"nDPId-test","flow_id":50,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1492167695237173,"flow_src_last_pkt_time":1492167705300255,"flow_dst_last_pkt_time":1492167705261666,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":7069,"flow_dst_tot_l4_payload_len":5502,"midstream":0,"thread_ts_usec":1492167705300255,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54117,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":370,"avg":647986.3,"max":7806976,"stddev":1838759.0,"var":3381034745856.0,"ent":2.5,"data": [325248,325323,463,328002,697,328217,391,370,3942,3944,2661,325903,324620,3183,337595,77061,411866,3780,340251,28032,402656,7430680,3764,7806976,79928,412549,2872,372,340125,30342,405762]},"pktlen": {"min":52,"avg":445.3,"max":1480,"stddev":494.6,"var":244586.2,"ent":4.2,"data": [60,60,52,290,52,1480,52,1480,52,312,52,178,103,1220,524,52,283,1292,527,52,988,52,1220,519,52,283,52,1292,527,52,989,52]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,0,0,0,4,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,0,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0],"entropies": [4.726680756,5.166786671,4.923395157,5.822334766,5.056022167,6.820251465,4.976373672,7.498965263,5.063529015,7.153721809,4.986605644,6.368108273,5.946069717,7.809127331,7.498535156,5.079966545,7.165245056,7.848978043,7.591750145,5.132945061,7.798501968,5.025067329,7.830883980,7.537351131,5.094483852,7.078479767,5.063529015,7.846497536,7.503941059,5.100070000,7.783425808,5.025067329]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02151{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1112,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426301,"flow_src_last_pkt_time":1492167713329924,"flow_dst_last_pkt_time":1492167338426301,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329924,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":304,"avg":12093665.0,"max":183800554,"stddev":33303494.0,"var":1109122757951488.0,"ent":2.6,"data": [304,1000351,2000370,14687423,324,1000207,2000433,21831590,431,1000458,2000811,26318928,434,1000298,2000470,41917186,377,1000169,2000682,183800554,363,1000944,2000954,33299722,386,1000653,2000531,29036990,312,1000238,2000730]},"pktlen": {"min":68,"avg":68.0,"max":68,"stddev":0.0,"var":0.0,"ent":5.0,"data": [68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68,68]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [4.271901131,4.271901131,4.271901131,4.242489338,4.271901131,4.271901131,4.271901131,4.271901131,4.271901131,4.271901131,4.271901131,4.271901131,4.242489338,4.242489338,4.242488861,4.271901131,4.271900654,4.271900654,4.231388092,4.271900654,4.271901131,4.242489815,4.242488861,4.271901131,4.271901131,4.271901131,4.271901131,4.271901131,4.271901131,4.271901131,4.224178791,4.224178791]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} +02160{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1113,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167713329983,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167713329983,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":285,"avg":12093665.0,"max":183800433,"stddev":33303466.0,"var":1109120811794432.0,"ent":2.6,"data": [285,1000432,2000369,14687365,298,1000306,2000399,21831547,409,1000568,2000773,26318883,413,1000363,2000495,41917120,347,1000193,2000827,183800433,319,1000975,2001003,33299664,360,1000743,2000515,29036936,291,1000323,2000677]},"pktlen": {"min":88,"avg":88.0,"max":88,"stddev":0.0,"var":0.0,"ent":5.0,"data": [88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88,88]},"bins": {"c_to_s": [0,32,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181,3.772605181]},"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1127,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167720101930,"flow_src_last_pkt_time":1492167720101930,"flow_dst_last_pkt_time":1492167720101930,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167720101930,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1127,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_packet_id":1,"flow_src_last_pkt_time":1492167720101930,"flow_dst_last_pkt_time":1492167720101930,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1492167720101930,"pkt":"8IQvSpdgeJKcD6iOCABFAAA8R8JAAEAGzXrAqAFny82XotNnAbsR+WetAAAAAKACchBBBgAAAgQFtAQCCAoAMiBvAAAAAAEDAwc="} 00758{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":1128,"source":"wechat.pcap","alias":"nDPId-test","flow_id":53,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167720353253,"flow_src_last_pkt_time":1492167720353253,"flow_dst_last_pkt_time":1492167720353253,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167720353253,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54120,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -364,7 +364,7 @@ 00913{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1178,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167713329983,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167722796259,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} 01035{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1178,"source":"wechat.pcap","alias":"nDPId-test","flow_id":49,"flow_state":"finished","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1492167669545491,"flow_src_last_pkt_time":1492167669545491,"flow_dst_last_pkt_time":1492167669545491,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":212,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":212,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":212,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167722796259,"l3_proto":"ip4","src_ip":"192.168.1.100","dst_ip":"192.168.1.255","src_port":138,"dst_port":138,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"NetBIOS.SMBv1","proto_id":"10.16","encrypted":0,"breed":"Dangerous","category_id":18,"category":"System"}} 00904{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1178,"source":"wechat.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":32,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426301,"flow_src_last_pkt_time":1492167713329924,"flow_dst_last_pkt_time":1492167338426301,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1280,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167722796259,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"224.0.0.251","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} -01757{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1181,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167720101930,"flow_src_last_pkt_time":1492167729700517,"flow_dst_last_pkt_time":1492167729700473,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7217,"midstream":0,"thread_ts_usec":1492167729700517,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":333,"avg":619262.2,"max":7132743,"stddev":1664228.6,"var":2769657004032.0,"ent":2.7,"data": [356187,356245,409,353317,672,353556,677,668,333,334,2390,365567,364474,5597,381303,26713,2760,403898,13549,5018,378842,57192,418881,4165,370546,28172,433154,6695589,7132743,143519,540660]},"pktlen": {"min":66,"avg":492.2,"max":1494,"stddev":547.1,"var":299307.7,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1306,541,66,1494,126,66,1239,443,66,263,1306,541,66,1003,66,1127,66,1494,66]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02155{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1181,"source":"wechat.pcap","alias":"nDPId-test","flow_id":52,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1492167720101930,"flow_src_last_pkt_time":1492167729700517,"flow_dst_last_pkt_time":1492167729700473,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":6405,"flow_dst_tot_l4_payload_len":7217,"midstream":0,"thread_ts_usec":1492167729700517,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54119,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":333,"avg":619262.2,"max":7132743,"stddev":1664228.6,"var":2769657004032.0,"ent":2.7,"data": [356187,356245,409,353317,672,353556,677,668,333,334,2390,365567,364474,5597,381303,26713,2760,403898,13549,5018,378842,57192,418881,4165,370546,28172,433154,6695589,7132743,143519,540660]},"pktlen": {"min":52,"avg":478.2,"max":1480,"stddev":547.1,"var":299307.7,"ent":4.1,"data": [60,60,52,290,52,1480,52,1480,52,312,52,178,103,1292,527,52,1480,112,52,1225,429,52,249,1292,527,52,989,52,1113,52,1480,52]},"bins": {"c_to_s": [8,0,0,1,0,0,0,1,0,0,0,1,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,1,0,2,0,0,0,0,0,0,0,0,0],"s_to_c": [6,2,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,1,1,1,0,0,0,1,1,0,0,1,1,0,0,1,1,0],"entropies": [4.614099026,5.054205418,4.784065247,5.803813457,5.041504860,6.789727688,4.976373672,7.508995056,4.909682751,7.239485741,4.948143959,6.283991337,5.914185047,7.847993851,7.497515678,5.056021690,7.882184505,6.223571301,4.818242073,7.846398354,7.468954086,5.094483852,7.143380165,7.812929153,7.551878452,5.132945061,7.789383411,4.948144436,7.801686287,4.986605644,7.883557796,4.871221066]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00861{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1216,"source":"wechat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167617247730,"flow_src_last_pkt_time":1492167617247730,"flow_dst_last_pkt_time":1492167617598882,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167749276262,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54109,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00758{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1216,"source":"wechat.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167617247730,"flow_src_last_pkt_time":1492167617247730,"flow_dst_last_pkt_time":1492167617598882,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167749276262,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54109,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00861{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1216,"source":"wechat.pcap","alias":"nDPId-test","flow_id":38,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":1,"flow_first_seen":1492167617247977,"flow_src_last_pkt_time":1492167617247977,"flow_dst_last_pkt_time":1492167617562993,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167749276262,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54110,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} @@ -402,7 +402,7 @@ 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1266,"source":"wechat.pcap","alias":"nDPId-test","flow_id":58,"flow_packet_id":3,"flow_src_last_pkt_time":1492167777476579,"flow_dst_last_pkt_time":1492167777476493,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167777476579,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0XvtAAEAGukDAqAFny82Tq+K3Abv08QbKs2vgPoAQAOVlIAAAAQEICgAyWHdFrtz+"} 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1268,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167777221018,"flow_dst_last_pkt_time":1492167777494071,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167777494071,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01644{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1270,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167777494128,"flow_dst_last_pkt_time":1492167777494665,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":3116,"midstream":0,"thread_ts_usec":1492167777494665,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01760{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1310,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167781392220,"flow_dst_last_pkt_time":1492167781372855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8609,"flow_dst_tot_l4_payload_len":6923,"midstream":0,"thread_ts_usec":1492167781392220,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":433,"avg":285719.9,"max":2508511,"stddev":565344.7,"var":319614582784.0,"ent":3.4,"data": [266637,266706,433,272250,1305,273110,594,572,2940,271769,269630,3217,281421,29714,327642,3217,299639,37418,350851,50937,3180,368575,30208,307140,2227616,3191,2508511,50935,328714,16106,3139]},"pktlen": {"min":66,"avg":551.9,"max":1754,"stddev":561.4,"var":315202.6,"ent":4.2,"data": [74,74,66,304,66,1494,66,1754,66,192,117,1306,541,66,1371,1239,443,66,264,66,1306,541,66,1004,66,1306,541,66,1381,66,1239,443]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,2,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} +02158{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1310,"source":"wechat.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1492167776953879,"flow_src_last_pkt_time":1492167781392220,"flow_dst_last_pkt_time":1492167781372855,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1240,"flow_dst_max_l4_payload_len":1688,"flow_src_tot_l4_payload_len":8609,"flow_dst_tot_l4_payload_len":6923,"midstream":0,"thread_ts_usec":1492167781392220,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58038,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":433,"avg":285719.9,"max":2508511,"stddev":565344.7,"var":319614582784.0,"ent":3.4,"data": [266637,266706,433,272250,1305,273110,594,572,2940,271769,269630,3217,281421,29714,327642,3217,299639,37418,350851,50937,3180,368575,30208,307140,2227616,3191,2508511,50935,328714,16106,3139]},"pktlen": {"min":52,"avg":537.9,"max":1740,"stddev":561.4,"var":315202.6,"ent":4.2,"data": [60,60,52,290,52,1480,52,1740,52,178,103,1292,527,52,1357,1225,429,52,250,52,1292,527,52,990,52,1292,527,52,1367,52,1225,429]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,0,0,0,2,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,3,0,0,0,0,0,0,0,0,0],"s_to_c": [6,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,1,0,0,1,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0],"entropies": [4.726680279,5.287539005,5.053297043,5.856728077,5.094483852,6.784938335,4.976374149,7.592500210,4.986606121,6.312986374,5.936172009,7.837973118,7.533455849,5.132945538,7.845239639,7.816359520,7.375327110,5.132945538,7.120093346,4.986605644,7.828961372,7.600332737,5.079966545,7.769877911,4.933627129,7.832687378,7.593090057,5.138531685,7.868632793,4.933627605,7.822371960,7.393807888]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat"}} 00861{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1492167619048267,"flow_src_last_pkt_time":1492167654504261,"flow_dst_last_pkt_time":1492167619048267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167782480271,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54106,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"TLS","proto_id":"91","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00758{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":41,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1492167619048267,"flow_src_last_pkt_time":1492167654504261,"flow_dst_last_pkt_time":1492167619048267,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1492167782480271,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.151.162","src_port":54106,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00913{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1327,"source":"wechat.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":40,"flow_dst_packets_processed":0,"flow_first_seen":1492167338426352,"flow_src_last_pkt_time":1492167781907538,"flow_dst_last_pkt_time":1492167338426352,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":40,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":40,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1600,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167782480271,"l3_proto":"ip6","src_ip":"fe80::7a92:9cff:fe0f:a88e","dst_ip":"ff02::fb","src_port":5353,"dst_port":5353,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"MDNS","proto_id":"8","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -504,7 +504,7 @@ 00526{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1432,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_packet_id":3,"flow_src_last_pkt_time":1492167866495436,"flow_dst_last_pkt_time":1492167866495347,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1492167866495436,"pkt":"8IQvSpdgeJKcD6iOCABFAAA0hOhAAEAGlFPAqAFny82Tq+K5AbuucSvGejQMP4AQAOXl+wAAAQEICgAyr2VFrzPt"} 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1434,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167866243873,"flow_dst_last_pkt_time":1492167866514555,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167866514555,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} 01644{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1436,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167866514612,"flow_dst_last_pkt_time":1492167866514947,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":2856,"midstream":0,"thread_ts_usec":1492167866514947,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} -01594{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1465,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":181506.0,"max":1577028,"stddev":351924.9,"var":123851137024.0,"ent":3.2,"data": [268280,268366,474,270444,798,270739,392,385,993,969,2788,273097,271415,164,26,13,12,11,1155,289376,22800,22424,9724,380702,1255603,4960,1577028,73342,350958,5989,3258]},"pktlen": {"min":66,"avg":559.6,"max":1494,"stddev":599.0,"var":358844.3,"ent":4.2,"data": [74,74,66,304,66,1494,66,1494,66,326,66,192,117,1246,1494,1494,1494,1494,1494,329,66,66,66,157,66,1234,527,66,297,66,1306,541]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,1,0,0,0,0,0,5,0,0,0],"s_to_c": [6,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,0,0]}} +01993{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1465,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":181506.0,"max":1577028,"stddev":351924.9,"var":123851137024.0,"ent":3.2,"data": [268280,268366,474,270444,798,270739,392,385,993,969,2788,273097,271415,164,26,13,12,11,1155,289376,22800,22424,9724,380702,1255603,4960,1577028,73342,350958,5989,3258]},"pktlen": {"min":52,"avg":545.6,"max":1480,"stddev":599.0,"var":358844.3,"ent":4.1,"data": [60,60,52,290,52,1480,52,1480,52,312,52,178,103,1232,1480,1480,1480,1480,1480,315,52,52,52,143,52,1220,513,52,283,52,1292,527]},"bins": {"c_to_s": [7,0,0,1,0,0,0,1,1,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,1,0,0,0,0,0,5,0,0,0],"s_to_c": [6,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,0,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,1,1,0,0,0],"entropies": [4.680765629,5.154205322,4.884933472,5.839785576,5.017560482,6.813761711,4.831954956,7.514670849,4.842186928,7.190687180,4.895165443,6.306419849,5.873158932,7.841919422,7.869560242,7.865934372,7.865987301,7.878506184,7.864762306,7.242313385,4.964581966,4.834680080,4.895165443,6.393952847,4.986606121,7.814539909,7.515988827,5.061608315,7.244477749,4.895165443,7.844690800,7.504737377]}} 01649{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1465,"source":"wechat.pcap","alias":"nDPId-test","flow_id":72,"flow_state":"info","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1492167865975033,"flow_src_last_pkt_time":1492167868793020,"flow_dst_last_pkt_time":1492167868783731,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1428,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":12291,"flow_dst_tot_l4_payload_len":3489,"midstream":0,"thread_ts_usec":1492167868793020,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58040,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","server_names":"webpush1.wechat.com,webpush.wechat.com,login.web.wechat.com,webpush.web.wechat.com,webpush2.wechat.com,webpush.web2.wechat.com,file.web2.wechat.com,web1.wechat.com,file.web.wechat.com,loginpoll.wechat.com,web2.wechat.com,login.wechat.com,login.web2.wechat.com,res.wechat.com,web.wechat.com","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=GeoTrust Inc., CN=GeoTrust SSL CA - G3","subjectDN":"C=HK, ST=HongKong, L=Wan Chai, O=Tencent Mobility Limited, CN=web.wechat.com","alpn":"h2,http\/1.1","fingerprint":"4F:3B:6A:87:0C:D2:34:09:C9:53:9F:6F:EE:7D:7B:9B:E9:D6:EF:C1"}}} 01050{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1478,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":2,"flow_first_seen":1492167866226283,"flow_src_last_pkt_time":1492167871050375,"flow_dst_last_pkt_time":1492167867786741,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1492167871050375,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,http\/1.1"}}} 01110{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1484,"source":"wechat.pcap","alias":"nDPId-test","flow_id":73,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":4,"flow_first_seen":1492167866226283,"flow_src_last_pkt_time":1492167871050375,"flow_dst_last_pkt_time":1492167871323158,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":238,"flow_dst_max_l4_payload_len":1428,"flow_src_tot_l4_payload_len":238,"flow_dst_tot_l4_payload_len":1428,"midstream":0,"thread_ts_usec":1492167871323158,"l3_proto":"ip4","src_ip":"192.168.1.103","dst_ip":"203.205.147.171","src_port":58041,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WeChat","proto_id":"91.197","encrypted":1,"breed":"Fun","category_id":9,"category":"Chat","hostname":"web.wechat.com","tls": {"version":"TLSv1.2","ja3":"e330bca99c8a5256ae126a55c4c725c5","ja3s":"699a80bdb17efe157c861f92c5bf5d1d","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"h2,http\/1.1"}}} @@ -768,9 +768,9 @@ ~~ total active/idle flows...: 109/109 ~~ total timeout flows.......: 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6717280 bytes -~~ total memory freed........: 6717280 bytes -~~ total allocations/frees...: 124856/124856 +~~ total memory allocated....: 6732104 bytes +~~ total memory freed........: 6732104 bytes +~~ total allocations/frees...: 124965/124965 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 2334 chars diff --git a/test/results/weibo.pcap.out b/test/results/weibo.pcap.out index b073da624..6eb74b005 100644 --- a/test/results/weibo.pcap.out +++ b/test/results/weibo.pcap.out @@ -55,7 +55,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":53,"source":"weibo.pcap","alias":"nDPId-test","flow_id":14,"flow_packet_id":2,"flow_src_last_pkt_time":1463089072046092,"flow_dst_last_pkt_time":1463089072070732,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1463089072070732,"pkt":"eJKcD6iOkDVu60UQCABFAAA0NhEAADYG4CXYOtRBwKgBaQG7h4sGjBrJ+KmsNoAQAV6y1gAAAQEICiUZAmMAQNzC"} 01146{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":54,"source":"weibo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1463089071613246,"flow_src_last_pkt_time":1463089071642772,"flow_dst_last_pkt_time":1463089072125117,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":5,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":5,"midstream":0,"thread_ts_usec":1463089072125117,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.137","src_port":51698,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"www.weibo.com","http": {"url":"www.weibo.com\/login.php?lang=en-us","code":0,"content_type":"","user_agent":"Mozilla\/5.0 (X11; Linux x86_64) AppleWebKit\/537.36 (KHTML, like Gecko) Chrome\/50.0.2661.102 Safari\/537.36","detected_os":"Linux x86_64"}}} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":64,"source":"weibo.pcap","alias":"nDPId-test","flow_id":13,"flow_packet_id":2,"flow_src_last_pkt_time":1463089071994093,"flow_dst_last_pkt_time":1463089072138578,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1463089072138578,"pkt":"eJKcD6iOkDVu60UQCABFAAA0XohAABsGZHc24aPSwKgBaQG7nfhaPbwDA69SioAQAIjCywAAAQEICgEjLGEAQNyy"} -01700{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":83,"source":"weibo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089071613246,"flow_src_last_pkt_time":1463089072230888,"flow_dst_last_pkt_time":1463089072285673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":12066,"midstream":0,"thread_ts_usec":1463089072285673,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.137","src_port":51698,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":21,"avg":41615.1,"max":482409,"stddev":113790.6,"var":12948298752.0,"ent":2.5,"data": [29171,29227,299,28208,454492,482409,111,67,13207,13244,85,48,39,29,8363,8394,90,62,24,21,24,24,26,28,15403,15440,68319,68302,68,48,54797]},"pktlen": {"min":66,"avg":462.1,"max":2938,"stddev":693.4,"var":480801.9,"ent":3.8,"data": [74,74,66,516,66,71,78,1502,78,1502,78,68,86,1078,78,72,78,2938,78,294,86,68,86,1502,78,819,66,72,66,1502,66,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02099{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":83,"source":"weibo.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089071613246,"flow_src_last_pkt_time":1463089072230888,"flow_dst_last_pkt_time":1463089072285673,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":450,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":450,"flow_dst_tot_l4_payload_len":12066,"midstream":0,"thread_ts_usec":1463089072285673,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.137","src_port":51698,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":21,"avg":41615.1,"max":482409,"stddev":113790.6,"var":12948298752.0,"ent":2.5,"data": [29171,29227,299,28208,454492,482409,111,67,13207,13244,85,48,39,29,8363,8394,90,62,24,21,24,24,26,28,15403,15440,68319,68302,68,48,54797]},"pktlen": {"min":52,"avg":448.1,"max":2924,"stddev":693.4,"var":480801.9,"ent":3.7,"data": [60,60,52,502,52,57,64,1488,64,1488,64,54,72,1064,64,58,64,2924,64,280,72,54,72,1488,64,805,52,58,52,1488,52,1488]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [7,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,5,0,0,1]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.650921822,5.164738178,4.955154419,5.863212585,5.062724113,5.110764980,5.095714092,7.852671146,5.095714092,7.868416309,5.090925217,5.103754044,5.134892464,7.806054115,5.090925217,5.161320686,5.102720261,7.921360016,5.071470261,7.246528625,5.126376152,5.103754044,5.164638519,7.842597485,5.090925217,5.819731712,5.091758728,5.208817959,5.022342682,7.853945732,4.945419312,7.862434864]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":107,"source":"weibo.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072333305,"flow_src_last_pkt_time":1463089072333305,"flow_dst_last_pkt_time":1463089072333305,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072333305,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53543,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00535{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":107,"source":"weibo.pcap","alias":"nDPId-test","flow_id":15,"flow_packet_id":1,"flow_src_last_pkt_time":1463089072333305,"flow_dst_last_pkt_time":1463089072333305,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":75,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":75,"pkt_l4_len":41,"thread_ts_usec":1463089072333305,"pkt":"kDVu60UQeJKcD6iOCABFAAA9J7BAAEARj0XAqAFpwKgBAdEnADUAKd+0rc0BAAABAAAAAAAAA2ltZwF0BnNpbmFqcwJjbgAAAQAB"} 01005{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":107,"source":"weibo.pcap","alias":"nDPId-test","flow_id":15,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072333305,"flow_src_last_pkt_time":1463089072333305,"flow_dst_last_pkt_time":1463089072333305,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":33,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":33,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":33,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072333305,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":53543,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Sina(Weibo)","proto_id":"5.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"img.t.sinajs.cn","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -79,8 +79,8 @@ 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":175,"source":"weibo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072885992,"flow_src_last_pkt_time":1463089072885992,"flow_dst_last_pkt_time":1463089072885992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072885992,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":41352,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":175,"source":"weibo.pcap","alias":"nDPId-test","flow_id":19,"flow_packet_id":1,"flow_src_last_pkt_time":1463089072885992,"flow_dst_last_pkt_time":1463089072885992,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1463089072885992,"pkt":"kDVu60UQeJKcD6iOCABFAAA8J\/lAAEARjv3AqAFpwKgBAaGIADUAKAcnK+gBAAABAAAAAAAAAmpzAXQGc2luYWpzAmNuAAABAAE="} 01004{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":175,"source":"weibo.pcap","alias":"nDPId-test","flow_id":19,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089072885992,"flow_src_last_pkt_time":1463089072885992,"flow_dst_last_pkt_time":1463089072885992,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":32,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":32,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089072885992,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":41352,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Sina(Weibo)","proto_id":"5.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"js.t.sinajs.cn","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} -01740{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":202,"source":"weibo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445053,"flow_src_last_pkt_time":1463089073026834,"flow_dst_last_pkt_time":1463089073029617,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":432,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":432,"flow_dst_tot_l4_payload_len":20099,"midstream":0,"thread_ts_usec":1463089073029617,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35804,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":37624.0,"max":314329,"stddev":71528.6,"var":5116344832.0,"ent":3.5,"data": [26765,26778,207,31365,283150,314329,2585,2590,16662,16689,12849,12816,59,38,45726,45760,5061,5035,70980,70980,5479,5518,32285,32296,43007,42980,3236,3222,2548,2543,2807]},"pktlen": {"min":66,"avg":710.7,"max":2938,"stddev":831.3,"var":691142.8,"ent":4.1,"data": [74,74,66,498,66,580,66,1502,66,2938,66,1502,66,1078,78,1502,66,893,66,580,78,2938,78,1502,78,1502,78,1502,78,1502,78,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01743{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":218,"source":"weibo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445019,"flow_src_last_pkt_time":1463089073075846,"flow_dst_last_pkt_time":1463089073079547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":420,"flow_dst_max_l4_payload_len":4308,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":24521,"midstream":0,"thread_ts_usec":1463089073079547,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35803,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":151,"avg":40817.9,"max":400547,"stddev":92805.4,"var":8612838400.0,"ent":3.2,"data": [26749,26781,151,28232,372448,400547,6653,6652,6583,6577,15474,15480,6563,6553,9179,9174,23391,23365,49260,49303,71669,71670,3337,3323,2937,2940,2804,2796,5515,5515,3734]},"pktlen": {"min":66,"avg":847.8,"max":4374,"stddev":1162.9,"var":1352437.0,"ent":3.9,"data": [74,74,66,486,66,581,66,1502,66,4374,66,1502,66,4374,66,2938,66,581,78,581,78,1502,66,1502,66,1502,78,1502,78,1502,78,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,3]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02139{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":202,"source":"weibo.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445053,"flow_src_last_pkt_time":1463089073026834,"flow_dst_last_pkt_time":1463089073029617,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":432,"flow_dst_max_l4_payload_len":2872,"flow_src_tot_l4_payload_len":432,"flow_dst_tot_l4_payload_len":20099,"midstream":0,"thread_ts_usec":1463089073029617,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35804,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":38,"avg":37624.0,"max":314329,"stddev":71528.6,"var":5116344832.0,"ent":3.5,"data": [26765,26778,207,31365,283150,314329,2585,2590,16662,16689,12849,12816,59,38,45726,45760,5061,5035,70980,70980,5479,5518,32285,32296,43007,42980,3236,3222,2548,2543,2807]},"pktlen": {"min":52,"avg":696.7,"max":2924,"stddev":831.3,"var":691142.8,"ent":4.0,"data": [60,60,52,484,52,566,52,1488,52,2924,52,1488,52,1064,64,1488,52,879,52,566,64,2924,64,1488,64,1488,64,1488,64,1488,64,1488]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,2]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.617588520,5.152156830,5.032077789,5.890464306,5.154164791,5.706288815,4.916693211,7.828411579,4.937911987,7.932244301,5.014835358,7.871539593,4.923395157,7.816699505,4.954130173,7.861829758,4.937912464,7.715563297,5.014835358,5.713728428,5.028425217,7.912923336,4.977720261,7.829431534,5.059675217,7.853170395,5.059675217,7.876567841,5.090925217,7.873678684,5.028425217,7.863162994]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02142{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":218,"source":"weibo.pcap","alias":"nDPId-test","flow_id":16,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445019,"flow_src_last_pkt_time":1463089073075846,"flow_dst_last_pkt_time":1463089073079547,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":420,"flow_dst_max_l4_payload_len":4308,"flow_src_tot_l4_payload_len":420,"flow_dst_tot_l4_payload_len":24521,"midstream":0,"thread_ts_usec":1463089073079547,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35803,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":151,"avg":40817.9,"max":400547,"stddev":92805.4,"var":8612838400.0,"ent":3.2,"data": [26749,26781,151,28232,372448,400547,6653,6652,6583,6577,15474,15480,6563,6553,9179,9174,23391,23365,49260,49303,71669,71670,3337,3323,2937,2940,2804,2796,5515,5515,3734]},"pktlen": {"min":52,"avg":833.8,"max":4360,"stddev":1162.9,"var":1352437.0,"ent":3.8,"data": [60,60,52,472,52,567,52,1488,52,4360,52,1488,52,4360,52,2924,52,567,64,567,64,1488,52,1488,52,1488,64,1488,64,1488,64,1488]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,8,0,0,3]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.571673870,5.052156448,4.931210041,5.882226944,4.985801697,5.695990562,4.801308155,7.757262230,4.853979111,7.951329231,4.892440796,7.858428955,4.808815479,7.951515198,4.892440796,7.937272549,4.892440796,5.696815968,5.006755829,5.720534801,5.006755829,7.871479034,4.906957626,7.880197525,4.945419312,7.866903305,5.026210785,7.865207672,4.994960785,7.858891964,4.994960785,7.845516682]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00753{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":252,"source":"weibo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073286278,"flow_src_last_pkt_time":1463089073286278,"flow_dst_last_pkt_time":1463089073286278,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073286278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":18035,"dst_port":53,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":252,"source":"weibo.pcap","alias":"nDPId-test","flow_id":20,"flow_packet_id":1,"flow_src_last_pkt_time":1463089073286278,"flow_dst_last_pkt_time":1463089073286278,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":81,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":81,"pkt_l4_len":47,"thread_ts_usec":1463089073286278,"pkt":"kDVu60UQeJKcD6iOCABFAABDKCFAAEARjs7AqAFpwKgBAUZzADUAL2deWFEBAAABAAAAAAAAAnUxA2ltZwZtb2JpbGUEc2luYQJjbgAAAQAB"} 01011{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":252,"source":"weibo.pcap","alias":"nDPId-test","flow_id":20,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073286278,"flow_src_last_pkt_time":1463089073286278,"flow_dst_last_pkt_time":1463089073286278,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":39,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":39,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":39,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073286278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"192.168.1.1","src_port":18035,"dst_port":53,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"DNS.Sina(Weibo)","proto_id":"5.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork","hostname":"u1.img.mobile.sina.cn","dns": {"num_queries":0,"num_answers":0,"reply_code":0,"query_type":1,"rsp_type":0,"rsp_addr":"0.0.0.0"}}} @@ -173,9 +173,9 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":440,"source":"weibo.pcap","alias":"nDPId-test","flow_id":43,"flow_packet_id":1,"flow_src_last_pkt_time":1463089073788865,"flow_dst_last_pkt_time":1463089073788865,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1463089073788865,"pkt":"kDVu60UQeJKcD6iOCABFAAA8M4FAAEAGYnrAqAFpKpy4E8wyAbubxznpAAAAAKACchCC5wAAAgQFtAQCCAoAQQpoAAAAAAEDAwc="} 00755{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":441,"source":"weibo.pcap","alias":"nDPId-test","flow_id":44,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073789999,"flow_src_last_pkt_time":1463089073789999,"flow_dst_last_pkt_time":1463089073789999,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073789999,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"140.205.170.63","src_port":47723,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":441,"source":"weibo.pcap","alias":"nDPId-test","flow_id":44,"flow_packet_id":1,"flow_src_last_pkt_time":1463089073789999,"flow_dst_last_pkt_time":1463089073789999,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1463089073789999,"pkt":"kDVu60UQeJKcD6iOCABFAAA8F+ZAAEAGKbjAqAFpjM2qP7prAbvY7h2OAAAAAKACchAfhQAAAgQFtAQCCAoAQQpoAAAAAAEDAwc="} -01754{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":444,"source":"weibo.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445071,"flow_src_last_pkt_time":1463089073791996,"flow_dst_last_pkt_time":1463089073794639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":459,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":13850,"midstream":0,"thread_ts_usec":1463089073794639,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35805,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":259,"avg":86983.6,"max":438815,"stddev":119331.4,"var":14239989760.0,"ent":3.8,"data": [26772,26783,259,31384,276129,307295,6901,6886,153887,153903,2935,2946,375915,438815,4367,67220,2924,2959,31457,31439,138473,138467,6109,6114,4495,4505,193484,193526,28775,28708,2661]},"pktlen": {"min":66,"avg":528.0,"max":1502,"stddev":578.7,"var":334896.4,"ent":4.2,"data": [74,74,66,476,66,577,66,1026,66,577,78,1026,78,525,66,494,66,1502,66,494,78,1502,66,1502,66,1502,66,1502,78,1502,66,1502]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01743{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":450,"source":"weibo.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073321163,"flow_src_last_pkt_time":1463089073801051,"flow_dst_last_pkt_time":1463089073804152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":484,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":484,"flow_dst_tot_l4_payload_len":18086,"midstream":0,"thread_ts_usec":1463089073804152,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35807,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":31060.5,"max":183686,"stddev":54622.5,"var":2983621632.0,"ent":3.4,"data": [62151,62179,142,161101,22711,183686,5733,5740,2565,2546,10538,10551,5220,5299,3225,3182,2451,2404,5526,5539,2866,2854,2576,2563,4789,4821,162100,162064,26294,26318,3143]},"pktlen": {"min":66,"avg":647.2,"max":1502,"stddev":674.0,"var":454231.7,"ent":4.1,"data": [74,74,66,550,66,493,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,493,78,1502,66,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} -01745{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":495,"source":"weibo.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073334322,"flow_src_last_pkt_time":1463089073888564,"flow_dst_last_pkt_time":1463089073891278,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":473,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":473,"flow_dst_tot_l4_payload_len":18114,"midstream":0,"thread_ts_usec":1463089073891278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35809,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":35845.1,"max":252228,"stddev":55584.3,"var":3089619200.0,"ent":3.8,"data": [50173,50197,137,181460,70884,252228,2685,2690,2552,2523,4210,4257,31840,31804,8134,8135,11411,11401,8727,8746,2645,2641,7148,7148,13606,13617,66334,66313,92394,92405,2753]},"pktlen": {"min":66,"avg":647.7,"max":1502,"stddev":673.8,"var":454044.4,"ent":4.1,"data": [74,74,66,539,66,507,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,1502,66,507,78,1502,66,1502]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02153{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":444,"source":"weibo.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089072445071,"flow_src_last_pkt_time":1463089073791996,"flow_dst_last_pkt_time":1463089073794639,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":459,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":869,"flow_dst_tot_l4_payload_len":13850,"midstream":0,"thread_ts_usec":1463089073794639,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35805,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":259,"avg":86983.6,"max":438815,"stddev":119331.4,"var":14239989760.0,"ent":3.8,"data": [26772,26783,259,31384,276129,307295,6901,6886,153887,153903,2935,2946,375915,438815,4367,67220,2924,2959,31457,31439,138473,138467,6109,6114,4495,4505,193484,193526,28775,28708,2661]},"pktlen": {"min":52,"avg":514.0,"max":1488,"stddev":578.7,"var":334896.4,"ent":4.1,"data": [60,60,52,462,52,563,52,1012,52,563,64,1012,64,511,52,480,52,1488,52,480,64,1488,52,1488,52,1488,52,1488,64,1488,52,1488]},"bins": {"c_to_s": [14,0,0,0,0,0,0,0,0,0,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,0,0,0,0,0,0,0,0,0,0,0,0,2,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,7,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.717588902,5.118823528,5.032077789,5.908517361,5.014835358,5.756928444,5.008133411,7.799871445,4.969672203,5.727755070,5.022979259,7.804618359,4.991729736,5.911708832,5.115703106,5.816450596,5.000318527,6.365411758,5.053297043,5.822424412,5.122175217,7.722197533,5.053297043,7.724967480,5.091758728,7.731284142,5.053297043,7.722201347,5.153425217,7.742957592,5.053297043,7.725163937]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02142{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":450,"source":"weibo.pcap","alias":"nDPId-test","flow_id":26,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073321163,"flow_src_last_pkt_time":1463089073801051,"flow_dst_last_pkt_time":1463089073804152,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":484,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":484,"flow_dst_tot_l4_payload_len":18086,"midstream":0,"thread_ts_usec":1463089073804152,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35807,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":142,"avg":31060.5,"max":183686,"stddev":54622.5,"var":2983621632.0,"ent":3.4,"data": [62151,62179,142,161101,22711,183686,5733,5740,2565,2546,10538,10551,5220,5299,3225,3182,2451,2404,5526,5539,2866,2854,2576,2563,4789,4821,162100,162064,26294,26318,3143]},"pktlen": {"min":52,"avg":633.2,"max":1488,"stddev":674.0,"var":454231.7,"ent":4.1,"data": [60,60,52,536,52,479,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,479,64,1488,52,1488]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.684255600,5.152156830,4.993616104,5.845283031,5.077241421,5.771981716,5.032077789,7.798841476,5.014835358,7.818611622,5.091758728,7.745497227,5.091758728,7.718579292,5.091758728,7.835317612,5.014835358,7.586729527,5.091758728,7.852894306,5.053297043,7.826751709,5.091758728,7.851661682,4.969671726,7.833436489,5.053297043,5.785848141,5.090925217,7.852241993,5.014835835,7.846589088]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} +02144{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":495,"source":"weibo.pcap","alias":"nDPId-test","flow_id":28,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1463089073334322,"flow_src_last_pkt_time":1463089073888564,"flow_dst_last_pkt_time":1463089073891278,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":473,"flow_dst_max_l4_payload_len":1436,"flow_src_tot_l4_payload_len":473,"flow_dst_tot_l4_payload_len":18114,"midstream":0,"thread_ts_usec":1463089073891278,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"93.188.134.246","src_port":35809,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":137,"avg":35845.1,"max":252228,"stddev":55584.3,"var":3089619200.0,"ent":3.8,"data": [50173,50197,137,181460,70884,252228,2685,2690,2552,2523,4210,4257,31840,31804,8134,8135,11411,11401,8727,8746,2645,2641,7148,7148,13606,13617,66334,66313,92394,92405,2753]},"pktlen": {"min":52,"avg":633.7,"max":1488,"stddev":673.8,"var":454044.4,"ent":4.1,"data": [60,60,52,525,52,493,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,1488,52,493,64,1488,52,1488]},"bins": {"c_to_s": [15,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,12,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [4.650922298,5.152156830,4.993616104,5.858173847,5.077241421,5.751578331,5.032077789,7.309309959,5.014835358,7.854790211,5.053297043,7.861942291,4.976373672,7.880206108,5.014835358,7.834024906,4.976373672,7.858521461,5.000318050,7.864043236,5.053297043,7.880113125,4.937911987,7.884674549,4.923395157,7.850847721,5.014835358,5.755910873,5.090925217,7.855472088,5.053297043,7.856210232]},"ndpi": {"confidence": {"6":"DPI"},"proto":"HTTP.Sina(Weibo)","proto_id":"7.200","encrypted":0,"breed":"Fun","category_id":6,"category":"SocialNetwork"}} 00757{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1463089073394759,"flow_src_last_pkt_time":1463089073773797,"flow_dst_last_pkt_time":1463089073773608,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":428,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":428,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073893914,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"222.73.28.96","src_port":42275,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00886{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073537120,"flow_src_last_pkt_time":1463089073537120,"flow_dst_last_pkt_time":1463089073537120,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073893914,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"222.73.28.96","src_port":42280,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00753{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":498,"source":"weibo.pcap","alias":"nDPId-test","flow_id":37,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1463089073537120,"flow_src_last_pkt_time":1463089073537120,"flow_dst_last_pkt_time":1463089073537120,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1463089073893914,"l3_proto":"ip4","src_ip":"192.168.1.105","dst_ip":"222.73.28.96","src_port":42280,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} @@ -250,10 +250,10 @@ ~~ total active/idle flows...: 44/44 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6124189 bytes -~~ total memory freed........: 6124189 bytes -~~ total allocations/frees...: 122474/122474 +~~ total memory allocated....: 6130173 bytes +~~ total memory freed........: 6130173 bytes +~~ total allocations/frees...: 122518/122518 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars -~~ json string max len.......: 1759 chars -~~ json string avg len.......: 1124 chars +~~ json string max len.......: 2158 chars +~~ json string avg len.......: 1324 chars diff --git a/test/results/whatsapp.pcap.out b/test/results/whatsapp.pcap.out index b5c715e49..bfe0953d1 100644 --- a/test/results/whatsapp.pcap.out +++ b/test/results/whatsapp.pcap.out @@ -585,9 +585,9 @@ ~~ total active/idle flows...: 86/86 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6369500 bytes -~~ total memory freed........: 6369500 bytes -~~ total allocations/frees...: 123102/123102 +~~ total memory allocated....: 6381196 bytes +~~ total memory freed........: 6381196 bytes +~~ total allocations/frees...: 123188/123188 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 493 chars ~~ json string max len.......: 915 chars diff --git a/test/results/whatsapp_login_call.pcap.out b/test/results/whatsapp_login_call.pcap.out index 71fee60f3..9750bf4e3 100644 --- a/test/results/whatsapp_login_call.pcap.out +++ b/test/results/whatsapp_login_call.pcap.out @@ -72,16 +72,16 @@ 01184{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":2,"flow_src_last_pkt_time":1432582228504689,"flow_dst_last_pkt_time":1432582228503997,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":540,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":540,"pkt_l4_len":506,"thread_ts_usec":1432582228504689,"pkt":"xiwDYGpkAPS5Jrv0CABFAAIO1F9AAEAGq2HAqAIEEW7lDsApFGe4aFEm1IsaTIAYIACssAAAAQEICi36MxJvhmvfY2JtdD6CZ3s26zaizYDBa1\/xV9+nfluOxtxa1tx195Jafsz52yXEOESrPvfo4L8JAAp0DYIaansHyOlB83T10iMEgMWpntVaGhVYz7Ui4c09FkbWN9q+65\/aqUq4TUrgzMyqE5QUWhXZSc\/uGC0icKHu+b2FL4NHGUs7nYDs8Xc0v0flHk5486jecRIc\/ROiqHyACG3C0wwDLYD5dPHsc+oO3YTdMQHp\/Y5aWShkoF9bF0dA6YegCOYLbVQKFU7DAdWxqhRRjje8xXf+tC7iVD+agcMxzHZHBdPvzUlsa6Hnp2KvOrzs9LBI3\/AlWnTDSOZNp+mWgK4MB2zxE5cEBsbimybYF8snsRtPtIBkMUfF1XAd9wg4sSCboXV1ik63xPuzTMdOxIRWWE26PTSksHKRu47JqvdF18Y85LvvQvIIft9jAMxZNM1JpDNK3xHTwcbI8OJ5ZzkwaDArtx1Yo+du+Za4kNeW1j1f7jlL58\/xs\/9pH231BKAPZrpjtiVLnSRVafACBd5M5lgbO1u\/aSBlmIQ\/UK6DM\/jen1DGM+xWiz3ABAYXKSpL6XfsJZ+dpwtcFktAw18x3fF8GSC0\/zgV+SA55WfIkN+qTLtYiq6ct7jHTceCT8cS"} 00878{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":82,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432582227643274,"flow_src_last_pkt_time":1432582228593505,"flow_dst_last_pkt_time":1432582228041916,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":166,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":166,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582228593505,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"184.173.179.37","src_port":49202,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00537{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":16,"flow_packet_id":3,"flow_src_last_pkt_time":1432582228504689,"flow_dst_last_pkt_time":1432582228753368,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582228753368,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0JuMAAC8Gq7gRbuUOwKgCBBRnwCnUixpMuGhRJoAQAQ6R7QAAAQEICm+GjQ4t+jMS"} -01584{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":108,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":119895.3,"max":712466,"stddev":179472.3,"var":32210292736.0,"ent":3.4,"data": [281831,283163,8705,294373,1121,35,286034,828,475,587,39758,240,307,326381,1436,373,2981,289942,5828,471,9,317531,1875,68938,587,382640,405162,707,17,712466,1952]},"pktlen": {"min":54,"avg":446.9,"max":1494,"stddev":595.1,"var":354099.2,"ent":3.9,"data": [78,66,54,244,1494,1494,585,54,54,54,54,321,60,91,54,54,54,97,54,1494,1494,167,54,54,1494,1210,54,1494,1494,167,54,54]},"bins": {"c_to_s": [9,1,0,2,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1]}} +01983{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":108,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":9,"avg":119895.3,"max":712466,"stddev":179472.3,"var":32210292736.0,"ent":3.4,"data": [281831,283163,8705,294373,1121,35,286034,828,475,587,39758,240,307,326381,1436,373,2981,289942,5828,471,9,317531,1875,68938,587,382640,405162,707,17,712466,1952]},"pktlen": {"min":40,"avg":432.9,"max":1480,"stddev":595.1,"var":354099.2,"ent":3.8,"data": [64,52,40,230,1480,1480,571,40,40,40,40,307,46,77,40,40,40,83,40,1480,1480,153,40,40,1480,1196,40,1480,1480,153,40,40]},"bins": {"c_to_s": [9,1,0,2,0,1,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,4,0,0],"s_to_c": [8,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,0,0,1,1,1,1,0,0,0,0,1,1],"entropies": [4.541277409,4.887659073,4.715312004,5.559735775,7.184122086,7.417570591,6.899518967,4.931687355,4.881687641,4.931686878,4.765311718,7.230942249,4.759187222,5.742031574,4.834183693,4.834183693,4.834183693,5.811724186,4.931686878,7.864183426,7.878191471,6.699968815,4.684184074,4.684184074,7.862710953,7.817599297,4.931687355,7.865705967,7.847981453,6.673823357,4.784183979,4.834183693]}} 01505{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":108,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":13,"flow_state":"info","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1432582227604482,"flow_src_last_pkt_time":1432582229309355,"flow_dst_last_pkt_time":1432582229616362,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":6486,"flow_dst_tot_l4_payload_len":6050,"midstream":0,"thread_ts_usec":1432582229616362,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.178.104.12","src_port":49201,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web","hostname":"query.ess.apple.com","tls": {"version":"TLSv1.2","server_names":"*.ess.apple.com","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5","issuerDN":"CN=Apple Server Authentication CA, OU=Certification Authority, O=Apple Inc., C=US","subjectDN":"CN=*.ess.apple.com, OU=ISG Delivery Ops, O=Apple Inc., C=US","fingerprint":"BD:E0:62:C3:F2:9D:09:5D:52:D4:AA:60:11:1B:36:1B:03:24:F1:9B"}}} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":137,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230648273,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582230648273,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00558{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":137,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":1,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230648273,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1432582230648273,"pkt":"xiwDYGpkAPS5Jrv0CABFAABAZppAAEAGvV7AqAIEEa1CZsA0AbuMr4Y\/AAAAALAC\/\/\/iDQAAAgQFtAEDAwQBAQgKLfo7WAAAAAAEAgAA"} -01736{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":138,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582227643274,"flow_src_last_pkt_time":1432582230649748,"flow_dst_last_pkt_time":1432582230614203,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":201,"flow_dst_max_l4_payload_len":78,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":445,"midstream":0,"thread_ts_usec":1432582230649748,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"184.173.179.37","src_port":49202,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":199246.8,"max":709350,"stddev":171222.4,"var":29317117952.0,"ent":4.4,"data": [153871,242175,244771,708056,709350,35643,213202,306,145666,324955,262756,250323,148242,98446,249378,163432,164508,351063,174021,177975,4,178327,331,171720,16,302683,276,301856,4,204047]},"pktlen": {"min":66,"avg":116.8,"max":267,"stddev":60.8,"var":3698.6,"ent":4.8,"data": [78,74,66,66,232,144,87,66,66,267,98,85,87,66,241,98,66,132,98,198,98,98,200,66,99,99,266,66,99,99,99,132]},"bins": {"c_to_s": [9,0,2,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02135{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":138,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":14,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582227643274,"flow_src_last_pkt_time":1432582230649748,"flow_dst_last_pkt_time":1432582230614203,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":201,"flow_dst_max_l4_payload_len":78,"flow_src_tot_l4_payload_len":1159,"flow_dst_tot_l4_payload_len":445,"midstream":0,"thread_ts_usec":1432582230649748,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"184.173.179.37","src_port":49202,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":199246.8,"max":709350,"stddev":171222.4,"var":29317117952.0,"ent":4.4,"data": [153871,242175,244771,708056,709350,35643,213202,306,145666,324955,262756,250323,148242,98446,249378,163432,164508,351063,174021,177975,4,178327,331,171720,16,302683,276,301856,4,204047]},"pktlen": {"min":52,"avg":102.8,"max":253,"stddev":60.8,"var":3698.6,"ent":4.8,"data": [64,60,52,52,218,130,73,52,52,253,84,71,73,52,227,84,52,118,84,184,84,84,186,52,85,85,252,52,85,85,85,118]},"bins": {"c_to_s": [9,0,2,0,2,2,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [4,10,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,1,1,0,0,0,1,0,1,0,0,1,0,0,1,0,1,1,0,0,1,1,0,0,1,1,1,0],"entropies": [4.535581589,5.323234558,5.284870625,5.118428230,6.648615837,6.247110844,5.434191704,5.231892109,5.169486046,7.074976444,5.807060719,5.762281895,5.680767059,5.207947731,7.065171242,5.820694447,5.246409416,6.336829185,5.802911282,6.766283989,5.781786919,5.740469933,6.833239079,5.270353794,5.863435745,5.886964798,7.017980099,5.284870625,5.854554653,5.807495594,5.816376686,6.257439613]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":142,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":2,"flow_src_last_pkt_time":1432582230648273,"flow_dst_last_pkt_time":1432582230787552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582230787552,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0jEsAAO8GKLkRrUJmwKgCBAG7wDR81DyUjK+GQIASH\/6qEgAAAgQFoAEDAwQBAQQC"} 00522{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":144,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_packet_id":3,"flow_src_last_pkt_time":1432582230854807,"flow_dst_last_pkt_time":1432582230787552,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432582230854807,"pkt":"xiwDYGpkAPS5Jrv0CABFAAAoLotAAEAG9YXAqAIEEa1CZsA0AbuMr4ZAfNQ8lVAQQADKywAA"} 01198{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":146,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582230862990,"flow_dst_last_pkt_time":1432582230787552,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582230862990,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01241{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":148,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582230862990,"flow_dst_last_pkt_time":1432582231003264,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1432582231003264,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}} -01871{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":177,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582231572130,"flow_dst_last_pkt_time":1432582231504448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5225,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582231572130,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":57420.4,"max":246332,"stddev":88943.3,"var":7910914560.0,"ent":3.4,"data": [139279,206534,8183,215650,62,2706,195534,776,251,20,1876,267,2144,191589,2382,13135,3735,6431,14684,18,200945,301,63298,290,2226,246332,5270,14887,15,241033,179]},"pktlen": {"min":54,"avg":303.3,"max":1494,"stddev":408.5,"var":166890.9,"ent":4.0,"data": [78,66,54,281,54,146,91,54,54,60,91,1494,531,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}} +02268{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":177,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":17,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582230648273,"flow_src_last_pkt_time":1432582231572130,"flow_dst_last_pkt_time":1432582231504448,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5225,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582231572130,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49204,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":15,"avg":57420.4,"max":246332,"stddev":88943.3,"var":7910914560.0,"ent":3.4,"data": [139279,206534,8183,215650,62,2706,195534,776,251,20,1876,267,2144,191589,2382,13135,3735,6431,14684,18,200945,301,63298,290,2226,246332,5270,14887,15,241033,179]},"pktlen": {"min":40,"avg":289.3,"max":1480,"stddev":408.5,"var":166890.9,"ent":3.9,"data": [64,52,40,267,40,132,77,40,40,46,77,1480,517,596,40,40,40,40,40,988,386,40,40,1480,526,596,40,40,988,386,40,40]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0],"entropies": [4.510027409,4.810735703,4.684184074,5.952049732,4.734184265,5.970739841,5.673912525,4.881687164,4.931687355,4.715708733,5.638134956,7.848487854,7.566340446,7.617396355,4.784183979,4.784183979,4.715312004,4.784183979,4.684184551,7.790213585,7.442604542,4.812815189,4.762814999,7.877933502,7.577860355,7.608998775,4.634183884,4.734184265,7.790307522,7.455507755,4.831687450,4.831687450]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}} 00764{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":183,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":18,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582233314493,"flow_src_last_pkt_time":1432582233314493,"flow_dst_last_pkt_time":1432582233314493,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582233314493,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"93.186.135.8","src_port":49192,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":183,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":1,"flow_src_last_pkt_time":1432582233314493,"flow_dst_last_pkt_time":1432582233314493,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582233314493,"pkt":"xiwDYGpkAPS5Jrv0CABFAAA0kh5AAEAGATfAqAIEXbqHCMAoAFBgmxszxhyTY4ARIABAdgAAAQEICi36RbdjLQIx"} 00538{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":184,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":18,"flow_packet_id":2,"flow_src_last_pkt_time":1432582233314493,"flow_dst_last_pkt_time":1432582233380398,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1432582233380398,"pkt":"APS5Jrv0xiwDYGpkCABFAAA0ewoAADkGX0tduocIwKgCBABQwCjGHJNjYJsbNIAQAebnbwAAAQEICmMteVEt+kW3"} @@ -178,7 +178,7 @@ 00915{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":342,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_packet_id":3,"flow_src_last_pkt_time":1432582258825375,"flow_dst_last_pkt_time":1432582258815685,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":342,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":342,"pkt_l4_len":308,"thread_ts_usec":1432582258825375,"pkt":"xiwDYGpkAPS5Jrv0CABFwAFIgM0AAEARKS3AqAIEW\/2wQck+JIABNDV+gPhBLgAAPABUWSgkrOczzTmmNaWeHGyeFn5K8vlkangPxwACY7IwMpCpL5qUBEDYknjmXwiwt1Sg\/GoDEpuWps7K3BPScguv1CoIPKC+VL4kk69VBQy2eU1f6p0OhYSXKAcM\/9HmK5KZeJJnhjzxZ+J\/AtWZs+X8uDaujdvMYKyUONaU\/07PQLiEd81h3NGLNxCpTNYPkmMGXMy1y+UaiUzN89zB2\/RkHbLVqN6e+nvnnRR2frMRlVsFWAJQmXtD929e1+a2u\/RdJfu15HCbSLl3jTXDbl84mpeVYYxkc3LSpxB7HrCYZEpYcCniVsfACmA6zpHVbv1BlaoQu+KuUWJT2eQ73+Vh12sP5aPix21kFcGvLfE3UalmxPkTCEhiCOUQRQbTvOcEo103"} 00567{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":350,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":2,"flow_src_last_pkt_time":1432582259254832,"flow_dst_last_pkt_time":1432582258587552,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582259254832,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIbNAAAEAR7efAqAIEAcJav8k+65gANKlVAAEAGCESpEKmTTdqxAPLVFlkZFwACAAUe9SyVdo3\/CPkaMOU00d3jUs\/Tzg="} 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":362,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":38,"flow_packet_id":3,"flow_src_last_pkt_time":1432582259886962,"flow_dst_last_pkt_time":1432582258587552,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582259886962,"pkt":"xiwDYGpkAPS5Jrv0CABFwABI77MAAEARawTAqAIEAcJav8k+65gANKqSAAEAGCESpEK30Ms3\/7rzJdDOeSQACAAUjiMqFpbreAaLOXedI1Eon++y9eE="} -01911{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":378,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582258730153,"flow_src_last_pkt_time":1432582260754649,"flow_dst_last_pkt_time":1432582260775626,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":309,"flow_dst_max_l4_payload_len":289,"flow_src_tot_l4_payload_len":3471,"flow_dst_tot_l4_payload_len":2001,"midstream":0,"thread_ts_usec":1432582260775626,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":51518,"dst_port":9344,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":44,"avg":131289.3,"max":352421,"stddev":70223.6,"var":4931354624.0,"ent":4.7,"data": [85532,95222,66134,60379,102693,208383,184141,159624,139073,188537,352421,23426,152856,55080,31139,91630,61,141160,44,163250,159227,188593,161930,163639,162107,156758,164890,143228,181638,163297,123877]},"pktlen": {"min":64,"avg":213.0,"max":351,"stddev":98.8,"var":9763.6,"ent":4.8,"data": [86,86,342,86,86,315,225,311,248,315,220,148,64,249,199,148,137,68,260,68,274,134,351,117,315,117,319,243,320,331,329,305]},"bins": {"c_to_s": [1,2,1,1,0,1,1,1,7,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,3,1,1,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,0,1,1,0,1,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02310{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":378,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582258730153,"flow_src_last_pkt_time":1432582260754649,"flow_dst_last_pkt_time":1432582260775626,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":309,"flow_dst_max_l4_payload_len":289,"flow_src_tot_l4_payload_len":3471,"flow_dst_tot_l4_payload_len":2001,"midstream":0,"thread_ts_usec":1432582260775626,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":51518,"dst_port":9344,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":44,"avg":131289.3,"max":352421,"stddev":70223.6,"var":4931354624.0,"ent":4.7,"data": [85532,95222,66134,60379,102693,208383,184141,159624,139073,188537,352421,23426,152856,55080,31139,91630,61,141160,44,163250,159227,188593,161930,163639,162107,156758,164890,143228,181638,163297,123877]},"pktlen": {"min":50,"avg":199.0,"max":337,"stddev":98.8,"var":9763.6,"ent":4.8,"data": [72,72,328,72,72,301,211,297,234,301,206,134,50,235,185,134,123,54,246,54,260,120,337,103,301,103,305,229,306,317,315,291]},"bins": {"c_to_s": [1,2,1,1,0,1,1,1,7,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,3,1,1,1,3,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,1,0,0,1,0,1,0,0,1,1,0,1,0,0,0,1,1,0,1,0,1,0,1,0,1,0,1,0,1],"entropies": [5.642145634,5.662571430,7.306882858,5.607016087,5.619208336,7.276579380,6.918804169,7.219153404,7.014481544,7.348511696,6.906354427,6.461464405,5.083854198,6.954874992,6.766034603,6.415629864,6.367953777,5.205786228,7.119737148,5.148316383,7.136041164,6.350277901,7.294374466,6.069901943,7.367813587,6.103599548,7.328564644,7.015753746,7.285601139,7.344736099,7.265763760,7.231878281]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00737{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582267983119,"flow_src_last_pkt_time":1432582267983119,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582267983119,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3} 00547{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_packet_id":1,"flow_src_last_pkt_time":1432582267983119,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"pkt_oversize":false,"pkt_caplen":70,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":70,"pkt_l4_len":36,"thread_ts_usec":1432582267983119,"pkt":"xiwDYGpkAPS5Jrv0CABFAAA44FwAAEABy33AqAIEW\/2wQQMDDx4AAAAARQAANHIMAAAvEUrCW\/2wQcCoAgQkgMk+ACAAAA=="} 00862{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":826,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582267983119,"flow_src_last_pkt_time":1432582267983119,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582267983119,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network","entropy":4.105516}} @@ -273,7 +273,7 @@ 00566{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":965,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":55,"flow_packet_id":3,"flow_src_last_pkt_time":1432582303607918,"flow_dst_last_pkt_time":1432582303604793,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582303607918,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIbOUAAEARPhXAqAIEW\/2wQc46JcEANIk8AQEAGCESpEIU61RZ3ZsVVlL2qyQACAAU6CFWVCyx0lHi4kItE160ER18SxI="} 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":972,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":2,"flow_src_last_pkt_time":1432582303831637,"flow_dst_last_pkt_time":1432582303186638,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582303831637,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIdWcAAEAR5VDAqAIEAcJav846yg8ANHIiAAEAGCESpEJT9nMzid0wAn5OIFYACAAUj7UY3ZixJKF1uir6vHE5QBib28w="} 00565{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":985,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":54,"flow_packet_id":3,"flow_src_last_pkt_time":1432582304464260,"flow_dst_last_pkt_time":1432582303186638,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432582304464260,"pkt":"xiwDYGpkAPS5Jrv0CABFwABIRQUAAEARFbPAqAIEAcJav846yg8ANIW7AAEAGCESpEIZoNpuKgJFUxs+kVcACAAURUHG5kUyySWGpYslvS2cuO+ddv8="} -01901{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":999,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432582303300524,"flow_src_last_pkt_time":1432582305119064,"flow_dst_last_pkt_time":1432582305008654,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":278,"flow_dst_max_l4_payload_len":200,"flow_src_tot_l4_payload_len":1888,"flow_dst_tot_l4_payload_len":1727,"midstream":0,"thread_ts_usec":1432582305119064,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":52794,"dst_port":9665,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":40,"avg":113763.5,"max":307394,"stddev":86013.0,"var":7398240768.0,"ent":4.5,"data": [304269,307394,8384,89918,31917,6521,226162,154173,40,188009,271,163937,163420,160100,21775,153703,73,168136,122602,138908,158523,186698,16232,65895,114250,83709,193240,164541,1311,77123,55436]},"pktlen": {"min":68,"avg":155.0,"max":320,"stddev":58.8,"var":3453.3,"ent":4.9,"data": [86,86,86,86,86,148,138,320,181,68,246,148,242,226,117,148,165,68,186,170,175,186,170,148,128,154,219,154,223,68,148,185]},"bins": {"c_to_s": [1,3,0,6,3,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,2,3,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,0,1,0,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} +02300{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":999,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":55,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432582303300524,"flow_src_last_pkt_time":1432582305119064,"flow_dst_last_pkt_time":1432582305008654,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":278,"flow_dst_max_l4_payload_len":200,"flow_src_tot_l4_payload_len":1888,"flow_dst_tot_l4_payload_len":1727,"midstream":0,"thread_ts_usec":1432582305119064,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":52794,"dst_port":9665,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":40,"avg":113763.5,"max":307394,"stddev":86013.0,"var":7398240768.0,"ent":4.5,"data": [304269,307394,8384,89918,31917,6521,226162,154173,40,188009,271,163937,163420,160100,21775,153703,73,168136,122602,138908,158523,186698,16232,65895,114250,83709,193240,164541,1311,77123,55436]},"pktlen": {"min":54,"avg":141.0,"max":306,"stddev":58.8,"var":3453.3,"ent":4.9,"data": [72,72,72,72,72,134,124,306,167,54,232,134,228,212,103,134,151,54,172,156,161,172,156,134,114,140,205,140,209,54,134,171]},"bins": {"c_to_s": [1,3,0,6,3,1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,2,2,3,4,2,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,1,1,0,0,1,0,1,0,0,0,1,0,1,1,0,1,1,0,1,0,1,1,0,0],"entropies": [5.586590290,5.634793758,5.591430664,5.548327923,5.614367962,6.343744755,6.353155136,7.262660980,6.708292484,5.199332714,6.977910042,6.582841873,7.061330318,6.964643955,6.193738461,6.469698906,6.640622616,5.205786228,6.713893890,6.594544411,6.678621769,6.732760429,6.737264633,6.418371201,6.335039139,6.527385712,6.871919632,6.504805565,6.851323605,5.199332714,6.565941334,6.741304874]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 01191{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1022,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":3,"flow_src_last_pkt_time":1432582306376756,"flow_dst_last_pkt_time":1432582246280217,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1432582306376756,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAIS5VYAAEARDTTAqAIBwKgC\/0RcRFwB\/jsJeyJob3N0X2ludCI6IDMzNzUzNTk1OTMsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="} 01076{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1188,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":39,"flow_state":"finished","flow_src_packets_processed":186,"flow_dst_packets_processed":278,"flow_first_seen":1432582258730153,"flow_src_last_pkt_time":1432582267934161,"flow_dst_last_pkt_time":1432582268457283,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":26,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":483,"flow_dst_max_l4_payload_len":446,"flow_src_tot_l4_payload_len":19213,"flow_dst_tot_l4_payload_len":14219,"midstream":0,"thread_ts_usec":1432582311138615,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","src_port":51518,"dst_port":9344,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}}},"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00887{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1188,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":40,"flow_state":"finished","flow_src_packets_processed":10,"flow_dst_packets_processed":0,"flow_first_seen":1432582267983119,"flow_src_last_pkt_time":1432582311138615,"flow_dst_last_pkt_time":1432582267983119,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":360,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582311138615,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"91.253.176.65","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"ICMP","proto_id":"81","encrypted":0,"breed":"Acceptable","category_id":14,"category":"Network"}} @@ -304,7 +304,7 @@ 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":1219,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_packet_id":3,"flow_src_last_pkt_time":1432582355478348,"flow_dst_last_pkt_time":1432582355393148,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432582355478348,"pkt":"xiwDYGpkAPS5Jrv0CABFAAAoTu9AAEAG1SHAqAIEEa1CZsA1Abt+ckUkpMYmoFAQQAAIJwAA"} 01199{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":1220,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582355482566,"flow_dst_last_pkt_time":1432582355393148,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582355482566,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL"}}} 01242{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":1222,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582355482566,"flow_dst_last_pkt_time":1432582355622106,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":227,"flow_dst_max_l4_payload_len":92,"flow_src_tot_l4_payload_len":227,"flow_dst_tot_l4_payload_len":92,"midstream":0,"thread_ts_usec":1432582355622106,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate","hostname":"p53-buy.itunes.apple.com","tls": {"version":"TLSv1.2","ja3":"799135475da362592a4be9199d258726","ja3s":"c253ec3ad88e42f8da4032682892f9a0","unsafe_cipher":2,"cipher":"TLS_RSA_WITH_RC4_128_MD5"}}} -01871{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582356195572,"flow_dst_last_pkt_time":1432582356100109,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5224,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":57713.9,"max":271808,"stddev":91895.6,"var":8444797952.0,"ent":3.3,"data": [139873,225073,4218,228888,70,2672,200693,278,1388,194,2268,310,435,198176,1008,14244,4721,5042,13250,23,199875,308,34695,427,52,217025,5837,15994,11,271808,275]},"pktlen": {"min":54,"avg":303.3,"max":1494,"stddev":408.5,"var":166876.7,"ent":4.0,"data": [78,66,54,281,54,146,91,54,54,60,91,1494,530,610,54,54,54,54,54,1002,400,54,54,1494,540,610,54,54,1002,400,54,54]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}} +02268{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":1248,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":57,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582355253275,"flow_src_last_pkt_time":1432582356195572,"flow_dst_last_pkt_time":1432582356100109,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":5224,"flow_dst_tot_l4_payload_len":2717,"midstream":0,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":11,"avg":57713.9,"max":271808,"stddev":91895.6,"var":8444797952.0,"ent":3.3,"data": [139873,225073,4218,228888,70,2672,200693,278,1388,194,2268,310,435,198176,1008,14244,4721,5042,13250,23,199875,308,34695,427,52,217025,5837,15994,11,271808,275]},"pktlen": {"min":40,"avg":289.3,"max":1480,"stddev":408.5,"var":166876.7,"ent":3.9,"data": [64,52,40,267,40,132,77,40,40,46,77,1480,516,596,40,40,40,40,40,988,386,40,40,1480,526,596,40,40,988,386,40,40]},"bins": {"c_to_s": [9,1,0,0,0,0,0,1,0,0,0,0,0,0,1,1,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0],"s_to_c": [9,1,1,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,1,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0],"entropies": [4.478777409,4.849197388,4.715312004,5.931038380,4.784183979,6.049894810,5.799257278,4.881687164,4.881687164,4.802665710,5.737505436,7.869925976,7.601890564,7.659376144,4.834184170,4.884183884,4.884183884,4.834183693,4.834183693,7.790913582,7.529675484,4.881687164,4.931687355,7.881880760,7.552830696,7.654625893,4.834183693,4.884183884,7.775795460,7.413623333,4.931687355,4.881687164]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.AppleStore","proto_id":"91.224","encrypted":1,"breed":"Safe","category_id":19,"category":"SoftwareUpdate"}} 00897{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1249,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1432582224235628,"flow_src_last_pkt_time":1432582224264733,"flow_dst_last_pkt_time":1432582224263291,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"5.178.42.26","src_port":49174,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} 00763{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":1249,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":7,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1432582224235628,"flow_src_last_pkt_time":1432582224264733,"flow_dst_last_pkt_time":1432582224263291,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"5.178.42.26","src_port":49174,"dst_port":80,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00899{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":1249,"source":"whatsapp_login_call.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":1,"flow_first_seen":1432582224210874,"flow_src_last_pkt_time":1432582224240462,"flow_dst_last_pkt_time":1432582224238952,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582356195572,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"93.186.135.82","src_port":49173,"dst_port":80,"l4_proto":"tcp","ndpi": {"confidence": {"1":"Match by port"},"proto":"HTTP","proto_id":"7","encrypted":0,"breed":"Acceptable","category_id":5,"category":"Web","hostname":"","http": {}}} @@ -406,9 +406,9 @@ ~~ total active/idle flows...: 57/57 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6205778 bytes -~~ total memory freed........: 6205778 bytes -~~ total allocations/frees...: 123314/123314 +~~ total memory allocated....: 6213530 bytes +~~ total memory freed........: 6213530 bytes +~~ total allocations/frees...: 123371/123371 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 504 chars ~~ json string max len.......: 2496 chars diff --git a/test/results/whatsapp_login_chat.pcap.out b/test/results/whatsapp_login_chat.pcap.out index d1441650f..94ff7e6cf 100644 --- a/test/results/whatsapp_login_chat.pcap.out +++ b/test/results/whatsapp_login_chat.pcap.out @@ -18,7 +18,7 @@ 01165{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":19,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1432582381179706,"flow_dst_last_pkt_time":1432582381179399,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":531,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":531,"pkt_l4_len":497,"thread_ts_usec":1432582381179706,"pkt":"xiwDYGpkAPS5Jrv0CABFAAIFAqxAAEAGH4jAqAIEEa1CZsA1Abt+cl8spMYxPVAYQAAK4wAA+zXxkGmxqmlJcwlR7TpHpRtDDy9iaRt9w+hOFsERXuy8gwV22TTGXYqWLP3aSg0FRpPNh6b2JxTA9OSkJEk04NCfWqJRauLthWRuA7XoVn8i6Smk+coAOa3u15Yq91KVTfK0Likn42RkhoMCTU67u6i6Y4GW7d7uWiM6L3uLokbbGTmGs29u3afEGnNWZwLcuyp6rGxmPmWxvxgkiNCzEIsj5+jDbrTqLXDyyF322ZG7ztnAr92I1EUwbaElkdT9P28rYnazLdDX3NtrMNZoVpJg+JtJ\/7kZqQ2Wqzmg\/a3xXi4EVY3r6CTewAoUnubR3Qb8d8SxZWO8dXB980UXO8ObJWaEL5I20Sp30w7kYXi8hv4VgTLwR\/5GH+diyQKZuXNNplXdUL9qR0BnzfYHcTgjG28TOg74dTk611xDBeVR4Itg6rhO4EXCbpfiRmK6bb3CXGkaTCMHxUnezI+xc2Wog+XxCXrGyOiN2uGEyOBaMLxsAdU\/WfMK5Hg2kk6QV97kZZAhmz0GEeQIuwbiHtXsFgOmiLHGkBFU3uvrL2U0AIsy\/dg28ProYM\/UVKotXUmjaEkwo4XPHqyzoqhSMSd8fGbpRTWD+Jj7SG1OLSQLZ6OzyLhulPpesWWw"} 00876{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":19,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":0,"flow_first_seen":1432582381179399,"flow_src_last_pkt_time":1432582381179706,"flow_dst_last_pkt_time":1432582381179399,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":477,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1917,"flow_dst_tot_l4_payload_len":0,"midstream":1,"thread_ts_usec":1432582381179706,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 01281{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":20,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1432582381179774,"flow_dst_last_pkt_time":1432582381179399,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":610,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":610,"pkt_l4_len":576,"thread_ts_usec":1432582381179774,"pkt":"xiwDYGpkAPS5Jrv0CABFAAJULUhAAEAG9JzAqAIEEa1CZsA1Abt+cmEJpMYxPVAYQAAkaQAAFwMDAifRP6n1iN3uB\/Uhy6B3MN22nTeVXJRqDhAyLGWagzjVPV67eGMiWlDpxIYk9ZRXb8ENyJMklAVg5qQxAfredM796d1woE5CM\/dDlnC9hhfBLqlOMT0Sc23vnR6S0CtE+vcI2IEc50YYFIr8cCuBcLPUtehQ+6FiIBzPUNdC8gBpCK0l8ehCaB6UsJ+9Lz+rqI7LymD80O7JD9GQGlEzf0ROrOYPwKN9oloslBYMUuNcVtuTSnZlQf6clnYgiVqjkPEIWZnj1\/SzJxC0XzXDZTCazzjZUphrvHsUFVKI\/iQfQLn2Pm20z\/bY+umTrESbc\/Rb\/jTAxKkWPlTguW5QNPTgHe+8CLbu8GlNIUhp6XnzV0lotZMlMuaBJakvd6GmWA8qWeiSGeNI8Nxabsp54T+pQf+cFTWMVSzn894mO+DZZ3gtq32z87kDjYiMhE2jHBbOrnjFvxmtQtZu7lyboSLDYh55cOzJECLrbK8MSRuDtHOP5G6iepYtPwv3WMGLCV+hTD9hULIUKlQnW8NxmNPf6x7m2WXh+T5KFO1k2GNZTSM8sWZLLJiGPB3r5p1nS3ObF9UaRS1rU\/+0JK5FT6PVQl\/T6rcJ66cGodbOS0a03YtqhfdlphEfqQSNy4IBPyE7+TYhqlI5kH8vw+oFYBVtxUinzFEEO03Tz6ey1LN8P\/4vb9rv1pyNfFxaNarK\/6\/1noAhKaU7nGWU\/L6Er+GI\/BOXYTn7Ng=="} -01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582381179399,"flow_src_last_pkt_time":1432582384764367,"flow_dst_last_pkt_time":1432582384691063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":11339,"flow_dst_tot_l4_payload_len":3880,"midstream":1,"thread_ts_usec":1432582384764367,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":228923.6,"max":3030585,"stddev":711161.6,"var":505750847488.0,"ent":2.0,"data": [307,68,156057,6041,20562,3,205015,214,59650,355,76,237850,6388,13739,3,246436,156,2803227,690,58,155,163,149,3030585,5762,13968,11,3,10327,10365,268249]},"pktlen": {"min":54,"avg":529.6,"max":1494,"stddev":518.7,"var":269058.2,"ent":4.3,"data": [1494,531,610,54,54,1000,400,54,54,1494,538,610,54,54,1002,400,54,54,1494,531,610,1494,1254,1254,54,54,1002,400,54,54,54,127]},"bins": {"c_to_s": [4,0,1,0,0,0,0,0,0,0,0,0,0,0,2,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,4,0,0],"s_to_c": [9,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} +02120{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":53,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432582381179399,"flow_src_last_pkt_time":1432582384764367,"flow_dst_last_pkt_time":1432582384691063,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":948,"flow_src_tot_l4_payload_len":11339,"flow_dst_tot_l4_payload_len":3880,"midstream":1,"thread_ts_usec":1432582384764367,"l3_proto":"ip4","src_ip":"192.168.2.4","dst_ip":"17.173.66.102","src_port":49205,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":228923.6,"max":3030585,"stddev":711161.6,"var":505750847488.0,"ent":2.0,"data": [307,68,156057,6041,20562,3,205015,214,59650,355,76,237850,6388,13739,3,246436,156,2803227,690,58,155,163,149,3030585,5762,13968,11,3,10327,10365,268249]},"pktlen": {"min":40,"avg":515.6,"max":1480,"stddev":518.7,"var":269058.2,"ent":4.2,"data": [1480,517,596,40,40,986,386,40,40,1480,524,596,40,40,988,386,40,40,1480,517,596,1480,1240,1240,40,40,988,386,40,40,40,113]},"bins": {"c_to_s": [4,0,1,0,0,0,0,0,0,0,0,0,0,0,2,1,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0,0,0,4,0,0],"s_to_c": [9,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,0,1,1,1,1,0,0,0,0,0,1,1,1,1,0,0,0,0,0,0,0,0,1,1,1,1,1,1,1,0],"entropies": [7.845222473,7.564460754,7.723596096,4.884183884,4.784184456,7.802291870,7.349081993,4.781687260,4.881687164,7.891665459,7.618573189,7.589188576,4.834184170,4.884183884,7.765514851,7.364068508,4.931687355,4.931687355,7.868970394,7.635158062,7.659084320,7.869641304,7.832291603,7.869807243,4.884183884,4.884183884,7.782162189,7.393073082,4.765311718,4.815311432,4.815311432,6.363091469]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Apple","proto_id":"91.140","encrypted":1,"breed":"Safe","category_id":5,"category":"Web"}} 00771{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":73,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582396509617,"flow_src_last_pkt_time":1432582396509617,"flow_dst_last_pkt_time":1432582396509617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":502,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":502,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":502,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582396509617,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 01188{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":73,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_packet_id":1,"flow_src_last_pkt_time":1432582396509617,"flow_dst_last_pkt_time":1432582396509617,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":544,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":544,"pkt_l4_len":510,"thread_ts_usec":1432582396509617,"pkt":"\/\/\/\/\/\/\/\/xiwDYGpkCABFAAISQPEAAEARsZnAqAIBwKgC\/0RcRFwB\/jsJeyJob3N0X2ludCI6IDMzNzUzNTk1OTMsICJ2ZXJzaW9uIjogWzEsIDhdLCAiZGlzcGxheW5hbWUiOiAiIiwgInBvcnQiOiAxNzUwMCwgIm5hbWVzcGFjZXMiOiBbMTQ4MTkzMzcsIDE3NjA5OTYzLCAyMDY0OTM0OSwgMjg1MjE2MDcsIDU4MzQ0OTk2LCA2MDU5NDk4MywgNjQ0MzYwOTksIDk2ODUzMjI0LCA5OTQ2OTc3MywgMTAxMDQ3OTk2LCAxMDgxNTkxMDIsIDEyNTU0MDU2NiwgMTc2OTY0MzA3LCAyNDM2ODI5ODYsIDI0NzkyNTA4NSwgMjYwNDY1MjYxLCAyNzA0MDQ3NDIsIDI4Mzg2MTQ1NywgNDI0NTQwMTk3LCA0NDgzOTczOTMsIDQ1MTQ3MjY1OCwgNTExNzA2NjQyLCA1NjgzOTU4MzMsIDU5NDI0Njk1NCwgNTk4MDYxMDY2LCA2MTU5ODMzNzksIDcyMDA1ODM2MSwgNzM1MDUxODMwLCA3MzYzNDE1MjgsIDc0MTI1NTYxMywgNzc2MDg3MjQ3LCA3ODA4NzA1ODEsIDc4Mjk4MTk0OSwgNzg1MjY2MTc3LCA4MTg3NTI3MTAsIDg1NTY4MjM5MCwgODg0MTIwMTMyLCA5MDg5MTQ4NjhdfQ=="} 00879{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":73,"source":"whatsapp_login_chat.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432582396509617,"flow_src_last_pkt_time":1432582396509617,"flow_dst_last_pkt_time":1432582396509617,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":502,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":502,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":502,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432582396509617,"l3_proto":"ip4","src_ip":"192.168.2.1","dst_ip":"192.168.2.255","src_port":17500,"dst_port":17500,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Dropbox","proto_id":"121","encrypted":0,"breed":"Acceptable","category_id":13,"category":"Cloud"}} @@ -57,9 +57,9 @@ ~~ total active/idle flows...: 9/9 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6059382 bytes -~~ total memory freed........: 6059382 bytes -~~ total allocations/frees...: 121659/121659 +~~ total memory allocated....: 6060606 bytes +~~ total memory freed........: 6060606 bytes +~~ total allocations/frees...: 121668/121668 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 504 chars ~~ json string max len.......: 2479 chars diff --git a/test/results/whatsapp_voice_and_message.pcap.out b/test/results/whatsapp_voice_and_message.pcap.out index 90ca5652f..fc88af2cd 100644 --- a/test/results/whatsapp_voice_and_message.pcap.out +++ b/test/results/whatsapp_voice_and_message.pcap.out @@ -45,7 +45,7 @@ 00976{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":54,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":9,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432820571488232,"flow_src_last_pkt_time":1432820571488232,"flow_dst_last_pkt_time":1432820571488232,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":126,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820571488232,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"31.13.73.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP","hostname":"","stun": {"num_pkts":0,"num_binding_requests":0,"num_processed_pkts":0}}} 00570{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":55,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":2,"flow_src_last_pkt_time":1432820571488232,"flow_dst_last_pkt_time":1432820571716839,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1432820571716839,"pkt":"ABoRAAACABoRAAABCABFAABIABxAABAR+EMfDUkwCggAAQ2W0XQANGvUAQMAGCESpEIAAOlKSWdSWOu7U1cAIAAIAAGOsJ6wzx5AAgAIAAABTZrC3xA="} 00683{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":56,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":9,"flow_packet_id":3,"flow_src_last_pkt_time":1432820571716900,"flow_dst_last_pkt_time":1432820571716839,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":168,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":168,"pkt_l4_len":134,"thread_ts_usec":1432820571716900,"pkt":"ABoRAAACABoRAAABCABFwACaAABAAEARx00KCAABHw1JMNF0DZYAhta5AAMAaiESpEIAAOlKSWdSWOu7U1dAAABmAQCy86Qxc0\/TrfZVVa\/eTEZDohPoeRLoRZc1aFVhrGc1f8RW2vMjT5P8rAsiwZ+p9NloXItIT0xPBspixBWhh83rOo673FqXfKhsmqCbgcYysEXxS1G0BQlmTNaw3EzKh7wFRa3N"} -01749{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":64,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432820558921094,"flow_src_last_pkt_time":1432820571925000,"flow_dst_last_pkt_time":1432820571924969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":415,"flow_src_tot_l4_payload_len":984,"flow_dst_tot_l4_payload_len":706,"midstream":0,"thread_ts_usec":1432820571925000,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"184.173.179.46","src_port":35480,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":838960.6,"max":10748901,"stddev":2599895.5,"var":6759456964608.0,"ent":2.2,"data": [61035,61126,147705,147918,346802,397248,61,50507,310058,310119,199799,397950,91,198181,50507,50568,386718,386688,54077,104523,50476,50446,398316,399963,10696747,10748901,336,153,244,335,183]},"pktlen": {"min":54,"avg":107.4,"max":469,"stddev":97.6,"var":9526.4,"ent":4.6,"data": [74,54,54,231,54,132,54,84,54,77,54,223,54,86,54,104,54,410,54,77,54,75,54,469,54,133,54,133,54,133,54,133]},"bins": {"c_to_s": [9,2,4,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,0,1,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02146{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":64,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1432820558921094,"flow_src_last_pkt_time":1432820571925000,"flow_dst_last_pkt_time":1432820571924969,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":356,"flow_dst_max_l4_payload_len":415,"flow_src_tot_l4_payload_len":984,"flow_dst_tot_l4_payload_len":706,"midstream":0,"thread_ts_usec":1432820571925000,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"184.173.179.46","src_port":35480,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":61,"avg":838960.6,"max":10748901,"stddev":2599895.5,"var":6759456964608.0,"ent":2.2,"data": [61035,61126,147705,147918,346802,397248,61,50507,310058,310119,199799,397950,91,198181,50507,50568,386718,386688,54077,104523,50476,50446,398316,399963,10696747,10748901,336,153,244,335,183]},"pktlen": {"min":40,"avg":93.4,"max":455,"stddev":97.6,"var":9526.4,"ent":4.5,"data": [60,40,40,217,40,118,40,70,40,63,40,209,40,72,40,90,40,396,40,63,40,61,40,455,40,119,40,119,40,119,40,119]},"bins": {"c_to_s": [9,2,4,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [12,0,1,0,0,1,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,1,1,0,0,1,0,1,0,1,1,0,1,0,1,0,0,1,0,1,0,1,0],"entropies": [4.392425537,4.511769295,4.684184074,6.627061367,4.630641460,6.138794422,4.734184265,5.591402531,4.580641747,5.220905781,4.561769485,6.947570324,4.734183788,5.719834328,4.580641747,5.914073467,4.630641460,7.386677742,4.580641747,5.362121105,4.684184074,5.274999619,4.734184265,7.486519814,4.615312099,6.287545204,4.580641747,6.290473938,4.580641747,6.273667336,4.580641747,6.324087143]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00769{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":83,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":10,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1432820624900403,"flow_src_last_pkt_time":1432820624900403,"flow_dst_last_pkt_time":1432820624900403,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820624900403,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.42","src_port":44819,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00557{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":83,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":1,"flow_src_last_pkt_time":1432820624900403,"flow_dst_last_pkt_time":1432820624900403,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1432820624900403,"pkt":"ABoRAAACABoRAAABCABFAAA85gNAAEAGcjAKCAABnlU6Kq8TFGbeopMoAAAAAKACOQiB\/gAAAgQFtAQCCAoABHUrAAAAAAEDAwQ="} 00530{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":84,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":10,"flow_packet_id":2,"flow_src_last_pkt_time":1432820624900403,"flow_dst_last_pkt_time":1432820625066907,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820625066907,"pkt":"ABoRAAACABoRAAABCABFAAAoACpAABAGiB6eVToqCggAARRmrxMhXWzX3qKTKVAS\/\/8J0AAA"} @@ -56,7 +56,7 @@ 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":122,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":2,"flow_src_last_pkt_time":1432820633802533,"flow_dst_last_pkt_time":1432820633803845,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820633803845,"pkt":"ABoRAAACABoRAAABCABFAAAoADlAABAG1BCtwN69CggAARRmpQHPUwduMKz4klAS\/\/9f4wAA"} 00529{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":123,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_packet_id":3,"flow_src_last_pkt_time":1432820633804974,"flow_dst_last_pkt_time":1432820633803845,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820633804974,"pkt":"ABoRAAACABoRAAABCABFAAAogDhAAEAGJBEKCAABrcDevaUBFGYwrPiSz1MHb1AQOQgm3AAA"} 00884{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":124,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432820633802533,"flow_src_last_pkt_time":1432820633834790,"flow_dst_last_pkt_time":1432820633803845,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820633834790,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.192.222.189","src_port":42241,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} -01730{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":152,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1432820633802533,"flow_src_last_pkt_time":1432820634797314,"flow_dst_last_pkt_time":1432820634796460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":505,"flow_src_tot_l4_payload_len":707,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.192.222.189","src_port":42241,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":64151.9,"max":457947,"stddev":103861.5,"var":10787211264.0,"ent":3.7,"data": [1312,2441,29816,31189,401459,457947,56427,244,122,152,50476,50415,214,112548,112763,50812,57282,6500,274,183,50385,50538,122,50415,131042,50415,131164,122,50507,50629,793]},"pktlen": {"min":54,"avg":102.2,"max":559,"stddev":100.3,"var":10067.6,"ent":4.6,"data": [74,54,54,228,54,132,54,559,84,54,54,77,54,54,79,54,76,135,54,299,54,76,78,54,108,54,72,105,54,223,54,54]},"bins": {"c_to_s": [10,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02126{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":152,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":11,"flow_state":"finished","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1432820633802533,"flow_src_last_pkt_time":1432820634797314,"flow_dst_last_pkt_time":1432820634796460,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":505,"flow_src_tot_l4_payload_len":707,"flow_dst_tot_l4_payload_len":814,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.192.222.189","src_port":42241,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":122,"avg":64151.9,"max":457947,"stddev":103861.5,"var":10787211264.0,"ent":3.7,"data": [1312,2441,29816,31189,401459,457947,56427,244,122,152,50476,50415,214,112548,112763,50812,57282,6500,274,183,50385,50538,122,50415,131042,50415,131164,122,50507,50629,793]},"pktlen": {"min":40,"avg":88.2,"max":545,"stddev":100.3,"var":10067.6,"ent":4.4,"data": [60,40,40,214,40,118,40,545,70,40,40,63,40,40,65,40,62,121,40,285,40,62,64,40,94,40,58,91,40,209,40,40]},"bins": {"c_to_s": [10,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [14,0,1,0,0,1,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,1,0,1,0,0,1,1,0,1,0,1,1,0,1,0,1,1,0,1,1,0,0],"entropies": [4.459092617,4.680641651,4.784183979,6.607134819,4.630641460,6.115448475,4.665311813,7.571388721,5.552047253,4.580641270,4.630640984,5.367652893,4.630641460,4.834183693,5.504653454,4.580641747,5.300499439,6.294820786,4.630641460,7.156640053,4.530641556,5.393635750,5.481855392,4.630641460,5.938459396,4.680641651,5.375223160,5.945579052,4.611769676,6.961353779,4.834183693,4.665311813]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00937{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":153,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820568947491,"flow_src_last_pkt_time":1432820628171429,"flow_dst_last_pkt_time":1432820569427136,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.252.121.1","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00937{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":153,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820569427258,"flow_src_last_pkt_time":1432820629171551,"flow_dst_last_pkt_time":1432820570006695,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"179.60.192.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00935{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":153,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820567259228,"flow_src_last_pkt_time":1432820625171734,"flow_dst_last_pkt_time":1432820567917126,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820634797314,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"31.13.84.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} @@ -70,7 +70,7 @@ 00532{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":184,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":2,"flow_src_last_pkt_time":1432820681899121,"flow_dst_last_pkt_time":1432820681901135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820681901135,"pkt":"ABoRAAACABoRAAABCABFAAAoAFlAABAGh6yeVTptCggAARRmwjmuxBSBUTvrf1AS\/\/\/2ZgAA"} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":185,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_packet_id":3,"flow_src_last_pkt_time":1432820681901684,"flow_dst_last_pkt_time":1432820681901135,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":54,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":54,"pkt_l4_len":20,"thread_ts_usec":1432820681901684,"pkt":"ABoRAAACABoRAAABCABFAAAoYBJAAEAG9\/IKCAABnlU6bcI5FGZRO+t\/rsQUglAQOQi9XwAA"} 00882{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":186,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1432820681899121,"flow_src_last_pkt_time":1432820681935773,"flow_dst_last_pkt_time":1432820681901135,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":174,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":174,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1432820681935773,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.109","src_port":49721,"dst_port":5222,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} -01737{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":214,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432820681899121,"flow_src_last_pkt_time":1432820685106122,"flow_dst_last_pkt_time":1432820683287396,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":254,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":751,"midstream":0,"thread_ts_usec":1432820685106122,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.109","src_port":49721,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":91,"avg":148234.7,"max":1768433,"stddev":316376.5,"var":100094115840.0,"ent":3.4,"data": [2014,2563,34089,34790,390289,440887,50599,183,91,50446,50537,139282,139252,92,50506,50445,92,51240,51147,213,122,77789,128296,50873,179230,229706,260559,260559,50476,50476,1768433]},"pktlen": {"min":54,"avg":99.1,"max":308,"stddev":70.4,"var":4957.0,"ent":4.7,"data": [74,54,54,228,54,132,54,308,84,54,77,54,79,54,76,135,54,76,299,54,54,54,223,112,54,113,54,179,54,76,54,90]},"bins": {"c_to_s": [11,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} +02134{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":214,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":12,"flow_state":"finished","flow_src_packets_processed":16,"flow_dst_packets_processed":16,"flow_first_seen":1432820681899121,"flow_src_last_pkt_time":1432820685106122,"flow_dst_last_pkt_time":1432820683287396,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":245,"flow_dst_max_l4_payload_len":254,"flow_src_tot_l4_payload_len":672,"flow_dst_tot_l4_payload_len":751,"midstream":0,"thread_ts_usec":1432820685106122,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"158.85.58.109","src_port":49721,"dst_port":5222,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":91,"avg":148234.7,"max":1768433,"stddev":316376.5,"var":100094115840.0,"ent":3.4,"data": [2014,2563,34089,34790,390289,440887,50599,183,91,50446,50537,139282,139252,92,50506,50445,92,51240,51147,213,122,77789,128296,50873,179230,229706,260559,260559,50476,50476,1768433]},"pktlen": {"min":40,"avg":85.1,"max":294,"stddev":70.4,"var":4957.0,"ent":4.6,"data": [60,40,40,214,40,118,40,294,70,40,63,40,65,40,62,121,40,62,285,40,40,40,209,98,40,99,40,165,40,62,40,76]},"bins": {"c_to_s": [11,2,1,0,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [11,1,1,1,0,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,1,0,1,0,1,0,1,1,0,1,1,0,1,0,0,1,0,1,1,0,1,0,1,0,0],"entropies": [4.471673489,4.680641651,4.734183788,6.810238838,4.680641651,6.078742027,4.665311813,7.177294731,5.455548763,4.680641651,5.570110321,4.730641842,5.523809433,4.730641842,5.470327377,6.416762829,4.730641842,5.470327854,7.190139771,4.730641842,4.884183884,4.884183884,6.934513569,6.068694592,4.730641842,6.043103695,4.815311432,6.668905258,4.815311432,5.405810833,4.765311718,5.731334686]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WhatsApp","proto_id":"142","encrypted":1,"breed":"Acceptable","category_id":9,"category":"Chat"}} 00937{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":225,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820568947491,"flow_src_last_pkt_time":1432820628171429,"flow_dst_last_pkt_time":1432820569427136,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820691515362,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"173.252.121.1","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00937{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":225,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":6,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820569427258,"flow_src_last_pkt_time":1432820629171551,"flow_dst_last_pkt_time":1432820570006695,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820691515362,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"179.60.192.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} 00935{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":225,"source":"whatsapp_voice_and_message.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":2,"flow_first_seen":1432820567259228,"flow_src_last_pkt_time":1432820625171734,"flow_dst_last_pkt_time":1432820567917126,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":126,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":126,"flow_dst_max_l4_payload_len":44,"flow_src_tot_l4_payload_len":378,"flow_dst_tot_l4_payload_len":88,"midstream":0,"thread_ts_usec":1432820691515362,"l3_proto":"ip4","src_ip":"10.8.0.1","dst_ip":"31.13.84.48","src_port":53620,"dst_port":3478,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"STUN.WhatsAppCall","proto_id":"78.45","encrypted":0,"breed":"Acceptable","category_id":10,"category":"VoIP"}} @@ -106,10 +106,10 @@ ~~ total active/idle flows...: 13/13 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6081170 bytes -~~ total memory freed........: 6081170 bytes -~~ total allocations/frees...: 121875/121875 +~~ total memory allocated....: 6082938 bytes +~~ total memory freed........: 6082938 bytes +~~ total allocations/frees...: 121888/121888 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 511 chars -~~ json string max len.......: 1754 chars -~~ json string avg len.......: 1132 chars +~~ json string max len.......: 2151 chars +~~ json string avg len.......: 1331 chars diff --git a/test/results/whatsappfiles.pcap.out b/test/results/whatsappfiles.pcap.out index c74ddf6db..545454ca5 100644 --- a/test/results/whatsappfiles.pcap.out +++ b/test/results/whatsappfiles.pcap.out @@ -7,14 +7,14 @@ 01110{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924083506116,"flow_dst_last_pkt_time":1519924083501147,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1519924083506116,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01172{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924083506116,"flow_dst_last_pkt_time":1519924083598208,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":1398,"midstream":0,"thread_ts_usec":1519924083598208,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01542{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924083506116,"flow_dst_last_pkt_time":1519924083599471,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":243,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":243,"flow_dst_tot_l4_payload_len":3208,"midstream":0,"thread_ts_usec":1519924083599471,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","server_names":"*.cdn.whatsapp.net,*.snr.whatsapp.net,*.whatsapp.com,*.whatsapp.net,whatsapp.com,whatsapp.net","ja3":"107144b88827da5da9ed42d8776ccdc5","ja3s":"2d1eb5817ece335c24904f516ad5da12","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert SHA2 High Assurance Server CA","subjectDN":"C=US, ST=California, L=Menlo Park, O=Facebook, Inc., CN=*.whatsapp.net","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1","fingerprint":"10:54:EB:4A:A2:2A:42:2F:A6:1C:E7:9C:F4:84:10:7E:30:2E:56:BB"}}} -01738{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924108832377,"flow_dst_last_pkt_time":1519924084217928,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":5152,"flow_dst_tot_l4_payload_len":3695,"midstream":0,"thread_ts_usec":1519924108832377,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":846062.3,"max":24639770,"stddev":4345174.0,"var":18880535724032.0,"ent":0.5,"data": [89960,91931,2998,95622,1439,1232,31,95929,999,78942,282792,460945,6,97926,4,3994,6995,998,5,4,115136,17,1231,43,102916,998,41079,24639770,4996,5995,2998]},"pktlen": {"min":66,"avg":343.1,"max":1464,"stddev":491.8,"var":241822.2,"ent":3.9,"data": [78,74,66,309,66,1464,1464,478,66,66,66,192,324,147,66,66,119,116,108,249,104,66,104,66,176,66,66,66,289,1464,1464,1464]},"bins": {"c_to_s": [9,4,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0],"s_to_c": [5,1,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} +02134{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":20,"flow_dst_packets_processed":12,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924108832377,"flow_dst_last_pkt_time":1519924084217928,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":5152,"flow_dst_tot_l4_payload_len":3695,"midstream":0,"thread_ts_usec":1519924108832377,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":846062.3,"max":24639770,"stddev":4345174.0,"var":18880535724032.0,"ent":0.5,"data": [89960,91931,2998,95622,1439,1232,31,95929,999,78942,282792,460945,6,97926,4,3994,6995,998,5,4,115136,17,1231,43,102916,998,41079,24639770,4996,5995,2998]},"pktlen": {"min":52,"avg":329.1,"max":1450,"stddev":491.8,"var":241822.2,"ent":3.8,"data": [64,60,52,295,52,1450,1450,464,52,52,52,178,310,133,52,52,105,102,94,235,90,52,90,52,162,52,52,52,275,1450,1450,1450]},"bins": {"c_to_s": [9,4,0,1,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0],"s_to_c": [5,1,1,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,0,0,1,1,0,0,0,0,0,0,0,1,1,1,1,0,0,1,0,0,0,0],"entropies": [4.421927452,5.154205322,5.000318527,5.630068779,5.156889915,6.911639214,7.331070900,7.439278603,5.077241421,5.077241421,4.892748356,6.281505585,7.104421139,6.400995731,4.993616104,5.038779736,5.644111633,5.709043026,5.428511143,6.868546009,5.439019203,5.156889439,5.895723343,5.156889439,6.637435913,5.038779736,5.077241421,5.156889915,7.004677773,7.873590469,7.843841553,7.873690605]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":311,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240121220,"flow_dst_last_pkt_time":1519924240121220,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":0,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":0,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1519924240121220,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00549{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":311,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1519924240121220,"flow_dst_last_pkt_time":1519924240121220,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":78,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":78,"pkt_l4_len":44,"thread_ts_usec":1519924240121220,"pkt":"XEl5dU5qkLkxKPrKCABFAABAAABAAEAG5oDAqAIduTzYNcIiAbuCj0EnAAAAALDC\/\/+6MAAAAgQFtAEDAwYBAQgKKOd3WAAAAAAEAgAA"} 00543{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":312,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1519924240121220,"flow_dst_last_pkt_time":1519924240177946,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1519924240177946,"pkt":"kLkxKPrKXEl5dU5qCABFAAA8AABAAFUG0YS5PNg1wKgCHQG7wiLPr2ypgo9BKKASbTgw1AAAAgQFggQCCAq3hjooKOd3WAEDAwg="} 00531{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":313,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1519924240182174,"flow_dst_last_pkt_time":1519924240177946,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1519924240182174,"pkt":"XEl5dU5qkLkxKPrKCABFAAA0AABAAEAG5ozAqAIduTzYNcIiAbuCj0Eoz69sqoAQCAXEZQAAAQEICijnd5W3hjoo"} 01112{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":314,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240183173,"flow_dst_last_pkt_time":1519924240177946,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1519924240183173,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"4e1a414c4f4c99097edd2a9a98e336c8","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} 01172{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":316,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240183173,"flow_dst_last_pkt_time":1519924240244034,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":146,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":146,"midstream":0,"thread_ts_usec":1519924240244034,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download","hostname":"mmg-fna.whatsapp.net","tls": {"version":"TLSv1.2","ja3":"4e1a414c4f4c99097edd2a9a98e336c8","ja3s":"96681175a9547081bf3d417f1a572091","unsafe_cipher":0,"cipher":"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256","alpn":"h2,h2-16,h2-15,h2-14,spdy\/3.1,spdy\/3,http\/1.1"}}} -01724{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240317078,"flow_dst_last_pkt_time":1519924240518900,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":12875,"midstream":0,"thread_ts_usec":1519924240518900,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":19146.4,"max":107518,"stddev":30886.0,"var":953946176.0,"ent":3.3,"data": [56726,60954,999,65972,116,64953,998,4998,4,994,4,59896,50958,5,7285,18,4137,107,10987,4,86355,107518,6,1398,909,1355,1209,1240,1010,1222,1201]},"pktlen": {"min":66,"avg":499.4,"max":1464,"stddev":599.2,"var":359069.1,"ent":4.0,"data": [78,74,66,583,66,212,66,117,119,116,108,290,147,66,104,66,104,66,108,66,66,66,1464,234,1464,1282,1464,1464,1464,1464,1464,1464]},"bins": {"c_to_s": [6,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} +02119{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":342,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924240317078,"flow_dst_last_pkt_time":1519924240518900,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":975,"flow_dst_tot_l4_payload_len":12875,"midstream":0,"thread_ts_usec":1519924240518900,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":4,"avg":19146.4,"max":107518,"stddev":30886.0,"var":953946176.0,"ent":3.3,"data": [56726,60954,999,65972,116,64953,998,4998,4,994,4,59896,50958,5,7285,18,4137,107,10987,4,86355,107518,6,1398,909,1355,1209,1240,1010,1222,1201]},"pktlen": {"min":52,"avg":485.4,"max":1450,"stddev":599.2,"var":359069.1,"ent":4.0,"data": [64,60,52,569,52,198,52,103,105,102,94,276,133,52,90,52,90,52,94,52,52,52,1450,220,1450,1268,1450,1450,1450,1450,1450,1450]},"bins": {"c_to_s": [6,5,0,0,0,0,0,1,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [5,2,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,8,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,0,0,0,0,1,0,0,1,1,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1],"entropies": [4.484427452,5.220872402,5.062724590,6.536932945,5.310736179,6.547456264,5.115703106,5.511427402,5.798887253,5.734943390,5.532109261,7.100424290,6.478804111,5.091758728,5.529591560,5.233812809,6.065113068,5.272274971,6.031597137,5.091758728,5.070539474,5.272274971,7.882384777,7.084619522,7.865714073,7.857034683,7.885036469,7.857791901,7.873408318,7.856501579,7.894844532,7.850902557]},"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} 00939{"flow_event_id":2,"flow_event_name":"end","thread_id":0,"packet_id":620,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":161,"flow_dst_packets_processed":149,"flow_first_seen":1519924083411187,"flow_src_last_pkt_time":1519924193366820,"flow_dst_last_pkt_time":1519924193429446,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1398,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":178544,"flow_dst_tot_l4_payload_len":4980,"midstream":0,"thread_ts_usec":1519924247388841,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49674,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} 00939{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":620,"source":"whatsappfiles.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":132,"flow_dst_packets_processed":178,"flow_first_seen":1519924240121220,"flow_src_last_pkt_time":1519924247388841,"flow_dst_last_pkt_time":1519924247384385,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1398,"flow_src_tot_l4_payload_len":1170,"flow_dst_tot_l4_payload_len":225649,"midstream":0,"thread_ts_usec":1519924247388841,"l3_proto":"ip4","src_ip":"192.168.2.29","dst_ip":"185.60.216.53","src_port":49698,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.WhatsAppFiles","proto_id":"91.242","encrypted":1,"breed":"Acceptable","category_id":7,"category":"Download"}} 00570{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":620,"source":"whatsappfiles.pcap","alias":"nDPId-test","packets-captured":620,"packets-processed":620,"total-skipped-flows":0,"total-l4-payload-len":410343,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":2,"total-detection-updates":3,"total-updates":0,"current-active-flows":0,"total-active-flows":2,"total-idle-flows":2,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":20,"global_ts_usec":1519924247388841} @@ -26,10 +26,10 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6069886 bytes -~~ total memory freed........: 6069886 bytes -~~ total allocations/frees...: 122133/122133 +~~ total memory allocated....: 6070158 bytes +~~ total memory freed........: 6070158 bytes +~~ total allocations/frees...: 122135/122135 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars -~~ json string max len.......: 1743 chars -~~ json string avg len.......: 1119 chars +~~ json string max len.......: 2139 chars +~~ json string avg len.......: 1317 chars diff --git a/test/results/whois.pcapng.out b/test/results/whois.pcapng.out index f94432e5c..f32e27eaf 100644 --- a/test/results/whois.pcapng.out +++ b/test/results/whois.pcapng.out @@ -30,9 +30,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6045804 bytes -~~ total memory freed........: 6045804 bytes -~~ total allocations/frees...: 121538/121538 +~~ total memory allocated....: 6046212 bytes +~~ total memory freed........: 6046212 bytes +~~ total allocations/frees...: 121541/121541 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 2128 chars diff --git a/test/results/windowsupdate_over_http.pcap.out b/test/results/windowsupdate_over_http.pcap.out index 38ffe0a66..ecacaa2c4 100644 --- a/test/results/windowsupdate_over_http.pcap.out +++ b/test/results/windowsupdate_over_http.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037114 bytes -~~ total memory freed........: 6037114 bytes -~~ total allocations/frees...: 121522/121522 +~~ total memory allocated....: 6037250 bytes +~~ total memory freed........: 6037250 bytes +~~ total allocations/frees...: 121523/121523 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 504 chars ~~ json string max len.......: 1539 chars diff --git a/test/results/wireguard.pcap.out b/test/results/wireguard.pcap.out index 53cfdf6a6..48d92ff0f 100644 --- a/test/results/wireguard.pcap.out +++ b/test/results/wireguard.pcap.out @@ -5,7 +5,7 @@ 00688{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1563973554628780,"flow_dst_last_pkt_time":1563973554628757,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":186,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":186,"pkt_l4_len":152,"thread_ts_usec":1563973554628780,"pkt":"OCxKuzMdABAY3q0FCABFAACsFXoAADURYtGLosCdwKgADspsjRQAmIUlBAAAAL5AaY1sAAAAAAAAAApaAsrtXpH1hJEWMIaMon2Jp07DYKtFnos9KJ2dxNXsnPOlMw8teGIqqtQyAhfCvZKfSoj8FKmPC1PCtu8qqniK567s\/wF6cALr5IJXHXdFnmr1I94kKjzDU62XCT24xGedWrUZRek84+e2Fsx1lJJ6NR9cFgw9VnO9J77GX8hL"} 00624{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1563973554628780,"flow_dst_last_pkt_time":1563973554628915,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":138,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":138,"pkt_l4_len":104,"thread_ts_usec":1563973554628915,"pkt":"ABAY3q0FOCxKuzMdCABFAAB8LYcAAEARP\/TAqAAOi6LAnY0UymwAaNyeBAAAAG2mYV5wAAAAAAAAAAo35XrmOHswcilnP2QelKUcrUyMt+9zQAFDeYSUJyyw9BNkc7uq5jhjxm51P1MBuT08PEWRrzriFSk+BrqayZkHU3Oi+bUZJb76bMmarQhF"} 00874{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":2,"flow_dst_packets_processed":2,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973554628780,"flow_dst_last_pkt_time":1563973554642219,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":144,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":944,"flow_dst_tot_l4_payload_len":368,"midstream":0,"thread_ts_usec":1563973554642219,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} -01752{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973564026392,"flow_dst_last_pkt_time":1563973564026499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":4816,"flow_dst_tot_l4_payload_len":2160,"midstream":0,"thread_ts_usec":1563973564026499,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":606302.4,"max":5525882,"stddev":1489465.9,"var":2218508681216.0,"ent":2.5,"data": [23,158,13304,82421,23440,98,92806,699,114421,124480,180,238536,14265,86010,36434,91,108248,778,113616,3087006,3060616,97488,183654,5525873,24,5525882,16499,87990,44371,59,115907]},"pktlen": {"min":138,"avg":260.0,"max":842,"stddev":181.0,"var":32764.0,"ent":4.7,"data": [842,186,138,314,138,330,186,138,298,138,666,186,138,314,138,362,186,138,298,138,186,154,186,154,698,186,138,314,138,570,186,138]},"bins": {"c_to_s": [0,0,0,6,7,0,0,0,0,1,1,0,0,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,7,1,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,0,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} +02151{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":19,"flow_dst_packets_processed":13,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973564026392,"flow_dst_last_pkt_time":1563973564026499,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":96,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":800,"flow_dst_max_l4_payload_len":272,"flow_src_tot_l4_payload_len":4816,"flow_dst_tot_l4_payload_len":2160,"midstream":0,"thread_ts_usec":1563973564026499,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":23,"avg":606302.4,"max":5525882,"stddev":1489465.9,"var":2218508681216.0,"ent":2.5,"data": [23,158,13304,82421,23440,98,92806,699,114421,124480,180,238536,14265,86010,36434,91,108248,778,113616,3087006,3060616,97488,183654,5525873,24,5525882,16499,87990,44371,59,115907]},"pktlen": {"min":124,"avg":246.0,"max":828,"stddev":181.0,"var":32764.0,"ent":4.7,"data": [828,172,124,300,124,316,172,124,284,124,652,172,124,300,124,348,172,124,284,124,172,140,172,140,684,172,124,300,124,556,172,124]},"bins": {"c_to_s": [0,0,0,6,7,0,0,0,0,1,1,0,0,0,0,0,1,0,0,1,1,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [0,0,0,7,1,0,0,0,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,0,0,1,1,0,1,0,0,1,0,0,1,1,0,0,0,1],"entropies": [7.721926689,6.520606995,6.064967632,7.277743816,6.125530243,7.157748699,6.507213116,6.119441986,7.162059307,6.042750835,7.643404961,6.557894707,6.103312969,7.165712357,6.014130592,7.252914429,6.580285549,6.200272083,7.152356148,6.059064388,6.527978897,6.293422222,6.622408867,6.284528732,7.697811604,6.593225002,6.135756016,7.191918850,6.052976608,7.621836662,6.581598282,6.206175327]},"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1241,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":714,"flow_dst_packets_processed":526,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973605316022,"flow_dst_last_pkt_time":1563973605316188,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1362,"flow_dst_max_l4_payload_len":1362,"flow_src_tot_l4_payload_len":302280,"flow_dst_tot_l4_payload_len":80034,"midstream":0,"thread_ts_usec":1563973605316188,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00928{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1381,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":792,"flow_dst_packets_processed":588,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973656994951,"flow_dst_last_pkt_time":1563973656882661,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":80,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1362,"flow_dst_max_l4_payload_len":1362,"flow_src_tot_l4_payload_len":319860,"flow_dst_tot_l4_payload_len":89542,"midstream":0,"thread_ts_usec":1563973656994951,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} 00929{"flow_event_id":4,"flow_event_name":"update","thread_id":0,"packet_id":1551,"source":"wireguard.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":889,"flow_dst_packets_processed":661,"flow_first_seen":1563973554628757,"flow_src_last_pkt_time":1563973716802971,"flow_dst_last_pkt_time":1563973716804203,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":32,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1362,"flow_dst_max_l4_payload_len":1362,"flow_src_tot_l4_payload_len":342916,"flow_dst_tot_l4_payload_len":101510,"midstream":0,"thread_ts_usec":1563973716804203,"l3_proto":"ip4","src_ip":"139.162.192.157","dst_ip":"192.168.0.14","src_port":51820,"dst_port":36116,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"WireGuard","proto_id":"206","encrypted":1,"breed":"Acceptable","category_id":2,"category":"VPN"}} @@ -23,10 +23,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6105212 bytes -~~ total memory freed........: 6105212 bytes -~~ total allocations/frees...: 123886/123886 +~~ total memory allocated....: 6105348 bytes +~~ total memory freed........: 6105348 bytes +~~ total allocations/frees...: 123887/123887 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 494 chars -~~ json string max len.......: 1757 chars -~~ json string avg len.......: 1124 chars +~~ json string max len.......: 2156 chars +~~ json string avg len.......: 1324 chars diff --git a/test/results/wow.pcap.out b/test/results/wow.pcap.out index a2aa9729d..ff00cbdbc 100644 --- a/test/results/wow.pcap.out +++ b/test/results/wow.pcap.out @@ -40,9 +40,9 @@ ~~ total active/idle flows...: 5/5 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6051281 bytes -~~ total memory freed........: 6051281 bytes -~~ total allocations/frees...: 121634/121634 +~~ total memory allocated....: 6051961 bytes +~~ total memory freed........: 6051961 bytes +~~ total allocations/frees...: 121639/121639 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars ~~ json string max len.......: 1021 chars diff --git a/test/results/xdmcp.pcap.out b/test/results/xdmcp.pcap.out index a5f06edd3..c48c246be 100644 --- a/test/results/xdmcp.pcap.out +++ b/test/results/xdmcp.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035815 bytes -~~ total memory freed........: 6035815 bytes -~~ total allocations/frees...: 121493/121493 +~~ total memory allocated....: 6035951 bytes +~~ total memory freed........: 6035951 bytes +~~ total allocations/frees...: 121494/121494 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars ~~ json string max len.......: 902 chars diff --git a/test/results/xiaomi.pcap.out b/test/results/xiaomi.pcap.out index f95f1dde1..da22c594e 100644 --- a/test/results/xiaomi.pcap.out +++ b/test/results/xiaomi.pcap.out @@ -53,9 +53,9 @@ ~~ total active/idle flows...: 7/7 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6059828 bytes -~~ total memory freed........: 6059828 bytes -~~ total allocations/frees...: 121621/121621 +~~ total memory allocated....: 6060780 bytes +~~ total memory freed........: 6060780 bytes +~~ total allocations/frees...: 121628/121628 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 1351 chars diff --git a/test/results/xss.pcap.out b/test/results/xss.pcap.out index 1d098d9b7..8716620b8 100644 --- a/test/results/xss.pcap.out +++ b/test/results/xss.pcap.out @@ -21,9 +21,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6037922 bytes -~~ total memory freed........: 6037922 bytes -~~ total allocations/frees...: 121515/121515 +~~ total memory allocated....: 6038194 bytes +~~ total memory freed........: 6038194 bytes +~~ total allocations/frees...: 121517/121517 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 488 chars ~~ json string max len.......: 1308 chars diff --git a/test/results/youtube_quic.pcap.out b/test/results/youtube_quic.pcap.out index 41e9cbcea..e80399211 100644 --- a/test/results/youtube_quic.pcap.out +++ b/test/results/youtube_quic.pcap.out @@ -10,7 +10,7 @@ 00975{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":11,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1489363823738796,"flow_src_last_pkt_time":1489363823738796,"flow_dst_last_pkt_time":1489363823738796,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1489363823738796,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"yt3.ggpht.com","quic": {"user_agent":"beta Chrome\/57.0.2987.98 Intel Mac OS X 10_12_3"}}} 02318{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":12,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1489363823738796,"flow_dst_last_pkt_time":1489363823782478,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1489363823782478,"pkt":"xCwDBkn+gCqojWksCABFAAViAABAADUR4H\/YOsYhwKgBBwG72woFTqYeCGI\/o1o3gkQjAfrje9Hje5P995YFE4ABUkVKAAgAAABTVEsAPAAAAFNOTwB0AAAAUFJPRroAAABTQ0ZHWQEAAFJSRUpdAQAAU1RUTGUBAABDU0NUVwIAAENSVP\/\/BQAA+LXECKXyXyaGkNvk1LnkKe2HcwZSdJKMjSZdwRtRvlgkC7wrIojsxa12VSbQ+UqytsSw5ZWrAguctbN84e+itVKKdDan60SbCn6HO8EhAZXhZCoi6zTXVPfruFP+xbK0jobs4P1ETvvj7642AaRXoyX3AiUwRAIga0VZvCZ3TBiWNQTgv6KY8y2d9RkggowYQwi1RHlUtm4CIDUxV08RC49VVgJORrtGSNh+UsyMA8+5V0kTzoS1\/6EyU0NGRwgAAABBRUFECAAAAFNDSUQYAAAAUERNRBwAAABUQktQIAAAAFBVQlNDAAAAS0VYU0cAAABPQklUTwAAAEVYUFlXAAAAQUVTR0NDMjBrdmP1GwKyBEvvwtZJjj6PQ0hJRFRCMTAgAAC7MI00KZ1MP25xAs8ApFxY\/QSpEMcZP7AIDZmbDnFGD0MyNTUwMDAwMDAwMEDbx1gAAAAADAAAAND3AQAAAAAAAPAAdQDuS723dc5guuFCaR+r4Z5mow9+X7By2IMAxHuJeqj9ywAAAVplaZe7AAAEAwBGMEQCIFrxuSR6yQfoERjhpyCo\/HC4DbnJyy5PDUNSQYvoLd7WAiA1du1k\/DfC+hSnbCFZ+CiZL\/WBsCA2tHRh+V5os9e8wAB3AN3rHSt6DU+mIIuBrYFocH4ujp0B1VyIjT0RxM227L7MAAABWmVpmAsAAAQDAEgwRgIhAK1Z+StuHvhEQzbhrizA0oP28zksTi\/aWkPYynKMWI7wAiEAoZsd0Sdt7uEo3XB3wMmgRGZNny2cfedCYnG3zpLag4YBA37tgIaiFYKRAgAAAAMB6IFgkpIa6AAAAAAAKgcAAHi7gTUtv1NjZwCWXOxKBk1sXJA2HIf55ae2MzL3PkFvyFGxkQUqDMwNjIyMgPkFmJfA7TkDUyC2MDUHdaIKsVrFwcPlDEw3aflFeZmJsATJzsPrm1+aVwJKXWGZqeVwd\/EguwvUlgC5i0dcCximIGFgJilKBqbG1Dxw1BtEGgizsQO9e84W2BLhADOYGdmZnRhYMt6FvD+wnV996Zw\/hsoKnDX1AkfE3LjmrmD0Xbj\/45IfeVee\/OywebVOPSnedOpTyamR\/2zN7jmfePP5sO3s0PyvawoWN7GsN2hiWU2oLGtizgMpEGRpYk4FchKbcLm1SUZLL7GgoBiHrApEtiAfzNUrBqaYxPRUqGJgYi4Gq+LT0kvKyU+HKWsSBPILUIWUtEBUbn4eMKcm4jBGE6QGbLcuVIVuSn55Xk5+Ygq6UnVMpaUF2BQqYChEVwEMgJT80qSc1OSczORs9ADgBoZbekEG3F8QzSnAIioVLAQP1+LKvBRo5QWWEIFJlKcm5WSmQ02Q19IrTkxLzSstwBHgYAV5KUn5FTgUKGrpEQoceYQS7IEioYUrJhFa9YpTgUFSgq6AByVW+dGjWYFgJEvhCWxORFDzowe0KPbgEMISyNrFJcB4SNYrSMwDOiE3Mx9f2hXDIS6LPxz4S\/PSMnOA5VFqil5eankxUtuLvcEgA6kEjwGWQdpIZbM8tLgsyM6EGgoukd09Hd2NwIWvNlJxD1MMDC6gj4sNkXWAqgCk9qDW3+B7S2xzw150iDxJLJ4oWT2f5yFamwi5WMfaiVKENDKAtRxaz4WDjS29kQdYohsYQFpFmgbqBqoLlBco"} 02313{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":13,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1489363823738796,"flow_dst_last_pkt_time":1489363823783077,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1489363823783077,"pkt":"xCwDBkn+gCqojWksCABFAAViAABAADUR4H\/YOsYhwKgBBwG72woFTtjVCGI\/o1o3gkQjAl1iY1+IPhyu0ittLaQBLgUZARLyTw62Xo9mQ7Tn55dir+alTNnl+EuTXetgrtU\/li3WZUF3t3EtPfqBg1nJrPp7bar7qdPHbjH8jwhk+pimkWuq6rVs4cviafuTL\/pWbDvkJD1zwixjdUFbM0aGipe63\/v0luly7P6xK4d1\/V35zVlHfZnq9OpLDbRdp3F95Wn77GK+6cqsr8cEfY77RjhzSh7Unhdryl2mU\/IhTPRZgsMXhZ65ayI6rm07a3GnaGsF6wp\/3rLVzcqh63smBXkUr5RrfvOpMsbbX\/13ZPXcymfXdeZ+LWmcELGYmfOd+prGpXeZdtiyB0ssnuZwNOYGp72hD8PxC2ds8mZMXnnvqd7Gb2w82Yw3Hn\/6nvVjXthRi\/UnDQF+1X0RAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} -01723{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1489363823738796,"flow_src_last_pkt_time":1489363823844687,"flow_dst_last_pkt_time":1489363823852784,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3698,"flow_dst_tot_l4_payload_len":22654,"midstream":0,"thread_ts_usec":1489363823852784,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":7092.9,"max":47402,"stddev":13323.0,"var":177502752.0,"ent":3.3,"data": [43682,599,47402,292,154,45,22593,22345,6,41882,73,4311,1249,5208,1009,1199,2078,995,1205,2173,1079,939,1972,1276,1007,2312,930,1274,2300,574,7716]},"pktlen": {"min":73,"avg":865.5,"max":1392,"stddev":620.1,"var":384534.2,"ent":4.5,"data": [1392,1392,1392,1392,459,177,178,77,1392,73,83,83,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1392,1392,80,1030,1392]},"bins": {"c_to_s": [0,8,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0]},"directions": [0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +02122{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":42,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":19,"flow_first_seen":1489363823738796,"flow_src_last_pkt_time":1489363823844687,"flow_dst_last_pkt_time":1489363823852784,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":38,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":3698,"flow_dst_tot_l4_payload_len":22654,"midstream":0,"thread_ts_usec":1489363823852784,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.198.33","src_port":56074,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":6,"avg":7092.9,"max":47402,"stddev":13323.0,"var":177502752.0,"ent":3.3,"data": [43682,599,47402,292,154,45,22593,22345,6,41882,73,4311,1249,5208,1009,1199,2078,995,1205,2173,1079,939,1972,1276,1007,2312,930,1274,2300,574,7716]},"pktlen": {"min":59,"avg":851.5,"max":1378,"stddev":620.1,"var":384534.2,"ent":4.5,"data": [1378,1378,1378,1378,445,163,164,63,1378,59,69,69,1378,1378,66,1378,1378,66,1378,1378,66,1378,1378,66,1378,1378,66,1378,1378,66,1016,1378]},"bins": {"c_to_s": [0,8,0,0,2,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,2,0,0,0,0,0],"s_to_c": [1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,16,0,0,0,0,0]},"directions": [0,1,1,0,0,0,0,1,1,1,0,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1,0,1,1],"entropies": [2.490298986,7.548896313,2.557327986,5.454246521,7.513552189,6.657486916,6.667313099,5.203137398,7.879892826,5.320584774,5.540966511,5.620818138,7.837260723,7.846781731,5.625435352,7.860443115,7.869290352,5.595131874,7.865964890,7.867100716,5.462482452,7.871220112,7.858954430,5.583694935,7.863245964,7.872319698,5.564828873,7.868106365,7.885589600,5.529245377,7.780364990,7.853522778]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTube","proto_id":"188.124","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00766{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1489363824401150,"flow_src_last_pkt_time":1489363824401150,"flow_dst_last_pkt_time":1489363824401150,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1489363824401150,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":53859,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 02312{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":1,"flow_src_last_pkt_time":1489363824401150,"flow_dst_last_pkt_time":1489363824401150,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1489363824401150,"pkt":"gCqojWksxCwDBkn+CABFAAVisIYAAEARAADAqAEH2DrNQtJjAbsFTmyMDXhX73QJ\/9nIUTAzNQGC9mpeAxq6QsMNjNmgAQAEQ0hMTx0AAABQQUQACAEAAFNOSQAjAQAAU1RLAF0BAABWRVIAYQEAAENDUwBxAQAATk9OQ5EBAABNU1BDlQEAAEFFQUSZAQAAVUFJRMgBAABTQ0lE2AEAAFRDSUTcAQAAUERNROABAABTUkJG5AEAAFNNSEzoAQAASUNTTOwBAABDVElN9AEAAE5PTlAUAgAAUFVCUzQCAABNSURTOAIAAFNDTFM8AgAAS0VYU0ACAABYTENUSAIAAENTQ1RIAgAAQ09QVEgCAABDQ1JUYAIAAElSVFRkAgAAQ0VUVggDAABDRkNXDAMAAFNGQ1cQAwAALS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tZ29vZ2xlYWRzLmcuZG91YmxlY2xpY2submV0gCa63gfstks25NXDBda+jRe1AwMuFIPOgLr8Vdt88WUvAddL7KVg5kyrPLEzz5PxZEMuEuhwybaZ0VEwMzUB6IFgkpIa6H7tgIaiFYKRWMXjcDAwMDAwMDAwQoHc+xZQMEvJrifGGZTcfUn5aXxkAAAAQ0MyMGJldGEgQ2hyb21lLzU3LjAuMjk4Ny45OCBJbnRlbCBNYWMgT1MgWCAxMF8xMl8za3Zj9RsCsgRL78LWSY4+jwAAAABYNTA5AAAQAAEAAAAeAAAAcOPFWAAAAACN\/AA7IChJw\/uFk6rkJtT8KHam\/zP1YJxL1R6PGerdhviM0jsqfVXK1sMGRgIfu1Gw5yjD\/\/Q\/fKW3aZLxbK0ZZAAAAAEAAABDMjU1qvorPqjeOwuq+is+qN47Cz2t9HxBefiRQAt7kKmueet+NAEAgygqfGXu0L2syT5vA8mDxoSqG087cDiVovZ6s0ywmTUWtgw5lXy+Ac4T6qWEMJOPvUqVQrabfhIiKh6bU4h\/Diu+B3D3YFOkHFOA3JEmhpJ\/3PZn9DncBSC36LdWvsJ8Uwgl2IG2lc1SfhMotW8c5gE3wCT8YVfQJL1vCNMKzgZWBrzkDiYZ7cTxYUMsLfK1F7K2mD1WVm4PU008ujahjZ6t1bAAAPAAAABgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} 01006{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":134,"source":"youtube_quic.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1489363824401150,"flow_src_last_pkt_time":1489363824401150,"flow_dst_last_pkt_time":1489363824401150,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1489363824401150,"l3_proto":"ip4","src_ip":"192.168.1.7","dst_ip":"216.58.205.66","src_port":53859,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.Google","proto_id":"188.126","encrypted":1,"breed":"Acceptable","category_id":101,"category":"Advertisement","hostname":"googleads.g.doubleclick.net","quic": {"user_agent":"beta Chrome\/57.0.2987.98 Intel Mac OS X 10_12_3"}}} @@ -28,9 +28,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6047414 bytes -~~ total memory freed........: 6047414 bytes -~~ total allocations/frees...: 121799/121799 +~~ total memory allocated....: 6047822 bytes +~~ total memory freed........: 6047822 bytes +~~ total allocations/frees...: 121802/121802 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 497 chars ~~ json string max len.......: 2332 chars diff --git a/test/results/youtubeupload.pcap.out b/test/results/youtubeupload.pcap.out index eb6e5a35b..101ef62fe 100644 --- a/test/results/youtubeupload.pcap.out +++ b/test/results/youtubeupload.pcap.out @@ -17,7 +17,7 @@ 00989{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":29,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1511102578051971,"flow_src_last_pkt_time":1511102578051971,"flow_dst_last_pkt_time":1511102578051971,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":1350,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":1350,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1511102578051971,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":62232,"dst_port":443,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media","hostname":"upload.youtube.com","quic": {"user_agent":"Chrome\/62.0.3202.94 Windows NT 10.0; Win64; x64"}}} 02318{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":30,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":2,"flow_src_last_pkt_time":1511102578051971,"flow_dst_last_pkt_time":1511102578108526,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1511102578108526,"pkt":"2MuK4S0uXEl5dU5qCABFAAViAABAADgRtn+s2RdvwKgCGwG78xgFTs8jCAjRAddSQpCnAZLrpBY0DjIhd5jwe0ABH5UBAQD\/\/\/\/1BgCAAVJFSgAIAAAAU1RLADgAAABTTk8AbAAAAFBST0a0AAAAU0NGR1MBAABSUkVKVwEAAFNUVExfAQAAQ1NDVFECAABDUlT\/XwkAAOdd9OCaMJjZHEuQSnBheExXijy9L8yxcLxijUGUgt7VeQLmXHCE0dSCjTwUu4DOXBlw0HTG62CtZtu2a6Ru1X+sH1IA2FJqDRpGVA5MHyMKc7vKtJZUWy6Wq\/FvJH3N94ZirXYSBfeq9Qo8ATBGAiEAppVGAzltTsobgX744i5bBeIqIDO\/YtwFhdblUPMaf9ECIQDgN5eoKUWZEY4A\/yjD3jA5j4ZdDcRSfqhMU1oZUTGdIVNDRkcIAAAAQUVBRAgAAABTQ0lEGAAAAFBETUQcAAAAVEJLUCAAAABQVUJTQwAAAEtFWFNHAAAAT0JJVE8AAABFWFBZVwAAAEFFU0dDQzIw9lqyAICUa+kwugeWBsbKvkNISURUQjEwIAAAhphHmLi5BO0Bd0EZ92vmXccblzalgzbYj90Qfoq9ozBDMjU1MDAwMDAwMDBAFRRaAAAAAAwAAADNfAIAAAAAAADwAHUApLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BAAAAFfeBYhgQAABAMARjBEAiBdvW4RdrxYmmjeJbc+3jgs5l6RJLipl3aPIQhj9TtUVgIgA9hjkGDtPgI+WyeFtwtRP0uw9dCVeIWw5SDGQbdmUYsAdwDd6x0reg1PpiCLga2BaHB+Lo6dAdVciI09EcTNtuy+zAAAAV94FiCrAAAEAwBIMEYCIQCUIhZCh2zhmqj0uNpoeUCnAI4TO75j9mv1oMYRKX9EbwIhAIVqH7drJ4DDuKcAhaeeCXOoj8EoQkKnHGLbzkyKPDlhAQEDAeiBYJKSGugAAAAAALsLAAB4u4FGwB+tWGtQE1cUJpBXY6I8VdDyFNEgYZOQAr7wiYpWBawlaIsJ2cBCSCJJwEgVWK3A4KNOsVAVxfdjqlClUhXRURAFClYRHasEpKBgRdBILVjtzS6ETSYz9oczmdmc777Onnvu9527WTQrwFy0TRBKTcQLKrp9dm9xz+ylJ4l0NALQ0SJTNhpMGAZIGIUiTgYb8pXrDXnhuTHeCAI35bB6mBzcF\/AwMggEG8\/l8gN4AQK8oOLyArh8PlZQSS0uRWcy5oK8kSqS5YhoKCFpTNbnCo1cbciulQicavSLSfTLCXLA\/GIy2SCmBhjbXCGAaeAd62cA1adjf2xINJs5VuSOLXMcnO6g0xtjxu1zfIrK71z\/\/lBHSmjev8J8r4IzjW36x8zZNOc0+uStj3j5jQFTCvdXObyJDvLf4usWsNFD234IpYyDUMoYbF1AYEyIMUxgprRFy4BQm1YDYkdGbe4DoxE1cRNlsTkiuSRZgUgwczQwlUpYHofIYWI3ezYnVqbQSIiYI5sjEQfx+cECvhGWo1QwPWhGR4JnLMjJFDVvaGa8k59ILpJp1UisCsNHDLsjIhoybIah1TiI3NROUJramkR0FPHFOKJkc0BjBojNewCvTYGkdWaA2nxIipzgswQmGLCKYEiTCUa8hmAgaoIhlxEMpYmhNmwBbogkgDbw4BmdwRG5YU9wALQmwaAKwbrZDaEpiARWYJAhC1RqQKaxhmEsggUaGWzDvnEJ\/3lDO54Eq5NBL2JvMBWod+IRjNRQW4MlI+YJ2HmtQqPWiGE\/uSJWoUhEjKk3iJt1gyUaXPYxnAZwNUeMxRakTVIchroY"} 02333{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":31,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1511102578051971,"flow_dst_last_pkt_time":1511102578109522,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":1392,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":1392,"pkt_l4_len":1358,"thread_ts_usec":1511102578109522,"pkt":"2MuK4S0uXEl5dU5qCABFAAViAABAADgRtn+s2RdvwKgCGwG78xgFTrFpCAjRAddSQpCnArwHRDvEv6bzYWaHzaQBBSEEhrNWhsBytYq44AhiRo+TwCmwTKGEk42JPpys442NKgutZCyRqQAAtRXqaDF9GcRDYiH0Y\/Fi0MLsDELQGJhY4OvQsShgL0wMj6PF4FCw0EDxBIlYDUjOl0D+boN8rExECEHyX7Bo9gIexu6+BD0Z6jwYVS5xhEFjCAVnb9OEZ+1zI6xu60jhXe7FYiEjXGJWdBF1I+wRdfS48r74X1JeZ567KHa5EJ3pD3ngVQyQUTCSgZUFTVprCgmiU6lxmUwgGRCEl12TIR\/Iu8iryOND7yMz0xaswN6jCztbGOmK9M1HAtnb0p6qNH6hov6O7rqWzJfC2lmeHtZeU6WbjsS8u3ntcJQzOr2oWOwTXcLWes24V6eOPFWo8+TNul2fEFLQ78eM1PXs2XQnqjfDqk3auk2v6+r9pEcxm7ylpmzrihbHoOb9i7fucvoKaS0tCfOsbMqMP3nB9ezFL69FLLtTF+p+dsZl1fPc\/DBpqVvY0e9eHrAZ+VA9+k3JGb\/9upojFbdLGEEHzpW4tGy79WmG8IZ+5InTV7teNKN9mWsYUcLOpqcV59uW1kr1OramoTHz1vv11JzRr2tDd4S\/WkfbF2P7ZGza6rI\/j9Us8WXle5QG\/b6jzfNgyphjqo6oKWSDFJMnAQGwxaXYlmTl4Z1d0i88lvqCkib10ZlL8sf48IBpMSTg8YAY8\/iBmBZzeXzwEwQLgqM\/pux\/6Oa0l01OXX1\/+c6p1ENoy\/3lC8tzQnqdlS7ZoRtbdlT15tR7dEe\/E7HKePNyitQjIpd9cbgeFe\/qfiaMud5KybCv\/DovpHzVwiB95N8TOgZ2djpVNugjWfqwt\/tXNG+oKEpUZF25tdxtEmQz6wFdFS5Lfz91+rFA6vZLi+3IzzZMaO745y137UDe3TWvOGHFc27XdlUmuJypi3zktDjX7YazyO23wuMzY303CxB48w3nqlDPN5G7Ktoywmyvs\/+6kO9uVx38oy25qEe0fpf31qURmsfnntNrHN\/WeyacXdoQapOfb7Pxys\/NacXz+Q0XZq4ta9Z7e19lCXIKCwdG2mlzXAOrircnI\/g3DpRkByLCMjmYFj9jDB9zi+fW\/KMGh8A\/npA75EqgFPvB8xrHUWmTYjFShuyNNEGHqOBhDa5jAvygcyBwwyoCN6wtE0wGiocL7zg1ftXFTvv\/oJAPXPQs8EXNovaf7kkkqasq1vY36F29qncjsStini1pcp7kJZFuH1+dlSGJIedOLC7QMZTl5c4zutP4J9Iv6SmNyouUidqu3dUF52nOcEDd9M6QKlK\/grnxj\/XK1Uve+Vn11FT4bS89njFAcsiu3RvSfjG1ZmrcZ6\/q7\/pYJ88tuiS37l1AWTuTJOy02+fyavOojKMH1wn8z1UfTB\/zTWvuytPdcdnhPtCaI+KIa4F3p3V9yyYFZR1sUJ46vP5m5ZOaqgflXryX78ZeTWvRTfNvvGXb8cOSgXllHhLWeas8yH5iVlRBMCVoVB26EFSw0u7LpTGV75XHW9Nztb6\/wrxD58u4nYzXfW68h\/8B+TYP2QAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"} -01755{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1511102576794424,"flow_src_last_pkt_time":1511102580012300,"flow_dst_last_pkt_time":1511102579994904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":18813,"flow_dst_tot_l4_payload_len":4860,"midstream":0,"thread_ts_usec":1511102580012300,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":51925,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":80,"avg":207043.7,"max":1883081,"stddev":509890.4,"var":259988193280.0,"ent":2.4,"data": [56118,973,59784,1844,356,60874,87,57514,351,30658,1096880,488,1126775,721,1825776,1883081,71241,80,128481,3345,2763,363,669,1041,1120,1220,1141,1157,1131,1161,1163]},"pktlen": {"min":58,"avg":781.8,"max":1392,"stddev":621.3,"var":386013.8,"ent":4.4,"data": [1392,1392,1392,80,1392,424,1392,73,83,80,72,58,611,83,77,344,78,154,58,83,387,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392,1392]},"bins": {"c_to_s": [0,6,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0],"s_to_c": [4,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} +02154{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":67,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":22,"flow_dst_packets_processed":10,"flow_first_seen":1511102576794424,"flow_src_last_pkt_time":1511102580012300,"flow_dst_last_pkt_time":1511102579994904,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":18813,"flow_dst_tot_l4_payload_len":4860,"midstream":0,"thread_ts_usec":1511102580012300,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":51925,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":80,"avg":207043.7,"max":1883081,"stddev":509890.4,"var":259988193280.0,"ent":2.4,"data": [56118,973,59784,1844,356,60874,87,57514,351,30658,1096880,488,1126775,721,1825776,1883081,71241,80,128481,3345,2763,363,669,1041,1120,1220,1141,1157,1131,1161,1163]},"pktlen": {"min":44,"avg":767.8,"max":1378,"stddev":621.3,"var":386013.8,"ent":4.4,"data": [1378,1378,1378,66,1378,410,1378,59,69,66,58,44,597,69,63,330,64,140,44,69,373,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378,1378]},"bins": {"c_to_s": [0,6,0,0,0,0,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,13,0,0,0,0,0],"s_to_c": [4,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,3,0,0,0,0,0]},"directions": [0,1,1,0,0,0,1,1,0,0,1,1,1,0,0,0,1,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0],"entropies": [2.572486401,7.537513733,7.402596951,5.250994682,4.556015491,7.434559345,7.870773315,5.447868824,5.731709003,5.771669865,5.450197697,4.967351913,7.653637886,5.570558548,5.691562653,7.349846363,5.524900436,6.587018490,4.967351913,5.749753952,7.464030743,7.863305569,7.871096611,7.856682777,7.872458458,7.853973389,7.869896412,7.852776527,7.860300064,7.865760326,7.833461761,7.854090214]},"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00772{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":137,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":6,"flow_dst_packets_processed":7,"flow_first_seen":1511102576835328,"flow_src_last_pkt_time":1511102576954116,"flow_dst_last_pkt_time":1511102576952686,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":202,"flow_dst_max_l4_payload_len":1430,"flow_src_tot_l4_payload_len":295,"flow_dst_tot_l4_payload_len":4409,"midstream":0,"thread_ts_usec":1511102594936951,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":57452,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3} 00930{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":137,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":80,"flow_dst_packets_processed":20,"flow_first_seen":1511102576794424,"flow_src_last_pkt_time":1511102580286427,"flow_dst_last_pkt_time":1511102580285015,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":35,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":97113,"flow_dst_tot_l4_payload_len":5163,"midstream":0,"thread_ts_usec":1511102594936951,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":51925,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} 00929{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":137,"source":"youtubeupload.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"finished","flow_src_packets_processed":13,"flow_dst_packets_processed":11,"flow_first_seen":1511102578051971,"flow_src_last_pkt_time":1511102594783349,"flow_dst_last_pkt_time":1511102594936951,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":23,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1350,"flow_dst_max_l4_payload_len":1350,"flow_src_tot_l4_payload_len":8105,"flow_dst_tot_l4_payload_len":6001,"midstream":0,"thread_ts_usec":1511102594936951,"l3_proto":"ip4","src_ip":"192.168.2.27","dst_ip":"172.217.23.111","src_port":62232,"dst_port":443,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"confidence": {"6":"DPI"},"proto":"QUIC.YouTubeUpload","proto_id":"188.136","encrypted":1,"breed":"Fun","category_id":1,"category":"Media"}} @@ -30,9 +30,9 @@ ~~ total active/idle flows...: 3/3 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6055318 bytes -~~ total memory freed........: 6055318 bytes -~~ total allocations/frees...: 121666/121666 +~~ total memory allocated....: 6055726 bytes +~~ total memory freed........: 6055726 bytes +~~ total allocations/frees...: 121669/121669 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 498 chars ~~ json string max len.......: 2338 chars diff --git a/test/results/z3950.pcapng.out b/test/results/z3950.pcapng.out index e33287a5f..ba77d0a93 100644 --- a/test/results/z3950.pcapng.out +++ b/test/results/z3950.pcapng.out @@ -22,9 +22,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 1 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042260 bytes -~~ total memory freed........: 6042260 bytes -~~ total allocations/frees...: 121530/121530 +~~ total memory allocated....: 6042532 bytes +~~ total memory freed........: 6042532 bytes +~~ total allocations/frees...: 121532/121532 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 492 chars ~~ json string max len.......: 1046 chars diff --git a/test/results/zabbix.pcap.out b/test/results/zabbix.pcap.out index 9a28fee42..9d5577ad4 100644 --- a/test/results/zabbix.pcap.out +++ b/test/results/zabbix.pcap.out @@ -15,9 +15,9 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6035931 bytes -~~ total memory freed........: 6035931 bytes -~~ total allocations/frees...: 121497/121497 +~~ total memory allocated....: 6036067 bytes +~~ total memory freed........: 6036067 bytes +~~ total allocations/frees...: 121498/121498 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 911 chars diff --git a/test/results/zattoo.pcap.out b/test/results/zattoo.pcap.out index e6f7d2413..2e4a79578 100644 --- a/test/results/zattoo.pcap.out +++ b/test/results/zattoo.pcap.out @@ -22,9 +22,9 @@ ~~ total active/idle flows...: 2/2 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6042672 bytes -~~ total memory freed........: 6042672 bytes -~~ total allocations/frees...: 121539/121539 +~~ total memory allocated....: 6042944 bytes +~~ total memory freed........: 6042944 bytes +~~ total allocations/frees...: 121541/121541 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 491 chars ~~ json string max len.......: 1578 chars diff --git a/test/results/zcash.pcap.out b/test/results/zcash.pcap.out index 222eb11dd..640c326a1 100644 --- a/test/results/zcash.pcap.out +++ b/test/results/zcash.pcap.out @@ -5,7 +5,7 @@ 00536{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":2,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":2,"flow_src_last_pkt_time":1514196094240063,"flow_dst_last_pkt_time":1514196094322725,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":74,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":74,"pkt_l4_len":40,"thread_ts_usec":1514196094322725,"pkt":"cIXCQA64fmgbW\/gUCABFAAA8AABAADMGDb6yIMTZwKgCXCNa15Yj5r0mgJ3\/OqAScSDZNwAAAgQFtAQCCArshW\/8T467sAEDAwk="} 00523{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":3,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1514196094322778,"flow_dst_last_pkt_time":1514196094322725,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":66,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":66,"pkt_l4_len":32,"thread_ts_usec":1514196094322778,"pkt":"fmgbW\/gUcIXCQA64CABFAAA0ux5AAEAGRafAqAJcsiDE2deWI1qAnf86I+a9J4AQAOV4LAAAAQEICk+Ou8XshW\/8"} 01095{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514196094322947,"flow_dst_last_pkt_time":1514196094322725,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":260,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1514196094322947,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} -02004{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514196187394861,"flow_dst_last_pkt_time":1514196187518495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":303,"flow_src_tot_l4_payload_len":1724,"flow_dst_tot_l4_payload_len":1124,"midstream":0,"thread_ts_usec":1514196187518495,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":6013975.0,"max":50191373,"stddev":12033642.0,"var":144808530149376.0,"ent":3.2,"data": [82662,82715,169,82626,1477,83954,12149836,12261597,111733,2618837,2732392,113543,6931182,7043979,112799,7848884,7848880,48786215,308388,319989,608003,50191373,143,24,41664,210617,4833234,4833228,8034710,8116947,41430]},"pktlen": {"min":66,"avg":156.6,"max":369,"stddev":98.9,"var":9779.1,"ent":4.7,"data": [74,74,66,326,66,369,66,249,129,66,249,129,66,249,129,66,319,66,249,249,249,249,78,78,78,129,66,319,66,249,66,129]},"bins": {"c_to_s": [9,0,0,0,0,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,5,0,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} +02403{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514196187394861,"flow_dst_last_pkt_time":1514196187518495,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":303,"flow_src_tot_l4_payload_len":1724,"flow_dst_tot_l4_payload_len":1124,"midstream":0,"thread_ts_usec":1514196187518495,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":24,"avg":6013975.0,"max":50191373,"stddev":12033642.0,"var":144808530149376.0,"ent":3.2,"data": [82662,82715,169,82626,1477,83954,12149836,12261597,111733,2618837,2732392,113543,6931182,7043979,112799,7848884,7848880,48786215,308388,319989,608003,50191373,143,24,41664,210617,4833234,4833228,8034710,8116947,41430]},"pktlen": {"min":52,"avg":142.6,"max":355,"stddev":98.9,"var":9779.1,"ent":4.7,"data": [60,60,52,312,52,355,52,235,115,52,235,115,52,235,115,52,305,52,235,235,235,235,64,64,64,115,52,305,52,235,52,115]},"bins": {"c_to_s": [9,0,0,0,0,8,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [6,5,0,0,0,0,0,2,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,0,0,1,1,0,0,1,0,0,1,0,0,1,0,1,0,0,0,0,0,1,1,1,1,0,1,0,0,1,1],"entropies": [4.771797657,5.333454132,5.171406746,6.152554512,5.168681622,5.319005013,5.053297043,5.511947632,5.527595043,5.053297043,5.498871803,5.546218395,5.156889915,5.566714287,5.501477242,5.094483376,5.293007374,4.926119804,5.440917015,5.447358608,5.455869675,5.449427605,5.128524780,5.159774780,5.159774780,5.546219349,5.041504383,5.292303562,5.209868431,5.539683342,5.248330116,5.587565422]},"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00554{"daemon_event_id":4,"daemon_event_name":"status","thread_id":0,"packet_id":88,"source":"zcash.pcap","alias":"nDPId-test","packets-captured":88,"packets-processed":87,"total-skipped-flows":0,"total-l4-payload-len":6805,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":1,"total-active-flows":1,"total-idle-flows":0,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":9,"global_ts_usec":1514196730496095} 01144{"flow_event_id":3,"flow_event_name":"idle","thread_id":0,"packet_id":145,"source":"zcash.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":83,"flow_dst_packets_processed":62,"flow_first_seen":1514196094240063,"flow_src_last_pkt_time":1514197248783309,"flow_dst_last_pkt_time":1514197248783271,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":260,"flow_dst_max_l4_payload_len":303,"flow_src_tot_l4_payload_len":6299,"flow_dst_tot_l4_payload_len":4723,"midstream":0,"thread_ts_usec":1514197248783309,"l3_proto":"ip4","src_ip":"192.168.2.92","dst_ip":"178.32.196.217","src_port":55190,"dst_port":9050,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"ndpi": {"flow_risk": {"5": {"risk":"Known Proto on Non Std Port","severity":"Medium","risk_score": {"total":260,"client":230,"server":30}},"22": {"risk":"Unsafe Protocol","severity":"Low","risk_score": {"total":750,"client":575,"server":175}}},"confidence": {"6":"DPI"},"proto":"Mining","proto_id":"42","encrypted":0,"breed":"Unsafe","category_id":99,"category":"Mining"}} 00561{"daemon_event_id":3,"daemon_event_name":"shutdown","thread_id":0,"packet_id":145,"source":"zcash.pcap","alias":"nDPId-test","packets-captured":145,"packets-processed":145,"total-skipped-flows":0,"total-l4-payload-len":11022,"total-not-detected-flows":0,"total-guessed-flows":0,"total-detected-flows":1,"total-detection-updates":0,"total-updates":0,"current-active-flows":0,"total-active-flows":1,"total-idle-flows":1,"total-compressions":0,"total-compression-diff":0,"current-compression-diff":0,"total-events-serialized":11,"global_ts_usec":1514197248783309} @@ -17,10 +17,10 @@ ~~ total active/idle flows...: 1/1 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6050126 bytes -~~ total memory freed........: 6050126 bytes -~~ total allocations/frees...: 121635/121635 +~~ total memory allocated....: 6050262 bytes +~~ total memory freed........: 6050262 bytes +~~ total allocations/frees...: 121636/121636 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars -~~ json string max len.......: 2009 chars -~~ json string avg len.......: 1214 chars +~~ json string max len.......: 2408 chars +~~ json string avg len.......: 1402 chars diff --git a/test/results/zoom.pcap.out b/test/results/zoom.pcap.out index de587ba69..8358fc964 100644 --- a/test/results/zoom.pcap.out +++ b/test/results/zoom.pcap.out @@ -102,7 +102,7 @@ 01107{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":112,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470165906,"flow_dst_last_pkt_time":1569520470280367,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1452,"midstream":0,"thread_ts_usec":1569520470280367,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","alpn":"http\/1.1"}}} 01431{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":116,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":4,"flow_dst_packets_processed":6,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470280708,"flow_dst_last_pkt_time":1569520470280793,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5608,"midstream":0,"thread_ts_usec":1569520470280793,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}} 00796{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":124,"source":"zoom.pcap","alias":"nDPId-test","flow_id":1,"flow_packet_id":3,"flow_src_last_pkt_time":1569520470350181,"flow_dst_last_pkt_time":1569520466080774,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":265,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":265,"pkt_l4_len":231,"thread_ts_usec":1569520470350181,"pkt":"EBMx8Tl2KDc3AG3ICABFAAD7AABAAEAGtb7AqAF1rNkVSNZGAbt9MLg2pduNV4AYEAjK4AAAAQEICiWc3wRwmChtFgMBAMIBAAC+AwE5BEH329R9hgOe6JDNh5Do5\/IyBg\/qLeMPj9mOGNz+swAAEgAvADMANQA5wAnACsATwBRWAAEAAIP\/AQABAAAAAB0AGwAAGHd3dy5nb29nbGV0YWdtYW5hZ2VyLmNvbQAXAAAABQAFAQAAAAAzdAAAABIAAAAQADAALgJoMgVoMi0xNgVoMi0xNQVoMi0xNAhzcGR5LzMuMQZzcGR5LzMIaHR0cC8xLjEACwACAQAACgAKAAgAHQAXABgAGQ=="} -01568{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":38469.9,"max":210729,"stddev":59394.9,"var":3527759616.0,"ent":3.3,"data": [112386,112530,31116,143960,1761,226,34,114802,166,170,7182,2922,121940,111900,4272,3,116559,98015,494,36,210729,39,183,114,242,129,123,246,127,13,148]},"pktlen": {"min":54,"avg":677.0,"max":1506,"stddev":660.1,"var":435695.1,"ent":4.2,"data": [78,66,54,571,60,1506,1506,1506,54,1306,54,54,245,105,54,745,864,60,1506,1506,1506,54,54,1506,1506,54,1506,1506,54,1506,459,54]},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0]}} +01966{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":3,"avg":38469.9,"max":210729,"stddev":59394.9,"var":3527759616.0,"ent":3.3,"data": [112386,112530,31116,143960,1761,226,34,114802,166,170,7182,2922,121940,111900,4272,3,116559,98015,494,36,210729,39,183,114,242,129,123,246,127,13,148]},"pktlen": {"min":40,"avg":663.0,"max":1492,"stddev":660.1,"var":435695.1,"ent":4.2,"data": [64,52,40,557,46,1492,1492,1492,40,1292,40,40,231,91,40,731,850,46,1492,1492,1492,40,40,1492,1492,40,1492,1492,40,1492,445,40]},"bins": {"c_to_s": [11,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,1,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [3,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,11,0,0]},"directions": [0,1,0,0,1,1,1,1,0,1,0,0,0,1,0,0,0,1,1,1,1,0,0,1,1,0,1,1,0,1,1,0],"entropies": [4.416232109,4.853979111,4.521928310,4.120527744,4.501398087,7.132670879,7.329687119,7.314774990,4.730641365,7.640571117,4.630640984,4.680641174,6.885639668,5.726258755,4.730641365,7.684801102,7.726203442,4.457919598,7.862352848,7.860615253,7.859583378,4.680641174,4.621928692,7.878399849,7.862105846,4.680641174,7.872378349,7.851402760,4.630641460,7.881779194,7.526136398,4.561769009]}} 01435{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":156,"source":"zoom.pcap","alias":"nDPId-test","flow_id":21,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1569520470022260,"flow_src_last_pkt_time":1569520470618561,"flow_dst_last_pkt_time":1569520470618526,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":810,"flow_dst_max_l4_payload_len":1452,"flow_src_tot_l4_payload_len":2209,"flow_dst_tot_l4_payload_len":17680,"midstream":0,"thread_ts_usec":1569520470618561,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"52.202.62.236","src_port":54866,"dst_port":443,"l4_proto":"tcp","ndpi": {"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"www3.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"535aca3d99fc247509cd50933cd71d37","ja3s":"3c30f2c064a3aed8cd95de8d68c726a6","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","alpn":"http\/1.1","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}} 00757{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":158,"source":"zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520470666966,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":44,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":44,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":44,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520470666966,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"192.168.1.255","src_port":57621,"dst_port":57621,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00559{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":158,"source":"zoom.pcap","alias":"nDPId-test","flow_id":22,"flow_packet_id":1,"flow_src_last_pkt_time":1569520470666966,"flow_dst_last_pkt_time":1569520470666966,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1569520470666966,"pkt":"\/\/\/\/\/\/\/\/KDc3AG3ICABFAABI4PAAAEARFPDAqAF1wKgB\/+EV4RUANLyaU3BvdFVkcDAJFTOWktM6lAABAARIlcIDDi3QR5gZLZgtSkZtNr91y8rdz4k="} @@ -158,7 +158,7 @@ 01232{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":286,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471221044,"flow_dst_last_pkt_time":1569520471255395,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1569520471255395,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomfrn99mmr.zoom.us","tls": {"version":"TLSv1.2","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"}}} 01556{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":291,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":6,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471255585,"flow_dst_last_pkt_time":1569520471266033,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":5536,"midstream":0,"thread_ts_usec":1569520471266033,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomfrn99mmr.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.zoom.us,zoom.us","ja3":"c51de225944b7d58d48c0f99f86ba8e6","ja3s":"ada793d0f02b028a6c840504edccb652","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256","issuerDN":"C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com, Inc., OU=http:\/\/certs.godaddy.com\/repository\/, CN=Go Daddy Secure Certificate Authority - G2","subjectDN":"OU=Domain Control Validated, CN=*.zoom.us","fingerprint":"F7:5A:83:A8:77:24:55:D7:6D:2E:93:F6:6E:9C:C9:7E:AD:9B:3B:E8"}}} 00592{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":302,"source":"zoom.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1569520471399595,"flow_dst_last_pkt_time":1569520467811636,"flow_idle_time":3285032704,"pkt_oversize":false,"pkt_caplen":113,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":113,"pkt_l4_len":79,"thread_ts_usec":1569520471399595,"pkt":"EBMx8Tl2KDc3AG3ICABFAABjAABAAEAGoUnAqAF1PpWYmdRFA+E5lpAkp\/QQcoAYEAA2VgAAAQEICiWc4viZh0dJFwMDACpAXTQxH2s8yyXvpDmREm16+\/VcNt\/x\/vlsIce1k7D8R+clMelpc+AJPCA="} -01852{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471662963,"flow_dst_last_pkt_time":1569520471590160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3063,"flow_dst_tot_l4_payload_len":8708,"midstream":0,"thread_ts_usec":1569520471662963,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":28227.3,"max":156067,"stddev":40349.6,"var":1628089600.0,"ent":3.8,"data": [31621,31782,223,32749,1986,135,18,34538,3,10485,3,10554,60088,93852,33789,375,31290,30856,4598,4,36582,6223,38193,156062,156067,114,1,94,10606,59053,3101]},"pktlen": {"min":66,"avg":434.5,"max":1506,"stddev":552.4,"var":305116.1,"ent":4.0,"data": [78,74,66,583,66,1506,1506,1282,66,66,1506,93,66,192,308,66,206,132,66,1506,547,66,104,66,1331,66,1506,160,66,104,216,237]},"bins": {"c_to_s": [10,1,0,1,2,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,1,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,0,0]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} +02249{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":320,"source":"zoom.pcap","alias":"nDPId-test","flow_id":30,"flow_state":"finished","flow_src_packets_processed":18,"flow_dst_packets_processed":14,"flow_first_seen":1569520471189039,"flow_src_last_pkt_time":1569520471662963,"flow_dst_last_pkt_time":1569520471590160,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3063,"flow_dst_tot_l4_payload_len":8708,"midstream":0,"thread_ts_usec":1569520471662963,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":54871,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":28227.3,"max":156067,"stddev":40349.6,"var":1628089600.0,"ent":3.8,"data": [31621,31782,223,32749,1986,135,18,34538,3,10485,3,10554,60088,93852,33789,375,31290,30856,4598,4,36582,6223,38193,156062,156067,114,1,94,10606,59053,3101]},"pktlen": {"min":52,"avg":420.5,"max":1492,"stddev":552.4,"var":305116.1,"ent":3.9,"data": [64,60,52,569,52,1492,1492,1268,52,52,1492,79,52,178,294,52,192,118,52,1492,533,52,90,52,1317,52,1492,146,52,90,202,223]},"bins": {"c_to_s": [10,1,0,1,2,1,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [4,1,2,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,1,0,0,0,0,0,4,0,0]},"directions": [0,1,0,0,1,1,1,1,0,0,1,1,0,0,1,0,0,1,0,0,0,1,1,0,1,0,1,1,0,0,0,0],"entropies": [4.428027153,5.266787052,5.014835358,4.340119362,5.209868431,7.128724575,7.325717926,7.321290493,5.014835358,5.053297043,7.580979347,5.559112549,5.053297043,6.556212902,7.136325836,5.130220413,6.862732410,6.273187160,5.053297043,7.864217758,7.611272335,5.132945538,5.887335777,5.091758728,7.866543293,5.130220413,7.874340057,6.566402435,5.130220413,5.819303036,6.871904373,6.960445881]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471748648,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00640{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_packet_id":1,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":149,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":149,"pkt_l4_len":115,"thread_ts_usec":1569520471748648,"pkt":"EBMx8Tl2KDc3AG3ICABFAACHYY4AAEARSPnAqAF1bV6gY+PXImEAcwEfAQACfUZNNf\/9ojRJXQ1tO1HolgAAAAAAAAACAHoAKgB6ACoAAABADhc935YCXvuVxCQMI1O\/y\/Bgvpncu9jEece5cy1sdfpDYvCDXrg+TanGp+bzCbMeQN8Pa7V1aoQPcx2bwfanLQAAAAA="} 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":386,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471748648,"flow_dst_last_pkt_time":1569520471748648,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471748648,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} @@ -171,7 +171,7 @@ 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":425,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520471915269,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471915269,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":107,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":107,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520471915269,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":60620,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00539{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":442,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":2,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471939789,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":77,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":77,"pkt_l4_len":43,"thread_ts_usec":1569520471939789,"pkt":"KDc3AG3IEBMx8Tl2CABFAAA\/uqdAADURuydtXqBjwKgBdSJh7MwAK7AuAgABgEJ0mpHOZDa3wq7Yfnt8kABaDj8AegDRAAAAAAAAAAA="} 00514{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":443,"source":"zoom.pcap","alias":"nDPId-test","flow_id":32,"flow_packet_id":3,"flow_src_last_pkt_time":1569520471915269,"flow_dst_last_pkt_time":1569520471939806,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":60,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":60,"pkt_l4_len":21,"thread_ts_usec":1569520471939806,"pkt":"KDc3AG3IEBMx8Tl2CABFAAApuqhAADURuzxtXqBjwKgBdSJh7MwAFUSkAwAAAAF2Ko4UAFoOPwAAAAAA"} -01742{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":474,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471785584,"flow_dst_last_pkt_time":1569520472033049,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":13,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":1029,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":26845,"midstream":0,"thread_ts_usec":1569520472033049,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":28,"avg":10365.7,"max":35562,"stddev":8525.9,"var":72690992.0,"ent":4.5,"data": [31967,28,32217,4719,35562,13763,10264,10242,9996,63,10130,10327,9979,9966,107,9866,10246,10252,10251,126,10146,9980,10130,10478,32,9954,10261,9714,10315,406,9850]},"pktlen": {"min":55,"avg":886.8,"max":1071,"stddev":383.7,"var":147246.2,"ent":4.8,"data": [149,77,60,55,105,85,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071,1071]},"bins": {"c_to_s": [1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} +02140{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":474,"source":"zoom.pcap","alias":"nDPId-test","flow_id":31,"flow_state":"finished","flow_src_packets_processed":3,"flow_dst_packets_processed":29,"flow_first_seen":1569520471748648,"flow_src_last_pkt_time":1569520471785584,"flow_dst_last_pkt_time":1569520472033049,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":13,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":107,"flow_dst_max_l4_payload_len":1029,"flow_src_tot_l4_payload_len":183,"flow_dst_tot_l4_payload_len":26845,"midstream":0,"thread_ts_usec":1569520472033049,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":58327,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":28,"avg":10365.7,"max":35562,"stddev":8525.9,"var":72690992.0,"ent":4.5,"data": [31967,28,32217,4719,35562,13763,10264,10242,9996,63,10130,10327,9979,9966,107,9866,10246,10252,10251,126,10146,9980,10130,10478,32,9954,10261,9714,10315,406,9850]},"pktlen": {"min":41,"avg":872.8,"max":1057,"stddev":383.7,"var":147246.2,"ent":4.8,"data": [135,63,46,41,91,71,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057,1057]},"bins": {"c_to_s": [1,1,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [1,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,26,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,1,1,0,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.872597694,4.834421635,4.434307098,4.564153194,5.116748810,4.833924294,0.510210812,0.504684150,0.513590038,0.511697888,0.528077245,0.513589978,0.515482187,0.515482187,0.513590038,0.532575667,0.515482187,0.508318722,0.515482187,0.512875855,0.532575667,0.515482187,0.511697948,0.511697888,0.513590038,0.532575667,0.515482187,0.513589978,0.510983646,0.515482187,0.532575667,0.515482187]},"ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520473084563,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":109,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":109,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":109,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520473084563,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":61731,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00648{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_packet_id":1,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":151,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":151,"pkt_l4_len":117,"thread_ts_usec":1569520473084563,"pkt":"EBMx8Tl2KDc3AG3ICABFAACJ4\/YAAEARxo7AqAF1bV6gY\/EjImEAde5DAQACOkSxT2rBSy0CI5EJ7ghSoQAAAAAAAAACAHoFYgB6BWIAAABAyr1YPP8KZ34wUqB9PR5Zle\/sBvgfAfGBqNzDFPjrnryOYaOvAtAdhsk5Sd978V5OWjrnwByNSAVBXX+sDOwgiv\/\/\/\/8KAA=="} 00864{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":651,"source":"zoom.pcap","alias":"nDPId-test","flow_id":33,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1569520473084563,"flow_src_last_pkt_time":1569520473084563,"flow_dst_last_pkt_time":1569520473084563,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":109,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":109,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":109,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1569520473084563,"l3_proto":"ip4","src_ip":"192.168.1.117","dst_ip":"109.94.160.99","src_port":61731,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"6":"DPI"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} @@ -221,9 +221,9 @@ ~~ total active/idle flows...: 33/33 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6355440 bytes -~~ total memory freed........: 6355440 bytes -~~ total allocations/frees...: 122604/122604 +~~ total memory allocated....: 6359928 bytes +~~ total memory freed........: 6359928 bytes +~~ total allocations/frees...: 122637/122637 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 190 chars ~~ json string max len.......: 2387 chars diff --git a/test/results/zoom2.pcap.out b/test/results/zoom2.pcap.out index 42af221c3..f0b98bf0a 100644 --- a/test/results/zoom2.pcap.out +++ b/test/results/zoom2.pcap.out @@ -7,12 +7,12 @@ 01235{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":4,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":1,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965458578318,"flow_dst_last_pkt_time":1642965458577638,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965458578318,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomsjccv154mmr.sjc.zoom.us","tls": {"version":"TLSv1.2","ja3":"832952db10f1453442636675bed2702b","ja3s":"","unsafe_cipher":0,"cipher":"TLS_NULL_WITH_NULL_NULL","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01295{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":6,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":3,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965458578318,"flow_dst_last_pkt_time":1642965458752945,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":1440,"midstream":0,"thread_ts_usec":1642965458752945,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomsjccv154mmr.sjc.zoom.us","tls": {"version":"TLSv1.2","ja3":"832952db10f1453442636675bed2702b","ja3s":"8aca82d60194883e764ab2743e60c380","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1"}}} 01572{"flow_event_id":8,"flow_event_name":"detection-update","thread_id":0,"packet_id":8,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"info","flow_src_packets_processed":3,"flow_dst_packets_processed":5,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965458578318,"flow_dst_last_pkt_time":1642965458752990,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":517,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":517,"flow_dst_tot_l4_payload_len":4096,"midstream":0,"thread_ts_usec":1642965458752990,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video","hostname":"zoomsjccv154mmr.sjc.zoom.us","tls": {"version":"TLSv1.2","server_names":"*.sjc.zoom.us","ja3":"832952db10f1453442636675bed2702b","ja3s":"8aca82d60194883e764ab2743e60c380","unsafe_cipher":0,"cipher":"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384","issuerDN":"C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1","subjectDN":"C=US, ST=California, L=San Jose, O=Zoom Video Communications, Inc., CN=*.sjc.zoom.us","tls_supported_versions":"TLSv1.3,TLSv1.2,TLSv1.1,TLSv1","fingerprint":"43:42:0A:34:FD:F6:7A:FC:E9:C1:95:D8:E0:79:7E:17:B9:65:B0:A7"}}} -01842{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965459315313,"flow_dst_last_pkt_time":1642965459315763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3004,"flow_dst_tot_l4_payload_len":9722,"midstream":0,"thread_ts_usec":1642965459315763,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":58874.8,"max":198571,"stddev":83051.8,"var":6897604608.0,"ent":3.4,"data": [174660,174776,564,174002,1305,35,10,9,175382,5,1,23625,1263,198571,173076,348,174461,174128,5783,7,187559,672,15,182407,110,83,84,878,803,496,2]},"pktlen": {"min":66,"avg":464.3,"max":1506,"stddev":547.4,"var":299645.5,"ent":4.1,"data": [78,74,66,583,66,1506,1506,1282,828,66,66,66,66,192,117,66,222,141,66,1506,781,66,1506,456,66,214,66,116,1344,66,1344,270]},"bins": {"c_to_s": [11,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,1,1,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,0,1,0,0,0,1,1,1,0,1,0,0,1,0,1,1]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} +02241{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":32,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":1,"flow_state":"finished","flow_src_packets_processed":17,"flow_dst_packets_processed":15,"flow_first_seen":1642965458402978,"flow_src_last_pkt_time":1642965459315313,"flow_dst_last_pkt_time":1642965459315763,"flow_idle_time":3285032704,"flow_src_min_l4_payload_len":0,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":1440,"flow_dst_max_l4_payload_len":1440,"flow_src_tot_l4_payload_len":3004,"flow_dst_tot_l4_payload_len":9722,"midstream":0,"thread_ts_usec":1642965459315763,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":50076,"dst_port":443,"l4_proto":"tcp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":1,"avg":58874.8,"max":198571,"stddev":83051.8,"var":6897604608.0,"ent":3.4,"data": [174660,174776,564,174002,1305,35,10,9,175382,5,1,23625,1263,198571,173076,348,174461,174128,5783,7,187559,672,15,182407,110,83,84,878,803,496,2]},"pktlen": {"min":52,"avg":450.3,"max":1492,"stddev":547.4,"var":299645.5,"ent":4.0,"data": [64,60,52,569,52,1492,1492,1268,814,52,52,52,52,178,103,52,208,127,52,1492,767,52,1492,442,52,200,52,102,1330,52,1330,256]},"bins": {"c_to_s": [11,1,0,1,1,0,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0],"s_to_c": [3,1,1,0,1,0,1,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,2,0,0,0,0,0,3,0,0]},"directions": [0,1,0,0,1,1,1,1,1,0,0,0,0,0,1,0,0,1,0,0,0,1,1,1,0,1,0,0,1,0,1,1],"entropies": [4.254878044,5.233453751,5.053297043,4.421474934,5.063529015,7.154266357,7.350361347,7.483180046,7.590131760,5.022342205,4.983880997,5.022342205,4.983880520,6.548796177,5.785968304,4.855899334,6.773957253,6.347529888,5.014834881,7.875683308,7.723464012,5.132945061,7.879707336,7.463565826,4.976374149,6.741343498,5.014835358,5.970962524,7.852532387,5.014835358,7.852782249,6.910366535]},"ndpi": {"flow_risk": {"15": {"risk":"TLS (probably) Not Carrying HTTPS","severity":"Low","risk_score": {"total":760,"client":680,"server":80}}},"confidence": {"6":"DPI"},"proto":"TLS.Zoom","proto_id":"91.189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00759{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":95,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459595620,"flow_dst_last_pkt_time":1642965459595620,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":123,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":123,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965459595620,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} 00657{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":95,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":1,"flow_src_last_pkt_time":1642965459595620,"flow_dst_last_pkt_time":1642965459595620,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"thread_ts_usec":1642965459595620,"pkt":"EBMx8Tl2KDc3AG3ICABFAACXeHsAAEARZSPAqAGykMNJmuztImEAgzNnAQADyErEUocYzaK4R3obiZ8zgwAAAAAAAAACAG9hPwBvYT8AAABA5tdm9ZTyTIyTAkYLAufeKJLgneU8bl8DozakMMlr\/JDYAlm5+8RxsTcW0dGDYHnKojsP3MD2C2S9PgF8PPhtdgAAAAAAQABAAAB1MAABAAMAAiAA"} 00657{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":104,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":2,"flow_src_last_pkt_time":1642965459696999,"flow_dst_last_pkt_time":1642965459595620,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":165,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":165,"pkt_l4_len":131,"thread_ts_usec":1642965459696999,"pkt":"EBMx8Tl2KDc3AG3ICABFAACXZlQAAEARd0rAqAGykMNJmuztImEAg30SAQADyErEUocYzaK4R3obiZ8zgwAAAAAAAAACAG9hpABvYaQAAABASNx7XNkhaVV2TkWPa7HXWfzTaegL7lyuofS42ADMsef1ZS+nG51oqDil0vt0Fn4zbdXfyiCV8oAbYGEn4LlcKwAAAAAAQABAAAB1MAABAAMAAiAA"} 00551{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":114,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_packet_id":3,"flow_src_last_pkt_time":1642965459696999,"flow_dst_last_pkt_time":1642965459762205,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1642965459762205,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvJFAADER8FuQw0mawKgBsiJh7O0ANHLoAgADyErEUocYzaK4R3obiZ8zgwBPg3gAb2E\/AAAAAAAAAAAAQABAAAPgAwA="} -01602{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":21,"avg":25414.0,"max":166585,"stddev":40490.2,"var":1639456256.0,"ent":3.6,"data": [101379,166585,27,72990,12330,100439,29,101849,72959,11921,4860,10860,10480,10129,246,9160,10351,10320,11352,21,292,9440,8565,5418,4862,82,10799,10006,10476,9401,205]},"pktlen": {"min":60,"avg":718.7,"max":1078,"stddev":464.6,"var":215864.3,"ent":4.6,"data": [165,165,86,60,170,170,86,60,170,102,102,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,1078,102,1078,1078,1078,1078,1078,1078,1078]},"bins": {"c_to_s": [0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1]}} +01998{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":21,"avg":25414.0,"max":166585,"stddev":40490.2,"var":1639456256.0,"ent":3.6,"data": [101379,166585,27,72990,12330,100439,29,101849,72959,11921,4860,10860,10480,10129,246,9160,10351,10320,11352,21,292,9440,8565,5418,4862,82,10799,10006,10476,9401,205]},"pktlen": {"min":46,"avg":704.7,"max":1064,"stddev":464.6,"var":215864.3,"ent":4.6,"data": [151,151,72,46,156,156,72,46,156,88,88,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,1064,88,1064,1064,1064,1064,1064,1064,1064]},"bins": {"c_to_s": [0,0,0,2,3,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,20,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1,1],"entropies": [5.840515137,5.848702431,4.861306667,4.234366894,5.447824001,5.554306984,4.833528996,4.321323395,5.629264832,4.681292534,4.672410965,0.559972763,0.556576610,0.564253807,0.560080409,0.590531707,0.561960101,0.563839793,0.561959982,0.563839793,0.597341061,0.588497758,0.561959982,0.561959982,4.750781059,0.551231861,0.590992451,0.553111553,0.553111553,0.561959982,0.561959982,0.599220753]}} 00880{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00881{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":172,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":2,"flow_state":"info","flow_src_packets_processed":5,"flow_dst_packets_processed":27,"flow_first_seen":1642965459595620,"flow_src_last_pkt_time":1642965459884168,"flow_dst_last_pkt_time":1642965460094905,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":128,"flow_dst_max_l4_payload_len":1036,"flow_src_tot_l4_payload_len":630,"flow_dst_tot_l4_payload_len":21016,"midstream":0,"thread_ts_usec":1642965460094905,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":60653,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00760{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":207,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460219455,"flow_dst_last_pkt_time":1642965460219455,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":123,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":123,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":123,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965460219455,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3} @@ -23,10 +23,10 @@ 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":274,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_packet_id":3,"flow_src_last_pkt_time":1642965460317924,"flow_dst_last_pkt_time":1642965460395901,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1642965460395901,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvbFAADER7zuQw0mawKgBsiJh4wUANKrxAgADlUCX4nL8uBw5x1bMJMqfpQBPg3kAb2OvAAAAAAAAAAAAQABAAAPgAwA="} 00665{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":299,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":2,"flow_src_last_pkt_time":1642965460461401,"flow_dst_last_pkt_time":1642965460359314,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":167,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":167,"pkt_l4_len":133,"thread_ts_usec":1642965460461401,"pkt":"EBMx8Tl2KDc3AG3ICABFAACZ6kAAAEAR81vAqAGykMNJmuJhImEAhaEiAQADwkJYttycXaTnsMPEsai0ugAAAAAAAAACAG9koQBvZKEAAABA6DEQatkP0ZiaMugg0SFSq6JqmaXOleBRM3eRUGv0uLvPr6CL4g3oVryKRdoOzve7SJqEd+2jwB1vjsn7k5LMNv\/\/\/\/8AQABAAAB1MAABAAMAAiAACgA="} 00550{"packet_event_id":2,"packet_event_name":"packet-flow","thread_id":0,"packet_id":348,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_packet_id":3,"flow_src_last_pkt_time":1642965460461401,"flow_dst_last_pkt_time":1642965460546911,"flow_idle_time":200000000,"pkt_oversize":false,"pkt_caplen":86,"pkt_type":2048,"pkt_l3_offset":14,"pkt_l4_offset":34,"pkt_len":86,"pkt_l4_len":52,"thread_ts_usec":1642965460546911,"pkt":"KDc3AG3IEBMx8Tl2CABFAABIvg1AAC8R8N+Qw0mawKgBsiJh4mEANErbAgADwkJYttycXaTnsMPEsai0ugBPg3oAb2Q7AAAAAAAAAAAAQABAAAPgAwA="} -01589{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":42778.1,"max":176446,"stddev":48878.6,"var":2389121792.0,"ent":4.1,"data": [98469,176446,124,85491,9538,94754,12,99878,94166,12337,1946,12440,20627,16992,20131,168367,18000,3631,10879,10252,19350,32137,20903,115345,15,17844,18745,20098,20216,21487,85502]},"pktlen": {"min":60,"avg":143.0,"max":203,"stddev":35.8,"var":1279.8,"ent":4.9,"data": [165,165,86,60,170,170,86,60,170,102,102,175,178,168,163,159,130,102,163,106,157,158,148,149,180,203,130,164,162,157,158,130]},"bins": {"c_to_s": [0,0,1,6,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,3,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,0,0,1,0,0,0,0,1]}} +01984{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":12,"avg":42778.1,"max":176446,"stddev":48878.6,"var":2389121792.0,"ent":4.1,"data": [98469,176446,124,85491,9538,94754,12,99878,94166,12337,1946,12440,20627,16992,20131,168367,18000,3631,10879,10252,19350,32137,20903,115345,15,17844,18745,20098,20216,21487,85502]},"pktlen": {"min":46,"avg":129.0,"max":189,"stddev":35.8,"var":1279.8,"ent":4.9,"data": [151,151,72,46,156,156,72,46,156,88,88,161,164,154,149,145,116,88,149,92,143,144,134,135,166,189,116,150,148,143,144,116]},"bins": {"c_to_s": [0,0,1,6,4,1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [2,5,3,8,2,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,1,1,1,1,1,1,1,0,1,1,1,1,1,1,1,0,0,1,0,0,0,0,1],"entropies": [5.774950981,5.795780182,4.871791363,4.390829086,5.589504242,5.647461891,4.816236019,4.390829086,5.513776779,4.672714233,4.717865467,5.984676361,5.988471985,5.890224934,5.750802994,5.721282959,5.103803158,4.742203236,5.809841633,4.711098671,5.716365814,5.704583168,5.625706196,5.615069389,6.022024632,6.167570114,5.279437542,5.717482567,5.684329510,5.700431347,5.688298225,5.216770172]}} 00879{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00880{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":497,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":3,"flow_state":"info","flow_src_packets_processed":12,"flow_dst_packets_processed":20,"flow_first_seen":1642965460219455,"flow_src_last_pkt_time":1642965460877104,"flow_dst_last_pkt_time":1642965460887928,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":88,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":161,"flow_dst_max_l4_payload_len":136,"flow_src_tot_l4_payload_len":1490,"flow_dst_tot_l4_payload_len":1734,"midstream":0,"thread_ts_usec":1642965460887928,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":58117,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} -01555{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":46715.2,"max":187597,"stddev":42950.9,"var":1844783744.0,"ent":4.3,"data": [102087,187597,15,105625,59,93505,28,87640,70667,56,105994,30,21517,32815,58979,18,48377,5541,49496,50209,26,8,55223,45719,56325,52361,22,59786,52118,47745,58582]},"pktlen": {"min":60,"avg":105.1,"max":185,"stddev":44.6,"var":1993.4,"ent":4.9,"data": [167,167,86,60,177,177,86,60,177,177,177,117,117,69,69,185,69,69,117,69,117,117,69,69,69,69,117,69,69,69,69,69]},"bins": {"c_to_s": [7,0,0,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,0,0,1,1,0,1,0,0,1,1,0,1,1,1,0,1,0,1,1,0,1,1,0]}} +01953{"flow_event_id":5,"flow_event_name":"analyse","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","flow_datalink":1,"flow_max_packets":3,"data_analysis": {"iat": {"min":8,"avg":46715.2,"max":187597,"stddev":42950.9,"var":1844783744.0,"ent":4.3,"data": [102087,187597,15,105625,59,93505,28,87640,70667,56,105994,30,21517,32815,58979,18,48377,5541,49496,50209,26,8,55223,45719,56325,52361,22,59786,52118,47745,58582]},"pktlen": {"min":46,"avg":91.1,"max":171,"stddev":44.6,"var":1993.4,"ent":4.8,"data": [153,153,72,46,163,163,72,46,163,163,163,103,103,55,55,171,55,55,103,55,103,103,55,55,55,55,103,55,55,55,55,55]},"bins": {"c_to_s": [7,0,0,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0],"s_to_c": [9,2,6,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0]},"directions": [0,0,1,1,0,0,1,1,0,0,0,1,1,0,1,0,0,1,1,0,1,1,1,0,1,0,1,1,0,1,1,0],"entropies": [5.810314178,5.912507057,4.833528996,4.303872585,5.517835140,5.506913185,4.805751324,4.390829086,5.576398373,5.539088726,5.561493397,4.442456245,4.487634182,3.597789288,3.852133274,5.482311726,3.597789288,3.888496876,4.520360470,3.744285822,4.494622231,4.547106743,3.853325367,3.707922220,3.961224079,3.671558619,4.547106743,3.924860477,3.671558380,3.888496876,3.924860477,3.707922220]}} 00877{"flow_event_id":6,"flow_event_name":"guessed","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00878{"flow_event_id":7,"flow_event_name":"detected","thread_id":0,"packet_id":575,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":4,"flow_state":"info","flow_src_packets_processed":15,"flow_dst_packets_processed":17,"flow_first_seen":1642965460359314,"flow_src_last_pkt_time":1642965461085374,"flow_dst_last_pkt_time":1642965461081424,"flow_idle_time":200000000,"flow_src_min_l4_payload_len":27,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":143,"flow_dst_max_l4_payload_len":75,"flow_src_tot_l4_payload_len":1257,"flow_dst_tot_l4_payload_len":755,"midstream":0,"thread_ts_usec":1642965461085374,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","src_port":57953,"dst_port":8801,"l4_proto":"udp","ndpi": {"confidence": {"2":"Match by IP"},"proto":"Zoom","proto_id":"189","encrypted":1,"breed":"Acceptable","category_id":26,"category":"Video"}} 00727{"flow_event_id":1,"flow_event_name":"new","thread_id":0,"packet_id":11804,"source":"zoom2.pcap","alias":"nDPId-test","flow_id":5,"flow_state":"info","flow_src_packets_processed":1,"flow_dst_packets_processed":0,"flow_first_seen":1642965500049643,"flow_src_last_pkt_time":1642965500049643,"flow_dst_last_pkt_time":1642965500049643,"flow_idle_time":140000000,"flow_src_min_l4_payload_len":36,"flow_dst_min_l4_payload_len":0,"flow_src_max_l4_payload_len":36,"flow_dst_max_l4_payload_len":0,"flow_src_tot_l4_payload_len":36,"flow_dst_tot_l4_payload_len":0,"midstream":0,"thread_ts_usec":1642965500049643,"l3_proto":"ip4","src_ip":"192.168.1.178","dst_ip":"144.195.73.154","l4_proto":"icmp","flow_datalink":1,"flow_max_packets":3} @@ -48,10 +48,10 @@ ~~ total active/idle flows...: 5/5 ~~ total timeout flows.......: 0 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ -~~ total memory allocated....: 6406891 bytes -~~ total memory freed........: 6406891 bytes -~~ total allocations/frees...: 133516/133516 +~~ total memory allocated....: 6407571 bytes +~~ total memory freed........: 6407571 bytes +~~ total allocations/frees...: 133521/133521 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~ json string min len.......: 490 chars -~~ json string max len.......: 1847 chars -~~ json string avg len.......: 1167 chars +~~ json string max len.......: 2246 chars +~~ json string avg len.......: 1367 chars |